manualshive.com logo in svg

Digisol DG-FS4528P, Management Manual

Share
Download
Digisol DG-FS4528P Management Manual Download Page 158

C

HAPTER

 7

  |  Security Measures

Configuring Local/Remote Logon Authentication

–  158  –

Figure 50:  Authentication Server Operation

RADIUS uses UDP while uses TCP. UDP only offers best effort 

delivery, while TCP offers a connection-oriented transport. Also, note that 

RADIUS encrypts only the password in the access-request packet from the 

client to the server, while encrypts the entire body of the packet.

C

OMMAND

 U

SAGE

 

By default, management access is always checked against the 

authentication database stored on the local switch. If a remote 

authentication server is used, you must specify the authentication 

sequence and the corresponding parameters for the remote 

authentication protocol. Local and remote logon authentication control 

management access via the console port, web browser, or Telnet.

 

RADIUS and logon authentication assign a specific privilege 

level for each user name/password pair. The user name, password, and 

privilege level must be configured on the authentication server. The 

encryption methods used for the authentication process must also be 

configured or negotiated between the authentication server and logon 

client. This switch can pass authentication messages between the 

server and client that have been encrypted using MD5 (Message-Digest 

5), TLS (Transport Layer Security), or TTLS (Tunneled Transport Layer 

Security).

 

You can specify up to three authentication methods for any user to 

indicate the authentication sequence. For example, if you select (1) 

RADIUS, (2) TACACS and (3) Local, the user name and password on 

the RADIUS server is verified first. If the RADIUS server is not 

available, then authentication is attempted using the server, 

and finally the local user name and password is checked.

P

ARAMETERS

These parameters are displayed:

 

Authentication Sequence 

– Select the authentication, or 

authentication sequence required:

 

Local

 – User authentication is performed only locally by the switch.

Web
Telnet

RADIUS/

server

console

1. Client attempts management access.
2. Switch contacts authentication server.
3. Authentication server challenges client.
4. Client responds with proper password or key.
5. Authentication server approves access.
6. Switch grants management access.

Summary of Contents for DG-FS4528P

Page 1: ...S4528P Layer 2 Fast Ethernet Managed POE Switch Management Guide V1 0 2011 12 12 MUSTANG 4000 Managed Switch Series As our product undergoes continuous development the specifications are subject to change without prior notice ...

Page 2: ......

Page 3: ...EMENT GUIDE FAST ETHERNET SWITCH DG FS4528P Layer 2 Workgroup Switch with Power over Ethernet 24 10 100BASE TX RJ 45 Ports 2 10 100 1000BASE T RJ 45 Ports and 2 Gigabit Combination Ports RJ 45 SFP DG FS4528P ...

Page 4: ......

Page 5: ... show information NOTE Emphasizes important information or calls your attention to related features or instructions CAUTION Alerts you to a potential hazard that could cause loss of data or damage the system or equipment WARNING Alerts you to a potential hazard that could cause personal injury RELATED PUBLICATIONS The following publication details the hardware features of the switch including the ...

Page 6: ...57 Remote Connections 58 Basic Configuration 59 Console Connection 59 Setting Passwords 59 Setting an IP Address 60 Manual Configuration 60 Dynamic Configuration 61 Downloading a Configuration File Referenced by a DHCP Server 62 Enabling SNMP Management Access 64 Community Strings for SNMP version 1 and 2c clients 65 Trap Receivers 65 Configuring Access for SNMP Version 3 Clients 66 Managing Syste...

Page 7: ...Frames 93 Displaying CPU Utilization 94 Displaying Memory Utilization 95 Managing System Files 96 Automatic Operation Code Upgrade 96 Copying Operation Code via FTP or TFTP 100 Saving or Restoring Configuration Settings 102 Copying Files Using HTTP 104 Deleting Files 106 Setting The Start Up File 106 Console Port Settings 107 Telnet Settings 109 Configuring Event Logging 110 System Log Configurati...

Page 8: ...D 141 Configuring Local SNMPv3 Users 142 Configuring Remote SNMPv3 Users 143 Configuring SNMPv3 Groups 146 Setting SNMPv3 Views 149 6 SAMPLING TRAFFIC FLOWS 151 Overview 151 Configuring sFlow Global Parameters 152 Configuring sFlow Port Parameters 153 7 SECURITY MEASURES 155 Configuring User Accounts 156 Configuring Local Remote Logon Authentication 157 Configuring Encryption Keys 161 AAA Authoriz...

Page 9: ...upplicant Port Settings for 802 1X 192 Displaying 802 1X Authenticator Statistics 194 Displaying 802 1X Supplicant Statistics 196 Web Authentication 197 Configuring Global Settings for Web Authentication 198 Configuring Interface Settings for Web Authentication 199 Displaying Web Authentication Port Information 199 Re authenticating Web Authenticated Ports 200 Network Access MAC Address Authentica...

Page 10: ...ooping 240 Displaying DHCP Snooping Binding Information 241 IP Source Guard 242 Configuring Ports for IP Source Guard 242 Configuring Static Bindings for IP Source Guard 244 Displaying Information for Dynamic IP Source Guard Bindings 246 8 INTERFACE CONFIGURATION 248 Port Configuration 248 Displaying Connection Status 248 Configuring Interface Connections 249 Trunk Configuration 252 Configuring a ...

Page 11: ...ynamic Address Table 287 Changing the Aging Time 288 11 SPANNING TREE ALGORITHM 290 Overview 290 Configuring Loopback Detection 293 Displaying Global Settings for STA 294 Configuring Global Settings for STA 296 Displaying Interface Settings for STA 300 Configuring Interface Settings for STA 303 Spanning Tree Edge Port Configuration 306 Configuring Multiple Spanning Trees 308 Displaying Interface S...

Page 12: ...te VLANs 341 Displaying Private VLAN Interface Information 341 Configuring Private VLAN Interfaces 343 Protocol VLANs 344 Configuring Protocol VLAN Groups 345 Mapping Protocol Groups to VLANs 346 Configuring VLAN Mirroring 347 Configuring IP Subnet VLANs 349 Configuring MAC based VLANs 350 14 LINK LAYER DISCOVERY PROTOCOL 352 Overview 352 Setting LLDP Timing Attributes 353 Configuring LLDP Interfa...

Page 13: ...Configuring IGMP Snooping and Query Parameters 392 Enabling IGMP Immediate Leave 394 Displaying Interfaces Attached to a Multicast Router 396 Specifying Static Interfaces for a Multicast Router 396 Displaying Port Members of Multicast Services 397 Assigning Interfaces to Multicast Services 398 Filtering and Throttling IGMP Groups 399 Enabling IGMP Filtering and Throttling 400 Configuring IGMP Filt...

Page 14: ...nection 422 Telnet Connection 423 Entering Commands 424 Keywords and Arguments 424 Minimum Abbreviation 424 Command Completion 424 Getting Help on Commands 425 Showing Commands 425 Partial Keyword Lookup 426 Negating the Effect of Commands 427 Using Command History 427 Understanding Command Modes 427 Exec Commands 427 Configuration Commands 428 Command Line Processing 430 Output Modifiers and Redi...

Page 15: ...t info 447 banner configure equipment location 448 banner configure ip lan 448 banner configure lp number 449 banner configure manager info 450 banner configure mux 450 banner configure note 451 show banner 452 System Status 452 show access list tcam utilization 453 show memory 453 show process cpu 453 show running config 454 show startup config 455 show system 456 show tech support 457 show users...

Page 16: ...t time 476 speed 477 stopbits 478 timeout login response 478 disconnect 479 show line 479 Event Logging 480 logging facility 481 logging history 481 logging host 482 logging on 483 logging trap 483 clear log 484 show log 485 show logging 485 SMTP Alerts 487 logging sendmail 487 logging sendmail destination email 487 logging sendmail host 488 logging sendmail level 489 logging sendmail source email...

Page 17: ...me recurring 500 clock timezone 502 clock timezone predefined 502 calendar set 503 show calendar 504 Time Range 504 time range 504 absolute 505 periodic 506 show time range 507 Switch Clustering 507 cluster 508 cluster commander 509 cluster ip pool 509 cluster member 510 rcommand 511 show cluster 511 show cluster members 512 show cluster candidates 512 UPnP 512 upnp device 513 upnp device ttl 513 ...

Page 18: ...s 528 snmp server host 530 snmp server enable traps mac notification 532 snmp server enable port traps mac notification 533 show snmp server enable port traps interface 534 24 FLOW SAMPLING COMMANDS 535 sflow 535 sflow source 536 sflow sample 537 sflow polling interval 537 sflow owner 538 sflow timeout 538 sflow destination 539 sflow max header size 539 sflow max datagram size 540 show sflow 540 2...

Page 19: ...r key 553 tacacs server port 553 tacacs server retransmit 554 tacacs server timeout 554 show tacacs server 555 AAA 555 aaa accounting commands 556 aaa accounting dot1x 557 aaa accounting exec 558 aaa accounting update 559 aaa authorization exec 559 aaa group server 560 server 561 accounting dot1x 561 accounting commands 562 accounting exec 562 authorization exec 563 show accounting 564 Web Server ...

Page 20: ...t 580 dot1x eapol pass through 580 dot1x system auth control 581 dot1x intrusion action 581 dot1x max req 582 dot1x operation mode 582 dot1x port control 583 dot1x re authentication 584 dot1x timeout quiet period 584 dot1x timeout re authperiod 585 dot1x timeout supp timeout 585 dot1x timeout tx period 586 dot1x re authenticate 586 dot1x identity profile 587 dot1x max start 588 dot1x pae supplican...

Page 21: ...on 605 network access aging 606 network access mac filter 606 mac authentication reauth time 607 network access dynamic qos 608 network access dynamic vlan 609 network access guest vlan 609 network access link detection 610 network access link detection link down 611 network access link detection link up 611 network access link detection link up down 612 network access max mac count 612 network ac...

Page 22: ...dhcp snooping information option circuit id string 631 ip dhcp snooping trust 631 clear ip dhcp snooping database flash 632 ip dhcp snooping database flash 632 show ip dhcp snooping 633 show ip dhcp snooping binding 633 IP Source Guard 634 ip source guard binding 634 ip source guard 636 ip source guard max binding 637 show ip source guard 638 show ip source guard binding 638 ARP Inspection 639 ip ...

Page 23: ...roup 656 show ip access list 656 IPv6 ACLs 657 access list ipv6 657 permit deny Standard IPv6 ACL 658 permit deny Extended IPv6 ACL 659 show ipv6 access list 660 ipv6 access group 661 show ipv6 access group 662 MAC ACLs 662 access list mac 662 permit deny MAC ACL 663 mac access group 665 show mac access group 666 show mac access list 666 ARP ACLs 667 access list arp 667 permit deny ARP ACL 668 sho...

Page 24: ...interface 688 show cable diagnostics 689 29 LINK AGGREGATION COMMANDS 690 channel group 691 lacp 692 lacp admin key Ethernet Interface 693 lacp mode 694 lacp port priority 695 lacp system priority 696 lacp admin key Port Channel 696 show lacp 697 30 POWER OVER ETHERNET COMMANDS 701 power mainpower maximum allocation 701 power inline compatible 702 power inline 703 power inline maximum allocation 7...

Page 25: ... control apply 722 snmp server enable port traps atc broadcast control release 723 snmp server enable port traps atc multicast alarm clear 723 snmp server enable port traps atc multicast alarm fire 724 snmp server enable port traps atc multicast control apply 724 snmp server enable port traps atc multicast control release 725 show auto traffic control 725 show auto traffic control interface 726 34...

Page 26: ...747 spanning tree bpdu filter 748 spanning tree bpdu guard 749 spanning tree cost 750 spanning tree edge port 751 spanning tree link type 752 spanning tree loopback detection 753 spanning tree loopback detection release mode 754 spanning tree loopback detection trap 755 spanning tree mst cost 755 spanning tree mst port priority 756 spanning tree portfast 757 spanning tree port bpdu flooding 758 sp...

Page 27: ... control vlan 783 enable 784 guard timer 785 holdoff timer 785 meg level 786 node id 787 ring port 787 rpl owner 788 wtr timer 788 show erps 789 39 VLAN COMMANDS 792 GVRP and Bridge Extension Commands 793 bridge ext gvrp 793 garp timer 794 switchport forbidden vlan 795 switchport gvrp 795 show bridge ext 796 show garp timer 796 show gvrp configuration 797 Editing VLAN Groups 797 vlan database 798 ...

Page 28: ... tpid 811 show dot1q tunnel 811 Configuring L2CP Tunneling 812 l2protocol tunnel tunnel dmac 812 switchport l2protocol tunnel 813 show l2protocol tunnel 816 Configuring Port based Traffic Segmentation 816 pvlan 816 pvlan uplink downlink 817 pvlan session 818 pvlan up to up 819 show pvlan 819 Configuring Private VLANs 820 private vlan 821 private vlan association 822 switchport mode private vlan 82...

Page 29: ...t voice vlan priority 836 switchport voice vlan rule 837 switchport voice vlan security 838 show voice vlan 838 40 CLASS OF SERVICE COMMANDS 840 Priority Commands Layer 2 840 queue mode 841 queue cos map 842 switchport priority default 843 show queue bandwidth 844 show queue cos map 844 show queue mode 845 Priority Commands Layer 3 and 4 845 map ip dscp Global Configuration 845 map ip dscp Interfa...

Page 30: ...64 show mac address table multicast 865 IGMP Query Commands 866 ip igmp snooping querier 866 ip igmp snooping query count 867 ip igmp snooping query interval 867 ip igmp snooping query max response time 868 ip igmp snooping router port expire time 869 Static Multicast Routing 869 ip igmp snooping vlan mrouter 870 show ip igmp snooping mrouter 870 IGMP Filtering and Throttling 871 ip igmp filter Gl...

Page 31: ... 892 ipv6 mld snooping router port expire time 893 ipv6 mld snooping unknown multicast mode 893 ipv6 mld snooping version 894 ipv6 mld snooping vlan mrouter 894 ipv6 mld snooping vlan static 895 ipv6 mld snooping immediate leave 896 show ipv6 mld snooping 896 show ipv6 mld snooping group 897 show ipv6 mld snooping mrouter 897 44 LLDP COMMANDS 898 lldp 900 lldp holdtime multiplier 900 lldp med fast...

Page 32: ...3 tlv poe 911 lldp med notification 911 lldp med tlv extpoe 912 lldp med tlv inventory 912 lldp med tlv location 913 lldp med tlv med cap 913 lldp med tlv network policy 914 lldp notification 914 show lldp config 915 show lldp info local device 917 show lldp info remote device 918 show lldp info statistics 919 45 DOMAIN NAME SERVICE COMMANDS 921 ip domain list 921 ip domain lookup 922 ip domain na...

Page 33: ...OMMANDS 937 ip address 938 ip default gateway 939 show ip interface 940 show ip redirects 940 ping 940 clear arp cache 942 show arp 942 SECTION IV APPENDICES 943 A SOFTWARE SPECIFICATIONS 944 Software Features 944 Management Features 945 Standards 946 Management Information Bases 947 B TROUBLESHOOTING 948 Problems Accessing the Management Interface 948 Using System Logs 949 GLOSSARY 950 COMMAND LI...

Page 34: ...oading Files Using HTTP 105 Figure 15 Downloading Files Using HTTP 105 Figure 16 Deleting Files 106 Figure 17 Setting the Start up Code 107 Figure 18 Console Port Settings 108 Figure 19 Telnet Connection Settings 110 Figure 20 Configuring Settings for System Memory Logs 112 Figure 21 Showing Error Messages Logged to System Memory 112 Figure 22 Configuring Settings for Remote Logging of Error Messa...

Page 35: ...counts 157 Figure 50 Authentication Server Operation 158 Figure 51 Configuring Authentication Settings 160 Figure 52 Configuring Encryption Keys 162 Figure 53 Configuring AAA RADIUS Server Groups 164 Figure 54 Configuring AAA TACACS Server Groups 165 Figure 55 Configuring the Methods Used for AAA Accounting 166 Figure 56 Configuring the Update Interval for AAA Accounting 167 Figure 57 Configuring ...

Page 36: ...ings for Network Access 206 Figure 83 Configuring Link Detection for Network Access 207 Figure 84 Showing Addresses Authenticated for Network Access 209 Figure 85 Configuring a MAC Address Filter for Network Access 210 Figure 86 Creating an ACL 212 Figure 87 Configuring a Standard IPv4 ACL 213 Figure 88 Configuring an Extended IPv4 ACL 215 Figure 89 Configuring a Standard IPv6 ACL 217 Figure 90 Co...

Page 37: ...ing LACP Port Remote Information 263 Figure 120 Configuring Broadcast Storm Control 265 Figure 121 Configuring Multicast Storm Control 266 Figure 122 Configuring Unknown Unicast Storm Control 267 Figure 123 Configuring Port Mirroring 268 Figure 124 Configuring Port Mirroring 269 Figure 125 Mirroring Packets Based on the Source MAC Address 270 Figure 126 Configuring Rate Limits 272 Figure 127 Confi...

Page 38: ...321 Figure 155 Configuring Global Status of GVRP 322 Figure 156 Displaying Basic VLAN Information 323 Figure 157 Displaying Current VLANs 324 Figure 158 Creating Static VLANs 325 Figure 159 Adding Static Members to VLANs 327 Figure 160 Adding VLAN Groups to an Interface 328 Figure 161 Adding VLAN Groups to an Interface 330 Figure 162 QinQ Operational Concept 331 Figure 163 Enabling QinQ Tunneling ...

Page 39: ...ating a Policy Map 381 Figure 193 Adding Rules to a Policy Map 382 Figure 194 Attaching a Policy Map to a Port 383 Figure 195 Configuring a Voice VLAN 386 Figure 196 Configuring Port Settings for a Voice VLAN 387 Figure 197 Configuring an OUI Telephony List 388 Figure 198 Multicast Filtering Concept 390 Figure 199 Configuring General Settings for IGMP Snooping 394 Figure 200 Enabling IGMP Immediat...

Page 40: ...aying MVR Receiver Groups 413 Figure 216 Configuring Static MVR Receiver Group Members 414 Figure 217 Configuring General Settings for DNS 416 Figure 218 Configuring Static Entries in the DNS Table 418 Figure 219 Showing Entries in the DNS Cache 419 Figure 220 Storm Control by Limiting the Traffic Rate 714 Figure 221 Storm Control by Shutting Down a Port 715 Figure 222 Configuring VLAN Trunking 80...

Page 41: ...194 Table 14 802 1X Supplicant Statistics 196 Table 15 Dynamic QoS Profiles 202 Table 16 ARP Inspection Log 230 Table 17 ARP Inspection Statistics 231 Table 18 LACP Port Counters 259 Table 19 LACP Internal Configuration Information 260 Table 20 LACP Internal Configuration Information 262 Table 21 Port Statistics 276 Table 22 Recommended STA Path Cost Range 304 Table 23 Recommended STA Path Costs 3...

Page 42: ...ap display description 486 Table 48 Event Logging Commands 487 Table 49 Time Commands 490 Table 50 Predefined Summer Time Parameters 500 Table 51 Time Range Commands 504 Table 52 Switch Cluster Commands 507 Table 53 UPnP Commands 512 Table 54 SNMP Commands 516 Table 55 show snmp engine id display description 525 Table 56 show snmp group display description 526 Table 57 show snmp user display descr...

Page 43: ...RP Inspection Commands 639 Table 84 Access Control List Commands 649 Table 85 IPv4 ACL Commands 649 Table 86 IPv4 ACL Commands 657 Table 87 MAC ACL Commands 662 Table 88 ARP ACL Commands 667 Table 89 ACL Information Commands 670 Table 90 Interface Commands 671 Table 91 show interfaces switchport display description 686 Table 92 Link Aggregation Commands 690 Table 93 show lacp counters display desc...

Page 44: ... 119 Commands for Displaying VLAN Information 806 Table 120 802 1Q Tunneling Commands 807 Table 121 L2CP Tunnel Commands 812 Table 122 Traffic Segmentation Commands 816 Table 123 Traffic Segmentation Forwarding 817 Table 124 Private VLAN Commands 820 Table 125 Protocol based VLAN Commands 825 Table 126 IP Subnet VLAN Commands 829 Table 127 MAC Based VLAN Commands 831 Table 128 Voice VLAN Commands ...

Page 45: ...eiver members display description 890 Table 145 MLD Snooping Commands 891 Table 146 LLDP Commands 898 Table 147 Address Table Commands 921 Table 148 show dns cache display description 927 Table 149 DHCP Commands 929 Table 150 DHCP Client Commands 929 Table 151 DHCP Relay Commands 931 Table 152 Inserting Option 82 Information display description 933 Table 153 Basic IP Configuration Commands 937 Tab...

Page 46: ...rview of the switch and introduces some basic concepts about network switches It also describes the basic settings required to access the management interface This section includes these chapters Introduction on page 47 Initial Switch Configuration on page 56 ...

Page 47: ...figuration Backup and Restore Using management station or FTP TFTP server Authentication Console Telnet web user name password RADIUS TACACS Port IEEE 802 1X MAC address filtering SNMP v1 2c Community strings SNMP version 3 MD5 or SHA password Telnet SSH Web HTTPS General Security Measures AAA ARP inspection DHCP Snooping with Option 82 relay information IP Source Guard Network Access MAC Address ...

Page 48: ...y or can be verified via a remote authentication server i e RADIUS or TACACS Port based authentication is also supported via the IEEE 802 1X protocol This protocol uses Extensible Authentication Protocol over LANs EAPOL to request user credentials from the 802 1X client and then verifies the client s right to access the network via an authentication server Address Table 8K MAC addresses in the for...

Page 49: ... periods of congestion and prevent the loss of packets when port buffer thresholds are exceeded The switch supports flow control based on the IEEE 802 3x standard now incorporated in IEEE 802 3 2002 RATE LIMITING This feature controls the maximum rate for traffic transmitted or received on an interface Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out ...

Page 50: ... verified for accuracy with the cyclic redundancy check CRC This prevents bad frames from entering the network and wasting bandwidth To avoid dropping frames on congested ports the switch provides 4 Mbits for frame buffering This buffer can queue packets awaiting transmission on congested networks SPANNING TREE ALGORITHM The switch supports these spanning tree protocols Spanning Tree Protocol STP ...

Page 51: ...affic to pass only between data ports and the uplink ports thereby isolating adjacent ports within the same VLAN and allowing you to limit the total number of VLANs that need to be configured Use protocol VLANs to restrict traffic to specified interfaces based on protocol type NOTE The switch allows 255 user manageable VLANs One other VLAN VLAN ID 4093 is reserved for switch clustering TRAFFIC PRI...

Page 52: ...rs carrying traffic for multiple customers across their networks QinQ tunneling is used to maintain customer specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs This is accomplished by inserting Service Provider VLAN SPVLAN tags into the customer s frames when they enter the service provider s network and then stripping the tags when the f...

Page 53: ...one Local Console Timeout 0 disabled Authentication and Security Measures Privileged Exec Level Username admin Password admin Normal Exec Level Username guest Password guest Enable Privileged Exec from Normal Exec Level Password super RADIUS Authentication Disabled TACACS Authentication Disabled 802 1X Port Authentication Disabled Web Authentication Disabled MAC Authentication Disabled HTTPS Enabl...

Page 54: ...roadcast Enabled 64 kbits sec Multicast Disabled Unknown Unicast Disabled Address Table Aging Time 300 seconds Spanning Tree Algorithm Status Enabled RSTP Defaults RSTP standard Edge Ports Disabled LLDP Status Enabled Virtual LANs Default VLAN 1 PVID 1 Acceptable Frame Type All Ingress Filtering Disabled Switchport Mode Egress Mode Hybrid tagged untagged frames GVRP global Disabled GVRP port inter...

Page 55: ...g Layer 2 Snooping Enabled Querier Disabled Multicast VLAN Registration Disabled MLD Snooping Disabled System Log Status Enabled Messages Logged to RAM Levels 0 7 all Messages Logged to Flash Levels 0 3 SMTP Email Alerts Event Handler Enabled but no server defined SNTP Clock Synchronization Disabled NTP Clock Synchronization Disabled Switch Clustering Status Enabled Commander Disabled Table 2 Syst...

Page 56: ...istics using a standard web browser such as Internet Explorer 5 x or above Netscape 6 2 or above and Mozilla Firefox 2 0 0 0 or above The switch s web management interface can be accessed from any computer attached to the network The CLI program can be accessed by a direct connection to the RS 232 serial console port on the switch or remotely by a Telnet or Secure Shell SSH connection over the net...

Page 57: ...ay system information and statistics REQUIRED CONNECTIONS The switch provides an RS 232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch A null modem console cable is provided with the switch Attach a VT100 compatible terminal or a PC running a terminal emulation program to the switch You can use the console cable provided with this package or use...

Page 58: ...onsole connection or DHCP protocol The IP address for this switch is obtained via DHCP by default To manually configure this address or enable dynamic address assignment via DHCP see Setting an IP Address NOTE This switch supports four concurrent Telnet or SSH sessions After configuring the switch s IP parameters you can access the onboard configuration program from anywhere within the attached ne...

Page 59: ...enter admin 3 At the Password prompt also enter admin The password characters are not displayed on the console screen 4 The session is opened and the CLI displays the Console prompt indicating you have access at the Privileged Exec level SETTING PASSWORDS If this is your first time to log into the CLI program you should define new passwords for both default user names using the username command re...

Page 60: ...ions that exist on another network segment Valid IP addresses consist of four decimal numbers 0 to 255 separated by periods Anything outside this format will not be accepted by the CLI program NOTE The IP address for this switch is obtained via DHCP by default Before you can assign an IP address to the switch you must obtain the following information from your network administrator IP address for ...

Page 61: ...tain address assignments through BOOTP or DHCP It may be necessary to use this command when DHCP is configured on a VLAN and the member ports which were previously shut down are now enabled If the bootp or dhcp option is saved to the startup config file step 6 then the switch will start broadcasting service requests as soon as it is powered on To automatically configure the switch by communicating...

Page 62: ...here that file is stored If the switch receives information that allows it to download the remote bootup file it will save this file to a local buffer and then restart the provision process Note the following DHCP client behavior The bootup configuration file received from a TFTP server is stored on the switch with the original file name If this file name already exists in the switch the file is o...

Page 63: ...ulated in Option 43 Note that in the Vendor class two section the server still sends Option 43 telling the switch to download the test2 configuration file from the server 192 168 255 101 ddns update style ad hoc default lease time 600 max lease time 7200 log facility local7 server name Server1 Server identifier 192 168 255 250 option 43 with encapsulated option 66 67 option space dynamicProvision ...

Page 64: ...e configured to accept management commands from Simple Network Management Protocol SNMP applications You can configure the switch to respond to SNMP requests or generate SNMP traps When SNMP management stations send requests to the switch either to return information or to set a parameter the switch provides the requested data or sets the specified parameter The switch can also be configured to se...

Page 65: ...nd mode is rw read write or ro read only Press Enter Note that the default mode is read only 2 To remove an existing string simply type no snmp server community string where string is the community access string to remove Press Enter Console config snmp server community admin rw Console config snmp server community private Console config NOTE If you do not intend to support access to SNMP version ...

Page 66: ...or encryption Console config snmp server view mib 2 1 3 6 1 2 1 included Console config snmp server view 802 1d 1 3 6 1 2 1 17 included Console config snmp server group r d v3 auth mib 2 802 1d Console config snmp server user steve group r d v3 auth md5 greenpeace priv des56 einstien Console config For a more detailed explanation on how to configure the switch for access from SNMPv3 clients refer ...

Page 67: ...he running config the system will reboot and the settings will have to be copied from the running config to a permanent file SAVING OR RESTORING CONFIGURATION SETTINGS Configuration commands only modify the running configuration file and are not saved when the switch is rebooted To save all your configuration changes in nonvolatile storage you must copy the running configuration file to the start ...

Page 68: ...er over Ethernet PoE standard that enables DC power to be supplied to attached devices over the wire pairs in the connecting Ethernet cable Any 802 3af compliant device attached to a port can directly draw power from the switch over the Ethernet cable without requiring its own separate power source This capability gives network administrators centralized power control for devices such as IP phones...

Page 69: ... 281 for details Console config power mainpower maximum allocation 180 Console config PoE is enabled for all ports by default Power can be disabled for a port by using the no form of the power inline CLI command as shown in the example below Console config interface ethernet 1 2 Console config if no power inline Console config if ...

Page 70: ...ocol on page 131 Sampling Traffic Flows on page 151 Security Measures on page 155 Interface Configuration on page 248 Power Over Ethernet Settings on page 280 Address Table Settings on page 285 Spanning Tree Algorithm on page 290 Layer 2 Protocol Tunneling on page 313 VLAN Configuration on page 318 Link Layer Discovery Protocol on page 352 Class of Service on page 366 Quality of Service on page 37...

Page 71: ...an IP Address 2 Set user names and passwords using an out of band serial connection Access to the web agent is controlled by the same user names and passwords as the onboard configuration program See Setting Passwords 3 After you enter a user name and password you will have access to the system configuration program NOTE You are allowed three attempts to enter the correct password on the third fai...

Page 72: ...user name and password for the administrator is admin HOME PAGE When your web browser connects with the switch s web agent the home page is displayed as shown below The home page displays the Main Menu on the left side of the screen and System Information on the right side The Main Menu links are used to navigate to other menus and display configuration parameters and statistics Figure 1 Home Page...

Page 73: ...for item Check for newer versions of stored pages should be Every visit to the page NOTE When using Internet Explorer 5 0 you may have to manually refresh the screen after making configuration changes by pressing the browser s refresh button PANEL DISPLAY The web agent displays an image of the switch s ports The Mode can be set to display different information for the ports including Active i e up...

Page 74: ...ic Operation Code Upgrade Automatically upgrades operation code if a newer version is found on the server 96 Copy Operation Allows the transfer and copying of files 100 HTTP Upgrade Copies operation code or configuration files from management station to the switch 104 HTTP Download Copies operation code or configuration files from the switch to the management station 104 Delete Allows deletion of ...

Page 75: ...n parameters payload parameters and sampling interval 153 Security 155 User Accounts Configures user names passwords and access levels 156 Authentication Settings Configures authentication sequence local RADIUS TACACS 157 Encryption Key Configures RADIUS and TACACS encryption key settings 161 AAA Authentication Authorization and Accounting 162 RADIUS Group Settings Defines the configured RADIUS se...

Page 76: ...Statistics Displays dot1x supplicant statistics for the selected port 196 Web Authentication Allows authentication and access to the network when 802 1X or Network Access authentication are infeasible or impractical 197 Configuration Configures general protocol settings 198 Port Configuration Enables Web Authentication for individual ports 199 Port Information Displays status information for indiv...

Page 77: ...r specific LACP groups 258 Port Counters Information Displays statistics for LACP protocol messages 259 Port Internal Information Displays configuration settings and operational state for the local side of a link aggregation 260 Port Neighbors Information Displays configuration settings and operational state for the remote side of a link aggregation 262 Port Broadcast Control Sets the broadcast st...

Page 78: ...ed for the bridge 294 Configuration Configures global bridge settings for STP RSTP and MSTP 296 Port Information Displays individual port settings for STA 300 Trunk Information Displays individual trunk settings for STA 300 Port Configuration Configures individual port settings for STA 303 Trunk Configuration Configures individual trunk settings for STA 303 Port Edge Port Configuration Sets an int...

Page 79: ...traffic segmentation for different client sessions based on specified downlink and uplink ports 336 Status Enables traffic segmentation and blocks or forwards traffic between uplink ports assigned to different client sessions 336 Session Configuration Creates a client session and assigns the downlink and uplink ports to service the traffic 337 Private VLAN 338 Information Displays Private VLAN fea...

Page 80: ...ch port 366 Default Trunk Priority Sets the default priority for each trunk 366 Traffic Classes Maps IEEE 802 1p priority tags to output queues 367 Traffic Classes Status Enables disables traffic class priorities not implemented NA Queue Mode Sets queue mode to strict priority or Weighted Round Robin 369 Queue Scheduling Configures Weighted Round Robin queueing 370 IP DSCP Priority Status Globally...

Page 81: ...VR VLAN adds multicast stream addresses 405 Port Information Displays MVR interface type MVR operational and activity status and immediate leave status 406 Trunk Information Displays MVR interface type MVR operational and activity status and immediate leave status 406 Group IP Information Displays the ports attached to an MVR multicast stream 407 Port Configuration Configures MVR interface type an...

Page 82: ...Enables IP source guard and selects filter type per port 242 Static Configuration Adds a static addresses to the source guard binding table 244 Dynamic Information Displays the source guard binding table for a selected interface 246 UPNP Universal Plug and Play 124 Configuration Enables UPNP and defines timeout values 125 Cluster 126 Configuration Globally enables clustering for the switch sets Co...

Page 83: ...ating software or configuration files and set the system start up files Configuring Console and Telnet Settings Sets console port and Telnet connection parameters Logging Events Sets conditions for logging event messages to system memory or flash memory configures conditions for sending trap messages to remote log servers and configures trap reporting to remote hosts using Simple Mail Transfer Pro...

Page 84: ...n page 516 PARAMETERS These parameters are displayed in the web interface System Name Name assigned to the switch Object ID MIB II object ID for switch s network management subsystem Location Specifies the system location Contact Administrator responsible for the system System Up Time Length of time the management agent has been up WEB INTERFACE To configure general system information 1 Click Syst...

Page 85: ...irmware version numbers for the main board and management software as well as the power status of the system CLI REFERENCES System Management Commands on page 442 PARAMETERS The following parameters are displayed in the web interface Main Board Serial Number The serial number of the switch Number of Ports Number of built in ports Hardware Version Hardware version of the main board Chip Device ID I...

Page 86: ...e Loader Version Version number of loader code Boot ROM Version Version of Power On Self Test POST and boot code Operation Code Version Version number of runtime code Role Shows that this switch is operating as Master or Slave WEB INTERFACE To view hardware and software version information 1 Click System then Switch Information Figure 4 General Switch Information ...

Page 87: ...s switch provides mapping of user priorities to multiple traffic classes Refer to Class of Service on page 366 Static Entry Individual Port This switch allows static filtering for unicast and multicast addresses Refer to Setting Static Addresses on page 285 VLAN Learning This switch uses Independent VLAN Learning IVL where each port maintains its own filtering database Configurable PVID Tagging Th...

Page 88: ...s that exist on another network segment You can direct the device to obtain an address from a BOOTP or DHCP server or manually configure a static IP address Valid IP addresses consist of four decimal numbers 0 to 255 separated by periods Anything other than this format will not be accepted CLI REFERENCES DHCP Client on page 929 IP Interface Commands on page 937 PARAMETERS These parameters are disp...

Page 89: ...ssigning IP addresses or to set other services or policies for clients When Option 82 is enabled the requesting client or an intermediate relay agent that has used the information fields to describe itself can be identified in the DHCP request packets forwarded by the switch and in reply packets sent back from the DHCP server Depending on the selected frame format for the remote id set by the ip d...

Page 90: ...ets are flooded onto the VLAN which received the reply if DHCP relay service is enabled and any of the following situations apply The reply packet does not contain Option 82 information The reply packet contains a valid relay agent address field that is not the address of this switch or receives a reply packet with a zero relay agent address through the management VLAN The reply packet is received...

Page 91: ...uests to a DHCP server DHCP Relay Option 82 Sub option Format Disables use of sub type and sub length fields in circuit ID CID and remote ID RID in Option 82 information DHCP Relay Option 82 Remote ID Specifies the frame format to use for the remote id when Option 82 information is generated by the switch MAC HEX Includes a MAC address field for the relay agent in hexadecimal format that is the MA...

Page 92: ...lick Apply Figure 6 Configuring a Static IP Address To obtain an dynamic address through DHCP BOOTP for the switch 1 Click System IP Configuration 2 Select the VLAN through which the management station is attached set the IP Address Mode to DHCP or BOOTP 3 Click Apply to save your changes 4 Then click Restart DHCP to immediately request a new address Figure 7 Configuring a Dynamic IPv4 Address ...

Page 93: ...m Jumbo Frames page to configure support for jumbo frames The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 10 KB for the Gigabit Ethernet ports Compared to standard Ethernet frames that run only up to 1 5 KB using jumbo frames significantly reduces the per packet overhead required to process protocol encapsulation fields CLI REFEREN...

Page 94: ...tion Average CPU utilization over past 60 seconds CPU Peak Time Time when CPU reached peak utilization since last reset CPU Peak Duration Duration CPU ran at peak utilization since system boot CPU Utilization Rising Threshold1 Rising threshold for CPU utilization alarm Range 1 100 Default 90 CPU Utilization Falling Threshold1 Falling threshold for CPU utilization alarm Range 1 100 Default 70 WEB I...

Page 95: ... Size Total amount of memory provided by the system Allocated Size Amount of memory allocated to active processes Free Size Amount of memory currently free for use Free Percent Percentage of free memory compared to total memory Utilization Raising Threshold1 Rising threshold for memory utilization alarm Range 1 100 Default 90 Utilization Falling Threshold1 Falling threshold for memory utilization ...

Page 96: ...ode auto on page 467 upgrade opcode path on page 469 show upgrade on page 470 COMMAND USAGE If this feature is enabled the switch searches the defined URL once during the bootup sequence FTP port 21 and TFTP port 69 are both supported Note that the TCP UDP port bindings cannot be modified to support servers listening on non standard ports The host portion of the upgrade file location URL must be a...

Page 97: ...tion in the list of case sensitive Unix like operating systems is Mac OS X which by default is case insensitive Please check the documentation for your server s operating system if you are unsure of its file system s behavior Note that the switch itself does not distinguish between upper and lower case file names and only checks to see if the file stored on the server is more recent than the curre...

Page 98: ...ry structures from the parent directory with a prepended forward slash The forward slash must be the last character of the URL ftp username password host filedir ftp Defines FTP protocol for the server connection username Defines the user name for the FTP connection If the user name is omitted then anonymous is the assumed user name for the connection password Defines the password for the FTP conn...

Page 99: ... IP address 192 168 0 1 with various user name password and file location options presented ftp 192 168 0 1 The user name and password are empty so anonymous will be the user name and the password will be blank The image file is in the FTP root directory ftp switches upgrade 192 168 0 1 The user name is switches and the password is upgrade The image file is in the FTP root ftp switches upgrade 192...

Page 100: ...sing FTP or TFTP By backing up a file to an FTP or TFTP server or management station that file can later be downloaded to the switch to restore operation Specify the method of file transfer along with the file type and file names as required You can also set the switch to use new firmware or configuration settings without overwriting the current version Just download the file using a different nam...

Page 101: ...tch Valid characters A Z a z 0 9 _ NOTE Up to two copies of the system software i e the runtime firmware can be stored in the file directory on the switch NOTE The maximum number of user defined configuration files is limited only by available flash memory space NOTE The file Factory_Default_Config cfg can be copied to a file server or management station but cannot be used as the destination file ...

Page 102: ...e current startup file or to another file which can be subsequently set as the startup file If you copy the configuration settings to a file server this information can be later downloaded to restore the switch s settings CLI REFERENCES copy on page 462 PARAMETERS The following parameters are displayed in the web interface File Transfer Method The configuration copy operation includes these option...

Page 103: ...m a TFTP server to the switch tftp to running config Copies a file from a TFTP server to the running config tftp to startup config Copies a file from a TFTP server to the startup config FTP TFTP Server IP Address The IP address of an FTP or TFTP server The server s location must be specified as a valid IPv4 IP address DNS host names are not recognized Valid IP addresses consist of four numbers 0 t...

Page 104: ...t the system via the System Reset menu COPYING FILES USING HTTP In addition to performing copy operations to and from an FTP or TFTP server the switch can upload or download files to the web management station using HTTP Both switch operation code files and configuration files can be uploaded downloaded using HTTP PARAMETERS The following parameters are displayed in the web interface File Type Spe...

Page 105: ...e file type and then use the Browse button to locate the file on the local web management station Specify the name of a file on the switch to overwrite or specify a new file name 3 Then click Apply Figure 14 Uploading Files Using HTTP To download files to your management station from the switch using HTTP 1 Click System File Management HTTP Download 2 Select an operation code file or configuration...

Page 106: ...n Delete 2 Mark the file to be deleted 3 Then click Apply Figure 16 Deleting Files SETTING THE START UP FILE Use the System File Management Set Start Up page to specify the firmware or configuration file to use for system initialization CLI REFERENCES whichboot on page 467 boot system on page 461 WEB INTERFACE To set a file to use for system initialization 1 Click System File Management then Set S...

Page 107: ...yed in the web interface Login Timeout Sets the interval that the system waits for a user to log into the CLI If a login attempt is not detected within the timeout interval the connection is terminated for the session Range 0 300 seconds Default 0 seconds Exec Timeout Sets the interval that the system waits until user input is detected If user input is not detected within the timeout interval the ...

Page 108: ...ate of the device connected to the serial port Range 9600 19200 or 38400 baud Default 9600 baud Stop Bits Sets the number of the stop bits transmitted per byte Range 1 2 Default 1 stop bit NOTE The password for the console connection can only be configured through the CLI see the password command NOTE Password checking can be enabled or disabled for logging in to the console connection see the log...

Page 109: ...pt is not detected within the timeout interval the connection is terminated for the session Range 0 300 seconds Default 300 seconds Exec Timeout Sets the interval that the system waits until user input is detected If user input is not detected within the timeout interval the current session is terminated Range 0 65535 seconds Default 600 seconds Password Threshold Sets the password intrusion thres...

Page 110: ...M LOG CONFIGURATION Use the System Log System Logs page to enable or disable event logging and specify which levels are logged to RAM or flash memory Severe error messages that are logged to flash memory are permanently stored in the switch to assist in troubleshooting network problems Up to 4096 log entries can be stored in the flash memory with the oldest entries being overwritten first when the...

Page 111: ...d to RAM Range 0 7 Default 7 NOTE The Flash Level must be equal to or less than the RAM Level WEB INTERFACE To configure the logging of error messages to system memory 1 Click System Log System Logs 2 Enable or disable system logging set the level of event messages to be logged to flash memory and RAM 3 Click Apply Table 8 Logging Levels Level Severity Name Description 7 Debug Debugging messages 6...

Page 112: ...emory flushed on power reset and up to 4096 entries in permanent flash memory Figure 21 Showing Error Messages Logged to System Memory REMOTE LOG CONFIGURATION Use the System Log Remote Logs page to send log messages to syslog servers or other management stations You can also limit the event messages sent to only those messages below a specified level CLI REFERENCES Event Logging on page 480 PARAM...

Page 113: ...rting or storing messages in the corresponding database Range 16 23 Default 23 Logging Trap Limits log messages that are sent to the remote syslog server for all levels up to the specified level For example if level 3 is specified all messages from level 0 to level 3 will be sent to the remote server Range 0 7 Default 7 Host IP Address Specifies the IP address of a remote server which will be sent...

Page 114: ... threshold level see the table on page 111 used to trigger alert messages All events at this level or higher will be sent to the configured email recipients For example using Level 7 will report all events from level 7 to level 0 Default Level 7 SMTP Server List Specifies a list of up to three recipient SMTP servers The switch attempts to connect to the other listed servers if the first fails Use ...

Page 115: ...sets the entire system When the system is restarted it will always run the Power On Self Test It will also retain all configuration information stored in non volatile memory by the copy running config startup config command see the copy command PARAMETERS The following parameters are displayed in the web interface Hours Specifies the amount of hours to wait combined with the minutes before the swi...

Page 116: ...a pending delayed reset NOTE To immediately restart the switch enter 0 in both the Hours and Minutes fields and click Reset WEB INTERFACE To restart the switch 1 Click System then Reset 2 Enter the amount of time the switch should wait before rebooting 3 Click the Reset button to reboot the switch or click the Cancel button to cancel a configured reset 4 If prompted confirm that you want reset the...

Page 117: ...o three time server IP addresses The switch will attempt to poll each server in the configured sequence SETTING THE TIME MANUALLY Use the System SNTP Current Time page to set the system time on the switch manually without using SNTP CLI REFERENCES calendar set on page 503 show calendar on page 504 PARAMETERS The following parameters are displayed in the web interface Current Time Shows the current...

Page 118: ...h to operate as an SNTP client This requires at least one NTP or SNTP time server to be specified in the SNTP Server field Default Disabled SNTP Polling Interval Sets the interval between sending requests for a time update from a time server Range 16 16384 seconds Default 16 seconds SNTP Server IP Address Sets the IP address for up to three time servers The switch attempts to update the time from ...

Page 119: ...isabled NTP Polling Interval Sets the interval between sending requests for a time update from NTP servers Fixed 1024 seconds NTP Authenticate Enables authentication for time requests and updates between the switch and NTP servers Default Disabled NTP Server Sets the IP address for an NTP server to be polled The switch requests an update from all configured servers then determines the most accurat...

Page 120: ...sitive printable ASCII characters no spaces NOTE SNTP and NTP clients cannot both be enabled at the same time WEB INTERFACE To configure NTP 1 Click SNTP then Configuration 2 Enable NTP client requests set the polling interval enable message authentication if required and enter the IP address of up to 50 time servers 3 Click Apply Figure 27 Configuring NTP ...

Page 121: ...ARAMETERS The following parameters are displayed in the web interface Predefined Configuration A drop down box provides access to the 80 predefined time zone configurations Each choice indicates it s offset from UTC and lists at least one major city or location covered by the time zone User defined Configuration Allows the user to define all parameters of the local time zone Direction Configures t...

Page 122: ...uration Summer Time in Effect Shows if the system time has been adjusted Status Shows if summer time is set to take effect during the specified period Name Name of the time zone while summer time is in effect usually an acronym Range 1 30 characters Mode Selects one of the following configuration modes The Mode option can only be managed when the Summer Time Status option has been set to enabled f...

Page 123: ...and offset times of summer time for the switch on a recurring basis This mode sets the summer time zone relative to the currently configured time zone To specify a time corresponding to your local time when summer time is in effect you must indicate the number of minutes your summer time zone deviates from your regular time zone Offset Summer time offset from the regular time zone in minutes Range...

Page 124: ...e UPnP discovery protocol allows that control point to search for UPnP enabled devices on the network Once a control point has discovered a device its next step is to learn more about the device and its capabilities by retrieving the device s description from the URL provided by the device in the discovery message After a control point has retrieved a description of the device it can send actions ...

Page 125: ...e switch s web management interface Or right click on the entry and select Properties to display a list of device attributes advertised through UPnP Figure 30 Displaying UPnP Devices in Windows XP UPNP CONFIGURATION Use the UPnP Configuration page to enable or disable UPnP and to set advertisement and time out values CLI REFERENCES UPnP on page 512 PARAMETERS The following parameters are displayed...

Page 126: ...ter The management station can use either Telnet or the web interface to communicate directly with the Commander through its IP address and then use the Commander to manage Member switches through the cluster s internal IP addresses Clustered switches must be in the same Ethernet broadcast domain In other words clustering only functions for switches which can pass information between the Commander...

Page 127: ...switches and the Commander PARAMETERS These parameters are displayed Cluster Status Enables or disables clustering on the switch Default Enabled Commander Status Enables or disables the switch as a cluster Commander Default Disabled Role Indicates the current role of the switch in the cluster either Commander Member or Candidate Default Candidate Cluster IP Pool An internal IP address pool that is...

Page 128: ...idate switches to the cluster as Members CLI REFERENCES Switch Clustering on page 507 PARAMETERS These parameters are displayed Member ID Specify a Member ID number for the selected Candidate switch Range 1 36 MAC Address Select a discovered switch MAC address from the Candidate Table or enter a specific MAC address of a known switch WEB INTERFACE To configure cluster members 1 Click Cluster Membe...

Page 129: ...on page 507 PARAMETERS These parameters are displayed Member ID The ID number of the Member switch Range 1 36 Role Indicates the current status of the switch in the cluster IP Address The internal cluster IP address assigned to the Member switch MAC Address The MAC address of the Member switch Description The system description string of the Member switch WEB INTERFACE To show the cluster members ...

Page 130: ...re available to become cluster Members CLI REFERENCES Switch Clustering on page 507 PARAMETERS These parameters are displayed Role Indicates the current status of Candidate switches in the network MAC Address The MAC address of the Candidate switch Description The system description string of the Candidate switch WEB INTERFACE To show cluster candidates 1 Click Cluster Candidate Information Figure...

Page 131: ...dentifies the source of SNMPv3 inform messages sent from the local switch SNMPv3 Groups Adds an SNMPv3 group which can be used to set the access policy for its assigned users SNMPv3 Views Configures SNMPv3 views which are used to restrict user access to specified portions of the MIB tree OVERVIEW Simple Network Management Protocol SNMP is a communication protocol designed specifically for managing...

Page 132: ...so has a defined security access to set of MIB objects for reading and writing which are known as views The switch has a default view all MIB objects and default groups defined for security models v1 and v2c The following table shows the security models and levels available and the system default settings NOTE The predefined default groups and view can be deleted from the system You can then defin...

Page 133: ...tch to your management station 2 Use the SNMP SNMPv3 Engine ID page to change the local engine ID If you want to change the default engine ID it must be changed before configuring other parameters 3 Use the SNMP SNMPv3 Views page to specify read and write access views for the switch MIB tree 4 Use the SNMP SNMPv3 Users page to configure SNMP user groups with the required security model i e SNMP v1...

Page 134: ...y private Read Write Access Mode Specifies the access rights for the community string Read Only Authorized management stations are only able to retrieve MIB objects Read Write Authorized management stations are able to both retrieve and modify MIB objects WEB INTERFACE To set a community access string 1 Click SNMP Configuration 2 Add new community strings as required and select the corresponding a...

Page 135: ... received by the host However note that informs consume more system resources because they must be kept in memory until a response is received Informs also add to network traffic You should consider these effects when deciding whether to issue notifications as traps or informs To send an inform to a SNMPv2c host complete these steps 1 Enable the SNMP agent page 139 2 Create a view with the require...

Page 136: ...nerated When sending SNMPv3 inform messages the community string is used as the name of a remote user to identify the source of the inform messages sent from this switch An account for the specified user must be manually configured page 143 Trap UDP Port Specifies the UDP port number used by the trap manager Default 162 Trap Version Specifies whether to send notifications as SNMP v1 v2c or v3 trap...

Page 137: ...rfaces Changes to dynamic address entries in the MAC address table may occur due to address aging changes in spanning tree topology or for other reasons Changes to static address entries are not included in this type of trap message The attributes reported in these traps include the 1 MAC address 2 VLAN identifier 3 interface index 4 and an ADD REMOVE attribute indicating the type of change Interv...

Page 138: ...ved from the MAC address table for an interface CLI REFERENCES snmp server enable port traps mac notification on page 533 COMMAND USAGE MAC notification traps must also be globally enabled on the SNMP Configuration page for this interface level command to take effect see Specifying Trap Managers and Trap Types PARAMETERS These parameters are displayed Port Port number Range 1 28 MAC Notification S...

Page 139: ...raps are to be enabled 3 Click Apply Figure 39 Configuring MAC Notification for Interfaces ENABLING THE SNMP AGENT Use the SNMP Agent Status page to enable SNMP service for all management clients i e versions 1 2c 3 CLI REFERENCES snmp server on page 517 PARAMETERS These parameters are displayed Agent Status Enables SNMP on the switch Default Enabled WEB INTERFACE To enable SNMP service 1 Click SN...

Page 140: ...cally generated that is unique to the switch This is referred to as the default engine ID If the local engine ID is deleted or changed all SNMP users will be cleared You will need to reconfigure all existing users PARAMETERS These parameters are displayed Engine ID A new engine ID can be specified by entering 9 to 64 hexadecimal characters 5 to 32 octets in hexadecimal format If an odd number of c...

Page 141: ...nforms the authoritative SNMP agent is the remote agent You therefore need to configure the remote agent s SNMP engine ID before you can send proxy requests or informs to it See Configuring Remote SNMPv3 Users PARAMETERS These parameters are displayed Remote Engine ID The engine ID can be specified by entering 9 to 64 hexadecimