Home
/
Asante
/
IC40240-10G
/
User Manual

Asante IC40240-10G, User Manual

Share

Page: 145 / 792

Asante IC40240-10G User Manual Download Page 145

d.

The client uses its private key to decrypt the challenge string, computes the

MD5 checksum, and sends the checksum back to the switch.

e.

The switch compares the checksum sent from the client against that

computed for the original string it sent. If the two checksums match, this
means that the client's private key corresponds to an authorized public key,
and the client is authenticated.

Authenticating SSH v2 Clients

a.

The client first queries the switch to determine if DSA public key

authentication using a preferred algorithm is acceptable.

b. If the specified algorithm is supported by the switch, it notifies the client to

proceed with the authentication process. Otherwise, it rejects the request.

c.

The client sends a signature generated using the private key to the switch.

d.

When the server receives this message, it checks whether the supplied key

is acceptable for authentication, and if so, it then checks whether the
signature is correct. If both checks succeed, the client is authenticated.

Note:

The SSH server supports up to four client sessions. The maximum number of
client sessions includes both current Telnet sessions and SSH sessions.

Generating the Host Key Pair

A host public/private key pair is used to provide secure communications between an
SSH client and the switch. After generating this key pair, you must provide the host
public key to SSH clients and import the client’s public key to the switch as
described in the preceding section (Command Usage).

Field Attributes

•

Public-Key of Host-Key

– The public key for the host.

- RSA: The first field indicates the size of the host key (e.g., 1024), the second

field is the encoded public exponent (e.g., 65537), and the last string is the
encoded modulus.

-

DSA: The first field indicates that the encryption method used by SSH is based

on the Digital Signature Standard (DSS). The last string is the encoded modulus.

•

Host-Key Type

– The key type used to generate the host key pair (i.e., public and

private keys). (Range: RSA, DSA, Both: Default: Both)

The SSH server uses RSA or DSA for key exchange when the client first
establishes a connection with the switch, and then negotiates with the client to
select either DES (56-bit) or 3DES (168-bit) for data encryption.

6-10

User Authentication

6

«
...
143
144
145
146
147
...
»

Summary of Contents for IC40240-10G

Page 1: ...IntraCore 40240 40480 10G Layer 3 Gigabit Stackable Ethernet Switch User s Manual ...

Page 2: ...ny associated artwork product design or design concept may be copied or reproduced in whole or in part by any means without the express written consent of Asante Asante and IntraCore are registered trademarks and the Asante logo AsanteCare Auto Uplink and IntraCare are trademarks of Asante All other brand names or product names are trademarks or registered trademarks of their respective holders Al...

Page 3: ...0BASE T RJ 45 Ports 4 Gigabit Combination Ports RJ 45 SFP 2 10 Gigabit Extender Module Slots 2 Stacking Ports IntraCore 40480 10G Gigabit Ethernet Switch Stackable Layer 3 Switch 44 10 100 1000BASE T RJ 45 Ports 4 Gigabit Combination Ports RJ 45 SFP 2 10 Gigabit Extender Module Slots 2 Stacking Ports ...

Page 4: ...IC40240 10G 99 00837 IC40480 10G 99 00836 ...

Page 5: ...t information or calls your attention to related features or instructions Caution Alerts you to a potential hazard that could cause loss of data or damage the system or equipment Warning Alerts you to a potential hazard that could cause personal injury Related Publications The following publication details the hardware features of the switch including the physical and performance related character...

Page 6: ...ii ...

Page 7: ...anagement Access 2 5 Resilient Configuration 2 5 Renumbering the Stack 2 5 Ensuring Consistent Code is Used Across the Stack 2 5 Basic Configuration 2 6 Console Connection 2 6 Setting Passwords 2 7 Setting an IP Address 2 7 Manual Configuration 2 8 Dynamic Configuration 2 11 Enabling SNMP Management Access 2 13 Community Strings for SNMP version 1 and 2c clients 2 13 Trap Receivers 2 14 Configurin...

Page 8: ...loading Configuration Settings from a Server 4 25 Console Port Settings 4 26 Telnet Settings 4 28 Configuring Event Logging 4 30 System Log Configuration 4 30 Remote Log Configuration 4 31 Displaying Log Messages 4 33 Sending Simple Mail Transfer Protocol Alerts 4 33 Renumbering the Stack 4 35 Resetting the System 4 36 Setting the System Clock 4 36 Setting the Current Time 4 37 Configuring SNTP 4 ...

Page 9: ...the ACL Name and Type 7 1 Configuring a Standard IPv4 ACL 7 2 Configuring an Extended IPv4 ACL 7 3 Configuring a MAC ACL 7 6 Configuring a Standard IPv6 ACL 7 7 Configuring an Extended IPv6 ACL 7 8 Binding a Port to an Access Control List 7 11 Chapter 8 Port Configuration 8 1 Displaying Connection Status 8 1 Configuring Interface Connections 8 3 Creating Trunk Groups 8 6 Statically Configuring a T...

Page 10: ...n Interface to a QinQ Tunnel 11 17 Configuring Private VLANs 11 18 Enabling Private VLANs 11 19 Configuring Uplink and Downlink Ports 11 19 Configuring Protocol Based VLANs 11 20 Configuring Protocol Groups 11 20 Mapping Protocols to VLANs 11 21 Chapter 12 Link Layer Discovery Protocol 12 1 Setting Basic LLDP Timing Attributes 12 1 Configuring LLDP Interface Attributes 12 3 Displaying LLDP Local D...

Page 11: ...ce 16 1 Configuring General DNS Service Parameters 16 1 Configuring Static DNS Host to Address Entries 16 3 Displaying the DNS Cache 16 5 Chapter 17 Dynamic Host Configuration Protocol 17 1 Configuring DHCP Relay Service 17 1 Configuring the DHCP Server 17 2 Enabling the Server Setting Excluded Addresses 17 3 Configuring Address Pools 17 4 Displaying Address Bindings 17 9 Chapter 18 Configuring Ro...

Page 12: ...irst Protocol 20 14 Configuring General Protocol Settings 20 15 Configuring OSPF Areas 20 19 Configuring Area Ranges Route Summarization for ABRs 20 23 Configuring OSPF Interfaces 20 25 Configuring Virtual Links 20 29 Configuring Network Area Addresses 20 31 Configuring Summary Addresses for External AS Routes 20 33 Redistributing External Routes 20 35 Configuring NSSA Settings 20 36 Displaying Li...

Page 13: ...d 22 4 exit 22 5 quit 22 5 Chapter 23 System Management Commands 23 1 Device Designation Commands 23 1 hostname 23 1 switch renumber 23 2 System Status Commands 23 3 show startup config 23 3 show running config 23 5 show system 23 7 show users 23 8 show version 23 8 Frame Size Commands 23 9 jumbo frame 23 9 File Management Commands 23 10 copy 23 11 delete 23 13 dir 23 14 whichboot 23 15 boot syste...

Page 14: ...ogging sendmail destination email 23 34 logging sendmail 23 34 show logging sendmail 23 35 Time Commands 23 35 sntp client 23 36 sntp server 23 37 sntp poll 23 37 sntp update time 23 38 show sntp 23 38 clock timezone 23 39 clock timezone predefined 23 39 clock summer time date 23 40 clock summer time predefined 23 41 clock summer time recurring 23 42 show clock 23 43 calendar set 23 44 show calend...

Page 15: ...ius server key 25 7 radius server retransmit 25 8 radius server timeout 25 8 show radius server 25 8 TACACS Client 25 9 tacacs server host 25 9 tacacs server port 25 10 tacacs server key 25 10 show tacacs server 25 11 Web Server Commands 25 11 ip http port 25 11 ip http server 25 12 ip http secure server 25 12 ip http secure port 25 13 Telnet Server Commands 25 14 ip telnet server 25 14 Secure She...

Page 16: ... 35 management 25 35 show management 25 36 Chapter 26 Access Control List Commands 26 1 IPv4 ACLs 26 1 access list ip 26 2 permit deny Standard IPv4 ACL 26 2 permit deny Extended IPv4 ACL 26 3 show ip access list 26 5 ip access group 26 6 show ip access group 26 6 IPv6 ACLs 26 7 access list ipv6 26 7 permit deny Standard IPv6 ACL 26 8 permit deny Extended IPv6 ACL 26 9 show ipv6 access list 26 11 ...

Page 17: ...hernet Interface 28 5 lacp admin key Port Channel 28 6 lacp port priority 28 6 show lacp 28 7 Chapter 29 Mirror Port Commands 29 1 port monitor 29 1 show port monitor 29 2 Chapter 30 Rate Limit Commands 30 1 rate limit 30 1 Chapter 31 Address Table Commands 31 1 mac address table static 31 1 clear mac address table dynamic 31 2 show mac address table 31 3 mac address table aging time 31 4 show mac...

Page 18: ...s 32 18 Chapter 33 Spanning Tree Commands 33 1 spanning tree 33 2 spanning tree mode 33 2 spanning tree forward time 33 4 spanning tree hello time 33 4 spanning tree max age 33 5 spanning tree priority 33 6 spanning tree pathcost method 33 6 spanning tree transmission limit 33 7 spanning tree mst configuration 33 7 mst vlan 33 8 mst priority 33 9 name 33 9 revision 33 10 max hops 33 11 spanning tr...

Page 19: ...34 12 show vlan 34 13 Configuring IEEE 802 1Q Tunneling 34 14 dot1q tunnel system tunnel control 34 15 switchport dot1q tunnel mode 34 15 switchport dot1q tunnel tpid 34 16 show dot1q tunnel 34 17 Configuring Private VLANs 34 18 pvlan 34 18 show pvlan 34 19 Configuring Protocol based VLANs 34 20 protocol vlan protocol group Configuring Groups 34 20 protocol vlan protocol group Configuring Interfac...

Page 20: ...6 8 show class map 36 9 show policy map 36 9 show policy map interface 36 10 Chapter 37 Multicast Filtering Commands 37 1 IGMP Snooping Commands 37 1 ip igmp snooping 37 1 ip igmp snooping vlan static 37 2 ip igmp snooping version 37 2 ip igmp snooping immediate leave 37 3 show ip igmp snooping 37 4 show mac address table multicast 37 4 IGMP Query Commands 37 5 ip igmp snooping querier 37 5 ip igm...

Page 21: ...ress 39 6 ip dhcp pool 39 6 network 39 7 default router 39 8 domain name 39 8 dns server 39 9 next server 39 9 bootfile 39 10 netbios name server 39 10 netbios node type 39 11 lease 39 11 host 39 12 client identifier 39 13 hardware address 39 14 clear ip dhcp binding 39 14 show ip dhcp binding 39 15 Chapter 40 Router Redundancy Commands 40 1 Virtual Router Redundancy Protocol Commands 40 1 vrrp ip...

Page 22: ... 13 show ipv6 interface 41 14 ipv6 default gateway 41 17 show ipv6 default gateway 41 17 ipv6 mtu 41 18 show ipv6 mtu 41 19 show ipv6 traffic 41 19 clear ipv6 traffic 41 25 ping ipv6 41 25 ipv6 neighbor 41 26 ipv6 nd dad attempts 41 27 ipv6 nd ns interval 41 29 show ipv6 neighbors 41 30 clear ipv6 neighbors 41 32 Address Resolution Protocol ARP 41 32 arp 41 32 arp timeout 41 33 clear arp cache 41 ...

Page 23: ...mation originate 42 21 timers spf 42 22 area range 42 23 area default cost 42 24 summary address 42 24 redistribute 42 25 network area 42 26 area stub 42 27 area nssa 42 28 area virtual link 42 30 ip ospf authentication 42 32 ip ospf authentication key 42 33 ip ospf message digest key 42 34 ip ospf cost 42 35 ip ospf dead interval 42 36 ip ospf hello interval 42 36 ip ospf priority 42 37 ip ospf r...

Page 24: ...ix A Software Specifications A 1 Software Features A 1 Management Features A 2 Standards A 2 Management Information Bases A 3 Appendix B Troubleshooting B 1 Problems Accessing the Management Interface B 1 Using System Logs B 2 Glossary Index ...

Page 25: ...s to Egress Queues 13 3 Table 13 2 CoS Priority Levels 13 3 Table 13 3 Mapping IP Precedence 13 8 Table 13 4 Mapping DSCP Priority 13 10 Table 19 1 Address Resolution Protocol 19 8 Table 19 2 ARP Statistics 19 14 Table 19 3 IP Statistics 19 16 Table 19 4 ICMP Statistics 19 17 Table 19 5 USP Statistics 19 19 Table 19 6 TCP Statistics 19 20 Table 20 1 RIP Information and Statistics 20 11 Table 21 1 ...

Page 26: ...12 Port Security Commands 25 24 Table 25 13 802 1X Port Authentication Commands 25 26 Table 25 14 IP Filter Commands 25 35 Table 26 1 Access Control List Commands 26 1 Table 26 2 IPv4 ACL Commands 26 1 Table 26 3 IPv6 ACL Commands 26 7 Table 26 4 MAC ACL Commands 26 12 Table 26 5 ACL Information Commands 26 16 Table 27 1 Interface Commands 27 1 Table 27 2 show interfaces switchport display descrip...

Page 27: ...ble 40 4 show vrrp brief display description 40 8 Table 41 1 IP Interface Commands 41 1 Table 41 2 Basic IP Configuration Commands 41 1 Table 41 3 show ipv6 interface display description 41 15 Table 41 4 show ipv6 mtu display description 41 19 Table 41 5 show ipv6 traffic display description 41 21 Table 41 6 show ipv6 neighbors display description 41 31 Table 41 7 Address Resolution Protocol Comma...

Page 28: ...isplay description 42 47 Table 42 17 show ip ospf summary display description 42 48 Table 42 18 show ip ospf interface display description 42 49 Table 42 19 show ip ospf neighbor display description 42 50 Table 42 20 show ip ospf virtual links display description 42 51 Table B 1 Troubleshooting Chart B 1 ...

Page 29: ...5 Figure 4 16 Configuring the Console Port 4 27 Figure 4 17 Configuring the Telnet Interface 4 29 Figure 4 18 System Logs 4 31 Figure 4 19 Remote Logs 4 32 Figure 4 20 Displaying Logs 4 33 Figure 4 21 Enabling and Configuring SMTP Alerts 4 34 Figure 4 22 Renumbering the Stack 4 36 Figure 4 23 Resetting the System 4 36 Figure 4 24 Current Time 4 37 Figure 4 25 SNTP Configuration 4 38 Figure 4 26 Cl...

Page 30: ...e 8 5 LACP Aggregation Port 8 11 Figure 8 6 LACP Port Counters Information 8 13 Figure 8 7 LACP Port Internal Information 8 15 Figure 8 8 LACP Port Neighbors Information 8 16 Figure 8 9 Port Broadcast Control 8 18 Figure 8 10 Mirror Port Configuration 8 19 Figure 8 11 Rate Limit Configuration 8 21 Figure 8 12 Port Statistics 8 25 Figure 9 1 Static Addresses 9 2 Figure 9 2 Dynamic Addresses 9 3 Fig...

Page 31: ...re 13 8 IP Port Priority Status 13 11 Figure 13 9 IP Port Priority 13 12 Figure 14 1 Configuring Class Maps 14 3 Figure 14 2 Configuring Policy Maps 14 6 Figure 14 3 Service Policy Settings 14 7 Figure 15 1 IGMP Configuration 15 4 Figure 15 1 IGMP Immediate Leave 15 5 Figure 15 2 Multicast Router Port Information 15 6 Figure 15 3 Static Multicast Router Port Configuration 15 7 Figure 15 4 IP Multi...

Page 32: ...ace Settings 20 8 Figure 20 4 RIP Redistribution Configuration 20 10 Figure 20 5 RIP Statistics 20 12 Figure 20 6 OSPF General Configuration 20 18 Figure 20 7 OSPF Area Configuration 20 22 Figure 20 8 OSPF Range Configuration 20 24 Figure 20 9 OSPF Interface Configuration 20 28 Figure 20 10 OSPF Interface Configuration Detailed 20 28 Figure 20 11 OSPF Virtual Link Configuration 20 30 Figure 20 12 ...

Page 33: ...Getting Started ...

Page 34: ...routes 32 IP interfaces Supports IPv4 and IPv6 addressing management and QoS Supports dynamic data switching and addresses learning Supported to ensure wire speed switching while eliminating bad frames 1 1 Chapter 1 Introduction This switch provides a broad range of features for Layer 2 switching and Layer 3 routing It includes a management agent that allows you to configure the features listed in...

Page 35: ...ffic security and efficient use of network bandwidth CoS priority queueing ensures the minimum delay for moving real time multimedia data across the network While multicast filtering provides support for real time network applications Some of the management features are briefly described below Configuration Backup and Restore You can save the current configuration settings to a file on a TFTP serv...

Page 36: ... configured on interfaces at the edge of a network to limit traffic into or out of the network Traffic that falls within the rate limit is transmitted while packets that exceed the acceptable amount of traffic are dropped Port Mirroring The switch can unobtrusively mirror traffic from any port to a monitor port You can then attach a protocol analyzer or RMON probe to this port to perform traffic a...

Page 37: ...for the older IEEE 802 1D STP standard It is intended as a complete replacement for STP but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP compliant mode if they detect STP protocol messages from attached devices Multiple Spanning Tree Protocol MSTP IEEE 802 1s This protocol is a direct extension of RSTP It can provide an independent spa...

Page 38: ...conventional routers Routing for unicast traffic is supported with the Routing Information Protocol RIP and the Open Shortest Path First OSPF protocol RIP This protocol uses a distance vector approach to routing Routes are determined on the basis of minimizing the distance vector or hop count which serves as a rough estimate of transmission cost OSPF This approach uses a link state routing protoco...

Page 39: ...ch packet is classified upon entry into the network based on access lists IP Precedence or DSCP values or VLAN lists Using access lists allows you select traffic based on Layer 2 Layer 3 or Layer 4 information contained in each packet Based on network policies different kinds of traffic can be marked for different kinds of forwarding Multicast Filtering Specific multicast traffic can be assigned t...

Page 40: ... this file should be set as the startup configuration file page 4 24 The following table lists some of the basic system defaults Table 1 2 System Defaults 1 Function Console Port Connection Authentication Web Management Parameter Baud Rate Data bits Stop bits Parity Local Console Timeout Privileged Exec Level Normal Exec Level Enable Privileged Exec from Normal Exec Level RADIUS Authentication TAC...

Page 41: ... Status Enabled all ports Broadcast Limit Rate 500 packets per second Status Enabled RSTP Defaults All values based on IEEE 802 1w Fast Forwarding Edge Port Disabled Aging Time 300 seconds Default VLAN 1 PVID 1 Acceptable Frame Type All Ingress Filtering Disabled Switchport Mode Egress Mode Hybrid tagged untagged frames GVRP global Disabled GVRP port interface Disabled Introduction Table 1 2 Syste...

Page 42: ...Gateway 0 0 0 0 DHCP Client Enabled Relay Disabled Server Disabled DNS Client Proxy service Disabled BOOTP Disabled ARP Enabled Cache Timeout 20 minutes Proxy Disabled Unicast Routing RIP Disabled OSPF Disabled Router Redundancy VRRP Disabled Multicast Filtering IGMP Snooping Snooping Enabled Querier Disabled System Log Status Enabled Messages Logged Levels 0 7 all Messages Logged to Flash Levels ...

Page 43: ...1 1 10 Introduction ...

Page 44: ...nection to the RS 232 serial console port on the switch or remotely by a Telnet connection over the network The switch s management agent also supports SNMP Simple Network Management Protocol This SNMP agent permits the switch to be managed from any system in the network using network management software such as HP Openview The switch s web interface CLI configuration program and SNMP agent allow ...

Page 45: ... Connect the console cable to the serial port on a terminal or a PC running terminal emulation software and tighten the captive retaining screws on the DB 9 connector 2 Connect the other end of the cable to the RS 232 serial port on the switch 3 Make sure the terminal emulation software is set as follows Select the appropriate serial port COM port 1 or COM port 2 Set to any of the following baud r...

Page 46: ...gram can be accessed using Telnet from any computer attached to the network The switch can also be managed by any computer using a web browser Internet Explorer 5 0 or above Netscape 6 2 or above or Mozilla Firefox 2 0 0 0 or above or from a network computer using SNMP network management software Note The onboard program only provides access to basic configuration functions To access the full rang...

Page 47: ... up it continues to synchronize configuration information to all of the Slave units in the stack If the Master unit fails or is powered off a new master unit will be selected based on the election rules described in the preceding section The backup unit elected to serve as the new stack Master will take control of the stack without any loss of configuration settings To ensure a logical fail over t...

Page 48: ... unit to which you normally connect for management access fails and there are no active port members on the other units within this VLAN interface then this IP address will no longer be available To retain a constant IP address for management access across fail over events you should include port members on several units within the primary VLAN used for stack management Resilient Configuration If ...

Page 49: ...different image version For information on downloading firmware see Managing Firmware on page 4 21 or File Management Commands on page 23 10 Basic Configuration Console Connection The CLI program provides two different command levels normal access level Normal Exec and privileged access level Privileged Exec The commands available at the Normal Exec level are a limited subset of those available at...

Page 50: ...n password 0 password for the Privileged Exec level where password is your new password Press Enter Note 0 specifies a password in plain text 7 specifies a password in encrypted form Username admin Password CLI session with the 24 48 L3 GE Switch is opened To end the CLI session enter Exit Console configure Console config username guest password 0 password Console config username admin password 0 ...

Page 51: ...dress and netmask is the network mask for the network Press Enter 3 Type exit to return to the global configuration mode prompt Press Enter 4 To set the IP address of the default gateway for the network to which the switch belongs type ip default gateway gateway where gateway is the IP address of the default gateway Press Enter Console config interface vlan 1 Console config if ip address 192 168 1...

Page 52: ...detailed information on the other ways to assign IPv6 addresses see Setting the Switch s IP Address IP Version 6 on page 4 9 Link Local Address All link local addresses must be configured with a prefix of FE80 Remember that this address type makes the switch accessible over IPv6 for all devices attached to the same local subnet only Also if the switch detects that the address you configured confli...

Page 53: ...nter To set the IP address of the IPv6 default gateway for the network to which the switch belongs type ipv6 default gateway gateway where gateway is the IPv6 address of the default gateway Press Enter To generate an IPv6 global unicast address for the switch using a general network prefix complete the following steps 1 2 3 4 5 2 10 Console config ipv6 general prefix rd 2001 DB8 2222 48 Console co...

Page 54: ...interface configuration mode Press Enter 2 At the interface configuration mode prompt use one of the following commands To obtain IP settings via DHCP type ip address dhcp and press Enter To obtain IP settings via BOOTP type ip address bootp and press Enter 3 Type end to return to the Privileged Exec mode Press Enter 4 Type ip dhcp restart client to begin broadcasting service requests Press Enter ...

Page 55: ... Vlan 1 is up IPv6 is enable Link local address FE80 200 E8FF FE90 0 64 Global unicast address es Joined group address es FF01 1 16 FF02 1 16 FF02 1 FF90 0 104 MTU is 1500 bytes ND DAD is enabled number of DAD attempts 1 ND retransmit interval is 1000 milliseconds Console 27 1 41 7 41 5 Address for Multi segment Network To generate an IPv6 address that can be used in a network containing more than...

Page 56: ...ew for the private community string that provides read write access to the entire MIB tree However you may assign new views to version 1 or 2c community strings that suit your specific security requirements see page 5 17 Community Strings for SNMP version 1 and 2c clients Community strings are used to control management access to SNMP version 1 and 2c stations as well as to authorize SNMP stations...

Page 57: ... clients we recommend that you delete both of the default community strings If there are no community strings then SNMP management access from SNMP v1 and v2c clients is disabled Trap Receivers You can also specify SNMP stations that are to receive traps from the switch To configure a trap receiver use the snmp server host command From the Privileged Exec level global configuration mode prompt typ...

Page 58: ...to this file which is then used to boot the stack See Saving or Restoring Configuration Settings on page 4 24 for more information Operation Code System software that is executed after boot up also known as run time code This code runs the switch operations and provides the CLI and web management interfaces See Managing Firmware on page 4 21 for more information 2 15 Managing System Files Configur...

Page 59: ...ands only modify the running configuration file and are not saved when the switch is rebooted To save all your configuration changes in nonvolatile storage you must copy the running configuration file to the start up configuration file using the copy command New startup configuration files must have a name specified File names on the switch are case sensitive can be from 1 to 31 characters must no...

Page 60: ...m the Privileged Exec mode prompt type copy running config startup config and press Enter 2 Enter the name of the start up file Press Enter Console copy running config startup config Startup configuration file name startup Write to FLASH Programming Write to FLASH finish Success Console 2 23 11 2 17 ...

Page 61: ...2 2 18 Initial Configuration ...

Page 62: ...agement Tasks 4 1 Simple Network Management Protocol 5 1 User Authentication 6 1 Access Control Lists 7 1 Port Configuration 8 1 Address Table Settings 9 1 Spanning Tree Algorithm 10 1 VLAN Configuration 11 1 Link Layer Discovery Protocol 12 1 Class of Service 13 1 Quality of Service 14 1 Multicast Filtering 15 1 Domain Name Service 16 1 Dynamic Host Configuration Protocol 17 1 Configuring Router ...

Page 63: ...Switch Management ...

Page 64: ... on page 2 7 2 Set user names and passwords using an out of band serial connection Access to the web agent is controlled by the same user names and passwords as the onboard configuration program See Setting Passwords on page 2 7 3 After you enter a user name and password you will have access to the system configuration program Notes 1 You are allowed three attempts to enter the correct password on...

Page 65: ...e home page is displayed as shown below The home page displays the Main Menu on the left side of the screen and System Information on the right side The Main Menu links are used to navigate to other menus and display configuration parameters and statistics Figure 3 1 Home Page Note The examples in this chapter are based on the IC40480 10G Other than the number of fixed ports there are no other dif...

Page 66: ...o the page Internet Explorer 6 x and earlier This option is available under the menu Tools Internet Options General Temporary Internet Files Settings Internet Explorer 7 x This option is available under Tools Internet Options General Browsing History Settings Temporary Internet Files 2 You may have to manually refresh the screen after making configuration changes by pressing the browser s refresh ...

Page 67: ...ging process Stores and displays error messages Configures the logging of messages to a remote logging process Sends an SMTP client message to a participating server Main Menu Using the onboard web agent you can define system parameters manage and control the switch and all its ports or monitor network conditions The following table briefly describes the selections available from this program Tabl...

Page 68: ...vice Configures SNMP v3 users Configures SNMP v3 users on a remote device 5 11 Configures SNMP v3 groups Configures SNMP v3 views Configures user names passwords and access levels Configures authentication sequence RADIUS and TACACS Configures secure HTTP settings Secure Shell Configures Secure Shell server settings Generates the host key pair public and private Imports and manages user RSA and DS...

Page 69: ... 7 8 8 8 8 IP Filter Port Port Information Trunk Information Port Configuration Trunk Configuration Trunk Membership LACP Configuration Aggregation Port Port Counters Information Port Internal Information Port Neighbors Information Port Broadcast Control Trunk Broadcast Control Mirror Port Configuration Rate Limit Input Port Configuration Input Trunk Configuration Output Port Configuration Output ...

Page 70: ... 13 Trunk Configuration Configures individual trunk settings for STA 10 13 MSTP Multiple Spanning Tree Algorithm 3 VLAN Configuration Port Information Trunk Information Port Configuration Trunk Configuration VLAN 802 1Q VLAN GVRP Status Basic Information Current Table Static List Static Table Static Membership by Port Port Configuration Trunk Configuration 802 1Q Tunnel Configuration Tunnel Port C...

Page 71: ...g to a class of service value Sets IP Differentiated Services Code Point priority mapping a DSCP tag to a class of service value Globa ly enables or disables IP Port Priority Sets TCP UDP port priority defining the socket number and associated class of service value Table 3 2 Switch Main Menu Continued Menu Description Page LLDP Configuration Port Configuration Trunk Configuration Local Informatio...

Page 72: ... 18 7 18 8 19 1 19 4 19 4 IGMP Configuration IGMP Immediate Leave Multicast Router Port Information Static Multicast Router Port Configuration IP Multicast Registration Table IGMP Member Port Table Enables multicast filtering configures parameters for multicast query Configures immediate leave for multicast services no longer required Displays the ports that are attached to a neighboring multicast...

Page 73: ...on Protocol General Sets the protocol timeout and enables or disables proxy ARP for the specified VLAN 19 8 19 9 19 11 19 12 19 13 19 14 19 16 19 16 19 17 19 19 19 20 19 21 19 21 19 22 20 1 20 2 20 3 Static Addresses Dynamic Addresses Other Addresses Statistics Statistics IP ICMP UDP TCP Routing Static Routes Routing Table Routing Protocol RIP Routing Information Protocol General Settings Network ...

Page 74: ...edistributes routes from one routing domain to another Configures settings for importing routes into or exporting routes out of not so stubby areas Shows information about different OSPF Link State Advertisements LSAs stored in this router s database Displays routing table entries for area border routers and autonomous system boundary routers Displays information about neighboring routers on each ...

Page 75: ...3 3 12 Configuring the Switch ...

Page 76: ...nt has been up These additional parameters are displayed for the CLI System Description Brief description of device type MAC Address The physical layer address for this switch Web Server Shows if management access via HTTP is enabled Web Server Port Shows the TCP port number used by the web interface Web Secure Server Shows if management access via HTTPS is enabled Web Secure Server Port Shows the...

Page 77: ...n 24 48 port 10 100 1000 Stackable Managed Switch with 2 X 10G uplinks System OID String 1 3 6 1 4 1 259 8 1 9 System Information System Up Time 0 days 1 hours 28 minutes and 0 51 seconds System Name R D 5 System Location WC 9 System Contact Ted MAC Address Unit1 00 20 1A DF 9C A0 MAC Address Unit2 00 20 1A DF 9E C0 Web Server Enabled Web Server Port 80 Web Secure Server Enabled Web Secure Server ...

Page 78: ...tus of the internal power supply Management Software EPLD Version Version number of EEPROM Programmable Logic Device Loader Version Version number of loader code Boot ROM Version Version of Power On Self Test POST and boot code Operation Code Version Version number of runtime code Role Shows that this switch is operating as Master or Slave These additional parameters are displayed for the CLI Unit...

Page 79: ...rt maintains its own filtering database Configurable PVID Tagging This switch allows you to override the default Port VLAN ID PVID used in frame tags and egress status VLAN Tagged or Untagged on each port Refer to VLAN Configuration on page 11 1 Local VLAN Capable This switch does not support multiple local bridges outside of the scope of 802 1Q defined VLANs GMRP GARP Multicast Registration Proto...

Page 80: ...ent access over the network This switch supports both IPv4 and IPv6 and can be managed through either of these address types For information on configuring the switch with an IPv6 address see Setting the Switch s IP Address IP Version 6 on page 4 9 The IPv4 address for this stack is obtained via DHCP by default To manually configure an address you need to change the stack s default settings to val...

Page 81: ... However the management station can be attached to a port belonging to any VLAN as long as that VLAN has been assigned an IP address IP Address Mode Specifies whether IP functionality is enabled via manual configuration Static Dynamic Host Configuration Protocol DHCP or Boot Protocol BOOTP If DHCP BOOTP is enabled IP will not function until a reply has been received from the server Requests will b...

Page 82: ...ole config Console config interface vlan 1 Console config if ip address 10 1 0 253 255 255 255 0 Console config if exit Console config ip default gateway 10 1 0 254 Console config Manual Configuration Web Click IP General Routing Interface Select the VLAN through which the management station is attached set the IP Address Mode to Static and specify a Primary interface Enter the IP address and subn...

Page 83: ...erface Configuration DHCP Note If you lose your management connection make a console connection to the Master unit and enter show ip interface to determine the new stack address CLI Specify the management interface and set the IP address mode to DHCP or BOOTP and then enter the ip dhcp restart client command Console config Console config interface vlan 1 Console config if ip address dhcp Console c...

Page 84: ...page 19 4 To enable routing between the different interfaces on this stack you must enable IP routing page 19 4 To enable routing between the interfaces defined on this stack and external network interfaces you must configure static routes page 19 21 or use dynamic routing i e either RIP or OSPF page 20 2 and 20 14 respectively The precedence for configuring IP interfaces is the IP General Routing...

Page 85: ... an IPv6 General Network Prefix on page 4 15 When using this method remember that the prefix length specified on the IPv6 Configuration page must include both the length of the general prefix and any contiguous bits from the left of the specified address that are added to the general prefix to form the extended network portion of the address You can configure multiple IPv6 global unicast addresses...

Page 86: ...of IPv6 addresses on an interface and enables IPv6 functionality on the interface The network portion of the address is based on prefixes received in IPv6 router advertisement messages and the host portion is automatically generated using the modified EUI 64 form of the interface identifier i e the switch s MAC address If the router advertisements have the other stateful configuration flag set the...

Page 87: ...eral prefix and any number of subsequent prefix bits that exceed the length of the general prefix Therefore depending on the specified prefix length some of the address bits entered in the IPv6 Address field may be appended to the general prefix However if the prefix length is shorter than the general prefix then the length of the general prefix takes precedence and some of the address bits entere...

Page 88: ...1 1 and FF02 1 for all IPv6 nodes within scope 1 interface local and scope 2 link local respectively FF01 1 16 is the transient node local multicast address for all attached IPv6 nodes and FF02 1 16 is the link local multicast address for all attached IPv6 nodes The node local multicast address is only used for loopback transmission of multicast traffic Link local multicast addresses cover the sam...

Page 89: ...nfiguration Set the IPv6 default gateway specify the VLAN to configure enable IPv6 and set the MTU Then enter a global unicast or link local address and click Add IPv6 Address Figure 4 7 IPv6 Interface Configuration 4 14 Basic Management Tasks 4 ...

Page 90: ... 00 04 50 FE80 203 A0FF FED6 141D Console Configuring an IPv6 General Network Prefix The IPv6 General Prefix page is used to configure general prefixes that are subsequently used on the IPv6 Configuration web page see page 4 9 to specify the network address portion of an interface address Command Usage Prefixes may contain zero value fields or end in zeros A general prefix holds a short prefix tha...

Page 91: ...diting fields for a prefix entry Enter a name for the general prefix the value for the general prefix and the prefix length Then click Add to enable the entry Figure 4 8 IPv6 General Prefix Configuration CLI This example creates a general network prefix of 2009 DB9 2229 48 Console config ipv6 general prefix rd 2009 DB9 2229 48 Console config end Console show ipv6 general prefix IPv6 general prefix...

Page 92: ...face is administratively re activated An interface that is re activated restarts duplicate address detection for all unicast IPv6 addresses on the interface While duplicate address detection is performed on the interface s link local address the other IPv6 addresses remain in a tentative state If no duplicate link local address is found duplicate address detection is started for the remaining IPv6...

Page 93: ...th was functioning A packet was sent within the last DELAY_FIRST_PROBE_TIME interval If no reachability confirmation is received within this interval after entering the DELAY state the switch will send a neighbor solicitation message and change the state to PROBE PROBE A reachability confirmation is actively sought by resending neighbor solicitation messages every RetransTimer interval until confi...

Page 94: ...of attempts allowed for duplicate address detection set the interval for neighbor solicitation messages and click Apply To configure static neighbor entries click Add fill in the IPv6 address VLAN interface and hardware address Then click Add Figure 4 9 IPv6 Neighbor Detection and Neighbor Cache 4 19 Setting the Switch s IP Address IP Version 6 4 ...

Page 95: ...ce vlan 1 Console config if ipv6 nd dad attempts 5 Console config if ipv6 nd ns interval 30000 Console config if end Console show ipv6 interface Vlan 1 is up IPv6 is enable Link local address FE80 1034 11FF FE11 4321 64 Global unicast address es 2009 DB9 2229 79 subnet is 2009 DB9 2229 0 64 Joined group address es FF01 1 16 FF02 1 16 FF02 1 FF00 79 104 FF02 1 FF11 4321 104 MTU is 1280 bytes ND DAD...

Page 96: ...rames and click Apply Figure 4 10 Configuring Support for Jumbo Frames CLI This example enables jumbo frames globally for the switch 4 Configuring Support for Jumbo Frames Console config jumbo frame Console config 23 9 Managing Firmware You can upload download firmware to or from a TFTP server or copy files to and from switch units in a stack By saving runtime code to a file on a TFTP server that ...

Page 97: ...le cannot be deleted Downloading System Software from a Server When downloading runtime code you can specify the destination file name to replace the current image or first download the file using a different name from the current runtime code file and then set the new file as the startup file Web Click System File Management Copy Operation Select tftp to file as the file transfer method enter the...

Page 98: ...ment Delete Select the file name from the given list by checking the tick box and click Apply Note that the file currently designated as the startup code cannot be deleted Figure 4 13 Deleting Files CLI To download new firmware form a TFTP server enter the IP address of the TFTP server select config as the file type then enter the source and destination file names When the file has finished downlo...

Page 99: ...Copies a file from a TFTP server to the switch tftp to running config Copies a file from a TFTP server to the running config tftp to startup config Copies a file from a TFTP server to the startup config file to unit Copies a file from this switch to another unit in the stack unit to file Copies a file from another unit in the stack to this switch TFTP Server IP Address The IP address of a TFTP ser...

Page 100: ...eration Choose tftp to startup config or tftp to file and enter the IP address of the TFTP server Specify the name of the file to download select a file on the switch to overwrite or specify a new file name and then click Apply Figure 4 14 Downloading Configuration Settings for Start Up If you download to a new file name using tftp to startup config or tftp to file the file is automatically set as...

Page 101: ...ied amount of time set by the Silent Time parameter before allowing the next logon attempt Range 0 120 Default 3 attempts Silent Time Sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts has been exceeded Range 0 65535 Default 0 Data Bits Sets the number of data bits per character that are interpreted and generated by the console port If pa...

Page 102: ...er byte Range 1 2 Default 1 stop bit Password 1 Specifies a password for the line connection When a connection is started on a line with password protection the system prompts for the password If you enter the correct password the system shows a prompt Default No password Login 1 Enables password checking at login You can select authentication by a single global password as configured for the Pass...

Page 103: ...eshold which limits the number of failed logon attempts When the logon attempt threshold is reached the system interface becomes silent for a specified amount of time set by the Silent Time parameter before allowing the next logon attempt Range 0 120 Default 3 attempts 4 28 CLI Enter Line Configuration mode for the console then specify the connection parameters as required To display the current c...

Page 104: ...t access then click Apply Figure 4 17 Configuring the Telnet Interface CLI Enter Line Configuration mode for a virtual terminal then specify the connection parameters as required To display the current virtual terminal settings use the show line command from the Normal Exec level Telnet Settings 4 Console config line vty Console config line login local Console config line password 0 secret Console...

Page 105: ...of debug or error messages to the logging process Default Enabled Flash Level Limits log messages saved to the switch s permanent flash memory for all levels up to the specified level For example if level 3 is specified all messages from level 0 to level 3 will be logged to flash Range 0 7 Default 3 Table 4 1 Logging Levels Level Severity Name Description 7 Debug Debugging messages 6 Informational...

Page 106: ... in the corresponding database Range 16 23 Default 23 Logging Trap Limits log messages that are sent to the remote syslog server for all levels up to the specified level For example if level 3 is specified all messages from level 0 to level 3 will be sent to the remote server Range 0 7 Default 7 Host IP List Displays the list of remote server IP addresses that will receive syslog messages The maxi...

Page 107: ...p Console config logging host 10 1 0 9 Console config logging facility 23 Console config logging trap 4 Console config logging trap Console config exit Console show logging trap Syslog logging Enabled REMOTELOG status Disabled REMOTELOG facility type local use 7 REMOTELOG level type Warning conditions REMOTELOG server ip address 10 1 0 9 REMOTELOG server ip address 0 0 0 0 REMOTELOG server ip addr...

Page 108: ...Rising 1 1 threshold 80 current 222 Configuring Event Logging 4 Sending Simple Mail Transfer Protocol Alerts To alert system administrators of problems the switch can use SMTP Simple Mail Transfer Protocol to send email messages when triggered by logging events of a specified level The messages are sent to specified SMTP servers on the network and can be retrieved using POP or IMAP clients Command...

Page 109: ...ts of alert messages You can specify up to five recipients Use the New Email Destination Address text field and the Add Remove buttons to configure the list Web Click System Log SMTP Enable SMTP specify a source email address and select the minimum severity level To add an IP address to the SMTP Server List type the new IP address in the SMTP Server field and click Add To delete an IP address clic...

Page 110: ...units are numbered sequentially down through the ring 4 35 Renumbering the Stack 4 CLI Enter the IP address of at least one SMTP server set the syslog severity level to trigger an email message and specify the switch source and up to five recipient destination email addresses Enable SMTP with the logging sendmail command to complete the configuration Use the show logging sendmail command to displa...

Page 111: ...urate time on the switch enables the system log to record meaningful dates and times for event entries You can also manually set the clock using the Current Time page as described in the next section If the clock is not set the switch will only record the time from the factory default set at the last bootup When the SNTP client is enabled the switch periodically sends a request for a time update t...

Page 112: ...nsole calendar set 16 15 58 february 1 2008 Console Configuring SNTP You can configure the switch to send time synchronization requests to time servers Command Attributes SNTP Client Configures the switch to operate as an SNTP client This requires at least one time server to be specified in the SNTP Server field Default Disabled SNTP Poll Interval Sets the interval between sending requests for a t...

Page 113: ...hen displays the current time and settings Console config sntp client Console config sntp poll 16 Console config sntp server 10 1 0 19 137 82 140 80 128 250 36 2 Console config sntp update time Console config exit Console show sntp Current time Jan 6 14 56 05 2004 Poll interval 60 Current mode unicast SNTP status Enabled SNTP server 10 1 0 19 137 82 140 80 128 250 36 2 Current server 128 250 36 2 ...

Page 114: ...fter west UTC Name Assigns a name to the time zone Range 1 29 characters Hours 0 13 The number of hours before after UTC Minutes 0 59 The number of minutes before after UTC Web Select SNTP Clock Time Zone Select one of the predefined time zones or manually set the offset for your time zone relative to the UTC and click Apply Figure 4 26 Clock Time Zone CLI This example shows how to select one of t...

Page 115: ...specify the time corresponding to your local time when summer time is in effect select the predefined summer time time zone appropriate for your location Table 4 2 Predefined Summer Time Parameters Region Australia Europe New Zealand USA Start Time Day Week Month End Time Day Week Month Rel Offset 00 00 00 Sunday Week 5 of October 23 59 59 Sunday Week 5 of March 60 min 00 00 00 Sunday Week 5 of Ma...

Page 116: ...e deviates from your regular time zone Offset Summer time offset from the regular time zone in minutes Range 0 99 minutes From Start time for summer time offset To End time for summer time offset Web Select SNTP Summer Time Select one of the configuration modes configure the relevant attributes enable summer time status and click Apply Figure 4 27 Summer Time CLI This example configures summer tim...

Page 117: ...4 4 42 Basic Management Tasks ...

Page 118: ...ously monitors the status of the switch hardware as well as the traffic passing through its ports A network management station can access this information using software such as HP OpenView Access to the onboard agent from clients using SNMP v1 and v2c is controlled by community strings To communicate with the switch the management station must first submit a valid community string for authenticat...

Page 119: ...ined noAuthNoPriv user defined AuthNoPriv user defined AuthPriv user defined Read View Write View Notify View Security defaultview none none Community string only defaultview defaultview none Community string only user defined user defined user defined Community string only defaultview none none Community string only defaultview defaultview none Community string only user defined user defined user...

Page 120: ...cess to the SNMP protocol Default strings public read only access private read write access Range 1 32 characters case sensitive Access Mode Specifies the access rights for the community string Read Only Authorized management stations are only able to retrieve MIB objects Read Write Authorized management stations are able to both retrieve and modify MIB objects Web Click SNMP Configuration Add new...

Page 121: ... that critical information is received by the host However note that informs consume more system resources because they must be kept in memory until a response is received Informs also add to network traffic You should consider these effects when deciding whether to issue notifications as traps or informs To send an inform to a SNMPv2c host complete these steps 1 Enable the SNMP agent page 5 2 2 E...

Page 122: ...Inform Notifications are sent as inform messages Note that this option is only available for version 2c and 3 hosts Default traps are used Timeout The number of seconds to wait for an acknowledgment before resending an inform message Range 0 2147483647 centiseconds Default 1500 centiseconds Retry times The maximum number of times to resend an inform message if the recipient does not acknowledge re...

Page 123: ...3 clients and then click Add Select the trap types required using the check boxes for Authentication and Link up down traps and then click Apply Figure 5 3 Configuring SNMP Trap Managers CLI This example adds a trap manager and enables authentication traps Console config snmp server host 10 1 19 23 private version 2c udp port 162 Console config snmp server enable traps authentication 5 6 24 5 24 7...

Page 124: ... authenticating and encrypting SNMPv3 packets A local engine ID is automatically generated that is unique to the switch This is referred to as the default engine ID If the local engineID is deleted or changed all SNMP users will be cleared You will need to reconfigure all existing users A new engine ID can be specified by entering 9 to 64 hexadecimal characters If an odd number of characters are s...

Page 125: ...Trap Types on page 5 4 and Configuring Remote SNMPv3 Users on page 5 11 A new engine ID can be specified by entering 9 to 64 hexadecimal characters If an odd number of characters are specified a trailing zero is added to the value to fill in the missing octet For example the value 123456789 is equivalent to 1234567890 Web Click SNMP SNMPv3 Remote Engine ID Enter an ID of up to 64 hexadecimal chara...

Page 126: ... or encryption used in SNMP communications This is the default for SNMPv3 AuthNoPriv SNMP communications use authentication but the data is not encrypted only available for the SNMPv3 security model AuthPriv SNMP communications use both authentication and encryption only available for the SNMPv3 security model Authentication Protocol The method used for user authentication Options MD5 SHA Default ...

Page 127: ...the Actions column of the users table and select the new group Figure 5 6 Configuring SNMPv3 Users CLI Use the snmp server user command to configure a new user name and assign it to a group Console config snmp server user chris group r d v3 auth md5 greenpeace priv des56 einstien Console config exit Console show snmp user EngineId 80000034030001f488f5200000 User Name chris Authentication Protocol ...

Page 128: ...ere the remote user resides Note that the remote engine identifier must be specified before you configure a remote user See Specifying a Remote Engine ID on page 5 8 Remote IP The Internet address of the remote device where the user resides Security Model The user security model SNMP v1 v2c or v3 Default v1 Security Level The security level used for the user noAuthNoPriv There is no authentication...

Page 129: ...emote SNMPv3 Users CLI Use the snmp server user command to configure a new user name and assign it to a group Console config snmp server user mark group r d remote 192 168 1 19 v3 auth md5 greenpeace priv des56 einstien 24 14 Console config exit Console show snmp user 24 15 No user exist SNMP remote user EngineId 80000000030004e2b316c54321 User Name mark Authentication Protocol none Privacy Protoc...

Page 130: ...level used for the group noAuthNoPriv There is no authentication or encryption used in SNMP communications AuthNoPriv SNMP communications use authentication but the data is not encrypted only available for the SNMPv3 security model AuthPriv SNMP communications use both authentication and encryption only available for the SNMPv3 security model Read View The configured view for read access Range 1 3...

Page 131: ...e down state from some other state but not from the notPresent state This other state is indicated by the included value of ifOperStatus 1 3 6 1 6 3 1 1 5 4 A linkUp trap signifies that the SNMP entity acting in an agent role has detected that the ifOperStatus object for one of its communication links left the down state and transitioned into some other state but not into the notPresent state This...

Page 132: ...ed 1 3 6 1 4 1 202 20 57 84 2 1 0 40 This trap is sent when an incorrect IP address is rejected by the IP Filter 1 3 6 1 4 1 202 20 57 84 2 1 0 41 This trap is triggered if the SMTP system cannot open a connection to the mail server successfully 1 3 6 1 4 1 202 20 57 84 2 1 0 56 This trap is sent when the slave board version is mismatched with the master board version This trap binds two objects t...

Page 133: ...Pv3 Groups CLI Use the snmp server group command to configure a new group specifying the security model and level and restricting MIB access to defined read and write views Console config snmp server group secure users v3 priv read defaultview write defaultview notify defaultview 24 11 Console config exit Console show snmp group 24 12 Simple Network Management Protocol 5 Group Name secure users Se...

Page 134: ...ask a specific portion of the OID string Type Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view Web Click SNMP SNMPv3 Views Click New to configure a new view In the New View page define a name and specify OID subtrees in the switch MIB to be included or excluded in the view Click Back to save the new view and return to the SNMPv3 Views li...

Page 135: ... View Name readaccess Subtree OID 1 3 6 1 2 View Type included Storage Type nonvolatile Row Status active View Name defaultview Subtree OID 1 View Type included Storage Type nonvolatile Row Status active Console 5 18 CLI Use the snmp server view command to configure a new view This example view includes the MIB 2 interfaces table and the wildcard mask selects all index entries 24 10 24 11 Simple N...

Page 136: ... read access for most configuration parameters However the administrator has write access for all parameters governing the onboard agent You should therefore assign a new administrator password as soon as possible and store it in a safe place The default guest name is guest with the password guest The default administrator name is admin with the password admin Command Attributes Account List Displ...

Page 137: ...estrict management access based on specified user names and passwords You can manually configure access rights on the switch or you can use a remote access authentication server based on RADIUS or TACACS protocols Remote Authentication Dial in Web Telnet RADIUS TACACS server console 1 Client attempts management access 2 Switch contacts authentication server 3 Authentication server challenges clien...

Page 138: ...s not available then authentication is attempted using the TACACS server and finally the local user name and password is checked Command Attributes Authentication Select the authentication or authentication sequence required Local User authentication is performed only locally by the switch Radius User authentication is performed using a RADIUS server only TACACS User authentication is performed us...

Page 139: ...b Click Security Authentication Settings To configure local or remote authentication preferences specify the authentication sequence i e one to three methods fill in the parameters for RADIUS or TACACS authentication if selected and click Apply Figure 6 2 Authentication Server Settings CLI Specify all the required parameters to enable logon authentication Console config authentication login radius...

Page 140: ... keys for encrypting and decrypting data The client and server establish a secure encrypted connection A padlock icon should appear in the status bar for Internet Explorer 5 x or above and Netscape 6 2 or above 6 5 Configuring HTTPS Console show radius server Remote RADIUS server configuration Global settings Communication key with RADIUS server Server port number 181 Retransmit times 5 Request ti...

Page 141: ...urrently support HTTPS Table 6 1 HTTPS System Support Web Browser Operating System Internet Explorer 5 0 or later Windows 98 Windows NT with service pack 6a Windows 2000 Windows XP Netscape 6 2 or later Windows 98 Windows NT with service pack 6a Windows 2000 Windows XP Solaris 2 6 Mozilla Firefox 2 0 0 0 or later Windows 2000 Windows XP Linux To specify a secure site certificate see Replacing the ...

Page 142: ...ing to be replaced by a message confirming that the connection to the switch is secure you must obtain a unique certificate and a private key and password from a recognized certification authority Note For maximum security we recommend you obtain a unique Secure Sockets Layer certificate at the earliest opportunity This is because the default certificate for the switch is not unique to the hardwar...

Page 143: ...sion 1 5 and 2 0 clients Command Usage The SSH server on this switch supports both password and public key authentication If password authentication is specified by the SSH client then the password can be authenticated either locally or via a RADIUS or TACACS remote authentication server as specified on the Authentication Settings page page 6 2 If public key authentication is specified by the clie...

Page 144: ...16643 steve 192 168 1 19 4 Set the Optional Parameters On the SSH Settings page configure the optional parameters including the authentication timeout the number of retries and the server key size 5 Enable SSH Service On the SSH Settings page enable the SSH server on the switch 6 Authentication One of the following authentication methods is employed Password Authentication for SSH v1 5 or V2 Clien...

Page 145: ...erver supports up to four client sessions The maximum number of client sessions includes both current Telnet sessions and SSH sessions Generating the Host Key Pair A host public private key pair is used to provide secure communications between an SSH client and the switch After generating this key pair you must provide the host public key to SSH clients and import the client s public key to the sw...

Page 146: ...utton is used to generate the host key pair Note that you must first generate the host key pair before you can enable the SSH server on the SSH Server Settings page Clear This button clears the host key from both volatile memory RAM and non volatile memory Flash Web Click Security SSH Host Key Settings Select the host key type from the drop down box select the option to save the host key from memo...

Page 147: ...ntication Field Attributes Public Key of user The RSA and DSA public keys for the selected user RSA The first field indicates the size of the host key e g 1024 the second field is the encoded public exponent e g 37 and the last string is the encoded modulus DSA The first field indicates that SSH version 2 was used to create the key The second field contains the key comment The third string is the ...

Page 148: ...ry to first delete the original key from the switch The import process will overwrite the existing key Delete Deletes a selected RSA or DSA public key that has already been imported to the switch Web Click Security SSH SSH User Public Key Settings Select the user name and the public key type from the respective drop down boxes input the TFTP server IP address and the public key source file name an...

Page 149: ... server includes basic settings for authentication Field Attributes SSH Server Status Allows you to enable disable the SSH server on the switch Default Disabled Version The Secure Shell version number Version 2 0 is displayed but the switch supports management access via either SSH Version 1 5 or 2 0 clients SSH Authentication Timeout Specifies the time interval in seconds that the SSH server wait...

Page 150: ...es SSH sets the authentication parameters and displays the current configuration It shows that the administrator has made a connection via SHH and then disables this connection Configuring the Secure She 6 Console config ip ssh server Console config ip ssh timeout 100 Console config ip ssh authentication retries 5 Console config ip ssh server key size 512 Console config end Console show ip ssh SSH...

Page 151: ...ed port will stop learning The MAC addresses already in the address table will be retained and will not age out Any other device that attempts to use the port will be prevented from accessing the switch Command Usage A secure port has the following restrictions It cannot be used as a member of a static or dynamic trunk It should not be connected to a network interconnection device The default maxi...

Page 152: ...y Figure 6 8 Port Security CLI This example selects the target port sets the port security action to send a trap and disable the port specifies a maximum address count and then enables port security for the port Console config interface ethernet 1 5 Console config if port security action trap and shutdown Console config if port security max mac count 20 Console config if port security Console conf...

Page 153: ...nfigured The RADIUS server and 802 1X client support EAP The switch only supports EAPOL in order to pass the EAP packets from the server to the client 6 18 Configuring 802 1X Port Authentication Network switches can provide open and easy access to network resources by simply attaching a client PC Although this automatic configuration and access is a desirable feature it also allows unauthorized pe...

Page 154: ... setting for 802 1X Web Click Security 802 1X Information Figure 6 9 802 1X Global Information CLI This example shows the default global setting for 802 1X Console show dot1x 25 32 Global 802 1X Parameters system auth control enable 802 1X Port Summary Configuring 802 1X Port Authentication 6 Port Name Status Operation Mode 1 1 disabled Single Host 1 2 disabled Single Host Mode Authorized ForceAut...

Page 155: ... become unauthorized for all hosts if one attached host fails re authentication or sends an EAPOL logoff message The number of hosts allowed access to a port operating in this mode is determined by the Max Count attribute described below In MAC Based mode each host connected to a port needs to pass authentication The number of hosts allowed access to a port operating in this mode is limited only b...

Page 156: ... added to the secure address table when seen on a switch port Static addresses are treated as authenticated without sending a request to a RADIUS server When port status changes to down all MAC addresses are cleared from the secure MAC address table Static VLAN assignments are not restored Re authentication Sets the client to be re authenticated after the interval specified by the Re authenticatio...

Page 157: ...Web Click Security 802 1X Port Configuration Modify the parameters required and click Apply Figure 6 11 802 1X Port Configuration 6 22 User Authentication 6 ...

Page 158: ... displayed in this example see show dot1x on page 25 32 Console config interface ethernet 1 2 Console config if dot1x port control auto Console config if dot1x re authentication Console config if dot1x max req 5 Console config if dot1x timeout quiet period 40 Console config if dot1x timeout re authperiod 5 Console config if dot1x timeout tx period 40 Console config if end Console show dot1x Global...

Page 159: ...ator in which the Packet Body Length field is invalid The protocol version number carried in the most recently received EAPOL frame The source MAC address carried in the most recently received EAPOL frame The number of EAPOL frames of any type that have been transmitted by this Authenticator The number of EAP Req Id frames that have been transmitted by this Authenticator The number of EAP Request ...

Page 160: ...le displays the dot1x statistics for port 4 Console show dot1x statistics interface ethernet 1 4 25 32 Eth 1 4 Rx EAPOL EAPOL EAPOL EAPOL EAP EAP EAP Start Logoff Invalid Total Resp Id Resp Oth LenError 2 0 0 1007 672 0 0 Last Last EAPOLVer EAPOLSrc 1 00 00 E8 98 73 21 6 Configuring 802 1X Port Authentication Tx EAPOL Total 2017 Console EAP EAP Req Id Req Oth 1005 0 6 25 ...

Page 161: ...ddresses either individual addresses or address ranges When entering addresses for the same group i e SNMP web or Telnet the switch will not accept overlapping address ranges When entering addresses for different groups the switch will accept overlapping address ranges You cannot delete an individual address from a specified range You must delete the entire range and reenter the addresses You can ...

Page 162: ...le config management telnet client 192 168 1 19 25 35 Console config management telnet client 192 168 1 25 192 168 1 30 Console config exit Console show management all client 25 36 Management IP Filter HTTP Client Start IP address End IP address SNMP Client Start IP address End IP address 6 Filtering IP Addresses for Management Access TELNET Client Start IP address End IP address 1 192 168 1 19 2 ...

Page 163: ...6 6 28 User Authentication ...

Page 164: ...s including Standard and Extended ACLs IPv6 Standard ACLs and IPv6 Extended ACLs For the IC40240 10G all ports share this quota For the IC40480 10G ports 1 24 share a quota of 96 rules and ports 25 50 share another quota of 96 rules since there are two switch chips in this system The order in which active ACLs are checked is as follows 1 User defined rules in IP and MAC ACLs for ingress ports are ...

Page 165: ...gure 7 1 Selecting ACL Type CLI This example creates a standard IP ACL named bill Console config access list ip standard bill Console config std acl 26 2 Configuring a Standard IPv4 ACL Command Attributes Action An ACL can contain any combination of permit or deny rules Address Type Specifies the source IP address Use Any to include all possible addresses Host to specify a specific host address in...

Page 166: ...n any combination of permit or deny rules Source Destination Address Type Specifies the source or destination IP address Use Any to include all possible addresses Host to specify a specific host address in the Address field or IP to specify a range of addresses with the Address and SubMask fields Options Any Host IP Default Any Source Destination IP Address Source or destination IP address Source ...

Page 167: ...cimal number for an equivalent binary bit mask that is applied to the control code Enter a decimal number where the equivalent binary bit 1 means to match a bit and 0 means to ignore a bit The following bits may be specified 1 fin Finish 2 syn Synchronize 4 rst Reset 8 psh Push 16 ack Acknowledgement 32 urg Urgent pointer For example use the code value and mask below to catch packets with the foll...

Page 168: ...s in subnet 10 7 1 x For example if the rule is matched i e the rule 10 7 1 0 255 255 255 0 equals the masked address 10 7 1 2 255 255 255 0 the packet passes through 2 Allow TCP packets from class C addresses 192 168 1 0 to any destination address when set for destination TCP port 80 i e HTTP 3 Permit all TCP packets from class C addresses 192 168 1 0 with the TCP control code set to SYN 7 Config...

Page 169: ...n MAC address VID VLAN ID Range 1 4093 VID Bit Mask VLAN bitmask Range 1 4093 Ethernet Type This option can only be used to filter Ethernet II formatted packets Range 600 fff hex A detailed listing of Ethernet protocol types can be found in RFC 1060 A few of the more common types include 0800 IP 0806 ARP 8137 IPX Ethernet Type Bit Mask Protocol bitmask Range 600 fff hex Packet Format This attribut...

Page 170: ...s Control Lists 7 Console config mac acl permit any host 00 e0 29 94 34 de ethertype 0800 Console config mac acl 26 13 Configuring a Standard IPv6 ACL Command Attributes Action An ACL can contain any combination of permit or deny rules Source Address Type Specifies the source IP address Use Any to include all possible addresses Host to specify a specific host address in the Address field or IPv6 p...

Page 171: ... ipv6 acl permit host 2009 DB9 2229 79 Console config std ipv6 acl permit 2009 DB9 2229 5 64 Console config std ipv6 acl 26 8 Configuring an Extended IPv6 ACL Command Attributes Action An ACL can contain any combination of permit or deny rules Destination Address Type Specifies the destination IP address Use Any to include all possible addresses or IPv6 prefix to specify a range of addresses Optio...

Page 172: ...ult quality of service or real time service see RFC 2460 Range 0 16777215 A flow label is assigned to a flow by the flow s source node New flow labels must be chosen pseudo randomly and uniformly from the range 1 to FFFFF hexadecimal The purpose of the random allocation is to make any set of bits within the Flow Label field suitable for use as a hash key by routers for looking up the state associa...

Page 173: ...is example adds three rules 1 Accepts any incoming packets for the destination 2009 DB9 2229 79 48 2 Allows packets to any destination address when the DSCP value is 5 3 Allows any packets sent to the destination 2009 DB9 2229 79 48 when the flow label is 43 Console config ext ipv6 acl permit 2009 DB9 2229 79 48 26 9 Console config ext ipv6 acl permit any dscp 5 Console config ext ipv6 acl permit ...

Page 174: ...the IPv6 ACL to bind to a port IN ACL for ingress packets ACL Name Name of the ACL Web Click Security ACL Port Binding Mark the Enable field for the port you want to bind to an ACL for ingress traffic select the required ACL from the drop down list then click Apply Figure 7 7 ACL Port Binding CLI This examples assigns an IP and MAC ingress ACL to port 1 and an IP ingress ACL to port 2 7 Binding a ...

Page 175: ...7 7 12 Access Control Lists ...

Page 176: ...ows the current speed and duplex mode Auto or fixed choice Flow Control Status Indicates the type of flow control currently in use IEEE 802 3x Back Pressure or None Autonegotiation Shows if auto negotiation is enabled or disabled Media Type 4 Shows the forced preferred port type to use for combination ports 21 24 IC40240 10G or 45 48 IC40480 10G Copper Forced SFP Forced SFP Preferred Auto Trunk Me...

Page 177: ...nsmits and receives pause frames for flow control FC Supports flow control Broadcast storm Shows if broadcast storm control is enabled or disabled Broadcast storm limit Shows the broadcast storm threshold 500 262143 packets per second Flow control Shows if flow control is enabled or disabled LACP Shows if LACP is enabled or disabled Port security Shows if port security is enabled or disabled Max M...

Page 178: ...ters Admin Allows you to manually disable an interface You can disable an interface due to abnormal behavior e g excessive collisions and then reenable it after the problem has been resolved You may also disable an interface for security reasons Speed Duplex Allows you to manually set the port speed and duplex mode i e with auto negotiation disabled Note The 1000BASE T standard does not support fo...

Page 179: ...essure jamming signals may degrade overall performance for the segment attached to the hub Default Autonegotiation enabled Advertised capabilities for 1000BASE T 10half 10full 100half 100full 1000full 1000BASE SX LX LH 1000full 10GBASE SR LR ER 10Gfull Media Type Shows the forced preferred port type to use for the combination ports IC40240 10G Ports 21 24 IC40480 10G Ports 45 48 Copper Forced Alwa...

Page 180: ...SW 13 Console config if shutdown Console config if no shutdown Console config if no negotiation Console config if speed duplex 100half Console config if negotiation Console config if capabilities 100half Console config if capabilities 100full Console config if capabilities flowcontrol Console config if exit Console config interface ethernet 1 21 Console config if media type copper forced Console c...

Page 181: ...provide redundancy by taking over the load if a port in the trunk fails However before making any physical connections between devices use the web interface or CLI to specify the trunk on the devices at both ends When using a port trunk take note of the following points Finish configuring port trunks before you connect the corresponding network cables between switches to avoid creating a loop You ...

Page 182: ...click Apply Figure 8 3 Static Trunk Configuration 8 7 8 Creating Trunk Groups statically configured active links Statically Configuring a Trunk Command Usage When configuring static trunks you may not be able to link switches of different types depending on the manufacturer s implementation However note that the static trunks on this switch are Cisco EtherChannel compatible To avoid creating a loo...

Page 183: ...it Console config interface ethernet 1 9 Console config if channel group 1 Console config if exit Console config interface ethernet 1 10 Console config if channel group 1 Console config if end Console show interfaces status port channel 1 Information of Trunk 1 Basic information 27 1 27 1 28 2 27 9 Port type Mac address Configuration Name Port admin Speed duplex Capabilities Flow control Port secu...

Page 184: ...her switch to form a trunk Creating Trunk Groups 8 27 1 28 3 27 9 8 9 Port type Mac address Configuration Port admin Speed duplex Capabilities Flow control Port security Max MAC count Current status 1000T 00 30 F1 D4 73 A2 Up Auto 10half 10full 100half 100full 1000full Disabled Disabled 0 Created by LACP Link status Up Port operation status Up Operation speed duplex 1000full Flow control type None...

Page 185: ...ity is used to determine link aggregation group LAG membership and to identify this device to other switches during LAG negotiations Range 0 65535 Default 32768 Ports must be configured with the same system priority to join the same LAG System priority is combined with the switch s MAC address to form the LAG identifier This identifier is used to indicate a specific LAG during LACP negotiations wi...

Page 186: ...these settings for the Port Partner Be aware that these settings only affect the administrative state of the partner and will not take effect until the next time an aggregate link is formed with this device After you have completed setting the port LACP parameters click Apply Figure 8 5 LACP Aggregation Port 8 11 Creating Trunk Groups 8 ...

Page 187: ... 1 28 4 28 5 28 6 28 7 1 3 00 00 E9 31 31 31 2 32768 00 00 E9 31 31 31 3 32768 00 00 E9 31 31 31 28 7 Console config interface ethernet 1 1 Console config if lacp actor system priority 3 Console config if lacp actor admin key 120 Console config if lacp actor port priority 128 Console config if exit Console config interface ethernet 1 10 Console config if lacp actor system priority 3 Console config...

Page 188: ...et Type value but contain an unknown PDU or 2 are addressed to the Slow Protocols group MAC Address but do not carry the Slow Protocols Ethernet Type Marker I legal Pkts Number of frames that carry the Slow Protocols Ethernet Type value but contain a badly formed PDU or an illegal value of Protocol Subtype Web Click Port LACP Port Counters Information Select a member port to display the correspond...

Page 189: ...k is enabled i e collection is currently enabled and is not expected to be disabled in the absence of administrative changes or changes in received protocol information Synchronization The System considers this link to be IN_SYNC i e it has been allocated to the correct Link Aggregation Group the group has been associated with a compatible Aggregator and the identity of the Link Aggregation Group ...

Page 190: ... and operational state for the local side of port channel 1 Creating Trunk Groups 8 Console show lacp 1 internal Port channel 1 28 7 Oper Key 3 Admin Key 0 Eth 1 2 LACPDUs Internal 30 sec LACP System Priority 32768 LACP Port Priority 32768 Admin Key 3 Oper Key 3 Admin State defaulted aggregation long timeout LACP activity Oper State distributing collecting synchronization aggregation long timeout ...

Page 191: ...ed to this aggregation port by the port s protocol partner Port Admin Priority Current administrative value of the port priority for the protocol partner Port Oper Priority Priority value assigned to this aggregation port by the partner Admin Key Current administrative value of the Key for the protocol partner Oper Key Current operational value of the Key for the protocol partner Admin State Admin...

Page 192: ...t type 1000BASE T SFP or 10G Protect Status Shows whether or not broadcast storm control has been enabled Default Enabled Threshold Threshold as percentage of port bandwidth Options 500 262143 packets per second Default 500 pps Trunk 6 Shows if port is a trunk member 6 Port Broadcast Control 7 Trunk Broadcast Control 8 17 Eth 1 2 Partner Admin System ID 32768 00 00 00 00 00 00 Partner Oper System ...

Page 193: ...Disable 1000M bits per second VLAN membership mode Hybrid Ingress rule Disabled Acceptable frame type All frames Native VLAN 1 Priority for untagged traffic 0 GVRP status Disabled Allowed VLAN 1 u Forbidden VLAN Console 8 18 Web Click Port Port Broadcast Control or Trunk Broadcast Control Check the Enabled box for any interface set the threshold and click Apply Figure 8 9 Port Broadcast Control CL...

Page 194: ...traffic to mirror to the target port Rx receive Tx transmit or Both Default Rx Target Unit The unit whose port will duplicate or mirror the traffic on the source port Range 1 8 Target Port The port that will mirror the traffic from the source port Range 1 26 50 Web Click Port Mirror Port Configuration Specify the source port the traffic type to be mirrored and the monitor port then click Add Figur...

Page 195: ...re to verify conformity Non conforming traffic is dropped conforming traffic is forwarded without any changes Command Attribute Rate Limit Sets the output rate limit for an interface Default Status Disabled Default Rate Gigabit Ethernet 1000 Mbps Range Gigabit Ethernet 1 1000 Mbps Note Rate limits are not supported for the 10 Gigabit Ethernet ports 8 20 CLI Use the interface command to select the ...

Page 196: ...he individual interfaces and click Apply Figure 8 11 Rate Limit Configuration CLI This example sets the rate limit for input and output traffic passing through port 1 to 600 Mbps 8 Configuring Rate Limits Console config interface ethernet 1 1 Console config if rate limit input 600 Console config if rate limit output 600 Console config if 27 1 30 1 8 21 ...

Page 197: ...ch were addressed to a multicast address at this sub layer including those that were discarded or not sent The total number of packets that higher level protocols requested be transmitted and which were addressed to a broadcast address at this sub layer including those that were discarded or not sent Showing Port Statistics You can display standard statistics on network traffic from the Interfaces...

Page 198: ...ier sense condition was lost or never asserted when attempting to transmit a frame A count of times that the SQE TEST ERROR message is generated by the PLS sublayer for a particular interface A count of frames received on a particular interface that exceed the maximum permitted frame size A count of frames for which the first transmission attempt on a particular interface is delayed because the me...

Page 199: ...rmed The total number of frames received that were less than 64 octets in length excluding framing bits but including FCS octets and had either an FCS or alignment error The total number of frames including bad packets received and transmitted that were 64 octets in length excluding framing bits but including FCS octets The total number of frames including bad packets received and transmitted wher...

Page 200: ...k Port Port Statistics Select the required interface and click Query You can also use the Refresh button at the bottom of the page to update the screen Figure 8 12 Port Statistics 8 25 Showing Port Statistics 8 ...

Page 201: ...e Collision frames 0 Multiple collision frames 0 SQE Test errors 0 Deferred transmissions 0 Late collisions 0 Excessive collisions 0 Internal mac transmit errors 0 Internal mac receive errors 0 Frame too longs 0 Carrier sense errors 0 Symbol errors 0 RMON stats Drop events 0 Octets 4422579 Packets 31552 Broadcast pkts 238 Multi cast pkts 17033 Undersize pkts 0 Oversize pkts 0 Fragments 0 Jabbers 0...

Page 202: ...n be assigned to a specific interface on this switch Static addresses are bound to the assigned interface and will not be moved When a static address is seen on another interface the address will be ignored and will not be written to the address table Command Attributes Static Address Counts 8 The number of manually configured addresses Current Static Address Table Lists all the static addresses I...

Page 203: ...oring the source address for traffic entering the switch When the destination address for inbound traffic is found in the database the packets intended for that address are forwarded directly to the associated port Otherwise the traffic is flooded to all ports Command Attributes Interface Indicates a port or trunk MAC Address Physical address associated with this interface VLAN ID of configured VL...

Page 204: ...the displayed addresses and then click Query Figure 9 2 Dynamic Addresses CLI This example also displays the address table entries for port 1 Displaying the Address Table 9 Console show mac address table interface ethernet 1 1 Interface Mac Address Vlan Type 31 3 9 3 Eth 1 1 00 E0 29 94 34 DE Eth 1 1 00 20 9C 23 CD 60 Console 1 Permanent 2 Learned ...

Page 205: ...on Aging Time The time after which a learned entry is discarded Range 10 1000000 seconds Default 300 seconds Web Click Address Table Address Aging Specify the new aging time click Apply Figure 9 3 Address Aging CLI This example sets the aging time to 400 seconds Console config mac address table aging time 400 Console config 9 4 31 4 Address Table Settings 9 ...

Page 206: ...t LAN to the root device All ports connected to designated bridging devices are assigned as designated ports After determining the lowest cost spanning tree it enables all root ports and designated ports and disables all other ports Network packets are therefore only forwarded between root ports and designated ports eliminating any possible network loops Designated Root Root Port x x Designated Po...

Page 207: ...s IST for this Region Region R MST 1 MST 2 An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers including the Region Name Revision Level and Configuration Digest see Configuring Multiple Spanning Trees on page 16 An MST Region may contain multiple MSTP Instances An Internal Spanning Tree IST is used to connect all the MSTP switches within an ...

Page 208: ...onfiguration message Forward Delay The maximum time in seconds the root device will wait before changing states i e discarding to learning to forwarding This delay is required because every device must receive information about topology changes before it starts to forward frames In addition each port needs time to listen for conflicting information that would make it return to a discarding state o...

Page 209: ...ted from among the device ports attached to the network References to ports in this section means interfaces which includes both ports and trunks Root Forward Delay The maximum time in seconds this device will wait before changing states i e discarding to learning to forwarding This delay is required because every device must receive information about topology changes before it starts to forward f...

Page 210: ...ng Eth 1 1 information Admin Status Enabled Role root State forwarding External Admin Path Cost 0 Internal Admin Path Cost 0 External Oper Path Cost 100000 Internal Oper Path Cost 100000 Priority 128 Designated Cost 0 Designated Port 128 15 Designated Root 32768 0 0001ECF8D8C6 Designated Bridge 32768 0 0001ECF8D8C6 Fast Forwarding Disabled Forward Transitions 1 Admin Edge Port Disabled Oper Edge P...

Page 211: ...ree Protocol To allow multiple spanning trees to operate over the network you must configure a related set of bridges with the same MSTP configuration allowing them to participate in a specific set of spanning tree instances A spanning tree instance can exist only on bridges that have compatible VLAN instance assignments Be careful when switching between spanning tree modes Changing modes stops al...

Page 212: ...The higher of 6 or 2 x Hello Time 1 Maximum The lower of 40 or 2 x Forward Delay 1 Forward Delay The maximum time in seconds this device will wait before changing states i e discarding to learning to forwarding This delay is required because every device must receive information about topology changes before it starts to forward frames In addition each port needs time to listen for conflicting inf...

Page 213: ... other words this key is a mapping of all VLANs to the CIST Region Revision 10 The revision for this MSTI Range 0 65535 Default 0 Region Name 10 The name for this MSTI Maximum length 32 characters Max Hop Count The maximum number of hops allowed in the MST region before a BPDU is discarded Range 1 40 Default 20 10 The MST name and revision number are both required to uniquely identify an MST regio...

Page 214: ...Web Click Spanning Tree STA Configuration Modify the required attributes and click Apply Figure 10 2 STA Global Configuration 10 9 Configuring Global Settings 10 ...

Page 215: ...e of them change state to learning and then to forwarding Forward Transitions The number of times this port has transitioned from the Learning state to the Forwarding state Designated Cost The cost for a packet to travel from this port to the root in the current Spanning Tree configuration The slower the media the higher the cost Designated Bridge The bridge priority and MAC address of the device ...

Page 216: ... on page 10 13 Oper Edge Port This parameter is initialized to the setting for Admin Edge Port in STA Port Configuration on page 10 13 i e true or false but will be set to false if a BPDU is received indicating that another bridge is attached to this port Port Role Roles are assigned according to whether the port is part of the active topology connecting the bridge to the root bridge i e root port...

Page 217: ...vice Fast forwarding This field provides the same information as Admin Edge port and is only included for backward compatibility with earlier products Admin Edge Port You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node Since end nodes cannot cause forwarding loops they can pass directly through to the spanning tree forwardin...

Page 218: ...dia connection and edge port to indicate if the attached device can support fast forwarding References to ports in this section means interfaces which includes both ports and trunks Command Attributes The following attributes are read only and cannot be changed STA State Displays current state of this port within the Spanning Tree See Displaying Interface Settings on page 10 10 for additional info...

Page 219: ...path cost according to the values shown below Path cost 0 is used to indicate auto configuration mode Table 10 4 Recommended STA Path Cost Range Port Type Gigabit Ethernet 10G Ethernet Short Path Cost IEEE 802 1D 1998 2 000 65 535 200 20 000 Long Path Cost 802 1D 2004 2 000 200 000 200 20 000 Use the STA Configuration screen page 10 6 to set the path cost method Table 10 5 Default STA Path Costs P...

Page 220: ...ou can also use the Protocol Migration button to manually re check the appropriate BPDU format RSTP or STP compatible to send on the selected interfaces Default Disabled Web Click Spanning Tree STA Port Configuration or Trunk Configuration Modify the required attributes then click Apply Figure 10 6 STA Port Configuration CLI This example sets STA attributes for port 7 Console config interface ethe...

Page 221: ...es 1 Set the spanning tree type to MSTP STA Configuration page 10 6 2 Enter the spanning tree priority for the selected MST instance MSTP VLAN Configuration 3 Add the VLANs that will share this MSTI MSTP VLAN Configuration Note All VLANs are automatically added to the IST Instance 0 To ensure that the MSTI maintains connectivity across the network you must configure a related set of bridges with t...

Page 222: ...0 17 Console show spanning tree mst 1 Spanning tree information Spanning Tree Mode MSTP Spanning Tree Enabled Disabled Enabled Instance 1 VLANs Configuration 1 Priority 32768 Bridge Hello Time sec 2 Bridge Max Age sec 20 Bridge Forward Delay sec 15 Root Hello Time sec 2 Root Max Age sec 20 Root Forward Delay sec 15 Max Hops 20 Remaining Hops 20 Designated Root 32768 1 0000E8900000 Current Root Por...

Page 223: ...nal Oper Path Cost Internal Oper Path Cost Priority Designated Cost Designated Port Designated Root Designated Bridge Fast Forwarding Forward Transitions Admin Edge Port Oper Edge Port Admin Link Type Oper Link Type Spanning Tree Status 10000 10000 128 0 128 23 32768 1 0000E8900000 32768 1 0000E8900000 Disabled 2 Disabled Disabled auto Point to point Enabled 33 7 33 9 33 8 Spanning Tree Algorithm ...

Page 224: ... followed by settings for each port The settings for instance 0 are global settings that apply to the IST page 10 3 the settings for other instances only apply to the local spanning tree 33 18 10 19 Console show spanning tree mst 0 Spanning tree information Spanning Tree Mode MSTP Spanning Tree Enabled Disabled Enabled Instance 0 VLANs Configuration 2 4093 Priority 32768 Bridge Hello Time sec 2 Br...

Page 225: ...k STA Port Configuration only The following interface attributes can be configured MST Instance ID Instance identifier to configure Range 0 4094 Default 0 Priority Defines the priority used for this port in the Spanning Tree Protocol If the path cost for all ports on a switch are the same the port with the highest priority i e lowest value will be configured as an active link in the Spanning Tree ...

Page 226: ... to ports with slower media Path cost takes precedence over port priority Note that when the Path Cost Method is set to short page 3 63 the maximum path cost is 65 535 By default the system automatically detects the speed and duplex mode used on each port and configures the path cost according to the values shown below Path cost 0 is used to indicate auto configuration mode Table 10 9 Recommended ...

Page 227: ...MSTP attributes for port 4 Console config interface ethernet 1 4 Console config if spanning tree mst port priority 0 Console config if spanning tree mst cost 50 Console config if 10 22 27 1 33 17 33 16 Spanning Tree Algorithm 10 ...

Page 228: ...tly provide a high level of network security since traffic must pass through a configured Layer 3 link to reach a different VLAN This switch supports the following VLAN features Up to 4093 VLANs based on the IEEE 802 1Q standard Distributed VLAN learning across multiple switches using explicit or implicit tagging and GVRP protocol Port overlapping allowing a port to participate in multiple VLANs E...

Page 229: ...Protocol defines a system whereby the switch can automatically learn the VLANs to which each end station should be assigned If an end station or its network adapter supports the IEEE 802 1Q VLAN protocol it can be configured to broadcast a message to your network indicating the VLAN groups it wants to join When this switch receives these messages it will automatically place the receiving port in t...

Page 230: ... the switch receives a tagged frame it will pass this frame onto the VLAN s indicated by the frame tag However when this switch receives an untagged frame from a VLAN unaware device it first decides where to forward the frame and then inserts a VLAN tag reflecting the ingress port s default VID 11 3 these hosts and core switches in the network enable GVRP on the links between these devices You sho...

Page 231: ... Web Only 11 4 Enabling or Disabling GVRP Global Setting GARP VLAN Registration Protocol GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network VLANs are dynamically configured based on join messages issued by host devices and propagated throughout the network GVRP must be enabled to permit automatic VLAN registration and to suppo...

Page 232: ...w this VLAN was added to the switch Dynamic GVRP Automatically learned via GVRP Permanent Added as a static entry Egress Ports Shows all the VLAN port members Untagged Ports Shows the untagged VLAN port members Web Click VLAN 802 1Q VLAN Current Table Select any ID from the scroll down list Figure 11 3 VLAN Current Table 11 5 IEEE 802 1Q VLANs CLI Enter the following command Console show bridge ex...

Page 233: ...N Static List to create or remove VLAN groups To propagate information about VLAN groups used on this switch to external network devices you must specify a VLAN ID for each of these groups Command Attributes Current Lists all the current VLAN groups created for this system Up to 4093 VLAN groups can be defined VLAN 1 is the default untagged VLAN New Allows you to specify the name and numeric ident...

Page 234: ...tic R D Active Adding Static Members to VLANs VLAN Index Use the VLAN Static Table to configure port members for the selected VLAN index Assign ports as tagged if they are connected to 802 1Q VLAN compliant devices or untagged they are not connected to any VLAN aware devices Or configure a port as forbidden to prevent the switch from automatically adding it to a VLAN via the GVRP protocol Notes 1 ...

Page 235: ... tag and therefore not carry VLAN or CoS information Note that an interface must be assigned to at least one group as an untagged port Forbidden Interface is forbidden from automatically joining the VLAN via GVRP For more information see Automatic VLAN Registration on page 11 2 None Interface is not a member of the VLAN Packets associated with this VLAN will not be transmitted by the interface Tru...

Page 236: ...interface After configuring VLAN membership for each interface click Apply Figure 11 6 VLAN Static Membership by Port CLI This example adds Port 3 to VLAN 1 as a tagged port and removes Port 3 from VLAN 2 Console config interface ethernet 1 3 Console config if switchport allowed vlan add 1 tagged Console config if switchport allowed vlan remove 2 Console config if 27 1 34 11 11 9 IEEE 802 1Q VLANs...

Page 237: ...ames that are untagged are assigned to the default VLAN Option All Tagged Default All Ingress Filtering Determines how to process frames tagged for VLANs for which the ingress port is not a member Default Disabled Ingress filtering only affects tagged frames If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member these frames will be flooded to all...

Page 238: ...ult Hybrid 1Q Trunk Specifies a port as an end point for a VLAN trunk A trunk is a direct link between two switches so the port transmits tagged frames that identify the source VLAN Note that frames belonging to the port s default VLAN i e associated with the PVID are also transmitted as tagged frames Hybrid Specifies a hybrid VLAN interface The port may transmit tagged or untagged frames Trunk Me...

Page 239: ...ace by using a VLAN in VLAN hierarchy preserving the customer s original tagged packets and adding SPVLAN tags to each frame also called double tagging A port configured to support QinQ tunneling must be set to tunnel port mode The Service Provider VLAN SPVLAN ID for the specific customer must be assigned to the QinQ tunnel access port on the edge switch where the customer traffic enters the servi...

Page 240: ...the outer tag is an SPVLAN tag and the inner tag is a dummy tag 8100 0000 If the incoming packet is tagged the outer tag is an SPVLAN tag and the inner tag is a CVLAN tag 11 13 When a double tagged packet enters another trunk port in an intermediate or core switch in the service provider s network the outer tag is stripped for packet processing When the packet exits another trunk port on the same ...

Page 241: ... be configured on a per port basis and the verification cannot be disabled 3 If the ether type of an incoming packet single or double tagged is equal to the TPID of the uplink port no new VLAN tag is added If the uplink port is not the member of the outer VLAN of the incoming packets the packet will be dropped when ingress filtering is enabled If ingress filtering is not enabled the packet will st...

Page 242: ...ltering is automatically disabled on a tunnel port General Configuration Guidelines for QinQ 1 Configure the switch to QinQ mode see Enabling QinQ Tunneling on the Switch on page 11 16 2 Set the Tag Protocol Identifier TPID value of the tunnel access port This step is required if the attached client is using a nonstandard 2 byte ethertype to identify 802 1Q tagged frames The default ethertype valu...

Page 243: ...ontaining that ethertype are assigned to the VLAN contained in the tag following the ethertype field as they would be with a standard 802 1Q trunk Frames arriving on the port containing any other ethertype are looked upon as untagged frames and assigned to the native VLAN of that port All ports on the switch will be set to the same ethertype Command Attributes 802 1Q Tunnel Status Sets the switch ...

Page 244: ...el Configures IEEE 802 1Q tunneling QinQ for a client access port to segregate and preserve customer VLAN IDs for traffic crossing the service provider network 802 1Q Tunnel Uplink Configures IEEE 802 1Q tunneling QinQ for an uplink port to another device within the service provider network Trunk Member Shows if a port is a member or a trunk 11 17 Configuring IEEE 802 1Q Tunneling CLI This example...

Page 245: ... VLAN Configuration 11 The dot1q tunnel mode of the set interface 1 1 is Normal mode TPID is 0x9100 The dot1q tunnel mode of the set interface 1 2 is Access mode TPID is 0x9100 The dot1q tunnel mode of the set interface 1 3 is Uplink mode TPID is 0x9100 The dot1q tunnel mode of the set interface 1 4 is Normal mode TPID is 0x9100 The dot1q tunnel mode of the set interface 1 5 is Normal mode TPID is...

Page 246: ...ink ports Web Click VLAN Private VLAN Link Status Mark the ports that will serve as uplinks and downlinks for the private VLAN then click Apply Figure 11 9 Private VLAN Link Status 11 19 Enabling Private VLANs Use the Private VLAN Status page to enable disable the Private VLAN function Web Click VLAN Private VLAN Status Select Enable or Disable from the scroll down box and click Apply Figure 11 8 ...

Page 247: ...LAN for each major protocol running on your network Do not add port members at this time 2 Create a protocol group for each of the protocols you want to assign to a VLAN using the Protocol VLAN Configuration page 3 Then map the protocol for each interface to the appropriate VLAN using the Protocol VLAN Port Configuration page Configuring Protocol Groups Create a protocol group for one or more prot...

Page 248: ... group to a VLAN for each interface that will participate in the group Command Usage When creating a protocol based VLAN only assign interfaces using this configuration screen If you assign interfaces using any of the other VLAN menus such as the VLAN Static Table page 7 or VLAN Static Membership by Port menu page 9 these interfaces will admit traffic of any protocol type into the associated VLAN ...

Page 249: ...VLAN Port Configuration Select a a port or trunk enter a protocol group ID the corresponding VLAN ID and click Apply Figure 11 11 Protocol VLAN Port Configuration CLI The following maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 3 Console config interface ethernet 1 1 Console config if protocol vlan protocol group 1 vlan 3 Console config if 11...

Page 250: ...globally on the switch Default Disabled Transmission Interval Configures the periodic transmit interval for LLDP advertisements Range 5 32768 seconds Default 30 seconds This attribute must comply with the following rule Transmission Interval Hold Time Multiplier 65536 and Transmission Interval 4 Delay Interval Hold Time Multiplier Configures the time to live TTL value sent in LLDP advertisements a...

Page 251: ...lies to SNMP applications which use data stored in the LLDP MIB for network monitoring or management Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted Only state changes that exist at the time of a notification are included in the transmission An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect ...

Page 252: ...ors that occur between SNMP notifications is not transmitted Only state changes that exist at the time of a trap notification are included in the transmission An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification events missed due to throttling or transmission loss TLV Type Configures the information included i...

Page 253: ...y a number of different addresses associated with a Layer 3 device an individual LLDP PDU may contain more than one management address TLV Every management address TLV that reports an address that is accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier VID associated with the management address r...

Page 254: ... IETF RFC 2863 Locally assigned locally assigned Chassis ID An octet string indicating the specific identifier for the particular chassis in this system System Name An string that indicates the system s administratively assigned name see Displaying System Information on page 4 1 System Description A textual description of the network entity This field is also displayed by the show system command 1...

Page 255: ...Management Address The management address protocol packet includes the IPv4 address of the switch If no management address is available the address should be the MAC address for the CPU or for the port sending this advertisement Interface Settings The attributes listed below apply to both port and trunk interface types When a trunk is listed the descriptions apply to the first port of the trunk Po...

Page 256: ...idge System Capabilities Enable Bridge Management Address 192 168 0 101 IPv4 LLDP Port Information Interface PortID Type PortID PortDesc Eth 1 1 MAC Address 00 01 02 03 04 06 Ethernet Port on unit 1 port 1 Eth 1 2 MAC Address 00 01 02 03 04 07 Ethernet Port on unit 1 port 2 Eth 1 3 MAC Address 00 01 02 03 04 08 Ethernet Port on unit 1 port 3 Eth 1 4 MAC Address 00 01 02 03 04 09 Ethernet Port on u...

Page 257: ... information through LLDP Field Attributes Local Port The local port to which a remote LLDP capable device is attached Chassis ID An octet string indicating the specific identifier for the particular chassis in this system Port ID A string that contains the specific identifier for the port from which this LLDPDU was transmitted Port Name A string that indicates the port s description If RFC 2863 i...

Page 258: ... Table 12 1 Chassis ID Subtype on page 12 5 Chassis ID An octet string indicating the specific identifier for the particular chassis in this system Port Type Indicates the basis for the identifier that is listed in the Port ID field Table 12 3 Port ID Subtype ID Basis Reference Interface alias IfAlias IETF RFC 2863 Chassis component EntPhysicalAlias when entPhysClass has a value of chassis 3 IETF ...

Page 259: ...ich are currently enabled Refer to the preceding table See Table 12 2 System Capabilities on page 12 6 Management Address The IPv4 address of the remote device If no management address is available the address should be the MAC address for the CPU or for the port sending this advertisement Web Click LLDP Remote Information Details Select an interface from the drop down lists and click Query Figure...

Page 260: ...General Statistics on Remote Devices Neighbor Entries List Last Updated The time the LLDP neighbor entry list was last updated New Neighbor Entries Count The number of LLDP neighbors for which the remote TTL has not yet expired Neighbor Entries Deleted Count The number of LLDP neighbors which have been removed from the LLDP remote systems MIB for any reason Neighbor Entries Dropped Count The numbe...

Page 261: ...how lldp info statistics 32 18 LLDP Device Statistics Neighbor Entries List Last Updated 2450279 seconds New Neighbor Entries Count 1 Neighbor Entries Deleted Count 0 Neighbor Entries Dropped Count 0 Neighbor Entries Ageout Count 0 Interface NumFramesRecvd NumFramesSent NumFramesDiscarded Eth 1 1 10 11 0 Eth 1 2 0 0 0 Eth 1 3 0 0 0 Eth 1 4 0 0 0 Eth 1 5 0 0 0 Link Layer Discovery Protocol 12 12 12...

Page 262: ...detectable errors Frames Received Number of LLDP PDUs received Frames Sent Number of LLDP PDUs transmitted TLVs Unrecognized A count of all TLVs not recognized by the receiving LLDP local agent TLVs Discarded A count of all LLDPDUs received and then discarded due to insufficient memory space missing or out of sequence attributes or any other reason Neighbor Ageouts A count of the times that a neig...

Page 263: ...specific port this switch switch show lldp info statistics detail ethernet 1 1 32 18 LLDP Port Statistics Detail PortName Eth 1 1 Frames Discarded 0 Frames Invalid 0 Frames Received 12 Frames Sent 13 TLVs Unrecognized 0 TLVs Discarded 0 Neighbor Ageouts 0 switch 12 14 Link Layer Discovery Protocol 12 ...

Page 264: ...into the appropriate priority queue at the output port Command Usage This switch provides eight priority queues for each port It uses Weighted Round Robin to prevent head of queue blockage The default priority applies for an untagged frame received on a port set to accept all frame types i e receives both untagged and tagged frames This priority does not apply to IEEE 802 1Q VLAN tagged frames If ...

Page 265: ... default 5 Console config if end Console show interfaces switchport ethernet 1 3 Information of Eth 1 3 Broadcast threshold Enabled 500 packets second LACP status Disabled Ingress rate limit Disable 1000M bits per second Egress rate limit Disable 1000M bits per second VLAN membership mode Hybrid Ingress rule Disabled Acceptable frame type All frames Native VLAN 1 Priority for untagged traffic 5 GV...

Page 266: ...Command Attributes Priority CoS value Range 0 7 where 7 is the highest priority Traffic Class 16 Output queue buffer Range 0 7 where 7 is the highest CoS priority queue 16 CLI shows Queue ID 13 3 Mapping CoS Values to Egress Queues This switch processes Class of Service CoS priority tagged traffic by using eight priority queues for each port with service schedules based on strict or Weighted Round...

Page 267: ...ue cos map 0 0 Console config queue cos map 1 1 Console config queue cos map 2 2 Console config exit Console show queue cos map Information of Eth 1 1 CoS Value 0 1 2 3 4 5 6 7 Priority Queue 0 1 2 3 4 5 6 7 Information of Eth 1 2 CoS Value 0 1 2 3 4 5 6 7 Priority Queue 0 1 2 3 4 5 6 7 27 1 35 4 35 6 Class of Service 13 Mapping specific values for CoS priorities is implemented as an interface con...

Page 268: ...ing that can occur with strict priority queuing Command Attributes WRR Weighted Round Robin shares bandwidth at the egress ports by using scheduling weights 1 2 4 6 8 10 12 14 for queues 0 through 7 respectively This is the default selection Strict Services the egress queues in sequential order transmitting all traffic in the higher priority queues before servicing lower priority queues Web Click ...

Page 269: ...rresponding traffic priorities This weight sets the frequency at which each queue will be polled for service and subsequently affects the response time for software applications assigned a specific priority value Command Attributes WRR Setting Table 17 Displays a list of weights for each traffic class i e queue Weight Value Set a new weight for the selected traffic class Range 1 15 Web Click Prior...

Page 270: ...The precedence for priority mapping is IP Port Priority IP Precedence or DSCP Priority and then Default Port Priority IP Precedence and DSCP Priority cannot both be enabled Enabling one of these priority types will automatically disable the other Selecting IP Precedence DSCP Priority The switch allows you to choose between using IP Precedence or DSCP priority Select one of the methods or disable t...

Page 271: ... Precedence Priority Level Traffic Type Priority Level Traffic Type 7 Network Control 3 Flash 6 Internetwork Control 2 Immediate 5 Critical 1 Priority 4 Flash Override 0 Routine Command Attributes IP Precedence Priority Table Shows the IP Precedence to CoS map Class of Service Value Maps a CoS value to the selected IP Precedence value Note that 0 represents low priority and 7 represent high priori...

Page 272: ...nce settings Console config map ip precedence Console config interface ethernet 1 1 Console config if map ip precedence 1 cos 0 Console config if end Console show map ip precedence ethernet 1 1 Precedence mapping status disabled Port Precedence COS 35 8 27 1 35 9 35 12 13 9 Eth 1 1 Eth 1 1 Eth 1 1 Eth 1 1 Eth 1 1 Eth 1 1 Eth 1 1 Eth 1 1 Console 0 0 1 0 2 2 3 3 4 4 5 5 6 6 7 7 Mapping specific valu...

Page 273: ...at all the DSCP values that are not specified are mapped to CoS value 0 Table 13 4 Mapping DSCP Priority IP DSCP Value CoS Value 0 0 8 1 10 12 14 16 2 18 20 22 24 3 26 28 30 32 34 36 4 38 40 42 5 48 6 46 56 7 Command Attributes DSCP Priority Table Shows the DSCP Priority to CoS map Class of Service Value Maps a CoS value to the selected DSCP Priority value Note that 0 represents low priority and 7...

Page 274: ...value for a new IP port Note that 0 represents low priority and 7 represent high priority Note Up to 8 entries can be specified IP Port Priority settings apply to all interfaces Web Click Priority IP Port Priority Status Set IP Port Priority Status to Enabled Figure 13 8 IP Port Priority Status 13 11 CLI The following example globally enables DSCP Priority service on the switch maps DSCP value 0 t...

Page 275: ...ort 1 to CoS value 0 and then displays the IP Port Priority settings Console config map ip port Console config interface ethernet 1 1 Console config if map ip port 80 cos 0 Console config if end Console show map ip port ethernet 1 5 TCP port mapping status disabled Port Port no COS Eth 1 1 80 0 Console Mapping specific values for IP Port Priority is implemented as an interface configuration comman...

Page 276: ...he resources allocated to different traffic classes The manner in which an individual device handles traffic in the DiffServ architecture is called per hop behavior All devices along a path should be configured in a consistent manner to construct a consistent end to end QoS solution Notes 1 You can configure up to 16 rules per Class Map You can also include multiple classes in a Policy Map 2 You s...

Page 277: ...on of a class map Range 1 16 characters for the name 1 64 characters for the description Edit Rules Opens the Match Class Settings page for the selected class entry Modify the criteria used to classify ingress traffic on this page Add Class Opens the Class Configuration page Enter a class name and description on this page and click Add to open the Match Class Settings page Enter the criteria used ...

Page 278: ...Add Adds specified criteria to the class Up to 16 items are permitted per class Remove Deletes the selected criteria from the class Web Click QoS DiffServ then click Add Class to create a new class or Edit Rules to change the rules of an existing class Figure 14 1 Configuring Class Maps 14 3 Configuring Quality of Service Parameters 14 ...

Page 279: ... Standard ACL and Extended ACL IPv6 Standard ACL and IPv6 Extended ACL This limitation applies to each switch chip IC40240 10G ports 1 26 IC40480 10G ports 1 25 ports 26 50 Also note that the maximum number of classes that can be applied to a policy map is 16 Policing is based on a token bucket where bucket depth i e the maximum burst before the bucket overflows is by specified the Burst field and...

Page 280: ...d Action Specifies whether the traffic that exceeds the specified rate will be dropped or the DSCP service level will be reduced Remove Class Deletes a class Policy Options Class Name Name of class map Action Configures the service provided to ingress traffic by setting a CoS DSCP or IP Precedence value in a matching packet as specified in Match Class Settings on page 14 2 Range CoS 0 7 DSCP 0 63 ...

Page 281: ...Serv Policy Map to display the list of existing policy maps To add a new policy map click Add Policy To configure the policy rule settings click Edit Classes Figure 14 2 Configuring Policy Maps 14 6 Quality of Service 14 ...

Page 282: ...lick QoS DiffServ Service Policy Settings Check Enabled and choose a Policy Map for a port from the scroll down box then click Apply Figure 14 3 Service Policy Settings CLI This example applies a service policy to an ingress interface CLI This example creates a policy map called rd policy sets the average bandwidth the 1 Mbps the burst rate to 1522 bps and the response to reduce the DSCP value for...

Page 283: ...14 14 8 Quality of Service ...

Page 284: ...ighboring multicast switch router to ensure that it will continue to receive the multicast service The purpose of IP multicast filtering is to optimize a switched network s performance so multicast packets will only be forwarded to those ports containing multicast group hosts or multicast routers switches instead of flooding traffic to all ports in the subnet VLAN 15 1 Chapter 15 Multicast Filteri...

Page 285: ...iltered from sources in the Exclude list and forwarded from all other available sources Notes 1 When the switch is configured to use IGMPv3 snooping the snooping version may be downgraded to version 2 or version 1 depending on the version of the IGMP query packets detected on each VLAN 2 IGMP snooping will not function unless a multicast router port is enabled on the switch This can be accomplishe...

Page 286: ...y ask their hosts if they want to receive multicast traffic If there is more than one router switch on the LAN performing IP multicasting one of these devices is elected querier and assumes the role of querying the LAN for group members It then propagates the service requests on to any upstream multicast switch router to ensure that it will continue to receive the multicast service Note Multicast ...

Page 287: ...own below Figure 15 1 IGMP Configuration CLI This example modifies the settings for multicast filtering and then displays the current status Console config ip igmp snooping Console config ip igmp snooping querier Console config ip igmp snooping query count 10 Console config ip igmp snooping query interval 100 Console config ip igmp snooping query max response time 20 Console config ip igmp snoopin...

Page 288: ...ry Parameters on page 15 3 If immediate leave is enabled the switch assumes that only one host is connected to the interface Therefore immediate leave should only be enabled on an interface if it is connected to only one IGMP enabled device either a service host or a neighbor running IGMP snooping Immediate leave is only effective if IGMP snooping is enabled and IGMPv2 or IGMPv3 snooping is used I...

Page 289: ...iscovered by this switch or those that are statically assigned to an interface on this switch Web Click IGMP Snooping Multicast Router Port Information Select the required VLAN ID from the scroll down list to display the associated multicast routers Figure 15 2 Multicast Router Port Information 15 6 CLI This example enables IGMP immediate leave for VLAN 1 and then displays the current IGMP snoopin...

Page 290: ... Port or Trunk Specifies the interface attached to a multicast router Web Click IGMP Snooping Static Multicast Router Port Configuration Specify the interfaces attached to a multicast router indicate the VLAN which will forward all the corresponding multicast traffic and then click Add After you have finished adding interfaces to the list click Apply Figure 15 3 Static Multicast Router Port Config...

Page 291: ...ng IP Multicast Registration Table Select a VLAN ID and the IP address for a multicast service from the scroll down lists The switch will display all the interfaces that are propagating this multicast service Figure 15 4 IP Multicast Registration Table CLI This example displays all the known multicast services supported on VLAN 1 along with the ports propagating the corresponding services The Type...

Page 292: ...traffic coming from the attached multicast router switch Range 1 4093 Multicast IP The IP address for a specific multicast service Unit Stack unit Range 1 8 Port or Trunk Specifies the interface attached to a multicast router switch Web Click IGMP Snooping IGMP Member Port Table Specify the interface attached to a multicast service via an IGMP enabled switch or multicast router indicate the VLAN t...

Page 293: ...15 15 10 Multicast Filtering ...

Page 294: ...l search it for a corresponding entry If none is found the default domain name is used When an incomplete host name is received by the DNS service on this switch and a domain name list has been specified the switch will work through the domain list appending each domain name in the list to the host name and checking with the specified name servers for a match When more than one name server is spec...

Page 295: ...mber that if a domain list is specified the default domain name is not used Console config ip domain name sample com Console config ip domain list sample com uk Console config ip domain list sample com jp Console config ip name server 192 168 1 55 10 1 0 55 Console config ip domain lookup Console show dns Domain Lookup Status DNS enabled Default Domain Name sample com Domain Name List sample com u...

Page 296: ...tiple IP addresses If more than one IP address is associated with a host name in the static table or via information returned from a name server a DNS client can try each address in succession until it establishes a connection with the target device Field Attributes Host Name Name of a host device that is mapped to one or more IP addresses Range 1 127 characters IP Address Internet address es asso...

Page 297: ...Host Table CLI This example maps two address to a host name and then configures an alias host name for the same addresses Console config ip host rd5 192 168 1 55 10 1 0 55 Console config ip host rd6 10 1 0 55 Console show hosts Hostname rd5 Inet address 10 1 0 55 192 168 1 55 Alias rd6 Console 16 4 38 1 38 6 Domain Name Service 16 ...

Page 298: ...pecifies the host address for the owner and CNAME which specifies an alias IP The IP address associated with this record TTL The time to live reported by the name server Domain The domain name associated with this record Web Select DNS Cache Figure 16 3 DNS Cache CLI This example displays all the resource records learned from the designated name servers Console show dns cache 38 7 NO FLAG 0 4 1 4 ...

Page 299: ...16 16 6 Domain Name Service ...

Page 300: ...ch supports DHCP relay service for attached host devices If DHCP relay is enabled and this switch sees a DHCP request broadcast it inserts its own IP address into the request so that Server DHCP Provides IP address compatible with switch segment to which client is attached the DHCP server will know the subnet where the client is located Then the switch forwards the packet to the DHCP server When t...

Page 301: ...DHCP server that can assign temporary IP addresses to any attached host requesting service It can also provide other network settings such as the domain name default gateway Domain Name Servers DNS Windows Internet Naming Service WINS name servers or information on the bootup file for the host device to download Addresses can be assigned to clients from a common address pool configured for a speci...

Page 302: ...P Server General page Enabling the Server Setting Excluded Addresses Enable the DHCP Server and specify the IP addresses that it should not be assigned to clients Command Attributes DHCP Server Enables or disables the DHCP server on this switch Default Disabled Excluded Addresses Specifies IP addresses that the DHCP server should not assign to DHCP clients You can specify a single address or an ad...

Page 303: ...arching for a manual binding the switch compares the client identifier and then the hardware address for DHCP clients Since BOOTP clients cannot transmit a client identifier you must configure a hardware address for this host type If no manual binding has been specified for a host entry with a hardware address or client identifier the switch will assign an address from the first matching network p...

Page 304: ...outer should be on the same subnet as the client DNS Server The IP address of the primary and alternate DNS server DNS servers must be configured for a DHCP client to map host names to IP addresses Netbios Server IP address of the primary and alternate NetBIOS Windows Internet Naming Service WINS name server used for Microsoft DHCP clients Netbios Type NetBIOS node type for Microsoft DHCP clients ...

Page 305: ...nfiguration Specify a pool name then click Add Figure 17 3 DHCP Server Pool Configuration CLI This example adds an address pool and enters DHCP pool configuration mode Console config ip dhcp pool mgr Console config dhcp 17 6 39 6 Dynamic Host Configuration Protocol 17 ...

Page 306: ... Console config dhcp domain name example com Console config dhcp bootfile wme bat Console config dhcp next server 10 1 0 21 Console config dhcp lease infinite Console config dhcp Configuring a Network Address Pool Web Click DHCP Server Pool Configuration Click the Configure button for any entry Click the radio button for Network Enter the IP address and subnet mask for the network pool Configure t...

Page 307: ...onfig dhcp netbios node type hybrid Console config dhcp domain name example com Console config dhcp bootfile wme bat Console config dhcp next server 10 1 0 21 Console config dhcp lease infinite Console config dhcp 17 8 Configuring a Host Address Pool Web Click DHCP Server Pool Configuration Click the Configure button for any entry Click the radio button for Host Enter the IP address subnet mask an...

Page 308: ...nother device Entry Count Number of hosts that have been given addresses by the switch Note More than one DHCP server may respond to a service request by a host In this case the host generally accepts the first address assigned by any DHCP server Web Click DHCP Server IP Binding You may use the Delete button to clear an address from the DHCP server s database Figure 17 6 DHCP Server IP Binding CLI...

Page 309: ...17 17 10 Dynamic Host Configuration Protocol ...

Page 310: ...uter priority Router redundancy can be set up in any of the following configurations These examples use the address of one of the participating routers as the master router When the virtual router IP address is not a real address the master router is selected based on priority When the priority is the same on several competing routers then the router with the highest IP address is selected as the ...

Page 311: ...he group that will participate in the protocol as the master router or a backup router To select a specific device as the master router set the address of this interface as the virtual router address for the group Now set the same virtual address and a priority on the backup routers and configure an authentication string You can also enable the preempt feature which allows a router to take over as...

Page 312: ...er fails Preempting the Acting Master The virtual IP Owner has the highest priority so no other router can preempt it and it will always resume control as the master virtual router when it comes back on line The preempt function only allows a backup router to take over from a master router if no router in the group is the virtual IP owner or from another backup router that is temporarily acting as...

Page 313: ...priority than the acting master virtual router i e a master router that is not the group s address owner or another backup router that has taken over from the previous master Default Enabled Preempt Delay Time to wait before issuing a claim to become the master Range 0 120 seconds 0 seconds Priority The priority of this router in a VRRP group Range 1 254 Default 100 The priority for the VRRP group...

Page 314: ...Web Click IP VRRP Group Configuration Select the VLAN ID enter the VRID group number and click Add Figure 18 1 VRRP Group Configuration 18 5 Virtual Router Redundancy Protocol 18 ...

Page 315: ...ter the virtual address for an existing group to make it a backup router or to compete as the master based on configured priority if no other members are set as the owner of the group address Click Add IP to enter an IP address into the Associated IP Table Then set any of the other parameters as required and click Apply Figure 18 2 VRRP Group Configuration Detail 18 6 Configuring Router Redundancy...

Page 316: ...d VLAN to the virtual IP address It then adds a secondary IP address to the VRRP group sets all of the other VRRP parameters and then displays the configured settings Console config interface vlan 1 Console config if vrrp 1 ip 192 168 1 6 Console config if vrrp 1 ip 192 168 2 6 secondary Console config if vrrp 1 timers advertise 5 Console config if vrrp 1 preempt delay 10 Console config if vrrp 1 ...

Page 317: ...ackets received with a packet length less than the length of the VRRP header Invalid Type Packets Number of VRRP packets received by the virtual router with an invalid value in the type field Error Address List Packets Number of packets received for which the address list does not match the locally configured list for the virtual router Invalid Authentication Type Packets Number of packets receive...

Page 318: ...l Packets 0 Total Number of Received Authentication Failures Packets 0 Total Number of Received Error IP TTL VRRP Packets 0 Total Number of Received Priority 0 VRRP Packets 0 Total Number of Sent Priority 0 VRRP Packets 5 Total Number of Received Invalid Type VRRP Packets 0 Total Number of Received Error Address List VRRP Packets 0 Total Number of Received Invalid Authentication Type VRRP Packets ...

Page 319: ...18 18 10 Configuring Router Redundancy ...

Page 320: ...onal routers the static and dynamic routing functions must first be configured to work Initial Configuration By default all ports belong to the same VLAN and the switch provides only Layer 2 functionality To segment the attached network first create VLANs for each unique user group or application traffic page 11 6 assign all ports that belong to the same group to these VLANs page 11 7 and then ass...

Page 321: ... the help of a router However if the MAC address is not yet known to the switch an Address Resolution Protocol ARP packet with the destination IP address is broadcast to get the destination MAC address from the destination node The IP packet can then be sent directly with the destination MAC address If the destination belongs to a different subnet on this switch the packet can be routed directly t...

Page 322: ...d sent out to the destination The reformat process includes decreasing the Time To Live TTL field of the IP header recalculating the IP header checksum and replacing the destination MAC address with either the MAC address of the destination node or that of the next hop router When another packet destined to the same node arrives the destination MAC can be retrieved directly from the Layer 3 addres...

Page 323: ...ch in band then you must define the IP subnet address for at least one VLAN Command Attributes IP Routing Status Configures the switch to operate as a Layer 2 switch or as a multilayer routing switch Options Disable this field to restrict operation to Layer 2 switching enable it to allow multilayer operation at either Layer 2 or 3 as required This command affects both static and dynamic unicast ro...

Page 324: ... be assigned to a specific subnet then you must create a router interface for each VLAN that will support routing The router interface consists of an IP address and subnet mask This interface address defines both the network prefix number to which the router interface is attached and the router s host number on that network In other words a router interface address defines the network segment that...

Page 325: ...ds you will need to specify secondary addresses if more than one IP subnet can accessed via this interface If DHCP BOOTP is enabled the system will immediately start broadcasting service requests IP is enabled but does not function until a reply has been received from the address server Requests will be broadcast periodically by the router for an IP address DHCP BOOTP values can include the IP add...

Page 326: ...e and click Set IP Configuration after entering each address Figure 19 2 IP Routing Interface CLI This example sets a primary IP address for VLAN 1 and then adds a secondary IP address for a different subnet also attached to this router interface Console config interface vlan 1 Console config if ip address 10 1 0 253 255 255 255 0 Console config if ip address 10 1 9 253 255 255 255 0 secondary Con...

Page 327: ...ation If there is no entry for an IP address in the ARP cache the router will broadcast an ARP request packet to all devices on the network The ARP request contains the following fields similar to that shown in this example Table 19 1 Address Resolution Protocol destination IP address 10 1 0 19 destination MAC address source IP address 10 1 0 253 source MAC address 00 00 ab cd 00 00 When devices r...

Page 328: ...sk than that used by the router or other relevant network devices Extensive use of Proxy ARP can degrade router performance because it may lead to increased ARP traffic and increased search time for larger ARP address tables 19 9 Basic ARP Configuration You can use the ARP General configuration menu to specify the timeout for ARP cache entries or to enable Proxy ARP for specific VLAN interfaces Co...

Page 329: ...ve routing or a default gateway and click Apply Figure 19 3 ARP General CLI This example sets the ARP cache timeout for 15 minutes i e 900 seconds and enables Proxy ARP for VLAN 3 Console config arp timeout 900 Console config interface vlan 3 Console config if ip proxy arp Console config if 19 10 41 33 27 1 41 35 IP Routing 19 ...

Page 330: ...no response to an ARP broadcast message For example some applications may not respond to ARP requests or the response arrives too late causing network operations to time out Static entries will not be aged out or deleted when power is reset You can only remove a static entry via the configuration interface Command Attributes IP Address IP address statically mapped to a physical MAC address Valid I...

Page 331: ...he address entry Dynamic to Static 19 Changes a selected dynamic entry to a static entry Clear All 19 Deletes all dynamic entries from the ARP cache Entry Count The number of dynamic entries in the ARP cache The following field is also displayed in the CLI Type Indicates if entries were learned through replies to broadcast messages are statically configured entries or are other entries for local i...

Page 332: ...5 62 03 74 dynamic 1 10 1 0 253 00 00 ab cd 00 00 other 1 10 1 0 255 ff ff ff ff ff ff other 1 Total entry 6 Console clear arp cache This operation will delete all the dynamic entries in ARP Cache Are you sure to continue this operation y n y Console Displaying Local ARP Entries The ARP cache also contains entries for local interfaces including subnet host and broadcast addresses Command Attribute...

Page 333: ...9 00 10 b5 62 03 74 10 1 0 253 00 00 ab cd 00 00 10 1 0 255 ff ff ff ff ff ff Total entry 6 Console static static dynamic other other Displaying ARP Statistics You can display statistics for ARP messages crossing all interfaces on this router Table 19 2 ARP Statistics Parameter Received Request Received Reply Sent Request Sent Reply 19 14 Description Number of ARP Request packets received by the r...

Page 334: ...fragment Sent 9 generated 0 no route ICMP statistics Rcvd 0 checksum errors 0 redirects 0 unreachable 0 echo 5 echo reply 0 mask requests 0 mask replies 0 quench 0 parameter 0 timestamp Sent 0 redirects 0 unreachable 0 echo 0 echo reply 0 mask requests 0 mask replies 0 quench 0 timestamp 0 time exceeded 0 parameter problem UDP statistics Rcvd 0 total 0 checksum errors 0 no port Sent 0 total TCP st...

Page 335: ...input datagrams discarded due to errors in their IP headers including bad checksums version number mismatch other format errors time to live exceeded errors discovered in processing their IP options etc The number of locally addressed datagrams received successfully but discarded because of an unknown or unsupported protocol The total number of input datagrams successfully delivered to IP user pro...

Page 336: ...nsmits message packets to report errors in processing IP packets ICMP is therefore an integral part of the Internet Protocol ICMP messages may be used to report various situations such as when a datagram cannot reach its destination when the gateway does not have the buffering capacity to forward a datagram and when the gateway can direct the host to send traffic on a shorter route ICMP is also us...

Page 337: ...mber of ICMP Redirect messages received sent Echos The number of ICMP Echo request messages received sent Echo Replies The number of ICMP Echo Reply messages received sent Timestamps The number of ICMP Timestamp request messages received sent Timestamp Replies The number of ICMP Timestamp Reply messages received sent Address Masks The number of ICMP Address Mask Request messages received sent Addr...

Page 338: ... 19 5 USP Statistics Parameter Description Datagrams Received The total number of UDP datagrams delivered to UDP users Datagrams Sent The total number of UDP datagrams sent from this entity Receive Errors The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port No Ports The total number of received UDP datagrams for ...

Page 339: ... a direct transition to the CLOSED state from either the SYN SENT state or the SYN RCVD state plus the number of times TCP connections have made a direct transition to the LISTEN state from the SYN RCVD state Current Connections The number of TCP connections for which the current state is either ESTABLISHED or CLOSE WAIT Receive Errors The total number of segments received in error e g bad TCP che...

Page 340: ...tes are included in RIP and OSPF updates periodically sent by the router if this feature is enabled by the RIP or OSPF see page 20 9 or 20 35 respectively Command Attributes Interface Index number of the IP interface IP Address IP address of the destination network subnetwork or host Netmask Network mask for the associated IP subnet This mask identifies the host address bits used for routing to sp...

Page 341: ...c and then dynamic Also note that the route for a local interface is not enabled i e listed in the routing table unless there is at least one active link connected to that interface Command Attributes Interface Index number of the IP interface IP Address IP address of the destination network subnetwork or host Note that the address 0 0 0 0 indicates the default gateway for this router Netmask Netw...

Page 342: ...obtained from various methods Console show ip route 42 3 Ip Address Netmask Next Hop Protocol Metric Interface 0 0 0 0 0 0 0 0 10 1 0 0 255 255 255 0 10 1 1 0 255 255 255 0 Total entries 3 Console 10 1 0 254 10 1 0 253 10 1 0 254 static 1 local 1 RIP 2 1 1 1 19 23 Displaying the Routing Table 19 ...

Page 343: ...19 19 24 IP Routing ...

Page 344: ... which lead to relevant subnets OSPFv2 Dynamic Routing Protocol OSPF overcomes all the problems of RIP It uses a link state routing protocol to generate a shortest path tree then builds up its routing table based on this tree OSPF produces a more stable network because the participating routers act on network changes predictably and simultaneously converging on the best route more quickly than RIP...

Page 345: ...C 1723 There are several serious problems with RIP that you should consider First of all RIP version 1 has no knowledge of subnets both RIP versions can take a long time to converge on a new route after the failure of a link or router during which time routing loops may occur and its small hop count limitation of 15 restricts its use to smaller networks Moreover RIP version 1 wastes valuable netwo...

Page 346: ...rsions set on the RIP Interface Settings screen page 20 6 always take precedence over the settings for the Global RIP Version Timer Settings The timers must be set to the same values for all routers in the network Update Sets the rate at which updates are sent This is the fundamental timer used to control all basic RIP processes This value will also set the timeout timer to 6 times the update time...

Page 347: ...RIP General Settings CLI This example sets the router to use RIP Version 2 and sets the basic timer to 15 seconds Console config router rip Console config router version 2 Console config router timers basic 15 Console config router end Console show rip globals RIP Process Enabled Update Time in Seconds 15 Number of Route Change 0 Number of Queries 1 Console 20 4 42 6 42 11 42 8 42 16 Unicast Routi...

Page 348: ...d only the first field in the network address is used 128 191 is class B and the first two fields in the network address are used 192 223 is class C and the first three fields in the network address are used Web Click Routing Protocol RIP Network Addresses Add all interfaces that will participate in RIP and click Apply Figure 20 2 RIP Network Addresses CLI This example includes network interface 1...

Page 349: ...ible to propagate route information by broadcasting to other routers on the network using the RIPv2 advertisement list instead of multicasting as normally required by RIPv2 Using this mode allows RIPv1 routers to receive these protocol messages but still allows RIPv2 routers to receive the additional information provided by RIPv2 including subnet mask next hop and authentication information Use Do...

Page 350: ...oes not add any dynamic entries to the routing table for an interface Send Version The RIP version to send on an interface RIPv1 Sends only RIPv1 packets RIPv2 Sends only RIPv2 packets RIPv1 Compatible Route information is broadcast to other routers with RIPv2 Default 20 Do Not Send Does not transmit RIP updates Instability Preventing Specifies the method used to reduce the convergence time when t...

Page 351: ...st use the same password Range 1 16 characters case sensitive Web Click Routing Protocol RIP Interface Settings Select the RIP protocol message types that will be received and sent the method used to provide faster convergence and prevent loopback i e prevent instability in the network topology and the authentication option and corresponding password Then click Apply Figure 20 3 RIP Interface Sett...

Page 352: ... the problem of redistributing external routes with incompatible metrics It is advisable to use a low metric when redistributing routes from another protocol into RIP Using a high metric limits the usefulness of external routes redistributed into RIP For example if a metric of 10 is defined for redistributed routes these routes can only be advertised to routers up to 5 hops away at which point the...

Page 353: ...outes and click Set Figure 20 4 RIP Redistribution Configuration CLI This example redistributes static routes and sets the metric for all of these routes to a value of 3 Console config router rip Console config router redistribute static metric 3 Console config router 20 10 42 6 42 11 Unicast Routing 20 ...

Page 354: ...me a route update was received from this peer Whether RIPv1 or RIPv2 packets were received from this peer Number of bad RIP packets received from this peer Number of bad routes received from this peer 20 11 Displaying RIP Information and Statistics You can display basic information about the current global configuration settings for RIP statistics about route changes and queries information about ...

Page 355: ...Web Click Routing Protocol RIP Statistics Figure 20 5 RIP Statistics 20 12 Unicast Routing 20 ...

Page 356: ...an be accessed from the CLI using the following commands Console show rip globals RIP Process Enabled Update Time in Seconds 30 Number of Route Change 4 Number of Queries 0 Console show ip rip configuration 42 16 42 16 Interface SendMode ReceiveMode Poison Authentication 10 1 0 253 rip1Compatible 10 1 1 253 rip1Compatible Console show ip rip status RIPv1Orv2 SplitHorizon noAuthentication RIPv1Orv2...

Page 357: ...y route costs throughout the network when older OSPF routers exist as well as the not so stubby area option RFC 3101 isolated area ABR virtual link ABR normal area ASBR ASBR stub ABR ABR NSSA ASBR backbone Autonomous System A Router external network Autonomous System B Command Usage OSPF looks at more than just the simple hop count When adding the shortest path to any node into the tree the optima...

Page 358: ... links can also be used to provide a redundant link between contiguous areas to prevent areas from being partitioned or to merge backbone areas Note that virtual links are not supported for stubs or NSSAs see definition below Configuring General Protocol Settings To implement dynamic OSPF routing first assign VLAN groups to each IP subnet to which this router will be attached then use the OSPF Gen...

Page 359: ...tting the SPF holdtime to 0 means that there is no delay between consecutive calculations Area Numbers 21 The number of configured areas attached to this router Default Route Information Originate Default Route 22 Generates a default external route into an autonomous system Note that the AS Boundary Router field must be enabled and the Advertise Default Route field properly configured Default Disa...

Page 360: ...uch a route is known See Redistributing External Routes on page 20 35 External Metric Type 22 The external link type used to advertise the default route Type 1 route advertisements add the internal cost to the external route metric Type 2 routes do not add the internal cost metric When comparing Type 2 routes the internal cost is only used as a tie breaker if several Type 2 routes have the same co...

Page 361: ...iguration CLI This example configures the router with the same settings as shown in the screen capture for the web interface Console config router ospf 42 19 Console config router router id 10 1 1 253 42 20 Console config router no compatible rfc1583 42 20 Console config router default information originate always metric 10 metric type 2 42 21 Console config router timers spf 10 42 22 Console conf...

Page 362: ...tubby area NSSA Normal Area A large OSPF domain should be broken up into several areas to increase network stability and reduce the amount of routing traffic required through the use of route summaries that aggregate a range of addresses into a single route The backbone or any normal area can pass traffic between other areas and are therefore known as transit areas Each router in an area has ident...

Page 363: ...ult summary route sent into a stub or not so stubby area NSSA from an Area Border Router ABR 20 20 NSSA A not so stubby area NSSA can be configured to control the use of default routes for Area Border Routers ABRs and Autonomous System Boundary Routers ASBRs or external routes learned from other routing domains and imported through an ABR An NSSA is similar to a stub It blocks most external routin...

Page 364: ...the backbone by default Default Normal area Default Cost Cost for the default summary route sent into a stub from an area border router ABR Range 0 16777215 Default 1 Note that if you set the default cost to 0 the router will not advertise a default route into the attached stub Summary Makes an ABR send a Type 3 summary link advertisement into a stub Default Summary A stub is designed to save rout...

Page 365: ... area 0 0 0 1 as a normal area area 0 0 0 2 as a stub and area 0 0 0 3 as an NSSA It also configures the router to propagate a default summary route into the stub and sets the cost for this default route to 10 Console config router network 10 1 1 0 255 255 255 0 area 0 0 0 1 42 26 Console config router area 0 0 0 2 stub summary 42 27 Console config router area 0 0 0 2 default cost 10 42 24 Console...

Page 366: ...address Range Network Base address for the routes to summarize Range Netmask Network mask for the summary route Advertising Indicates whether or not to advertise the summary route If the routes are set to be advertised the router will issue a Type 3 summary LSA for each specified address range If the summary is not advertised the specified routes remain hidden from the rest of the network Default ...

Page 367: ...default for the area range command is to advertise the route summary The configured summary route is shown in the list of information displayed for area 1 Console config router area 0 0 0 1 range 10 1 1 0 255 255 255 0 42 23 Console config router end Console show ip ospf Routing Process with ID 10 1 1 253 Supports only single TOS TOS0 route Number of area in this router is 4 Area 0 0 0 0 BACKBONE ...

Page 368: ...te This router supports up 64 OSPF interfaces Detailed Interface Configuration VLAN ID The VLAN corresponding to the selected interface Rtr Priority Sets the interface priority for this router Range 0 255 Default 1 A designated router DR and backup designated router BDR is elected for each OSPF area based on Router Priority The DR forms an active adjacency to all other routers in the area to excha...

Page 369: ...ting the hello interval to a smaller value can reduce the delay in detecting topological changes but will increase routing traffic Rtr Dead Interval Sets the interval at which hello packets are not seen before neighbors declare the router down This interval must be set to the same value for all routers on the network Range 1 65535 seconds Default 40 or 4 times the Hello Interval The dead interval ...

Page 370: ... as described in the preceding item this password key is inserted into the OSPF header when routing protocol packets are originated by this device A different password can be assigned to each network interface but the password must be used consistently on all neighboring routers throughout a network that is autonomous system All neighboring routers in the same network with the same password will e...

Page 371: ... Configuration Select the required interface from the scroll down box and click Detailed Settings Figure 20 9 OSPF Interface Configuration Change any of the interface specific protocol parameters and then click Apply Figure 20 10 OSPF Interface Configuration Detailed ...

Page 372: ...None The other items are described under Configuring OSPF Interfaces page 20 25 20 29 CLI This example configures the interface parameters for VLAN 1 Console config interface vlan 1 Console config if ip ospf priority 5 Console config if ip ospf transmit delay 6 Console config if ip ospf retransmit interval 7 Console config if ip ospf hello interval 5 Console config if ip ospf dead interval 50 Cons...

Page 373: ...fy the settings for an existing link click the Detail button for the required entry modify the link settings and click Set Figure 20 11 OSPF Virtual Link Configuration CLI This example configures a virtual link from the ABR adjacent to area 0 0 0 4 through a transit area to the neighbor router 10 1 1 252 at the other end of the link which is adjacent to the backbone Console config router area 0 0 ...

Page 374: ...ink State Advertisements LSAs If necessary you can use the Area Configuration page to configure an area as a stubby area that cannot send or receive external LSAs or a not so stubby area NSSA that can import external route information into its area page 20 19 An area must be assigned a range of subnetwork addresses This area and the corresponding address range forms a routing interface and can be ...

Page 375: ...l OSPF Network Area Address Configuration Configure a backbone area that is contiguous with all the other areas in your network configure an area for all of the other OSPF interfaces then click Apply Figure 20 12 OSPF Network Area Address Configuration ...

Page 376: ...SBR can be configured to redistribute routes learned from other protocols into all attached autonomous systems See Redistributing External Routes on page 20 35 To reduce the amount of external LSAs sent to other autonomous systems you can configure the router to advertise an aggregate route that consolidates a broad range of external addresses This helps both to decrease the number of external LSA...

Page 377: ...pecify the base address and network mask then click Add Figure 20 13 OSPF Summary Address Configuration CLI This example This example creates a summary address for all routes contained in 192 168 x x Console config router summary address 192 168 0 0 255 255 0 0 42 24 Console config router ...

Page 378: ...o calculate external route costs Options Type 1 Type 2 Default Type 1 Metric type specifies the way to advertise routes to destinations outside the autonomous system AS through External LSAs Specify Type 1 to add the internal cost metric to the external route metric In other words the cost of the route from any router within the AS is equal to the cost associated with reaching the advertising ASBR...

Page 379: ...efer to Configuring OSPF Areas on page 20 19 Command Attributes Area ID Identifier for an not so stubby area NSSA The area ID must be in the form of an IPv4 address Default Information Originate An NSSA ASBR originates and floods Type 7 external LSAs throughout its area for known network destination outside of the AS However you can also configure an NSSA ASBR to generate a Type 7 default route to...

Page 380: ...rds redistribution should be disabled to prevent the NSSA ABR from advertising external routing information learned through routers in other areas into the NSSA Default Enabled Note This router supports up 16 areas either normal transit areas stubs or NSSAs Web Click Routing Protocol OSPF NSSA Settings Create a new NSSA or modify the routing behavior for an existing NSSA and click Apply Figure 20 ...

Page 381: ... Area border routers can generate Summary LSAs that give the cost to a subnetwork located outside the area AS Summary Type 4 Area border routers can generate AS Summary LSAs that give the cost to an autonomous system boundary router ASBR AS External Type 5 An ASBR can generate an AS External LSA for each known network destination outside the AS NSSA External Type 7 An ASBR within an NSSA generates...

Page 382: ...SPF Link State Database Information Specify parameters for the LSAs you want to display then click Query Figure 20 16 OSPF Link State Database Information CLI The CLI provides a wider selection of display options for viewing the Link State Database See show ip ospf database on page 42 41 ...

Page 383: ...th Rte Type Route type either intra area or interarea route INTRA or INTER Area The area from which this route was learned SPF No The number of times the shortest path first algorithm has been executed for this route Web Click Routing Protocol OSPF Border Router Information Figure 20 17 OSPF Border Router Information CLI This example shows one router that serves as both the ABR for the local area ...

Page 384: ... Two way Bidirectional communications established ExStart Initializing adjacency between neighbors Exchange Database descriptions being exchanged Loading LSA databases being exchanged Full Neighboring routers now fully adjacent Identification flags include D Dynamic neighbor S Static neighbor DR Designated router BDR Backup designated router Address IP address of this interface Web Click Routing P...

Page 385: ...20 20 42 Unicast Routing ...

Page 386: ...tion Commands 25 1 Access Control List Commands 26 1 Interface Commands 27 1 Link Aggregation Commands 28 1 Mirror Port Commands 29 1 Rate Limit Commands 30 1 Address Table Commands 31 1 LLDP Commands 32 1 Spanning Tree Commands 33 1 VLAN Commands 34 1 Class of Service Commands 35 1 Quality of Service Commands 36 1 Multicast Filtering Commands 37 1 Domain Name Service Commands 38 1 DHCP Commands 3...

Page 387: ...Command Line Interface ...

Page 388: ... of admin and guest When the administrator user name and password is entered the CLI displays the Console prompt and enters privileged access mode i e Privileged Exec But when the guest user name and password is entered the CLI displays the Console prompt and enters normal access mode i e Normal Exec 2 Enter the necessary commands to complete your desired tasks 3 When finished exit the session wit...

Page 389: ... matches the network segment to which you are attached After you configure the switch with an IP address you can open a Telnet session by performing these steps 1 From the remote host enter the Telnet command and the IP address of the device you want to access 2 At the prompt enter the user name and system password The CLI will display the Vty n prompt for the administrator to show that you are us...

Page 390: ...er commands that require parameters enter the required parameters after the command keyword For example to set a password for the administrator enter Console config username admin password 0 smith Minimum Abbreviation The CLI will accept a minimum number of characters that uniquely identify a command For example the command configure can be entered as con If an entry is ambiguous the system will p...

Page 391: ...pecify spanning tree ssh Secure shell startup config The system configuration of starting up system Information of system tacacs server Login by TACACS server tech support Technical information users Display information about terminal lines version System hardware and software status vlan Switch VLAN Virtual Interface vrrp Show vrrp Console show 21 4 Showing Commands If you enter a at the command ...

Page 392: ... list can be executed again or first modified and then executed Using the show history command displays a longer list of recently executed commands 21 5 The command show interfaces will display the following information Console show interfaces counters Information of interfaces counters protocol vlan Protocol vlan information status Information of interfaces status switchport Information of interf...

Page 393: ...o enter Privileged Exec mode enter the following user names and passwords Username admin Password admin login password CLI session with the 24 48 L3 GE Switch is opened To end the CLI session enter Exit Console 21 6 Understanding Command Modes The command set is divided into Exec and Configuration classes Exec commands generally display information on system status or clear statistical counters Co...

Page 394: ...iguration Creates a DiffServ class map for a specified traffic type DHCP Configuration These commands are used to configure the DHCP server Interface Configuration These commands modify the port configuration such as speed duplex and negotiation Line Configuration These commands modify the console port and Telnet configuration and include command such as parity and databits Multiple Spanning Tree ...

Page 395: ... config mac acl access list ipv6 standard Console config std ipv6 acl access list ipv6 extended Console config ext ipv6 acl class map Console config cmap Page 23 17 26 2 26 2 26 12 26 7 26 7 36 2 39 6 27 1 33 7 36 5 42 6 42 19 ip dhcp pool interface ethernet port port channel id vlan id spanning tree mst configuration policy map router rip ospf vlan database Console config dhcp Console config if C...

Page 396: ... the left one character Ctrl C Terminates the current task and displays the command prompt Ctrl E Shifts cursor to end of command line Ctrl F Shifts cursor to the right one character Ctrl K Deletes all characters from the cursor to the end of the line Ctrl L Repeats current command line on a new line Ctrl N Enters the next command line in the history buffer Ctrl P Enters the last command Ctrl R Re...

Page 397: ...iltering specified addresses displays current entries clears the table or sets the aging time Configures Spanning Tree settings for the switch Configures VLAN settings and defines port membership for VLAN groups also enables or configures private VLANs and protocol VLANs Sets port priority for untagged frames selects strict priority or weighted round robin relative weight for each priority queue a...

Page 398: ...onfiguration MST Multiple Spanning Tree CM Class Map Configuration NE Normal Exec DC DHCP Server Configuration PE Privileged Exec GC Global Configuration PM Policy Map Configuration IC Interface Configuration RC Router Configuration LC Line Configuration VC VLAN Database Configuration 21 11 Command Groups 21 ...

Page 399: ...21 21 12 Overview of the Command Line Interface ...

Page 400: ... the enable password command on page 25 3 22 1 Chapter 22 General Commands These commands are used to control the command access mode configuration mode and other basic functions Table 22 1 General Commands Command Function enable Activates privileged mode disable Returns to normal mode from privileged mode configure Activates global configuration mode show history Shows the command history buffer...

Page 401: ... on page 21 6 Default Setting None Command Mode Privileged Exec Command Usage The character is appended to the end of the prompt to indicate that the system is in normal access mode Example Console disable Console Related Commands enable 22 1 configure This command activates Global Configuration mode You must enter this mode to modify any settings on the switch You must also enter Global Configura...

Page 402: ...of the command history buffer Console show history Execution command history 2 config 1 show history Configuration command history 4 interface vlan 1 3 exit 2 interface vlan 1 1 end Console The command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode and commands from the Configuration command history buffer when you are in any of the c...

Page 403: ...the entire system Example This example shows how to reset the switch Console reload System will be restarted continue y n y prompt This command customizes the CLI prompt Use the no form to restore the default prompt Syntax prompt string no prompt string Any alphanumeric string to use for the CLI prompt Maximum length 255 characters Default Setting Console Command Mode Global Configuration Example ...

Page 404: ...configuration mode or exits the configuration program Default Setting None Command Mode Any Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode and then quit the CLI session Console config exit Console exit Press ENTER to start session User Access Verification Username quit This command exits the configuration program Default Setting None Command...

Page 405: ...Example This example shows how to quit a CLI session Console quit Press ENTER to start session User Access Verification Username 22 6 General Commands 22 ...

Page 406: ...formation that uniquely identifies the switch Table 23 2 Device Designation Commands Chapter 23 System Management Commands These commands are used to control system logs passwords user names management options and display or configure a variety of other system information Table 23 1 System Management Commands Page 23 1 23 3 23 9 23 10 23 17 23 26 23 32 23 35 Command Function hostname Specifies the...

Page 407: ...d sequentially starting from the top unit for a non loop stack or starting from the Master unit for a looped stack Syntax switch all renumber Default Setting For non loop stacking the top unit is unit 1 For loop stacking the master unit is unit 1 Command Mode Global Configuration Example This example shows how to renumber all units Console switch all renumber Console 23 2 System Management Command...

Page 408: ... VLAN configuration settings for each interface Multiple spanning tree instances name and interfaces IP address configured for VLANs Layer 4 precedence settings Routing protocol configuration settings Spanning tree settings Any configured settings for the console port and Telnet 23 3 Command Function show startup config Displays the contents of the configuration file stored in flash memory that is...

Page 409: ... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 SNTP server 0 0 0 0 0 0 0 0 0 0 0 0 snmp server community public ro snmp server community private rw username admin access level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d25...

Page 410: ...g information MAC address for each switch in the stack SNTP server settings SNMP community strings Users names access levels and encrypted passwords VLAN database VLAN ID name and state VLAN configuration settings for each interface Multiple spanning tree instances name and interfaces IP address configured for VLANs Layer 4 precedence settings Routing protocol configuration settings Spanning tree ...

Page 411: ... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 SNTP server 0 0 0 0 0 0 0 0 0 0 0 0 snmp server community private rw snmp server community public ro username admin access level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d25...

Page 412: ...anaged Switch with 2 X 10G uplinks System OID String 1 3 6 1 4 1 259 8 1 9 System information System Up time 0 days 1 hours 23 minutes and 44 61 seconds System Name NONE System Location NONE System Contact NONE MAC Address Unit1 00 20 1A DF 9C A0 MAC Address Unit2 00 20 1A DF 9E C0 Web Server Enabled Web Server Port 80 Web Secure Server Enabled Web Secure Server Port 443 Telnet Server Enable Telne...

Page 413: ... 8 show users Shows all active console and Telnet sessions including user name idle time and IP address of Telnet client Default Setting None Command Mode Normal Exec Privileged Exec Command Usage The session used to execute this command is indicated by a symbol next to the Line i e session index number Example Console show users Username accounts Username Privilege Public Key admin 15 None None g...

Page 414: ...t frames that run only up to 1 5 KB using jumbo frames significantly reduces the per packet overhead required to process protocol encapsulation fields To use jumbo frames both the source and destination end nodes such as a computer or server must support this feature Also when the connection is operating at full duplex all switches in the network between the two end nodes must be able to accept th...

Page 415: ... the new file set as the startup file Saving or Restoring Configuration Settings Configuration settings can be uploaded and downloaded to and from a TFTP server The configuration file can be later downloaded to restore switch settings The configuration file can be downloaded under a new file name and then set as the startup file or the current startup configuration file can be specified as the des...

Page 416: ... server https certificate Keyword that allows you to copy the HTTPS secure site certificate public key Keyword that allows you to copy a SSH key from a TFTP server See Secure Shell Commands on page 25 15 unit Keyword that allows you to copy to from a specific unit in the stack Default Setting None Command Mode Privileged Exec Command Usage The system prompts for data required to complete the copy ...

Page 417: ...e shows how to download new firmware from a TFTP server Console copy tftp file TFTP server ip address 10 1 0 19 Choose file type 1 config 2 opcode 1 2 2 Source file name V3 1 16 20 BIX Destination file name V311620 Write to FLASH Programming Write to FLASH finish Success Console The following example shows how to upload the configuration settings to a file on the TFTP server Console copy file tftp...

Page 418: ...icate Source private file name SS private Private password Success Console reload System will be restarted continue y n y This example shows how to copy a public key used by SSH from an TFTP server Note that public key authentication via SSH is only supported for users configured locally on the switch Console copy tftp public key TFTP server IP address 192 168 1 19 Choose public key type 1 RSA 2 D...

Page 419: ...of files in flash memory Syntax dir unit boot rom config opcode filename The type of file or image to display includes boot rom Boot ROM or diagnostic image file config Switch configuration file opcode Run time operation code image file filename Name of configuration file or code image If this file exists but contains errors information on this file cannot be shown unit Stack unit Range 1 8 Defaul...

Page 420: ...d for a description of the file information displayed by this command Console whichboot File name File type Startup Size byte Unit1 IC40240_480F_DIAG_V1 1 0 1 BIX Boot Rom Image Y 1595976 IC40240_480F FLF 38_V1 1 0 2 BIX Operation Code Y 4973264 startup1 cfg Config File Y 3653 Console 23 15 Console dir File name File type Startup Size byte File Management Commands File information is shown below T...

Page 421: ...eration code filename Name of configuration file or code image unit Stack unit Range 1 8 The colon is required Default Setting None Command Mode Global Configuration Command Usage A colon is required after the specified unit number and file type If the file contains an error it cannot be set as the default file Example Console config boot system config startup Console config Related Commands dir 2...

Page 422: ...n Identifies a specific line for configuration and starts the line configuration mode Enables password checking at login Specifies a password on a line Sets the interval that the system waits for a login attempt Sets the interval that the command interpreter waits until user input is detected Sets the password intrusion threshold which limits the number of failed logon attempts Sets the amount of ...

Page 423: ...on Command Usage There are three authentication modes provided by the switch itself at login login selects authentication by a single global password as specified by the password line configuration command When using this method the management interface starts in Normal Exec NE mode login local selects authentication via the user name and password specified by the username command i e default sett...

Page 424: ...h password protection the system prompts for the password If you enter the correct password the system shows a prompt You can use the password thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state The encrypted password is required for compatibility with legacy password settings i...

Page 425: ... session This command applies to both the local console and Telnet connections The timeout for Telnet cannot be disabled Using the command without specifying a timeout restores the default setting Example To set the timeout to two minutes enter this command Console config line timeout login response 120 Console config line exec timeout This command sets the interval that the system waits until use...

Page 426: ...empts Use the no form to remove the threshold value Syntax password thresh threshold no password thresh threshold The number of allowed password attempts Range 1 120 0 no threshold Default Setting The default value is three attempts Command Mode Line Configuration Command Usage When the logon attempt threshold is reached the system interface becomes silent for a specified amount of time before all...

Page 427: ...s command Console config line silent time 60 Console config line Related Commands password thresh 23 21 databits This command sets the number of data bits per character that are interpreted and generated by the console port Use the no form to restore the default value Syntax databits 7 8 no databits 7 Seven data bits per character 8 Eight data bits per character Default Setting 8 data bits per cha...

Page 428: ...Line Configuration Command Usage Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting Example To specify no parity enter this command Console config line parity none Console config line speed This command sets the terminal line s baud rate This command sets both the transmit to terminal and receive from terminal speeds Use the no form...

Page 429: ...ple To specify 57600 bps enter this command Console config line speed 57600 Console config line stopbits This command sets the number of the stop bits transmitted per byte Use the no form to restore the default setting Syntax stopbits 1 2 1 One stop bit 2 Two stop bits Default Setting 1 stop bit Command Mode Line Configuration Example To specify 2 stop bits enter this command Console config line s...

Page 430: ...meters Syntax show line console vty console Console terminal line vty Virtual terminal for remote console access i e Telnet Default Setting Shows all lines Command Mode Normal Exec Privileged Exec Example To show all lines enter this command Console show line Console configuration Password threshold 3 times Interactive timeout Disabled Login timeout Disabled Silent time Disabled Baudrate auto Data...

Page 431: ...mmands logging history 23 27 logging trap 23 29 clear log 23 29 23 26 Event Logging Commands This section describes commands used to configure event logging on the switch Table 23 8 Event Logging Commands Command logging on logging history logging host logging facility logging trap clear log show logging show log Function Controls logging of error messages Limits syslog messages saved to switch me...

Page 432: ...el no logging history flash ram flash Event history stored in flash memory i e permanent memory ram Event history stored in temporary RAM i e memory flushed on power reset level One of the levels listed below Messages sent include the selected level down to level 0 Range 0 7 Table 23 9 Logging Levels Level 7 6 5 4 3 2 1 0 Severity Name Description debugging Debugging messages informational Informa...

Page 433: ...his command sets the facility type for remote logging of syslog messages Use the no form to return the type to the default Syntax no logging facility type type A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service Range 16 23 Default Setting 23 Command Mode Global Configuration Command Usage The command specifies the facility type tag sen...

Page 434: ...d Mode Global Configuration Command Usage Using this command with a specified level enables remote logging and sets the minimum severity level to be saved Using this command without a specified level also enables remote logging but restores the minimum severity level to the default Example Console config logging trap 4 Console config clear log This command clears messages from the log buffer Synta...

Page 435: ...Privileged Exec Example The following example shows that system logging is enabled the message level for flash memory is errors i e default level 3 0 and the message level for RAM is debugging i e default level 7 0 Console show logging flash Syslog logging Enabled History logging in FLASH level errors Console show logging ram Syslog logging Enabled History logging in RAM level debugging Console Ta...

Page 436: ...e logging trap command The facility type for remote logging of syslog messages as specified in the logging facility command The severity threshold for syslog messages sent to a remote server as specified in the logging trap command The address of syslog servers as specified in the logging host command Event Logging Commands The following example displays settings for the trap function Console show...

Page 437: ... 5 function 1 and event no 1 0 00 01 30 2001 01 01 Unit 1 Port 1 link up notification level 6 module 5 function 1 and event no 1 Console SMTP Alert Commands These commands configure SMTP event handling and forwarding of alert messages to the specified SMTP servers and email recipients Table 23 12 SMTP Alert Commands Command logging sendmail host logging sendmail level logging sendmail source email...

Page 438: ...threshold used to trigger alert messages Syntax logging sendmail level level level One of the system message levels page 23 27 Messages sent include the selected level down to level 0 Range 0 7 Default 7 Default Setting Level 7 Command Mode Global Configuration Command Usage The specified level indicates an event threshold All events at this level or higher will be sent to the configured email rec...

Page 439: ...nt Syntax no logging sendmail destination email email address email address The source email address used in alert messages Range 1 41 characters Default Setting None Command Mode Global Configuration Command Usage You can specify up to five recipients for alert messages However you must enter a separate command to specify each recipient Example Console config logging sendmail destination email te...

Page 440: ...enables the system log to record meaningful dates and times for event entries If the clock is not set the switch will only record the time from the factory default set at the last bootup Table 23 13 Time Commands Command sntp client sntp server sntp poll sntp update time show sntp clock timezone clock timezone predefined Function Mode Page Accepts time from specified time servers Specifies one or ...

Page 441: ...ole config sntp server 10 1 0 19 Console config sntp poll 60 Console config sntp client Console config end Console show sntp Current time Dec 23 02 52 44 2002 Poll interval 60 Current mode unicast SNTP status Enabled SNTP server 137 92 140 80 0 0 0 0 0 0 0 0 Current server 137 92 140 80 Console 23 36 Table 23 13 Time Commands Continued Command Function clock summertime date Configures summer time ...

Page 442: ...om which the switch will poll for time updates when set to SNTP client mode The client will poll the time servers in the order specified until a response is received It issues time synchronization requests based on the interval set via the sntp poll command Example Console config sntp server 10 1 0 19 Console Related Commands sntp client 23 36 sntp poll 23 37 show sntp 23 38 sntp poll This command...

Page 443: ...ow sntp This command displays the current time and configuration settings for the SNTP client and indicates whether or not the local time has been properly updated Command Mode Normal Exec Privileged Exec Command Usage This command displays the current time the poll interval used for sending time synchronization requests and the current SNTP mode i e unicast Example Console show sntp Current time ...

Page 444: ... longitude To display a time corresponding to your local time you must indicate the number of hours and minutes your time zone is east before or west after of UTC Example Console config clock timezone Japan hours 8 minute 0 after UTC Console config Related Commands show sntp 23 38 clock timezone predefined This command uses predefined time zone configurations to set the time zone for the switch s ...

Page 445: ...ar e hour e minute offset no clock summer time name Name of the time zone while summer time is in effect usually an acronym Range 1 30 characters b month The month when summer time will begin Options january february march april may june july august september october november december b day The day summer time will begin Options sunday monday tuesday wednesday thursday friday saturday b year The y...

Page 446: ...al time when summer time is in effect you must indicate the number of minutes your summer time time zone deviates from your regular time zone Example Console config clock summer time DEST date april 1 2007 23 23 april 23 2007 23 23 60 Console config Related Commands show clock 23 43 clock summer time predefined This command configures the summer time daylight savings time status and settings for t...

Page 447: ... daylight and mornings have less This is known as Summer Time or Daylight Savings Time DST Typically clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn This command sets the summer time time relative to the configured time zone To specify the time corresponding to your local time when summer time is in effect select the predefined summer time time zone...

Page 448: ...one in minutes Range 0 99 minutes Default Setting Disabled Command Mode Global Configuration Command Usage In some countries or regions clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less This is known as Summer Time or Daylight Savings Time DST Typically clocks are adjusted forward one hour at the start of spring and then adjusted backward in...

Page 449: ...4 hour format Range 0 23 min Minute Range 0 59 sec Second Range 0 59 day Day of month Range 1 31 month january february march april may june july august september october november december year Year 4 digit Range 2001 2100 Default Setting None Command Mode Privileged Exec Example This example shows how to set the system clock to 15 12 34 February 1st 2002 Console calendar set 15 12 34 february 1 2...

Page 450: ...nd snmp server show snmp snmp server community snmp server contact snmp server location snmp server host snmp server enable traps snmp server engine id show snmp engine id snmp server view show snmp view snmp server group show snmp group snmp server user show snmp user Function Enables the SNMP agent Displays the status of SNMP communications Sets up the community access string to permit access to...

Page 451: ...onsole config snmp server Console config show snmp This command can be used to check the status of SNMP communications Default Setting None Command Mode Normal Exec Privileged Exec Command Usage This command provides information on the community access strings counter information for SNMP input and output protocol data units and whether or not SNMP logging has been enabled with the snmp server ena...

Page 452: ...Trap PDUs SNMP logging disabled Console snmp server community This command defines the SNMP v1 and v2c community access string Use the no form to remove the specified community string Syntax snmp server community string ro rw no snmp server community string string Community string that acts like a password and permits access to the SNMP protocol Maximum length 32 characters case sensitive Maximum ...

Page 453: ...g no snmp server contact string String that describes the system contact information Maximum length 255 characters Default Setting None Command Mode Global Configuration Example Console config snmp server contact Paul Console config Related Commands snmp server location 24 4 snmp server location This command sets the system location string Use the no form to remove the location string Syntax snmp ...

Page 454: ...not acknowledge receipt Range 0 255 Default 3 seconds The number of seconds to wait for an acknowledgment before resending an inform message Range 0 2147483647 centiseconds Default 1500 centiseconds community string Password like community string sent with the notification operation to SNMP V1 and V2c hosts Although you can set this string using the snmp server host command by itself we recommend ...

Page 455: ...nformation is received by the host However note that informs consume more system resources because they must be kept in memory until a response is received Informs also add to network traffic You should consider these effects when deciding whether to issue notifications as traps or informs To send an inform to a SNMPv2c host complete these steps 1 Enable the SNMP agent page 24 2 2 Allow the switch...

Page 456: ...aps authentication link up down authentication Keyword to issue authentication failure notifications link up down Keyword to issue link up or link down notifications Default Setting Issue authentication and link up down traps Command Mode Global Configuration Command Usage If you do not enter an snmp server enable traps command no notifications controlled by this command are sent In order to confi...

Page 457: ... Mode Global Configuration Command Usage An SNMP engine is an independent SNMP agent that resides either on this switch or on a remote device This engine protects against message replay delay and redirection The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets A remote engine ID is required when using SNMPv3 in...

Page 458: ... Command Mode Privileged Exec Example This example shows the default engine ID Console show snmp engine id Local SNMP engineID 8000002a8000000000e8666672 Local SNMP engineBoots 1 Remote SNMP engineID 80000000030004e2b316c54321 Console Table 24 2 show snmp engine id display description IP address 192 168 1 19 Field Description Local SNMP engineID String identifying the engine ID Local SNMP engineBo...

Page 459: ...MIB tree Command Mode Global Configuration Command Usage Views are used in the snmp server group command to restrict user access to specified portions of the MIB tree The predefined view defaultview includes access to the entire MIB tree Examples This view includes MIB 2 Console config snmp server view mib 2 1 3 6 1 2 1 included Console config This view includes the MIB 2 interfaces table ifDescr ...

Page 460: ... This group uses SNMPv3 with authentication no authentication or with authentication and privacy See Simple Network Management Protocol on page 5 1 for further information about these authentication and encryption options readview Defines the view for read access 1 32 characters writeview Defines the view for write access 1 32 characters notifyview Defines the view for notifications 1 32 character...

Page 461: ... page 5 14 Also note that the authentication link up and link down messages are legacy traps and must therefore be enabled in conjunction with the snmp server enable traps command page 24 7 Example Console config snmp server group r d v3 auth write daily Console config show snmp group Four default groups are provided SNMPv1 read only access and read write access and SNMPv2c read only access and re...

Page 462: ...tive Group Name private Security Model v2c Read View defaultview Write View defaultview Notify View none Storage Type volatile Row Status active Console Table 24 4 show snmp group display description Field Description groupname Name of an SNMP group security model The SNMP version readview The associated read view writeview The associated write view notifyview The associated notify view storage ty...

Page 463: ... required priv des56 Uses SNMPv3 with privacy with DES56 encryption priv password Privacy password Enter as plain text if the encrypted option is not used Otherwise enter an encrypted password Default Setting None Command Mode Global Configuration Command Usage The SNMP engine ID is used to compute the authentication privacy digests from the password You should therefore configure the engine ID wi...

Page 464: ...n Protocol md5 Privacy Protocol des56 Storage Type nonvolatile Row Status active SNMP remote user EngineId 80000000030004e2b316c54321 User Name mark Authentication Protocol mdt Privacy Protocol des56 Storage Type nonvolatile Row Status active Console Table 24 5 show snmp user display description Field Description EngineId String identifying the engine ID User Name Name of user connecting to the SN...

Page 465: ...24 24 16 SNMP Commands ...

Page 466: ...hentication methods You can also enable port based authentication for network client access using IEEE 802 1X Table 25 1 Authentication Commands Command Group User Accounts Authentication Sequence RADIUS Client TACACS Client Web Server Settings Telnet Server Settings Secure Shell Settings Port Security Port Authentication Management IP Filter Function Page Configures the basic user names and passw...

Page 467: ...hentication password for the user Maximum length 8 characters plain text 32 encrypted case sensitive Default Setting The default access level is Normal Exec The factory defaults for the user names and passwords are Table 25 3 Default Login Settings username access level password guest 0 guest admin 15 admin Command Mode Global Configuration Command Usage The encrypted password is required for comp...

Page 468: ...crypted case sensitive Default Setting The default is level 15 The default password is super Command Mode Global Configuration Command Usage You cannot set a null password You will have to enter a password to change the command mode from Normal Exec to Privileged Exec with the enable command page 22 1 The encrypted password is required for compatibility with legacy password settings i e plain text...

Page 469: ...vilege level must be configured on the authentication server You can specify three authentication methods in a single command to indicate the authentication sequence For example if you enter authentication login radius tacacs local the user name and password on the RADIUS server is verified first If the RADIUS server is not available then authentication is attempted on the TACACS server If the TAC...

Page 470: ...lso note that RADIUS encrypts only the password in the access request packet from the client to the server while TACACS encrypts the entire body of the packet RADIUS and TACACS logon authentication assigns a specific privilege level for each user name and password pair The user name password and privilege level must be configured on the authentication server You can specify three authentication me...

Page 471: ...5 8 radius server host This command specifies primary and backup RADIUS servers and authentication parameters that apply to each server Use the no form to restore the default values Syntax no radius server index host host_ip_address auth port auth_port key key retransmit retransmit timeout timeout index Allows you to specify up to five servers These servers are queried in sequence until a server r...

Page 472: ...1 65535 Default Setting 1812 Command Mode Global Configuration Example Console config radius server port 181 Console config radius server key This command sets the RADIUS encryption key Use the no form to restore the default Syntax radius server key key_string no radius server key key_string Encryption key used to authenticate logon access for client Do not use blank spaces in the string Maximum l...

Page 473: ...dius server timeout This command sets the interval between transmitting authentication requests to the RADIUS server Use the no form to restore the default Syntax radius server timeout number_of_seconds no radius server timeout number_of_seconds Number of seconds the switch waits for a reply before resending a request Range 1 65535 Default Setting 5 Command Mode Global Configuration Example Consol...

Page 474: ... authentication server contains a database of multiple user name password pairs with associated privilege levels for each user or group that require management access to a switch Table 25 6 TACACS Client Commands Command Function Mode tacacs server host Specifies the TACACS server GC tacacs server port Specifies the TACACS server network port GC tacacs server key Sets the TACACS encryption key GC ...

Page 475: ...ult Setting 49 Command Mode Global Configuration Example Console config tacacs server port 181 Console config tacacs server key This command sets the TACACS encryption key Use the no form to restore the default Syntax tacacs server key key_string no tacacs server key key_string Encryption key used to authenticate logon access for the client Do not use blank spaces in the string Maximum length 48 c...

Page 476: ...ed communications GC 25 12 ip http secure port Specifies the UDP port number for HTTPS GC 25 13 ip http port This command specifies the TCP port number used by the web browser interface Use the no form to use the default port Syntax ip http port port number no ip http port port number The TCP port to be used by the browser interface Range 1 65535 Default Setting 80 Command Mode Global Configuratio...

Page 477: ...d enables the secure hypertext transfer protocol HTTPS over the Secure Socket Layer SSL providing secure access i e an encrypted connection to the switch s web interface Use the no form to disable this function Syntax no ip http secure server Default Setting Enabled Command Mode Global Configuration Command Usage Both HTTP and HTTPS service can be enabled independently on the switch However you ca...

Page 478: ...a Windows 2000 Windows XP Netscape 6 2 or later Windows 98 Windows NT with service pack 6a Windows 2000 Windows XP Solaris 2 6 Mozilla Firefox 2 0 0 0 or later Windows 2000 Windows XP Linux To specify a secure site certificate see Replacing the Default Secure site Certificate on page 6 7 Also refer to the copy command on page 23 11 Example Console config ip http secure server Console config Relate...

Page 479: ...Global Configuration Example Console config ip telnet server Console config ip telnet port 123 Console config 25 14 If you change the HTTPS port number clients attempting to connect to the HTTPS server must specify the port number in the URL in this format https device port_number Example Console config ip http secure port 1000 Console config Related Commands ip http secure server 25 12 Telnet Ser...

Page 480: ... 2 0 clients Table 25 10 Secure Shell Commands Command ip ssh server ip ssh timeout ip ssh authentication retries ip ssh server key size copy tftp public key delete public key ip ssh crypto host key generate ip ssh crypto zeroize ip ssh save host key disconnect show ip ssh show ssh show public key show users Function Enables the SSH server on the switch Specifies the authentication timeout for the...

Page 481: ...blic key files based on standard UNIX format as shown in the following example for an RSA key 1024 35 1341081685609893921040944920155425347631641921872958921143173880 05553616163105177594083868631109291232226828519254374603100937187721199 69631781366277414168985132049117204830339254324101637997592371449011938 00609025394840848271781943722884025331159521348610229029789827213532671 31629432532818915...

Page 482: ...e switch it notifies the client to proceed with the authentication process Otherwise it rejects the request c The client sends a signature generated using the private key to the switch d When the server receives this message it checks whether the supplied key is acceptable for authentication and if so it then checks whether the signature is correct If both checks succeed the client is authenticate...

Page 483: ...ds The timeout for client response during SSH negotiation Range 1 120 Default Setting 10 seconds Command Mode Global Configuration Command Usage The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase Once an SSH session has been established the timeout for user input is controlled by the exec timeout command for vty sessions Example ...

Page 484: ...onfig ip ssh authentication retires 2 Console config Related Commands show ip ssh 25 22 ip ssh server key size This command sets the SSH server key size Use the no form to restore the default setting Syntax ip ssh server key size key size no ip ssh server key size key size The size of server key Range 512 896 bits Default Setting 768 bits Command Mode Global Configuration Command Usage The server ...

Page 485: ...Setting Generates both the DSA and RSA key pairs Command Mode Privileged Exec Command Usage The switch uses only RSA Version 1 for SSHv1 5 clients and DSA Version 2 for SSHv2 clients This command stores the host key pair in memory i e RAM Use the ip ssh save host key command to save the host key pair to flash memory Some SSH client programs automatically add the public key to the known hosts file ...

Page 486: ...ry RAM Use the no ip ssh save host key command to clear the host key from flash memory The SSH server must be disabled before you can execute this command Example Console ip ssh crypto zeroize dsa Console Related Commands ip ssh crypto host key generate 25 20 ip ssh save host key 25 21 no ip ssh server 25 17 ip ssh save host key This command saves the host key from RAM to flash memory Syntax ip ss...

Page 487: ...ommand displays the current SSH server connections Command Mode Privileged Exec Example Console show ssh Connection Version State 0 2 0 Session Started Console Username Encryption admin ctos aes128 cbc hmac md5 stoc aes128 cbc hmac md5 Table 25 11 show ssh display description Field Description Session The session number Range 0 3 Version The Secure Shell version number State The authentication neg...

Page 488: ... chaining sha1 Secure Hash Algorithm 1 160 bit hashes md5 Message Digest algorithm number 5 128 bit hashes show public key This command shows the public key for the specified user or for the host Syntax show public key user username host username Name of an SSH user Range 1 8 characters Default Setting Shows all public keys Command Mode Privileged Exec Command Usage If no parameters are entered al...

Page 489: ...qdTlYmGA7fHGm8ARGeiG4ssFKy4Z6DmYPXFum1Yg0fhLwuHpOSKdxT3kk475S7 w0W Console Port Security Commands These commands can be used to enable port security on a port When using port security the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number Only incoming traffic with source addresses already stored in the dynamic or static address table for ...

Page 490: ... with this command the switch first clears all dynamically learned entries from the address table It then starts learning new MAC addresses on the specified port and stops learning addresses when it reaches a configured maximum number Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted First use the port security max mac count command ...

Page 491: ...out quiet period dot1x timeout re authperiod dot1x timeout tx period show dot1x 25 26 Function Enables dot1x globally on the switch Resets all dot1x parameters to their default values Sets the maximum number of times that the switch retransmits an EAP request identity packet to the client before it times out the authentication session Sets dot1x mode for a port interface Allows single or multiple ...

Page 492: ...default values Command Mode Global Configuration Example Console config dot1x default Console config dot1x max req This command sets the maximum number of times the switch port will retransmit an EAP request identity packet to the client before it times out the authentication session Use the no form to restore the default Syntax dot1x max req count no dot1x max req count The maximum number of requ...

Page 493: ...chanisms can be applied 802 1X port authentication cannot be configured on trunk ports In other words a static trunk or dynamically configured trunk cannot be set to auto or force unauthorized mode When 802 1X authentication is enabled on a port the MAC address learning function for this interface is disabled and the addresses dynamically learned on this port are removed Authenticated MAC addresse...

Page 494: ... connect to this port with each host needing to be authenticated Default Single host Command Mode Interface Configuration Command Usage The max count parameter specified by this command is only effective if the dot1x mode is set to auto by the dot1x port control command page 4 105 In multi host mode only one host connected to a port needs to pass authentication for all other hosts to be granted ne...

Page 495: ...sole dot1x re authentication This command enables periodic re authentication for a specified port Use the no form to disable re authentication Syntax no dot1x re authentication Command Mode Interface Configuration Command Usage The re authentication process verifies the connected client s user ID and password on the RADIUS server During re authentication the client remains connected the network an...

Page 496: ...nds Command Mode Interface Configuration Example Console config interface eth 1 2 Console config if dot1x timeout quiet period 350 Console config if dot1x timeout re authperiod This command sets the time period after which a connected client must be re authenticated Syntax dot1x timeout re authperiod seconds no dot1x timeout re authperiod seconds The number of seconds Range 1 65535 Default 3600 se...

Page 497: ...fic interface Syntax show dot1x statistics interface interface statistics Displays dot1x status for each port interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 Command Mode Privileged Exec Command Usage This command displays the following information Global 802 1X Parameters Shows whether or not 802 1X port authentication is globally enabled on the switch 802 1X...

Page 498: ...an connect to an 802 1X authorized port Max Count The maximum number of hosts allowed to access this port page 25 29 Port control Shows the dot1x mode on a port as auto force authorized or force unauthorized page 25 28 Supplicant MAC address of authorized client Current Identifier The integer 0 255 used by the Authenticator to identify the current authentication session Authenticator State Machine...

Page 499: ...uth Count 0 Backend State Machine State Idle Request Count 0 Identifier Server 2 Reauthentication State Machine State Initialize Console 25 34 Console show dot1x Global 802 1X Parameters system auth control enable 802 1X Port Summary Port Name Status Operation Mode 1 1 disabled Single Host 1 2 disabled Single Host Mode Authorized ForceAuthorized n a ForceAuthorized n a ForceAuthorized yes Auto yes...

Page 500: ...ddress or the starting address of a range end address The end address of a range Default Setting All addresses Command Mode Global Configuration Command Usage If anyone tries to access a management interface on the switch from an invalid address the switch will reject the connection enter an event message in the system log and send a trap message to the trap manager IP address can be configured fo...

Page 501: ...ess es to the SNMP web and Telnet groups http client Adds IP address es to the web group snmp client Adds IP address es to the SNMP group telnet client Adds IP address es to the Telnet group Command Mode Privileged Exec Example Console show management all client Management Ip Filter HTTP Client Start IP address End IP address 1 192 168 1 19 192 168 1 19 2 192 168 1 25 192 168 1 30 SNMP Client Star...

Page 502: ...rmation Displays ACLs and associated rules shows ACLs assigned to each port Page 26 1 26 7 26 12 26 16 IPv4 ACLs The commands in this section configure ACLs based on IPv4 addresses TCP UDP port number protocol type and TCP control code To configure IPv4 ACLs first create an access list containing the required permit or deny rules and then bind the access list to one or more ports Table 26 2 IPv4 A...

Page 503: ...o add new rules to the bottom of the list To create an ACL you must add at least one rule to the list To remove a rule use the no permit or no deny command followed by the exact text of a previously configured rule An ACL can contain up to 32 rules Example Console config access list ip standard david Console config std acl Related Commands permit deny 26 2 ip access group 26 6 show ip access list ...

Page 504: ...ccess list ip 26 2 permit deny Extended IPv4 ACL This command adds a rule to an Extended IPv4 ACL The rule sets a filter condition for packets with specific source or destination IP addresses protocol types source or destination protocol ports or TCP control codes Use the no form to remove a rule Syntax no permit deny protocol number udp any source address bitmask host source any destination addre...

Page 505: ...atch and 0 bits to indicate ignore The bitmask is bitwise ANDed with the specified source IP address and then compared with the address for each IP packet entering the port s to which this ACL has been assigned You can specify both Precedence and ToS in the same rule However if DSCP is used then neither Precedence nor ToS can be specified The control code bitmask is a decimal number representing a...

Page 506: ...ig ext acl This permits all TCP packets from class C addresses 192 168 1 0 with the TCP control code set to SYN Console config ext acl permit tcp 192 168 1 0 255 255 255 0 any control flag 2 2 Console config ext acl Related Commands access list ip 26 2 show ip access list This command displays the rules for configured IPv4 ACLs Syntax show ip access list standard extended acl_name standard Specifi...

Page 507: ...ACL If a port is already bound to an ACL and you bind it to a different ACL the switch will replace the old binding with the new one Example Console config int eth 1 2 Console config if ip access group standard david in Console config if Related Commands show ip access list 26 5 show ip access group This command shows the ports assigned to IPv4 ACLs Command Mode Privileged Exec Example Console sho...

Page 508: ... no deny command followed by the exact text of a previously configured rule An ACL can contain up to 32 rules 26 7 Mode Page IPv6 ACLs The commands in this section configure ACLs based on IPv6 addresses next header type and flow label To configure IPv6 ACLs first create an access list containing the required permit or deny rules and then bind the access list to one or more ports Table 26 3 IPv6 AC...

Page 509: ...lues One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields prefix length A decimal value indicating how many contiguous bits from the left of the address comprise the prefix i e the network portion of the address host Keyword followed by a specific IP address Default Setting None Command Mode Standard IPv6 ACL Command Usage Ne...

Page 510: ...y level Range 0 63 flow label A label for packets belonging to a particular traffic flow for which the sender requests special handling by IPv6 routers such as non default quality of service or real time service see RFC 2460 Range 0 16777215 next header Identifies the type of header immediately following the IPv6 header Range 0 255 Default Setting None Command Mode Extended IPv6 ACL Command Usage ...

Page 511: ...Pv4 Protocol field in RFC 1700 including these commonly used headers 0 Hop by Hop Options RFC 2460 6 TCP Upper layer Header RFC 1700 17 UDP Upper layer Header RFC 1700 43 Routing RFC 2460 44 Fragment RFC 2460 51 Authentication RFC 2402 50 Encapsulating Security Payload RFC 2406 60 Destination Options RFC 2460 Example This example accepts any incoming packets if the destination address is 2009 DB9 ...

Page 512: ...cess group 26 11 ipv6 access group This command binds a port to an IPv6 ACL Use the no form to remove the port Syntax no ipv6 access group acl_name in acl_name Name of the ACL Maximum length 16 characters in Indicates that this list applies to ingress packets Default Setting None Command Mode Interface Configuration Ethernet Command Usage A port can only be bound to one ACL If a port is already bo...

Page 513: ...r more ports Table 26 4 MAC ACL Commands Command Function access list mac Creates a MAC ACL and enters configuration mode permit deny Filters packets matching a specified source and destination address packet format and Ethernet type show mac access list Displays the rules for configured MAC ACLs mac access group Adds a port to a MAC ACL show mac access group Shows port assignments for MAC ACLs Mo...

Page 514: ...ckets matching a specified MAC source or destination address i e physical layer address or Ethernet protocol type Use the no form to remove a rule Syntax no permit deny any host source source address bitmask any host destination destination address bitmask vid vid vid bitmask ethertype protocol protocol bitmask Note The default is for Ethernet II packets no permit deny tagged eth2 any host source ...

Page 515: ...fic Ethernet protocol number Range 600 fff hex protocol bitmask 27 Protocol bitmask Range 600 fff hex Default Setting None Command Mode MAC ACL Command Usage New rules are added to the end of the list The ethertype option can only be used to filter Ethernet II formatted packets A detailed listing of Ethernet protocol types can be found in RFC 1060 A few of the more common types include the followi...

Page 516: ... to a MAC ACL Use the no form to remove the port Syntax mac access group acl_name in acl_name Name of the ACL Maximum length 16 characters in Indicates that this list applies to ingress packets Default Setting None Command Mode Interface Configuration Ethernet Command Usage A port can only be bound to one ACL If a port is already bound to an ACL and you bind it to a different ACL the switch will r...

Page 517: ... ACLs assigned to each port show access list This command shows all IPv4 ACLs and associated rules Command Mode Privileged Exec Example Console show access list IP standard access list david permit host 10 1 1 21 permit 168 92 0 0 255 255 15 0 IP extended access list bob Mode Page PE 26 16 PE 26 17 permit 10 7 1 1 255 255 255 0 any permit 192 168 1 0 255 255 255 0 any destination port 80 80 permit...

Page 518: ...ccess group This command shows the port assignments of IPv4 ACLs Command Mode Privileged Executive Example Console show access group Interface ethernet 1 2 IP standard access list david MAC access list jerry Console 26 26 17 ...

Page 519: ...26 26 18 Access Control List Commands ...

Page 520: ... interfaces status show interfaces counters show interfaces switchport Function Configures an interface type and enters interface configuration mode Adds a description to an interface configuration Configures the speed and duplex operation of a given interface when autonegotiation is disabled Enables autonegotiation of a given interface Advertises the capabilities of a given interface for use in a...

Page 521: ...is attached to this interface Range 1 64 characters Default Setting None Command Mode Interface Configuration Ethernet Port Channel Command Usage The description is displayed by the show interfaces status command page 27 9 and in the running configuration file An example of the value which a network manager might store in this object is the name of the manufacturer and the product name Example The...

Page 522: ...mand Usage The 1000BASE T and 10GBASE T standards do not support forced mode Auto negotiation should always be used to establish a connection over any 1000BASE T or 10GBASE T port or trunk If not used the success of the link process cannot be guaranteed when connecting to other types of switches To force operation to the speed and duplex mode specified in a speed duplex command use the no negotiat...

Page 523: ...iation is disabled auto MDI MDI X pin signal configuration will also be disabled for the RJ 45 ports Example The following example configures port 11 to use autonegotiation Console config interface ethernet 1 11 Console config if negotiation Console config if Related Commands capabilities 27 4 speed duplex 27 3 capabilities This command advertises the port capabilities of a given interface during ...

Page 524: ...should always be used to establish a connection over any 1000BASE T or 10GBASE T port or trunk When auto negotiation is enabled with the negotiation command the switch will negotiate the best settings for a link based on the capabilites command When auto negotiation is disabled you must manually specify the link attributes with the speed duplex and flowcontrol commands Example The following exampl...

Page 525: ...lowcontrol must be included in the capabilities list for any port Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub Example The following example enables flow control on port 5 Console config interface ethernet 1 5 Console config if flowc...

Page 526: ...is command allows you to disable a port due to abnormal behavior e g excessive collisions and then reenable it after the problem has been resolved You may also want to disable a port for security reasons Example The following example disables port 5 Console config interface ethernet 1 5 Console config if shutdown Console config if switchport broadcast packet rate This command configures broadcast ...

Page 527: ...n an interface Syntax clear counters interface interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 Default Setting None Command Mode Privileged Exec Command Usage Statistics are only initialized for a power reset This command sets the base value for displayed statistics to zero for the current management session However if you lo...

Page 528: ...aying Connection Status on page 8 1 Example Console show interfaces status ethernet 1 5 Information of Eth 1 5 Basic Information Port Type Mac Address Configuration Name Port Admin Speed duplex Capabilities Broadcast Storm Broadcast Storm Limit Flow Control LACP Port Security Max MAC Count Port Security Action Media Type Current status 1000T 12 34 12 34 12 49 Up Auto 10half 10full 100half 100full ...

Page 529: ...t 0 Error Output 0 Unknown Protos Input 0 QLen Output 0 Extended iftable Stats Multi cast input 0 Multi cast output 3064 Broadcast input 262 Broadcast output 1 Ether like Stats Alignment Errors 0 FCS Errors 0 Single Collision Frames 0 Multiple Collision Frames 0 SQE Test Errors 0 Deferred Transmissions 0 Late Collisions 0 Excessive Collisions 0 Internal Mac Transmit Errors 0 Internal Mac Receive E...

Page 530: ...1000M bits per second Egress Rate Limit Disable 1000M bits per second VLAN Membership Mode Hybrid Ingress Rule Disabled Acceptable Frame Type All frames Native VLAN 1 Priority for Untagged Traffic 0 GVRP Status Disabled Allowed VLAN 1 u Forbidden VLAN 802 1Q tunnel Status Disable 802 1Q tunnel Mode NORMAL 802 1Q tunnel TPID 8100 Hex Console Table 27 2 show interfaces switchport display description...

Page 531: ...priority for untagged frames page 35 3 Shows if GARP VLAN Registration Protocol is enabled or disabled page 34 3 Shows the VLANs this interface has joined where u indicates untagged and t indicates tagged page 34 11 Shows the VLANs this interface can not dynamically join via GVRP page 34 12 Shows if 802 1Q tunnel is enabled on this interface page 34 15 Shows the tunnel mode as Normal 802 1Q Tunnel...

Page 532: ...his switch and another network device For static trunks the switches have to comply with the Cisco EtherChannel standard For dynamic trunks the switches have to comply with LACP This switch supports up to 12 trunks and up to 32 for the stack For example a trunk consisting of two 1000 Mbps ports can support an aggregate bandwidth of 4 Gbps when operating at full duplex Table 28 1 Link Aggregation C...

Page 533: ...ort to be allowed to join a channel group If a link goes down LACP port priority is used to select the backup link channel group This command adds a port to a trunk Use the no form to remove a port from a trunk Syntax channel group channel id no channel group channel id Trunk index Range 1 32 Default Setting The current port will be added to this trunk Command Mode Interface Configuration Ethernet...

Page 534: ...he additional ports will be placed in standby mode and will only be enabled if one of the active links fails Example The following shows LACP enabled on ports 10 12 Because LACP has also been enabled on the ports at the other end of the links the show interfaces status port channel 1 command shows that Trunk1 has been established Console config interface ethernet 1 10 Console config if lacp Consol...

Page 535: ...ations Range 0 65535 Default Setting 32768 Command Mode Interface Configuration Ethernet Command Usage Port must be configured with the same system priority to join the same LAG System priority is combined with the switch s MAC address to form the LAG identifier This identifier is used to indicate a specific LAG during LACP negotiations with other systems Once the remote side of a link has been es...

Page 536: ...t admin key matches and 3 the LACP port channel key matches if configured If the port channel admin key lacp admin key Port Channel is not set when a channel group is formed i e it has the null value of 0 this key is set to the same value as the port admin key lacp admin key Ethernet Interface used by the interfaces that joined the group Once the remote side of a link has been established LACP ope...

Page 537: ...admin key Port Channel is not set when a channel group is formed i e it has the null value of 0 this key is set to the same value as the port admin key lacp admin key Ethernet Interface used by the interfaces that joined the group Note that when the LAG is no longer used the port channel admin key is reset to 0 Example Console config interface port channel 1 Console config if lacp admin key 3 Cons...

Page 538: ...dministrative state not its operational state and will only take effect the next time an aggregate link is established with the partner Example Console config interface ethernet 1 5 Console config if lacp actor port priority 128 show lacp This command displays LACP information Syntax show lacp port channel counters internal neighbors sys id port channel Local identifier for a link aggregation grou...

Page 539: ...llegal value of Protocol Subtype Console show lacp 1 internal Port Channel 1 Oper Key 3 Admin Key 0 Eth 1 1 LACPDUs Internal 30 seconds LACP System Priority 32768 LACP Port Priority 32768 Admin Key 3 Oper Key 3 Console show lacp 1 counters Port Channel 1 Eth 1 2 LACPDUs Sent 12 LACPDUs Receive 6 Marker Sent 0 Marker Receive 0 LACPDUs Unknown Pkts 0 LACPDUs Illegal Pkts 0 Field Oper Key Admin Key L...

Page 540: ... Group is consistent with the System ID and operational Key information transmitted Aggregation The system considers this link to be aggregatable i e a potential candidate for aggregation Long timeout Periodic transmission of LACPDUs uses a slow transmission rate LACP Activity Activity control value with regard to this link 0 Passive 1 Active Console show lacp 1 neighbors Port Channel 1 neighbors ...

Page 541: ...tional values of the partner s state parameters See preceding table Console show lacp sysid Port Channel System Priority System MAC Address 1 32768 00 30 F1 8F 2C A7 2 32768 00 30 F1 8F 2C A7 3 32768 00 30 F1 8F 2C A7 4 32768 00 30 F1 8F 2C A7 5 32768 00 30 F1 8F 2C A7 6 32768 00 30 F1 8F 2C A7 7 32768 00 30 F1 D4 73 A0 8 32768 00 30 F1 D4 73 A0 9 32768 00 30 F1 D4 73 A0 10 32768 00 30 F1 D4 73 A0...

Page 542: ...or real time analysis You can then attach a logic analyzer or RMON probe to the destination port and study the traffic crossing the source port in a completely unobtrusive manner The destination port is set by specifying an Ethernet interface The mirror port and monitor port speeds should match otherwise traffic may be dropped from the monitor port You can create multiple mirror sessions but all s...

Page 543: ...1 8 port Port number Range 1 26 50 Default Setting Shows all sessions Command Mode Privileged Exec Command Usage This command displays the currently configured source port destination port and mirror mode i e RX TX RX TX Example The following shows mirroring configured from port 6 to port 11 Console config interface ethernet 1 11 Console config if port monitor ethernet 1 6 Console config if end Co...

Page 544: ...Mode Page rate limit Configures the maximum input or output rate for a port IC 30 1 rate limit This command defines the rate limit for a specific interface Use this command without specifying a rate to restore the default rate Use the no form to restore the default status of disabled Syntax rate limit input output rate no rate limit input output input Input rate output Output rate rate Maximum val...

Page 545: ...30 30 2 Rate Limit Commands ...

Page 546: ...c addresses are defined The default mode is permanent Command Mode Global Configuration 31 1 Command mac address table static clear mac address table dynamic show mac address table mac address table aging time show mac address table aging time Chapter 31 Address Table Commands These commands are used to configure the address table for filtering specified addresses displaying current entries cleari...

Page 547: ...will be ignored and will not be written to the address table A static address cannot be learned on another port until the address is removed with the no form of this command Example Console config mac address table static 00 e0 29 94 34 de interface ethernet 1 1 vlan 1 delete on reset Console config Related Commands ipv6 neighbor 41 26 clear mac address table dynamic This command removes any learn...

Page 548: ...h interface Note that the Type field may include the following types Learned Dynamic address entries Permanent Static entry Delete on reset Static entry to be deleted when system is reset The mask should be hexadecimal numbers representing an equivalent bit mask in the form xx xx xx xx xx xx that is applied to the specified MAC address Enter hexadecimal numbers where an equivalent binary bit 0 mea...

Page 549: ...g Default Setting 300 seconds Command Mode Global Configuration Command Usage The aging time is used to age out dynamically learned forwarding information Example Console config mac address table aging time 100 Console config show mac address table aging time This command shows the aging time for entries in the address table Default Setting None Command Mode Privileged Exec Example Console show ma...

Page 550: ...dvertise its system system capabilities capabilities lldp basic tlv Configures an LLDP enabled port to advertise the system system description description lldp basic tlv Configures an LLDP enabled port to advertise its system system name name lldp dot1 tlv Configures an LLDP enabled port to advertise the supported proto ident protocols lldp dot1 tlv Configures an LLDP enabled port to advertise por...

Page 551: ...ons Configures an LLDP enabled port to advertise its maximum frame size Configures an LLDP enabled port to advertise its Power over Ethernet capabilities Shows LLDP configuration settings for all ports Shows LLDP global and interface specific configuration settings for this device Shows LLDP global and interface specific configuration settings for remote devices Shows statistical counters for all ...

Page 552: ...he receiving LLDP agent how long to retain all information pertaining to the sending LLDP agent if it does not transmit updates in a timely manner Example Console config lldp holdtime multiplier 10 Console config lldp notification interval This command configures the allowed interval for sending SNMP notifications about LLDP MIB changes Use the no form to restore the default setting Syntax lldp no...

Page 553: ...nts missed due to throttling or transmission loss Example Console config lldp notification interval 30 Console config lldp refresh interval This command configures the periodic transmit interval for LLDP advertisements Use the no form to restore the default setting Syntax lldp refresh interval seconds no lldp refresh delay seconds Specifies the periodic interval at which LLDP advertisements are se...

Page 554: ...he remote systems LLDP MIB associated with this port is deleted Example Console config lldp reinit delay 10 Console config lldp tx delay This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables Use the no form to restore the default setting Syntax lldp tx delay seconds no lldp tx delay seconds Specifies the transmit del...

Page 555: ...ly tx only tx rx no lldp admin status rx only Only receive LLDP PDUs tx only Only transmit LLDP PDUs tx rx Both transmit and receive LLDP Protocol Data Units PDUs Default Setting tx rx Command Mode Interface Configuration Ethernet Port Channel Example Console config interface ethernet 1 1 Console config if lldp admin status rx only Console config if lldp notification This command enables the trans...

Page 556: ...ss This command configures an LLDP enabled port to advertise the management address for this device Use the no form to disable this feature Syntax no lldp basic tlv management ip address Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage The management address protocol packet includes the IPv4 address of the switch If no management address is available...

Page 557: ...ture Syntax no lldp basic tlv port description Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage The port description is taken from the ifDescr object in RFC 2863 which includes information about the manufacturer the product name and the version of the interface hardware software Example Console config interface ethernet 1 1 Console config if lldp bas...

Page 558: ...on Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage The system description is taken from the sysDescr object in RFC 3418 which includes the full name and version identification of the system s hardware type software operating system and networking software Example Console config interface ethernet 1 1 Console config if lldp basic tlv system descripti...

Page 559: ...le this feature Syntax no lldp dot1 tlv proto ident Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This option advertises the protocols that are accessible through this interface Example Console config interface ethernet 1 1 Console config if no lldp dot1 tlv proto ident Console config if lldp dot1 tlv proto vid This command configures an LLDP enab...

Page 560: ...ldp dot1 tlv pvid Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage The port s default VLAN identifier PVID indicates the VLAN with which untagged or priority tagged frames are associated see switchport native vlan on page 34 10 Example Console config interface ethernet 1 1 Console config if no lldp dot1 tlv pvid Console config if lldp dot1 tlv vlan n...

Page 561: ...lv link agg Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This option advertises link aggregation capabilities aggregation status of the link and the 802 3 aggregated port identifier if this interface is currently a link aggregation member Example Console config interface ethernet 1 1 Console config if no lldp dot3 tlv link agg Console config if l...

Page 562: ...ax no lldp dot3 tlv max frame Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage Refer to Frame Size Commands on page 23 9 for information on configuring the maximum frame size for this switch Example Console config interface ethernet 1 1 Console config if lldp dot3 tlv max frame Console config if lldp dot3 tlv poe This command configures an LLDP enabl...

Page 563: ... for all ports Syntax show lldp config detail interface detail Shows configuration summary interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 Command Mode Privileged Exec Example Console show lldp config LLDP Global Configuation LLDP Enable Yes LLDP Transmit interval 30 LLDP Hold Time Multiplier 4 LLDP Delay Interval 2 LLDP Rein...

Page 564: ... name proto vlan proto ident 802 3 specific TLVs Advertised mac phy poe link agg max frame Console show lldp info local device This command shows LLDP global and interface specific configuration settings for this device Syntax show lldp info local device detail interface detail Shows detailed information interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port cha...

Page 565: ... id Range 1 32 Command Mode Privileged Exec 32 16 Console show lldp info local device LLDP Local System Information Chassis Type MAC Address Chassis ID 00 01 02 03 04 05 System Name System Description 24 48 port 10 100 1000 Stackable Managed Switch with 2 X 10G uplinks System Capabilities Support Bridge Router System Capabilities Enable Bridge Router Management Address 192 168 0 2 IPv4 LLDP Port I...

Page 566: ...it 1 port 1 SystemCapSupported Bridge Router SystemCapEnabled Bridge Router Remote Management Address 192 168 0 5 IPv4 Remote Port VID 1 Remote Port Protocol VLAN VLAN 1 supported disabled Remote VLAN Name VLAN 1 DefaultVlan Remote Protocol Identity Hex 88 CC Remote MAC PHY configuration status Remote port auto neg supported Yes Remote port auto neg enabled Yes Remote port auto neg advertised cap ...

Page 567: ... show lldp info statistics LLDP Device Statistics Neighbor Entries List Last Updated 2450279 seconds New Neighbor Entries Count 1 Neighbor Entries Deleted Count 0 Neighbor Entries Dropped Count 0 Neighbor Entries Ageout Count 0 Port NumFramesRecvd NumFramesSent NumFramesDiscarded 1 0 20 0 2 13 13 0 3 2 2 0 4 0 0 0 5 0 0 0 LLDP Commands 32 switch show lldp info statistics detail ethernet 1 1 LLDP P...

Page 568: ... tree cost spanning tree port priority spanning tree edge port spanning tree portfast spanning tree link type spanning tree mst cost spanning tree mst port priority spanning tree protocol migration Function Enables the spanning tree protocol Configures STP RSTP or MSTP mode Configures the spanning tree bridge forward time Configures the spanning tree bridge he lo time Configures the spanning tree ...

Page 569: ...hen a primary link goes down Example This example shows how to enable the Spanning Tree Algorithm for the switch Console config spanning tree Console config spanning tree mode This command selects the spanning tree mode for this switch Use the no form to restore the default Syntax spanning tree mode stp rstp mstp no spanning tree mode stp Spanning Tree Protocol IEEE 802 1D rstp Rapid Spanning Tree...

Page 570: ...the switch assumes it is connected to an 802 1D bridge and starts using only 802 1D BPDUs RSTP Mode If RSTP is using 802 1D BPDUs on a port and receives an RSTP BPDU after the migration delay expires RSTP restarts the migration delay timer and begins using RSTP BPDUs on that port Multiple Spanning Tree Protocol To allow multiple spanning trees to operate over the network you must configure a relat...

Page 571: ...ut topology changes before it starts to forward frames In addition each port needs time to listen for conflicting information that would make it return to the discarding state otherwise temporary data loops might result Example Console config spanning tree forward time 20 Console config spanning tree hello time This command configures the spanning tree bridge hello time globally for this switch Us...

Page 572: ...lt Setting 20 seconds Command Mode Global Configuration Command Usage This command sets the maximum time in seconds a device can wait without receiving a configuration message before attempting to reconfigure All device ports except for designated ports should receive configuration messages at regular intervals Any port that ages out STA information provided in the last configuration message becom...

Page 573: ...he STA root device However if all devices have the same priority the device with the lowest MAC address will then become the root device Example Console config spanning tree priority 40000 Console config spanning tree pathcost method This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree Use the no form to restore the default Syntax spanning tree pathc...

Page 574: ...orm to restore the default Syntax spanning tree transmission limit count no spanning tree transmission limit count The transmission limit in seconds Range 1 10 Default Setting 3 Command Mode Global Configuration Command Usage This command limits the maximum transmission rate for BPDUs Example Console config spanning tree transmission limit 4 Console config spanning tree mst configuration This comm...

Page 575: ...etwork thereby balancing the traffic load preventing wide scale disruption when a bridge node in a single instance fails and allowing for faster convergence of a new topology for the failed instance By default all VLANs are assigned to the Internal Spanning Tree MSTI 0 that connects all bridges and LANs within the MST region This switch supports up to 58 instances You should try to group VLANs whi...

Page 576: ... alternate bridge of the specified instance The device with the highest priority i e lowest numerical value becomes the MSTI root device However if all devices have the same priority the device with the lowest MAC address will then become the root device You can set this switch to act as the MSTI root device by specifying a priority of 0 or as the MSTI alternate device by specifying a priority of ...

Page 577: ...or this multiple spanning tree configuration of this switch Use the no form to restore the default Syntax revision number number Revision number of the spanning tree Range 0 65535 Default Setting 0 Command Mode MST Configuration Command Usage The MST region name page 33 9 and revision number are used to designate a unique MST region A bridge i e spanning tree compliant device such as this switch c...

Page 578: ...p count to specify the maximum number of bridges that will propagate a BPDU Each bridge decrements the hop count by one before passing on the BPDU When the hop count reaches zero the message is dropped Example Console config mstp max hops 30 Console config mstp spanning tree spanning disabled This command disables the spanning tree algorithm for the specified interface Use the no form to reenable ...

Page 579: ... used to indicate auto configuration mode When the short path cost method is selected and the default path cost recommended by the IEEE 8021D 2004 standard exceeds 65 535 the default is set to 65 535 Table 33 3 Default STA Path Costs Port Type Short Path Cost Long Path Cost IEEE 802 1D 1998 802 1D 2004 Gigabit Ethernet 10 000 10 000 10G Ethernet 1 000 1 000 Command Mode Interface Configuration Eth...

Page 580: ... in the Spanning Tree Algorithm If the path cost for all ports on a switch are the same the port with the highest priority that is lowest value will be configured as an active link in the spanning tree Where more than one port is assigned the highest priority the port with lowest numeric identifier will be enabled Example Console config interface ethernet 1 5 Console config if spanning tree port p...

Page 581: ...hernet ethernet 1 5 Console config if spanning tree edge port Console config if Related Commands spanning tree portfast 33 14 spanning tree portfast This command sets an interface to fast forwarding Use the no form to disable fast forwarding Syntax no spanning tree portfast Default Setting Disabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This command is used to ena...

Page 582: ... point Point to point link shared Shared medium Default Setting auto Command Mode Interface Configuration Ethernet Port Channel Command Usage Specify a point to point link if the interface can only be connected to exactly one other bridge or a shared link if it can be connected to two or more bridges When automatic detection is selected the switch derives the link type from the duplex mode A full ...

Page 583: ... method is selected and the default path cost recommended by the IEEE 8021D 2004 standard exceeds 65 535 the default is set to 65 535 The default path costs are listed in Table 33 3 on page 33 12 Command Mode Interface Configuration Ethernet Port Channel Command Usage Each spanning tree instance is associated with a unique set of VLAN IDs This command is used by the multiple spanning tree algorith...

Page 584: ...e If the path cost for all interfaces on a switch are the same the interface with the highest priority that is lowest value will be configured as an active link in the spanning tree Where more than one interface is assigned the highest priority the interface with lowest numeric identifier will be enabled Example Console config interface ethernet ethernet 1 5 Console config if spanning tree mst 1 p...

Page 585: ...it port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 instance_id Instance identifier of the multiple spanning tree Range 0 4094 no leading zeroes Default Setting None Command Mode Privileged Exec Command Usage Use the show spanning tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree CS...

Page 586: ...0 Current Root Port 2 Current Root Cost 10000 Number of Topology Changes 2 Last Topology Change Time sec 4100 Transmission Limit 3 Path Cost Method Long Eth 1 1 information Admin Status Enabled Role root State forwarding External Admin Path Cost 0 Internal Admin Path Cost 0 External Oper Path Cost 10000 Internal Oper Path Cost 10000 Priority 128 Designated Cost 0 Designated Port 128 1 Designated R...

Page 587: ...nfiguration of the multiple spanning tree Command Mode Privileged Exec Example Console show spanning tree mst configuration Mstp Configuration Information Configuration Name R D Revision level 0 Instance VLANs 0 1 Console 33 20 1 3 4093 2 Spanning Tree Commands 33 ...

Page 588: ...nneling Configures private VLANs including uplink and downlink ports Configures protocol based VLANs based on frame type and protocol Page 34 1 34 5 34 7 34 12 34 14 34 18 34 20 GVRP and Bridge Extension Commands GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network This section descr...

Page 589: ...e config bridge ext gvrp Console config show bridge ext This command shows the configuration for bridge extension commands Default Setting None Command Mode Privileged Exec Command Usage See Displaying Basic VLAN Information on page 11 4 and Displaying Bridge Extension Capabilities on page 4 4 for a description of the displayed items Example Console show bridge ext Max support VLAN numbers 256 Max...

Page 590: ...config if switchport gvrp Console config if show gvrp configuration This command shows if GVRP is enabled Syntax show gvrp configuration interface interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 Default Setting Shows both global and interface specific configuration Command Mode Normal Exec Privileged Exec Example Console show...

Page 591: ... is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN The default values for the GARP timers are independent of the media access method or data rate These values should not be changed unless you are experiencing difficulties with GMRP or GVRP registration deregistration Timer values are applied to GVRP for all the ports on all VLANs Timer va...

Page 592: ...r 1000 centiseconds Console Related Commands garp timer 34 4 Editing VLAN Groups Table 34 3 Commands for Editing VLAN Groups Command Function vlan database Enters VLAN database mode to add change and delete VLANs vlan Configures a VLAN including VID name and state Mode GC VC vlan database This command enters VLAN database mode All commands in this mode will take effect immediately Default Setting ...

Page 593: ...re the default settings or delete a VLAN Syntax vlan vlan id name vlan name media ethernet state active suspend no vlan vlan id name state vlan id ID of configured VLAN Range 1 4093 no leading zeroes name Keyword to be followed by the VLAN name vlan name ASCII string from 1 to 32 characters media ethernet Ethernet media type state Keyword to be followed by the VLAN state active VLAN is operational...

Page 594: ...nfiguring VLAN Interfaces Command interface vlan switchport mode switchport acceptable frame types switchport ingress filtering switchport native vlan switchport allowed vlan switchport gvrp switchport forbidden vlan switchport priority default Function Mode Page Enters interface configuration mode for a specified VLAN IC 34 7 Configures VLAN membership mode for an interface IC 34 8 Configures fra...

Page 595: ...ed frames trunk Specifies a port as an end point for a VLAN trunk A trunk is a direct link between two switches so the port transmits tagged frames that identify the source VLAN Note that frames belonging to the port s default VLAN i e associated with the PVID are also transmitted as tagged frames Default Setting All ports are in hybrid mode with the PVID set to VLAN 1 Command Mode Interface Confi...

Page 596: ...y received frames that are untagged are assigned to the default VLAN Example The following example shows how to restrict the traffic received on port 1 to tagged frames Console config interface ethernet 1 1 Console config if switchport acceptable frame types tagged Console config if Related Commands switchport mode 34 8 switchport ingress filtering This command enables ingress filtering for an int...

Page 597: ...figures the PVID i e default VLAN ID for a port Use the no form to restore the default Syntax switchport native vlan vlan id no switchport native vlan vlan id Default VLAN ID for a port Range 1 4093 no leading zeroes Default Setting VLAN 1 Command Mode Interface Configuration Ethernet Port Channel Command Usage If an interface is not a member of VLAN 1 and you assign its PVID to this VLAN the inte...

Page 598: ...i e 1Q Trunk then you can only assign an interface to VLAN groups as a tagged member Frames are always tagged within the switch The tagged untagged parameter used when adding a VLAN to an interface tells the switch whether to keep or remove the tag from a frame on egress If none of the intermediate network devices nor the host at the other end of the connection supports VLANs the interface should ...

Page 599: ...om being automatically added to the specified interface via GVRP If a VLAN has been added to the set of allowed VLANs for an interface then you cannot add it to the set of forbidden VLANs for that same interface Example The following example shows how to prevent port 1 from being added to VLAN 3 Console config interface ethernet 1 1 Console config if switchport forbidden vlan add 3 Console config ...

Page 600: ... VLANs Command Mode Normal Exec Privileged Exec Example The following example shows how to display information for VLAN 1 Console show vlan id 1 VLAN ID 1 Type Static Name DefaultVlan Status Active Ports Port Channels Eth1 1 S Eth1 2 S Eth1 3 S Eth1 4 S Eth1 5 S Eth1 6 S Eth1 7 S Eth1 8 S Eth1 9 S Eth1 10 S Eth1 11 S Eth1 12 S Eth1 13 S Eth1 14 S Eth1 15 S Eth1 16 S Eth1 17 S Eth1 18 S Eth1 19 S E...

Page 601: ...ember switchport allowed vlan page 34 11 34 14 Configuring IEEE 802 1Q Tunneling IEEE 802 1Q tunneling QinQ tunneling uses a single Service Provider VLAN SPVLAN for customers who have multiple VLANs Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider s network even when they use the same customer specific VLAN IDs QinQ tunneling expands VL...

Page 602: ...se the no form to disable QinQ operating mode Syntax no dot1q tunnel system tunnel control Default Setting Disabled Command Mode Global Configuration Command Usage QinQ tunnel mode must be enabled on the switch for QinQ interface settings to be functional Example Console config dot1q tunnel system tunnel control Console config Related Commands show dot1q tunnel 34 17 show interfaces switchport 27 ...

Page 603: ...config if switchport dot1q tunnel mode access Console config if Related Commands show dot1q tunnel 34 17 show interfaces switchport 27 11 switchport dot1q tunnel tpid This command sets the Tag Protocol Identifier TPID value of a tunnel port Use the no form to restore the default setting Syntax switchport dot1q tunnel tpid tpid no switchport dot1q tunnel tpid tpid Sets the ethertype value for 802 1...

Page 604: ... dot1q tunnel This command displays information about QinQ tunnel ports Command Mode Privileged Exec Example Console config dot1q tunnel system tunnel control Console config interface ethernet 1 1 Console config if switchport dot1q tunnel mode access Console config if interface ethernet 1 2 Console config if switchport dot1q tunnel mode uplink Console config if end Console show dot1q tunnel Curren...

Page 605: ...d Mode Global Configuration Command Usage A private VLAN provides port based security and isolation between ports within the VLAN Data traffic on the downlink ports can only be forwarded to and from the uplink port Data cannot pass between downlink ports in the same private VLAN nor to ports which do not belong to a private VLAN Any port can be defined as an uplink port or downlink port but cannot...

Page 606: ... pvlan up link ethernet 1 12 down link ethernet 1 5 8 Console config show pvlan This command displays the configured private VLAN Command Mode Privileged Exec Example Console show pvlan Private VLAN status Enabled Up link port Ethernet 1 12 Down link port Ethernet 1 5 Ethernet 1 6 Ethernet 1 7 Ethernet 1 8 Console 34 19 Configuring Private VLANs 34 ...

Page 607: ...ypes are not supported by this switch due to hardware limitations 34 20 Function Mode Page Configuring Protocol based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN This may require non standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol This kind of configu...

Page 608: ...ol vlan protocol group group id vlan vlan id no protocol vlan protocol group group id vlan group id Group identifier of this protocol group Range 1 2147483647 vlan id VLAN to which matching protocol traffic is forwarded Range 1 4093 Default Setting No protocol groups are mapped for any interface Command Mode Interface Configuration Ethernet Port Channel Command Usage When creating a protocol based...

Page 609: ...roup id group id Group identifier for a protocol group Range 1 2147483647 Default Setting All protocol groups are displayed Command Mode Privileged Exec Example This shows protocol group 1 configured for IP over Ethernet Console show protocol vlan protocol group ProtocolGroup ID Frame Type Protocol Type 1 ethernet 08 00 Console show interfaces protocol vlan protocol group This command shows the ma...

Page 610: ...This shows that traffic entering Port 1 that matches the specifications for protocol group 1 will be mapped to VLAN 2 Console show interfaces protocol vlan protocol group Port ProtocolGroup ID Vlan ID Eth 1 1 Console Configuring Protocol based VLANs 34 ...

Page 611: ...34 34 24 VLAN Commands ...

Page 612: ...riority processing method CoS IP Precedence or DSCP and maps TCP ports IP precedence tags or IP DSCP tags to class of service values Page 35 1 35 7 Priority Commands Layer 2 This section describes commands used to configure Layer 2 traffic priority on the switch Table 35 2 Priority Commands Layer 2 Command Function queue mode Sets the queue mode to strict priority or Weighted Round Robin WRR switc...

Page 613: ... Configuration Command Usage You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced or use Weighted Round Robin WRR queuing that specifies a relative weight of each queue WRR uses a predefined relative weight for each queue that determines the percentage of service time the s...

Page 614: ...EE 802 1Q VLAN tagged frames If the incoming frame is an IEEE 802 1Q VLAN tagged frame the IEEE 802 1p User Priority bits will be used This switch provides eight priority queues for each port It is configured to use strict priority queuing or Weighted Round Robin using the queue mode command see page 35 2 Inbound frames that do not have VLAN tags are tagged with the input port s default ingress us...

Page 615: ... precise number of bytes per second that will be serviced on each round The granularity used to calculate this number is based on a unit of 2k bytes The bytes serviced per second per queue in each round is queue weight granularity Example This example shows how to assign WRR weights to each of the priority queues Console configure Console config int eth 1 5 Console config if queue bandwidth 1 3 5 ...

Page 616: ...6 7 Console Related Commands show queue cos map 35 6 show queue mode This command shows the current queue mode Command Mode Privileged Exec Example Console show queue mode Queue Mode wrr Console 35 5 cos1 cosn The CoS values that are mapped to the queue ID It is a space separated list of numbers The CoS value is a number from 0 to 7 where 7 is the highest priority Default Setting This switch suppo...

Page 617: ...nel channel id Range 1 32 Command Mode Privileged Exec Example Console show queue bandwidth Information of Eth 1 1 Queue ID Weight 0 1 1 2 2 4 3 6 4 8 5 10 6 12 7 14 Class of Service Commands 35 show queue cos map This command shows the class of service priority map Syntax show queue cos map interface interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channe...

Page 618: ...1 3 4 5 6 7 Console Priority Commands Layer 3 and 4 This section describes commands used to configure Layer 3 and Layer 4 traffic priority on the switch Table 35 4 Priority Commands Layer 3 and 4 Command map ip port map ip port map ip precedence map ip precedence map ip dscp map ip dscp show map ip port show map ip precedence show map ip dscp Function Enables TCP UDP class of service mapping Maps ...

Page 619: ...ity mapping This command sets the IP port priority for all interfaces Example The following example shows how to map HTTP traffic to CoS value 0 Console config interface ethernet 1 5 Console config if map ip port 80 cos 0 Console config if map ip precedence Global Configuration This command enables IP precedence mapping i e IP Type of Service Use the no form to disable IP precedence mapping Syntax...

Page 620: ...e ethernet 1 5 Console config if map ip precedence 1 cos 0 Console config if 35 9 Example The following example shows how to enable IP precedence mapping globally Console config map ip precedence Console config map ip precedence Interface Configuration This command sets IP precedence priority i e IP Type of Service priority Use the no form to restore the default table Syntax map ip precedence ip p...

Page 621: ...e and IP DSCP cannot both be enabled Enabling one of these priority types will automatically disable the other type Example The following example shows how to enable IP DSCP mapping globally Console config map ip dscp Console config map ip dscp Interface Configuration This command sets IP DSCP priority i e Differentiated Services Code Point priority Use the no form to restore the default table Syn...

Page 622: ...DSCP priority values are mapped to default Class of Service values according to recommendations in the IEEE 802 1p standard and then subsequently mapped to the eight hardware priority queues This command sets the IP DSCP priority for all interfaces Example The following example shows how to map IP DSCP value 1 to CoS value 0 Console config interface ethernet 1 5 Console config if map ip dscp 1 cos...

Page 623: ...ec Example Console show map ip precedence ethernet 1 5 Precedence mapping status disabled Port Precedence COS Command Mode Privileged Exec Example The following shows that HTTP traffic has been mapped to CoS value 0 Console show map ip port TCP port mapping status disabled Port Port no COS Eth 1 5 Console 80 0 Eth 1 5 Eth 1 5 Eth 1 5 Eth 1 5 Eth 1 5 Eth 1 5 Eth 1 5 Eth 1 5 Console 0 0 1 1 2 2 3 3 ...

Page 624: ...ort Port number Range 1 26 50 port channel channel id Range 1 32 Command Mode Privileged Exec Example Console show map ip dscp ethernet 1 1 DSCP mapping status disabled Port DSCP COS Eth 1 1 0 Eth 1 1 1 Eth 1 1 2 Eth 1 1 3 0 0 0 0 0 0 0 61 62 63 Related Commands map ip dscp Global Configuration 35 10 map ip dscp Interface Configuration 35 10 35 35 13 Eth 1 1 Eth 1 1 Eth 1 1 Console ...

Page 625: ...35 35 14 Class of Service Commands ...

Page 626: ...ds described in this section are used to configure Differentiated Services DiffServ classification criteria and service policies You can classify traffic based on access lists IP Precedence or DSCP values or VLANs Using access lists allows you select traffic based on Layer 2 Layer 3 or Layer 4 information contained in each packet Table 36 1 Quality of Service Commands Mode Page GC 36 2 CM 36 3 CM ...

Page 627: ...map Range 1 16 characters Default Setting None Command Mode Global Configuration Command Usage First enter this command to designate a class map and enter the Class Map configuration mode Then use the match command page 36 3 to specify the criteria for ingress traffic that will be classified under this class map Up to 16 match commands are permitted per class map One or more class maps can be assi...

Page 628: ...s packets that must match to qualify for this class map If an ingress packet matches an ACL specified by this command any deny rules included in the ACL will be ignored If match criteria includes an IP ACL or IP priority rule then a VLAN rule cannot be included in the same class map If match criteria includes a MAC ACL or VLAN rule then neither an IP ACL nor IP priority rule can be included in the...

Page 629: ...lass Map Configuration Policy Map Configuration Example Console config class map rd class 1 Console config cmap rename rd class 9 Console config cmap description This command specifies the description of a class map or policy map Syntax description string string Description of the class map or policy map Range 1 64 characters Command Mode Class Map Configuration Policy Map Configuration Example Co...

Page 630: ... Policy Map Example This example creates a policy called rd_policy uses the class command to specify the previously defined rd_class uses the set command to classify the service that incoming packets will receive and then uses the police command to limit the average bandwidth to 100 000 Kbps the burst rate to 1522 bytes and configure the response to drop any violating packets Console config policy...

Page 631: ...ill receive and then uses the police command to limit the average bandwidth to 100 000 Kbps the burst rate to 1522 bytes and configure the response to drop any violating packets Console config policy map rd_policy Console config pmap class rd_class Console config pmap c set ip dscp 3 Console config pmap c police 100000 1522 exceed action drop Console config pmap c set This command services IP traf...

Page 632: ... set rate kbps Committed information rate in kilobits per second Range 1 100000 kbps or maximum port speed whichever is lower burst byte Committed burst size in bytes Range 64 524288 bytes drop Drop packet when specified rate or burst are exceeded set Set DSCP service to the specified value Range 0 63 Default Setting Drop out of profile packets Command Mode Policy Map Class Configuration Command U...

Page 633: ...36 7 police 36 ...

Page 634: ...a particular interface Use the no form to remove the policy map from this interface Syntax no service policy input policy map name input Apply to the input traffic policy map name Name of the policy map for this interface Range 1 16 characters Default Setting No policy map is attached to an interface Command Mode Interface Configuration Ethernet Port Channel Command Usage Only one policy map can b...

Page 635: ...Class Map match any rd_class 2 Match ip precedence 5 Class Map match any rd_class 3 Match vlan 1 Console show policy map This command displays the QoS policy maps which define classification criteria for incoming traffic and may include policers for bandwidth limitations Syntax show policy map policy map name class class map name policy map name Name of the policy map Range 1 16 characters class m...

Page 636: ...s command displays the service policy assigned to the specified interface Syntax show policy map interface interface input interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 Command Mode Privileged Exec Example Console show policy map interface ethernet 1 5 Service policy rd_policy input Console 36 10 Quality of Service Commands...

Page 637: ... settings and displays the multicast service and group members IGMP Query Configures IGMP query parameters for multicast filtering at Layer 2 Static Multicast Interface Configures static multicast router ports which forward all inbound multicast traffic to the attached VLANs Page 37 1 37 5 37 9 IGMP Snooping Commands This section describes commands used to configure IGMP snooping on the switch Tab...

Page 638: ... Setting None Command Mode Global Configuration Command Usage Static multicast entries are never aged out When a multicast entry is assigned to an interface in a specific VLAN the corresponding traffic can only be forwarded to ports within that VLAN Example The following shows how to statically configure a multicast group on a port Console config ip igmp snooping vlan 1 static 224 0 0 12 ethernet ...

Page 639: ... Use the no form to restore the default Syntax no ip igmp snooping immediate leave Default Setting Disabled Command Mode Interface Configuration VLAN Command Usage If immediate leave is not used a multicast router or querier will send a group specific query message when an IGMPv2 v3 group leave message is received The router querier stops forwarding traffic for that group only if no host replies t...

Page 640: ...e 300 sec Immediate Leave Processing Disabled on all VLAN IGMP Snooping Version Version 2 Console show mac address table multicast This command shows known multicast group source and host port mappings for the specified interface or for all interfaces if none is specified or for a specified multicast address Syntax show mac address table multicast interface user igmp snooping user igmp snooping mu...

Page 641: ...le 37 3 IGMP Query Commands Command ip igmp snooping querier ip igmp snooping query count ip igmp snooping query interval ip igmp snooping query max response time ip igmp snooping router port expire time Function Mode Page Allows this device to act as the querier for IGMP snooping GC 37 5 Configures the query count GC 37 6 Configures the query interval GC 37 7 Configures the report delay GC 37 7 C...

Page 642: ...roup Range 2 10 Default Setting 2 times Command Mode Global Configuration Command Usage The query count defines how long the querier waits for a response from a multicast client before taking action If a querier has sent a number of queries defined by this command but a client has not responded a countdown timer is started using the time defined by ip igmp snooping query max response time If the c...

Page 643: ...e no form to restore the default Syntax ip igmp snooping query max response time seconds no ip igmp snooping query max response time seconds The report delay advertised in IGMP queries Range 5 25 Default Setting 10 seconds Command Mode Global Configuration Command Usage The switch must be using IGMPv2 for this command to take effect This command defines the time after a query during which a respon...

Page 644: ...ime seconds no ip igmp snooping router port expire time seconds The time the switch waits after the previous querier stops before it considers the router port i e the interface which had been receiving query packets to have expired Range 300 500 Default Setting 300 seconds Command Mode Global Configuration Command Usage The switch must use IGMPv2 for this command to take effect Example The followi...

Page 645: ...uerier Therefore if the IGMP querier is a known multicast router switch connected over the network to an interface port or trunk on your router you can manually configure that interface to join all the current multicast groups Example The following shows how to configure port 11 as a multicast router port within VLAN 1 Console config ip igmp snooping vlan 1 mrouter ethernet 1 11 Console config 37 ...

Page 646: ...ange 1 4093 Default Setting Displays multicast router ports for all configured VLANs Command Mode Privileged Exec Command Usage Multicast router port types displayed include Static Example The following shows that port 11 in VLAN 1 is attached to a multicast router Console show ip igmp snooping mrouter vlan 1 VLAN M cast Router Ports Type 1 Console 37 10 Eth 1 11 Static Multicast Filtering Command...

Page 647: ...be enabled until at least one name server is specified with the ip name server command and domain lookup is enabled with the ip domain lookup command Table 38 1 DNS Commands Command Function ip host Creates a static host name to address mapping clear host Deletes entries from the host name to address table ip domain name Defines a default domain name for incomplete host names ip domain list Define...

Page 648: ... two address to a host name Console config ip host rd5 192 168 1 55 10 1 0 55 Console config end Console show hosts Hostname rd5 Inet address 10 1 0 55 192 168 1 55 Alias Console clear host This command deletes entries from the DNS table Syntax clear host name name Name of the host Range 1 127 characters Removes all entries Default Setting None Command Mode Privileged Exec Example This example cle...

Page 649: ... Console config end Console show dns Domain Lookup Status DNS disabled Default Domain Name sample com Domain Name List Name Server List Console Related Commands ip domain list 38 3 ip name server 38 4 ip domain lookup 38 5 ip domain list This command defines a list of domain names that can be appended to incomplete host names i e host names passed from a client that are not formatted with dotted n...

Page 650: ... Console config end Console show dns Domain Lookup Status DNS disabled Default Domain Name sample com Domain Name List sample com jp sample com uk Name Server List Console Related Commands ip domain name 38 3 ip name server This command specifies the address of one or more domain name servers to use for name to address resolution Use the no form to remove a name server from this list Syntax no ip ...

Page 651: ...e com uk Name Server List 192 168 1 55 10 1 0 55 Console Related Commands ip domain name 38 3 ip domain lookup 38 5 ip domain lookup This command enables DNS host name to address translation Use the no form to disable DNS Syntax no ip domain lookup Default Setting Disabled Command Mode Global Configuration Command Usage At least one name server must be specified before you can enable DNS If all na...

Page 652: ...rver List 192 168 1 55 10 1 0 55 Related Commands ip domain name 38 3 ip name server 38 4 show hosts This command displays the static host name to address mapping table Command Mode Privileged Exec Example Note that a host name will be displayed as an alias if it is mapped to the same address es as a previously configured entry Console show hosts Hostname rd5 Inet address 10 1 0 55 192 168 1 55 Al...

Page 653: ...mes com 198 Address a1116 x akamai net 19 Address a1116 x akamai net 19 61 213 189 104 CNAME graphics8 nytimes com 19 POINTER TO 2 CNAME graphics478 nytimes com edgesui 19 POINTER TO 2 Table 38 2 show dns cache display description 0 4 1 4 2 4 3 4 4 4 Console Field Description NO The entry number for each resource record FLAG The flag is always 4 indicating a cache entry and therefore unreliable TY...

Page 654: ... cache This command clears all entries in the DNS cache Command Mode Privileged Exec Example Console clear dns cache Console show dns cache NO FLAG TYPE IP TTL DOMAIN Console 38 8 Domain Name Service Commands 38 ...

Page 655: ...onfigured to relay DHCP client configuration requests to a DHCP server on another network or you can configure this switch to provide DHCP service directly to any client Table 39 1 DHCP Commands Command Group Function DHCP Client Allows interfaces to dynamically acquire IP address information DHCP Relay Relays DHCP requests from local hosts to a remote DHCP server DHCP Server Configures DHCP servi...

Page 656: ...his command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address command DHCP requires the server to reassign the client s last address if available If the BOOTP or DHCP server has been moved to a different domain the network portion of the address provided to the client will be based on this new domain Example In the following examp...

Page 657: ...ss for the DHCP client from its defined scope for the DHCP client s subnet and sends a DHCP response back to the DHCP relay agent i e this switch This switch then broadcasts the DHCP response received from the server to the client Example In the following example the device is reassigned the same address Console config interface vlan 1 Console config if ip dhcp relay Console config if end Console ...

Page 658: ...addresses Default Setting None Command Mode Interface Configuration VLAN Usage Guidelines You must specify the IP address for at least one DHCP server Otherwise the switch s DHCP relay agent will not forward client requests to a DHCP server To start DHCP relay service enter the ip dhcp restart relay command Example Console config interface vlan 1 Console config if ip dhcp relay server 10 1 0 99 Co...

Page 659: ... DHCP client Specifies a default boot image for a DHCP client Configures NetBIOS Windows Internet Naming Service WINS name servers available to Microsoft DHCP clients Configures NetBIOS node type for Microsoft DHCP clients Sets the duration an IP address is assigned to a DHCP client Specifies the IP address and network mask to manually bind to a DHCP client Specifies a client identifier for a DHCP...

Page 660: ...ll IP pool addresses may be assigned Command Mode Global Configuration Example Console config ip dhcp excluded address 10 1 0 19 Console config ip dhcp pool This command configures a DHCP address pool and enter DHCP Pool Configuration mode Use the no form to remove the address pool Syntax no ip dhcp pool name name A string or integer Range 1 8 characters Default Setting DHCP address pools are not ...

Page 661: ...ed the switch first checks for a network address pool matching the gateway where the request originated i e if the request was forwarded by a relay server If there is no gateway in the client request i e the request was not forwarded by a relay server the switch searches for a network pool matching the interface through which the client request was received It then searches for a manually configur...

Page 662: ...same subnet as the client You can specify up to two routers Routers are listed in order of preference starting with address1 as the most preferred router Example Console config dhcp default router 10 1 0 54 10 1 0 64 Console config dhcp domain name This command specifies the domain name for a DHCP client Use the no form to remove the domain name Syntax domain name domain no domain name domain Spec...

Page 663: ... names to IP addresses Servers are listed in order of preference starting with address1 as the most preferred server Example Console config dhcp dns server 10 1 1 253 192 168 3 19 Console config dhcp next server This command configures the next server in the boot process of a DHCP client Use the no form to remove the boot server list Syntax no next server address address Specifies the IP address o...

Page 664: ...rver 39 9 netbios name server This command configures NetBIOS Windows Internet Naming Service WINS name servers that are available to Microsoft DHCP clients Use the no form to remove the NetBIOS name server list Syntax netbios name server address1 address2 no netbios name server address1 Specifies IP address of primary NetBIOS WINS name server address2 Specifies IP address of alternate NetBIOS WIN...

Page 665: ...10 lease This command configures the duration that an IP address is assigned to a DHCP client Use the no form to restore the default value Syntax lease days hours minutes infinite no lease days Specifies the duration of the lease in numbers of days Range 0 364 hours Specifies the number of hours in the lease A days value must be supplied before you can configure hours Range 0 23 minutes Specifies ...

Page 666: ...the request originated i e if the request was forwarded by a relay server If there is no gateway in the client request i e the request was not forwarded by a relay server the switch searches for a network pool matching the interface through which the client request was received It then searches for a manually configured host address that falls within the matching network pool When searching for a ...

Page 667: ... text A text string Range 1 15 characters hex The hexadecimal value Default Setting None Command Mode DHCP Pool Configuration Command Usage This command identifies a DHCP client to bind to an address specified in the host command If both a client identifier and hardware address are configured for a host address the client identifier takes precedence over the hardware address in the search procedur...

Page 668: ...ool Configuration Command Usage This command identifies a DHCP or BOOTP client to bind to an address specified in the host command BOOTP clients cannot transmit a client identifier To bind an address to a BOOTP client you must associate a hardware address with the host entry Example Console config dhcp hardware address 00 e0 29 94 34 28 ethernet Console config dhcp Related Commands host 39 12 clea...

Page 669: ...ce Example Console clear ip dhcp binding Console Related Commands show ip dhcp binding 39 15 show ip dhcp binding This command displays address bindings on the DHCP server Syntax show ip dhcp binding address address Specifies the IP address of the DHCP client for which bindings will be displayed Default Setting None Command Mode Normal Exec Privileged Exec Example Console show ip dhcp binding IP M...

Page 670: ...39 39 16 DHCP Commands ...

Page 671: ...uthentication string You can also enable the preempt feature which allows a router to take over as the master router when it comes on line if it has a higher priority than the currently active master router Table 40 2 VRRP Commands Command vrrp ip vrrp authentication vrrp priority vrrp timers advertise vrrp preempt show vrrp show vrrp interface show vrrp router counters show vrrp interface counter...

Page 672: ...IP address assigned to the virtual router with this command is already configured as the primary address on this interface this router is considered the Owner and will assume the role of the Master virtual router in the group This interface is used for two purposes to send receive advertisement messages and to forward on behalf of the virtual router when operating as the Master VRRP router VRRP is...

Page 673: ... the group its authentication key is compared to the string configured on this router If the keys match the message is accepted Otherwise the packet is discarded Plain text authentication does not provide any real security It is supported only to prevent a misconfigured router from participating in VRRP Example Console config if vrrp 1 authentication bluebird Console config if vrrp priority This c...

Page 674: ... comes on line this backup router will take over as the new acting master However note that if the original master i e the owner of the VRRP IP address comes back on line it will always resume control as the master If the virtual IP address for the VRRP group is the same as that of the configured device the priority will automatically be set to 255 prior to using this command Example Console confi...

Page 675: ...er to take over as the master virtual router for a VRRP group if it has a higher priority than the current acting master router Use the no form to disable preemption Syntax vrrp group preempt delay seconds no vrrp group preempt group Identifies the VRRP group Range 1 255 seconds The time to wait before issuing a claim to become the master Range 0 120 seconds Default Setting Preempt Enabled Delay 0...

Page 676: ...group brief Displays summary information for all VRRP groups on this router group Identifies a VRRP group Range 1 255 Defaults None Command Mode Privileged Exec Command Usage Use this command without any keywords to display the full listing of status information for all VRRP groups configured on this router Use this command with the brief keyword to display a summary of status information for all ...

Page 677: ...gured on the VRRP master This interval is used by all the routers in the group regardless of their local settings Console show vrrp Vlan 1 Group 1 State Virtual IP Address Virtual MAC Address Advertisement Interval Preemption Min Delay Priority Authentication Authentication Key Master Router Master Priority Master Advertisement Interval Master Down Interval Console Master 192 168 1 6 00 00 5E 00 0...

Page 678: ...rity Authentication Authentication Key Master Router Master Priority Master Advertisement Interval Master Down Interval Console 192 168 1 6 00 00 5E 00 01 01 5 sec enabled 10 sec 1 SimpleText bluebird 192 168 1 6 1 5 sec 15 Refer to show vrrp on page 40 6 for a description of the display items 40 8 Router Redundancy Commands Table 40 4 show vrrp brief display description Description VLAN interface...

Page 679: ... 4093 Defaults None Command Mode Privileged Exec Example Console show vrrp 1 interface vlan 1 counters Total Number of Times Transitioned to MASTER Total Number of Received Advertisements Packets Total Number of Received Error Advertisement Interval Packets Total Number of Received Authentication Failures Packets Total Number of Received Error IP TTL VRRP Packets Total Number of Received Priority ...

Page 680: ...unters This command clears VRRP system statistics for the specified group and interface clear vrrp group interface interface counters group Identifies a VRRP group Range 1 255 interface Identifier of configured VLAN interface Range 1 4093 Defaults None Command Mode Privileged Exec Example Console clear vrrp 1 interface 1 counters Console 40 10 Router Redundancy Commands 40 ...

Page 681: ...ork segment if routing is not enabled This section includes commands for configuring IP interfaces the Address Resolution Protocol ARP and Proxy ARP These commands are used to connect subnetworks to the enterprise network Table 41 1 IP Interface Commands Command Group Basic IP Configuration Address Resolution Protocol ARP Function Configures the IP address for interfaces and the gateway router Con...

Page 682: ...Pv6 global unicast address for an interface using an EUI 64 interface ID in the low order 64 bits and enables IPv6 on the interface Configures an IPv6 link local address for an interface and enables IPv6 on the interface Displays the usability and configured settings for IPv6 interfaces NE PE 41 14 Sets an IPv6 default gateway for traffic with no known next hop GC 41 17 Displays the current IPv6 d...

Page 683: ... defines the network segment that is connected to that interface and allows IP packets to be sent to or from the router Before any network interfaces are configured on the router first create a VLAN for each unique user group or for each network application and its associated users Then assign the ports associated with each of these VLANs An IP address must be assigned to this device to gain manag...

Page 684: ...xample In the following example the device is assigned an address in VLAN 1 Console config interface vlan 1 Console config if ip address 192 168 1 5 255 255 255 0 Console config if Related Commands ip dhcp restart client 39 2 ipv6 address 41 9 ip default gateway This command specifies the IPv4 default gateway for destinations not found in the local routing tables Use the no form to remove a defaul...

Page 685: ...onsole show ip interface Vlan 1 is up addressing mode is DHCP Interface address is 192 168 0 2 mask is 255 255 255 0 Primary MTU is 1500 bytes Proxy ARP is disabled Split horizon is disabled Console Related Commands ip address 41 3 show ipv6 interface 41 14 show ip redirects This command shows the IPv4 default gateway configured for this device Default Setting None Command Mode Privileged Exec Exa...

Page 686: ...n network traffic Destination does not respond If the host does not respond a timeout appears in ten seconds Destination unreachable The gateway for this destination indicates that the destination is unreachable Network or host unreachable The gateway found no corresponding entry in the route table When pinging a host name be sure the DNS server has been enabled see page 38 5 If necessary local de...

Page 687: ... accessible over IPv6 for all devices attached to the same local subnet If a duplicate address is detected on the local segment this interface will be disabled and a warning message displayed on the console The no ipv6 enable command does not disable IPv6 for an interface that has been explicitly configured with an IPv6 address Example In this example IPv6 is enabled on VLAN 1 and the link local a...

Page 688: ... A decimal value indicating how many of the contiguous bits from the left of the address comprise the prefix i e the network portion of the address Default Setting No general prefix is defined Command Mode Global Configuration Command Usage Prefixes may contain zero value fields or end in zeros A general prefix holds a short prefix that indicates the high order bits used in the network portion of ...

Page 689: ...ix is used or the subsequent bits following the general prefix if one is used followed by the host address bits The address must be formatted according to RFC 2373 IPv6 Addressing Architecture using 8 colon separated 16 bit hexadecimal values One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields prefix length A decimal value i...

Page 690: ...s rd 0 0 0 7279 79 64 Console config if end Console show ipv6 interface Vlan 1 is up IPv6 is enable Link local address FE80 200 E8FF FE90 0 64 Global unicast address es 2009 DB9 2229 7279 79 subnet is 2009 DB9 2229 7279 64 Joined group address es FF01 1 16 FF02 1 16 FF02 1 FF00 79 104 FF02 1 FF90 0 104 MTU is 1500 bytes ND DAD is enabled number of DAD attempts 1 ND retransmit interval is 1000 mill...

Page 691: ... address configuration information such as a default gateway from a DHCP for IPv6 server Example This example assigns two dynamic global unicast address of 2005 212 CFFF FE0B 4600 and 3FFE 501 FFFF 100 212 CFFF FE0B 4600 to the router Console config if ipv6 address autoconfig Console config if end Console show ipv6 interface Vlan 1 is up IPv6 is enable Link local address FE80 212 CFFF FE0B 4600 64...

Page 692: ... and a link local address for this interface The link local address is made with an address prefix of FE80 and a host portion based the router s MAC address in modified EUI 64 format Note that the value specified in the ipv6 prefix may include some of the high order host bits if the specified prefix length is less than 64 bits If the specified prefix length exceeds 64 bits then the network portion...

Page 693: ... FF02 1 FF90 0 104 MTU is 1500 bytes ND DAD is enabled number of DAD attempts 1 ND retransmit interval is 1000 milliseconds Console Related Commands ipv6 address autoconfig 41 10 show ipv6 interface 41 14 ipv6 address link local This command configures an IPv6 link local address for an interface and enables IPv6 on the interface Use the no form without any arguments to remove all manually configur...

Page 694: ...v6 interface Vlan 1 is up IPv6 is enable Link local address FE80 269 3EF9 FE19 6779 64 Global unicast address es 2001 DB8 1 200 E8FF FE90 0 subnet is 2001 DB8 0 1 64 Joined group address es FF01 1 16 FF02 1 16 FF02 1 FF19 6779 104 MTU is 1500 bytes ND DAD is enabled number of DAD attempts 1 ND retransmit interval is 1000 milliseconds Console Related Commands ipv6 enable 41 7 show ipv6 interface 41...

Page 695: ... 104 FF02 1 FF19 6779 104 MTU is 1500 bytes ND DAD is enabled number of DAD attempts 1 ND retransmit interval is 1000 milliseconds Console Table 41 3 show ipv6 interface display description Field VLAN IPv6 Link local address Global unicast address es Description A VLAN is marked up if the router can send and receive packets on this interface down if a line signal is not present or administratively...

Page 696: ... addresses for every unicast and anycast address it is assigned IPv6 addresses that differ only in the high order bits e g due to multiple high order prefixes associated with different aggregations will map to the same solicited node address thereby reducing the number of multicast addresses a node must join In this example FF02 1 FF90 0 104 is the solicited node multicast address which is formed ...

Page 697: ... gateway specified in this command is only valid if routing is disabled with the no ip routing command If IP routing is disabled you must define a gateway if the target device is located in a different subnet If routing is enabled you can still define a static route using the ip route command page 42 2 to ensure that traffic to the designated address or subnet passes through a preferred gateway An...

Page 698: ... MTU option is included in the router advertisements sent from this device This option is provided to ensure that all nodes on a link use the same MTU value in cases where the link MTU is not otherwise well known IPv6 routers do not fragment IPv6 packets forwarded from other routers However traffic originating from an end station connected to an IPv6 router may be fragmented All devices on the sam...

Page 699: ...or all traffic sent along this path Since Time since an ICMP packet too big message was received from this destination Destination Address Address which sent an ICMP packet too big message show ipv6 traffic This command displays statistics about IPv6 traffic passing through this router Command Mode Normal Exec Privileged Exec Example The following example shows statistics for all IPv6 unicast and ...

Page 700: ...or advert Ipv6 icmp output sent output unreach routing unreach admin unreach neighbor unreach address unreach port parameter error parameter header parameter option hopcount expired Reassembly timeout too big echo request echo reply group query group report group reduce router solicit router advert redirects neighbor solicit neighbor advert 41 20 generated fragments Fragmented failed encapsulation...

Page 701: ...his entity This count includes invalid addresses e g 0 and unsupported addresses e g addresses with unallocated prefixes For entities which are not IPv6 routers and therefore do not forward datagrams this counter includes datagrams discarded because the destination address was not a local address The number of IPv6 fragments received which needed to be reassembled at this interface Note that this ...

Page 702: ...ams that have been discarded because they needed to be fragmented at this output interface but could not be Failure that can result from an unresolved address or failure to queue a packet The number of input datagrams discarded because no route could be found to transmit them to their destination The number of input datagrams that could not be forwarded because their size exceeded the link MTU of ...

Page 703: ...mbership Reduction messages received by the interface The number of ICMP Router Solicit messages received by the interface The number of ICMP Router Advertisement messages received by the interface The number of Redirect messages received The number of ICMP Neighbor Solicitation messages received by the interface The number of ICMP Neighbor Advertisement messages received by the interface The tota...

Page 704: ...ICMP Neighbor Advertisement messages sent by the interface The total number of UDP datagrams delivered to UDP users The total number of UDP packet checksum errors The total number of UDP header length errors The total number of received UDP datagrams for which there was no application at the destination port The number of times the system encounter an error when trying to queue the received packet...

Page 705: ...double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields host name The name the IPv6 device to ping A host name can be resolved into an IPv6 address using DNS datagram size Specifies the size of the datagram to send in each ping Range 48 18024 bytes repeat count The number of pings to send Range 1 2147483647 hex data pattern The data...

Page 706: ...DB8 3 64 repeat 5 Which outside interface 1 1 Type ESC to abort Sending 5 100 byte ICMP Echos to 2009 DB9 2229 80 timeout is 2 seconds Success rate is 100 percent round trip min max avg 10 30 14 000000 ms Console Related Commands ping 41 6 ipv6 neighbor This command configures a static entry in the IPv6 neighbor discovery cache Use the no form to remove a static entry from the cache Syntax ipv6 ne...

Page 707: ... 7 deletes all dynamically learned entries in the IPv6 neighbor discovery cache for that interface but does not delete static entries Example The following maps a static entry for global unicast address to a MAC address Console config ipv6 neighbor 2009 DB9 2229 81 vlan 1 30 65 14 01 11 86 Console config end Console show ipv6 neighbors IPv6 Address Age Link layer Addr State Vlan 2009 DB9 2229 80 9...

Page 708: ...sses on the interface While duplicate address detection is performed on the interface s link local address the other IPv6 addresses remain in a tentative state If no duplicate link local address is found duplicate address detection is started for the remaining IPv6 addresses If a duplicate address is detected it is set to duplicate state and a warning message is sent to the console If a duplicate ...

Page 709: ...le Related Commands ipv6 nd ns interval 41 29 show ipv6 neighbors 41 30 ipv6 nd ns interval This command configures the interval between transmitting IPv6 neighbor solicitation messages on an interface Use the no form to restore the default value Syntax ipv6 nd ns interval milliseconds no ipv6 nd ns interval milliseconds The interval between transmitting IPv6 neighbor solicitation messages Range 1...

Page 710: ... milliseconds ND router advertisements are sent every 200 seconds Console Related Commands show running config 23 5 show ipv6 neighbors This command displays information in the IPv6 neighbor discovery cache Syntax show ipv6 neighbors vlan vlan id ipv6 address vlan id VLAN ID Range 1 4093 ipv6 address The IPv6 address of a neighbor device You can specify either a link local or global unicast addres...

Page 711: ...than the ReachableTime interval has elapsed since the last positive confirmation was received that the forward path was functioning A packet was sent within the last DELAY_FIRST_PROBE_TIME interval If no reachability confirmation is received within this interval after entering the DELAY state the router will send a neighbor solicitation message and change the state to PROBE PROBE A reachability co...

Page 712: ...defined on this router The maximum number of static entries allowed in the ARP cache is 128 41 32 clear ipv6 neighbors This command deletes all dynamic entries in the IPv6 neighbor discovery cache Command Mode Privileged Exec Example The following deletes all dynamic entries in the IPv6 neighbor cache Console clear ipv6 neighbors Console Address Resolution Protocol ARP This section describes comma...

Page 713: ...conds The time a dynamic entry remains in the ARP cache Range 300 86400 86400 is one day Default Setting 1200 seconds 20 minutes Command Mode Global Configuration Command Usage When a ARP entry expires it is deleted from the cache and an ARP request packet is sent to re establish the MAC address The aging time determines how long dynamic entries remain in the cache If the timeout is too short the ...

Page 714: ...nd Usage This command displays information about the ARP cache The first line shows the cache timeout It also shows each cache entry including the IP address MAC address type static dynamic other and VLAN interface Note that entry type other indicates local addresses for this router Example This example displays all entries in the ARP cache Console show arp Arp cache timeout 1200 seconds IP Addres...

Page 715: ...bnet or network End stations that require Proxy ARP must view the entire network as a single network These nodes must therefore use a smaller subnet mask than that used by the router or other relevant network devices Extensive use of Proxy ARP can degrade router performance because it may lead to increased ARP traffic and increased search time for larger ARP address tables Example Console config i...

Page 716: ...41 41 36 IP Interface Commands ...

Page 717: ...outing Information Protocol RIP Open Shortest Path First OSPF Function Configures global parameters for static and dynamic routing displays the routing table and statistics for protocols used to exchange routing information Configures global and interface specific parameters for RIP Configures global and interface specific parameters for OSPF Page 42 1 42 5 42 18 Global Routing Configuration Table...

Page 718: ...t netmask Network mask for the associated IP subnet This mask identifies the host address bits used for routing to specific subnets default Sets this entry as the default route gateway IP address of the gateway used for this route metric Selected RIP cost for this interface Range 1 5 default 1 Removes all static routing table entries Default Setting No static routes are configured Command Mode Glo...

Page 719: ... command to remove a static route Example Console clear ip route 10 1 5 0 Console show ip route This command displays information in the IP routing table Syntax show ip route config address netmask config Displays all static routing entries address IP address of the destination network subnetwork or host for which routing information is to be displayed netmask Network mask for the associated IP su...

Page 720: ...e Privileged Exec Example Console show ip route Ip Address Netmask Next Hop Protocol Metric Interface 0 0 0 0 0 0 0 0 10 2 48 102 static 0 1 0 1 10 2 48 2 255 255 252 0 10 2 5 6 255 255 255 0 10 3 9 1 255 255 255 0 10 2 48 16 local 10 2 8 12 RIP 1 2 10 2 9 254 OSPF intra 2 3 Console show ip host route Total count 0 IP address Mac address VLAN Port 3 1 1 1 1 1 1 1 2 2 1 3 192 168 1 250 10 2 48 2 10...

Page 721: ...imestamp 0 time exceeded 0 parameter problem UDP statistics Rcvd 0 total 0 checksum errors 0 no port Sent 0 total TCP statistics Rcvd 0 total 0 checksum errors Sent 0 total ARP statistics Rcvd 0 requests 1 replies Sent 1 requests 0 replies Console Routing Information Protocol RIP This section describes commands used to configure RIP global and interface parameters for dynamic routing on the switch...

Page 722: ...p globals show ip rip Function Specifies the RIP version to use on all network interfaces if not already specified with a receive version or send version command Redistribute routes from one routing domain to another Sets the RIP receive version to use on a network interface Sets the RIP send version to use on a network interface Enables split horizon or poison reverse loop prevention Enables auth...

Page 723: ...en redistributing routes from another protocol into RIP Using a high metric limits the usefulness of external routes redistributed into RIP For example if a metric of 10 is defined for redistributed routes these routes can only be advertised to routers up to 5 hops away at which point the metric exceeds the maximum hop count of 15 By defining a low metric of 1 traffic can follow a imported route t...

Page 724: ...er which there have been no update messages that a route is declared dead The route is marked inaccessible i e the metric set to infinite and advertised as unreachable However packets are still forwarded on this route After the timeout interval expires the router waits for an interval specified by the garbage collection timer before removing this entry from the routing table This timer allows neig...

Page 725: ...nn determines the class 0 127 is class A and only the first field in the network address is used 128 191 is class B and the first two fields in the network address are used 192 223 is class C and the first three fields in the network address are used Example This example includes network interface 10 1 0 0 in the RIP routing process Console config router network 10 1 0 0 Console config router Rela...

Page 726: ...set by the ip rip receive version or ip rip send version command will be set to the following values RIP Version 1 configures the unset interfaces to send RIPv1 compatible protocol messages and receive either RIPv1 or RIPv2 protocol messages RIP Version 2 configures the unset interfaces to use RIPv2 for both sending and receiving protocol messages When the no form of this command is used to restor...

Page 727: ...distributing external routes with incompatible metrics It is advisable to use a low metric when redistributing routes from another protocol into RIP Using a high metric limits the usefulness of external routes redistributed into RIP For example if a metric of 10 is defined for redistributed routes these routes can only be advertised to routers up to 5 hops away at which point the metric exceeds th...

Page 728: ...g 1 2 RIPv1 or RIPv2 packets Command Usage Use this command to override the global setting specified by the RIP redistribute command You can specify the receive version based on these options Use none if you do not want to add any dynamic entries to the routing table for an interface For example you may only want to allow static routes for a specific interface Use 1 or 2 if all routers in the loca...

Page 729: ...none to passively monitor route information advertised by other routers attached to the network Use 1 or 2 if all routers in the local network are based on RIPv1 or RIPv2 respectively Use v2 broadcast to propagate route information by broadcasting to other routers on the network using RIPv2 instead of multicasting as normally required by RIPv2 Using this mode allows RIPv1 routers to receive these ...

Page 730: ...ides faster convergence Example This example propagates routes back to the source using poison reverse Console config interface vlan 1 Console config if ip split horizon poison reverse Console config if ip rip authentication key This command enables authentication for RIPv2 packets and specifies the key that must be used on an interface Use the no form to prevent authentication Syntax ip rip authe...

Page 731: ...es that a simple password will be used md5 Message Digest 5 MD5 authentication Command Mode Interface Configuration VLAN Default Setting No authentication Command Usage The password to be used for authentication is specified in the ip rip authentication key command page 42 14 This command requires the interface to exchange routing information with other routers based on an authorized password Note...

Page 732: ...date Time in Seconds The interval at which RIP advertises known route information Default 30 seconds Number of Route Changes Number of times routing information has changed Number of Queries Number of router database queries received by this router show ip rip This command displays information about interfaces configured for RIP Syntax show ip rip configuration status peer configuration Shows RIP ...

Page 733: ... packets were received from this peer Number of bad RIP packets received from this peer Number of bad routes received from this peer 42 17 Example Console show ip rip configuration Interface SendMode ReceiveMode Poison Authentication 10 1 0 253 rip1Compatible 10 1 1 253 rip1Compatible Console show ip rip status RIPv1Orv2 SplitHorizon noAuthentication RIPv1Orv2 SplitHorizon noAuthentication Interfa...

Page 734: ...1583 default information originate timers spf Function Enables the OSPF routing protocol and enters OSPF configuration mode Sets the router ID for this device Calculates summary route costs using RFC 1583 OSPFv2 Generates a default external route into an autonomous system Configures the hold time between consecutive SPF calculations Mode Page GC 42 19 RC 42 20 RC 42 20 RC 42 21 RC 42 22 RC 42 23 R...

Page 735: ...rder routers show ip ospf database show ip ospf interface show ip ospf neighbor show ip ospf summary address show ip ospf virtual links Function Displays general information about the routing processes Displays routing table entries for Area Border Routers ABR and Autonomous System Boundary Routers ASBR Shows information about different LSAs in the database Displays interface information Displays ...

Page 736: ...set to 0 0 0 0 or 255 255 255 255 If this router already has registered neighbors the new router ID will be used when the router is rebooted or manually restarted by entering the no router ospf page 42 19 followed by the router ospf command If the priority values of the routers bidding to be the designated router or backup designated router for an area are equal the router with the highest ID is e...

Page 737: ...iginate This command generates a default external route into an autonomous system Use the no form to disable this feature Syntax default information originate always metric interface metric metric type metric type no default information originate always Always advertise a default route to the local AS regardless of whether the router has a default route See ip route on page 42 2 interface metric M...

Page 738: ...breaker if several Type 2 routes have the same cost Example This example assigns a metric of 20 to the default external route advertised into an autonomous system sending it as a Type 2 external metric Console config router default information originate metric 20 metric type 2 Console config router Related Commands ip route 42 2 redistribute 42 25 timers spf This command configures the hold time b...

Page 739: ...onfiguration Default Setting Disabled Command Usage This command can be used to summarize intra area routes and advertise this information to other areas through Area Border Routers ABRs If the network addresses within an area are assigned in a contiguous manner the ABRs can advertise a summary route that covers all of the individual networks within the area that fall into the specified range usin...

Page 740: ...e Use this option only on an area border router attached to a stub area or NSSA If the default cost is set to 0 the router will not advertise a default route into the attached stub or NSSA Example Console config router area 10 3 9 0 default cost 10 Console config router Related Commands area stub 42 27 summary address This command aggregates routes learned from other protocols Use the no form to r...

Page 741: ... range 42 23 redistribute 42 25 redistribute This command redistributes external routing information from other routing protocols and static routes into an autonomous system Use the no form to disable this feature or to restore the default settings Syntax no redistribute rip static metric metric value metric type type value rip Imports entries learned through the Routing Information Protocol into ...

Page 742: ...iated with reaching the advertising ASBR plus the cost of the external route When a Type 2 LSA is received by a router it only uses the external route metric to determine route cost Example This example redistributes routes learned from RIP as Type 1 external routes Console config router redistribute rip metric type 1 Console config router Related Commands default information originate 42 21 netwo...

Page 743: ... the router will use the network area with the address range that most closely matches the interface address Also note that if a more specific address range is removed from an area the interface belonging to that range may still remain active if a less specific address range covering that area has been specified This router supports up to 64 OSPF router interfaces and up to 16 total areas either n...

Page 744: ...to 16 total areas either normal transit areas stubs or NSSAs Example This example creates a stub area 10 2 0 0 and assigns all interfaces with class B addresses 10 2 x x to the stub Console config router area 10 2 0 0 stub Console config router network 10 2 0 0 0 255 255 255 area 10 2 0 0 Console config router Related Commands area default cost 42 24 area nssa This command defines a not so stubby ...

Page 745: ...information originate keyword However an NSSA is different from a stub because when the router is an ASBR it can import a default external AS route for routing protocol domains adjacent to the NSSA but not within the OSPF AS into the NSSA using the default information originate keyword External routes advertised into an NSSA can include network destinations outside the AS learned via OSPF the defa...

Page 746: ...in protocol message headers A separate password can be assigned to each network interface However this key must be the same for all neighboring routers on the same network i e autonomous system This key is only used when authentication is enabled for the backbone message digest key key id md5 key Sets the key identifier and password to be used to authenticate protocol messages passed between neigh...

Page 747: ... This value must be the same for all routers attached to an autonomous system Range 1 3600 seconds Default 1 seconds Command Mode Router Configuration Default Setting area id None router id None hello interval 10 seconds retransmit interval 5 seconds transmit delay 1 second dead interval 40 seconds authentication key None message digest key None Command Usage All areas must be connected to a backb...

Page 748: ...sage digest MD5 authentication null Indicates that no authentication is used Command Mode Interface Configuration VLAN Default Setting No authentication Command Usage Use authentication to prevent routers from inadvertently joining an unauthorized area Configure routers in the same area with the same password or key All neighboring routers on the same network with the same password will exchange r...

Page 749: ...ion key This command assigns a simple password to be used by neighboring routers to verify the authenticity of routing protocol messages Use the no form to remove the password Syntax ip ospf authentication key key no ip ospf authentication key key Sets a plain text password Range 1 8 characters Command Mode Interface Configuration VLAN Default Setting No password Command Usage Before specifying pl...

Page 750: ...isabled Command Usage Before specifying MD5 authentication for an interface with the ip ospf authentication command configure the message digest key id and key with this command Normally only one key is used per interface to generate authentication information for outbound packets and to authenticate incoming packets Neighbor routers must use the same key identifier and key value When changing to ...

Page 751: ... across a certain interface This is advertised as the link cost in router link state advertisements Routes are assigned a metric equal to the sum of all metrics for each interface link in the route Interface cost reflects the port speed This router uses a default cost of 1 for all ports Therefore if you install a 10 Gigabit module you may have to reset the cost for all of the 100 Mbps ports to a v...

Page 752: ...mmand Usage The dead interval is advertised in the router s hello packets It must be a multiple of the hello interval and be the same for all routers on a specific network Example Console config interface vlan 1 Console config if ip ospf dead interval 50 Console config if Related Commands ip ospf hello interval 42 36 ip ospf hello interval This command specifies the interval between sending hello ...

Page 753: ... OSPF network segment based on Router Priority The DR forms an active adjacency to all other routers in the network segment to exchange routing topology information If for any reason the DR fails the BDR takes over this role Set the priority to zero to prevent a router from being elected as a DR or BDR If set to any value other than zero the router with the highest priority will become the DR and ...

Page 754: ... information but does not produce unnecessary protocol traffic Note that this value should be larger for virtual links Set this interval to a value that is greater than the round trip delay between any two routers on the attached network to avoid unnecessary retransmissions Example Console config interface vlan 1 Console config if ip ospf retransmit interval 7 Console config if ip ospf transmit de...

Page 755: ...configuration Command Mode Privileged Exec Example Console show ip ospf Routing Process with ID 10 1 1 253 Supports only single TOS TOS0 route It is an area border and autonomous system boundary router Redistributing External Routes from rip with metric mapped to 10 Number of area in this router is 2 Area 0 0 0 0 BACKBONE Number of interfaces in this area is 1 SPF algorithm executed 19 times Area ...

Page 756: ... 1 252 10 2 6 252 Console 10 1 1 253 0 ABR INTRA 10 1 0 0 3 10 2 9 253 0 ASBR INTER 10 2 0 0 7 Table 42 10 show ip ospf border routers display description Description Identifier for the destination router IP address of the next hop toward the destination Link metric for this route Router type of the destination either ABR ASBR or both Route type either intra area or interarea route INTRA or INTER ...

Page 757: ...area id database self originate link state id show ip ospf area id database summary link state id show ip ospf area id database summary link state id adv router ip address show ip ospf area id database summary link state id self originate link state id area id Area defined for which you want to view LSA information This item must be entered in the form of an IP address adv router IP address of the...

Page 758: ...e LSA 42 42 Command Mode Privileged Exec Examples The following shows output for the show ip ospf database command Console show ip ospf database Displaying Router Link States Area 10 1 0 0 Link ID ADV Router Age Seq Checksum 10 1 1 252 10 1 1 252 26 0X80000005 0X89A1 10 1 1 253 10 1 1 253 23 0X80000002 0X8D9D Displaying Net Link States Area 10 1 0 0 Link ID ADV Router Age Seq Checksum 10 1 1 252 C...

Page 759: ...Mask 255 255 255 0 Metric 1 Console Table 42 12 show ip ospf asbr summary display description Field Description OSPF Router id Router ID LS age Age of LSA in seconds Options Optional capabilities associated with the LSA LS Type Summary Links LSA describes routes to AS boundary routers Link State ID Interface address of the autonomous system boundary router Advertising Router Advertising router ID ...

Page 760: ...ummary ASBR LSAs External AS Number of autonomous system external LSAs External Nssa Number of NSSA external network LSAs Total LSA Counts Total number of LSAs 42 44 The following shows output when using the database summary keyword Console show ip ospf database database summary Area ID 10 1 0 0 Router Network 2 1 Total LSA Counts 4 Console Sum Net Sum ASBR External AS External Nssa 1 0 0 0 IP Rou...

Page 761: ...ternal Links LSA describes routes to destinations outside the AS including default external routes for the AS Link State ID IP network number External Network Number Advertising Router Advertising router ID LS Sequence Number Sequence number of LSA used to detect older duplicate LSAs LS Checksum Checksum of the complete contents of the LSA Length The length of the LSA in bytes Network Mask Address...

Page 762: ...le 42 15 show ip ospf network display description Field Description OSPF Router id Router ID LS age Age of LSA in seconds Options Optional capabilities associated with the LSA LS Type Network Link LSA describes the routers attached to the network Link State ID Interface address of the designated router Advertising Router Advertising router ID LS Sequence Number Sequence number of LSA used to detec...

Page 763: ...ay description Field Description OSPF Router id Router ID LS age Age of LSA in seconds Options Optional capabilities associated with the LSA LS Type Router Link LSA describes the router s interfaces Link State ID Router ID of the router that originated the LSA Advertising Router Advertising router ID LS Sequence Number Sequence number of LSA used to detect older duplicate LSAs LS Checksum Checksum...

Page 764: ...mber Advertising Router 10 1 1 252 LS Sequence Number 80000003 LS Checksum 0x3D02 Length 28 Network Mask 255 255 255 0 Metric 1 Console Table 42 17 show ip ospf summary display description Field Description OSPF Router id Router ID LS age Age of LSA in seconds Options Optional capabilities associated with the LSA LS Type Summary Links LSA describes routes to networks Link State ID Router ID of the...

Page 765: ... VLAN ID and Status of physical link IP address of OSPF interface Network mask for interface address OSPF area to which this interface belongs Router ID Includes broadcast non broadcast or point to point networks Interface transmit cost Interface transmit delay in seconds Disabled OSPF not enabled on this interface Down OSPF is enabled on this interface but interface is down Loopback This is a loo...

Page 766: ...tate and identification flag States include Down Connection down Attempt Connection down but attempting contact for non broadcast networks Init Have received Hello packet but communications not yet established Two way Bidirectional communications established ExStart Initializing adjacency between neighbors Exchange Database descriptions being exchanged Loading LSA databases being exchanged Full Ne...

Page 767: ...irtual links Command Mode Privileged Exec Example Console show ip ospf virtual links Virtual Link to router 10 1 1 253 is up Transit area 10 1 1 0 Transmit Delay is 1 sec Timer intervals configured Hello 10 Dead 40 Retransmit 5 Console Table 42 20 show ip ospf virtual links display description Field Description Virtual Link to router OSPF neighbor and link state up or down Transit area Common area...

Page 768: ...42 42 52 IP Routing Commands ...

Page 769: ...Section IV Appendices This section provides additional information on the following topics Software Specifications A 1 Troubleshooting B 1 Glossary Index ...

Page 770: ...Appendices ...

Page 771: ...rm Control Traffic throttled above a critical threshold Port Mirroring Multiple source ports one destination port Rate Limits Input Limit Output limit Range configured per port Port Trunking Static trunks Cisco EtherChannel compliant Dynamic trunks Link Aggregation Control Protocol Spanning Tree Algorithm Spanning Tree Protocol STP IEEE 802 1D 2004 Rapid Spanning Tree Protocol RSTP IEEE 802 1D 200...

Page 772: ...lerts Management Features In Band Management Telnet web based HTTP or HTTPS SNMP manager or Secure Shell Out of Band Management RS 232 DB 9 console port Software Loading TFTP in band or XModem out of band SNMP Management access via MIB database Trap management to specified hosts RMON Groups 1 2 3 9 Statistics History Alarm Event Standards IEEE 802 1D 2004 Spanning Tree Algorithm and traffic priori...

Page 773: ... 2328 2178 1587 RADIUS RFC 2618 RIP RFC 1058 RIPv2 RFC 2453 RIPv2 extension RFC 1724 RMON RFC 2819 groups 1 2 3 9 SNMP RFC 1157 SNMPv2c RFC 2571 SNMPv3 RFC DRAFT 3414 3410 2273 3411 3415 SNTP RFC 2030 SSH Version 2 0 TFTP RFC 1350 VRRP RFC 3768 Management Information Bases Bridge MIB RFC 1493 DNS Resolver MIB RFC 1612 Differentiated Services MIB RFC 3289 Entity MIB RFC 2737 Ether like MIB RFC 2665...

Page 774: ...RFC 2453 RIP2 Extension RFC1724 RMON MIB RFC 2819 RMON II Probe Configuration Group RFC 2021 partial implementation SNMPv2 IP MIB RFC 2011 SNMP Framework MIB RFC 3411 SNMP MPD MIB RFC 3412 SNMP Target MIB SNMP Notification MIB RFC 3413 SNMP User Based SM MIB RFC 3414 SNMP View Based ACM MIB RFC 3415 SNMP Community MIB RFC 3584 TACACS Authentication Client MIB TCP MIB RFC 2012 Trap RFC 1215 UDP MIB...

Page 775: ...ions permitted Try connecting again at a later time Be sure the control parameters for the SSH server are properly configured on the switch and that the SSH client software is properly configured on the management station Be sure you have generated a public key on the switch and exported this key to the SSH client Be sure you have set up an account on the switch for each SSH user including user na...

Page 776: ... include all categories 3 Designate the SNMP host that is to receive the error messages 4 Repeat the sequence of commands or other actions that lead up to the error 5 Make a list of the commands or circumstances that led to the fault Also make a list of any error messages displayed 6 Contact your distributor s service engineer For example Console config logging on Console config logging history fl...

Page 777: ...y service and prevent blockage of lower level queues Priority may be set according to the port default the packet s priority bit in the VLAN tag TCP UDP port number IP Precedence bit or DSCP priority bit Differentiated Services DiffServ DiffServ provides quality of service on large networks by employing a well defined set of building blocks from which a variety of aggregate forwarding behaviors ma...

Page 778: ...ocol over LAN EAPOL EAPOL is a client authentication protocol used by this switch to verify the network access rights for any device that is plugged into the switch A user name and password is requested by the switch and then passed to an authentication server e g RADIUS for verification EAPOL is implemented as part of the IEEE 802 1X Port Authentication standard GARP VLAN Registration Protocol GV...

Page 779: ...ree Protocol RSTP which reduces the convergence time for network topology changes to about 10 of that required by the older IEEE 802 1D STP standard Now incorporated in IEEE 802 1D 2004 IEEE 802 1X Port Authentication controls access to the switch ports by requiring users to first enter a user ID and password for authentication IEEE 802 3ac Defines frame extensions for VLAN tagging IEEE 802 3x Def...

Page 780: ...s defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic The eight values are mapped one to one to the Class of Service categories by default but may be configured differently to suit the requirements for specific network applications Layer 2 Data Link layer in the ISO 7 Layer Data Communications Protocol This is re...

Page 781: ...Open Shortest Path First OSPF OSPF is a link state routing protocol that functions better over a larger network such as the Internet as opposed to distance vector routing protocols such as RIP It includes features such as unlimited hop count authentication of routing updates and Variable Length Subnet Masks VLSM Out of Band Management Management of the network from a station not attached to the ne...

Page 782: ...of that required by the older IEEE 802 1D STP standard Routing Information Protocol RIP The RIP protocol seeks to find the shortest route to another device by minimizing the distance vector or hop count which serves as a rough estimate of transmission cost RIP 2 is a compatible upgrade to RIP It adds useful capabilities for subnet routing authentication and multicast transmissions Secure Shell SSH...

Page 783: ...ean Time based solely on the Earth s rotation rate with highly accurate atomic time The UTC does not have daylight saving time User Datagram Protocol UDP UDP provides a datagram mode for packet switched communications It uses IP as the underlying transport mechanism to provide access to IP like services UDP packets are delivered just like IP packets connection less datagrams that may be discarded ...

Page 784: ...een configured with a fixed gateway to maintain network connectivity in case the primary gateway goes down XModem A protocol used to transfer files between devices Data is grouped in 128 byte blocks and error corrected Glossary 8 ...

Page 785: ...mmand line interface See CLI community string 2 13 5 3 24 3 configuration files restoring defaults 4 24 23 10 configuration settings saving or restoring 2 16 4 24 23 10 23 11 console port required connections 2 2 CoS configuring 13 1 35 1 36 1 DSCP 13 10 35 10 IP port priority 13 11 35 7 IP precedence 13 8 35 8 layer 3 4 priorities 13 7 35 7 queue mapping 13 3 35 4 queue mode 13 5 35 2 traffic cla...

Page 786: ...02 1X 6 18 25 26 IGMP groups displaying 15 8 37 4 immediate leave status 15 5 37 4 Layer 2 15 2 37 1 query 15 2 37 5 query Layer 2 15 3 37 5 snooping 15 2 37 1 snooping configuring 15 3 37 1 snooping immediate leave 15 5 37 3 IGMP snooping immediate leave 15 5 importing user public keys 6 12 23 11 ingress filtering 11 10 34 9 IP address BOOTP DHCP 4 8 39 2 IP port priority enabling 13 11 35 7 mapp...

Page 787: ... 3 32 1 32 6 32 13 message statistics 12 11 32 18 message timing 12 1 32 3 32 5 Index remote information displaying 12 9 32 16 remote port information displaying 12 8 32 16 timing attributes configuring 12 1 32 3 32 5 TLV 12 1 12 3 TLV management address 12 4 32 7 TLV port description 12 3 32 8 TLV system capabilities 12 4 32 8 TLV system description 12 4 32 9 TLV system name 12 4 32 9 logging sys...

Page 788: ...29 1 priority default port ingress 13 1 35 3 problems troubleshooting B 1 protocol migration 10 15 33 17 proxy ARP 19 9 41 35 Index 4 Q QinQ Tunneling See 802 1Q QoS 14 1 36 1 Quality of Service See QoS queue weights 13 6 35 4 R RADIUS logon authentication 6 2 25 6 rate limits setting 8 20 30 1 remote logging 4 31 23 29 restarting the system 4 36 22 4 RIP configuring 20 2 42 6 42 16 description 20...

Page 789: ...ngs saving or restoring 23 10 system clock setting 4 36 4 37 23 35 system clock summer time 4 40 23 40 23 41 23 42 system clock time zone 4 39 23 39 system mode normal or QinQ 11 16 34 15 Index system software downloading from server 4 22 23 11 T TACACS logon authentication 6 2 25 9 time zone setting 4 39 23 39 time setting 4 36 4 37 23 35 TPID 11 16 34 16 traffic class weights 13 6 35 4 trap mana...

Page 790: ...atistics 18 8 40 6 preemption 18 3 18 4 40 5 priority 18 3 18 4 40 3 protocol message statistics 18 7 40 9 timers 18 4 40 4 virtual address 18 2 18 4 40 2 Index 6 W web interface access requirements 3 1 configuration buttons 3 3 home page 3 2 menu list 3 4 panel display 3 3 ...

Page 791: ......

Page 792: ...IC40240 10G IC40480 10G ...

Reviews:

No comments

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands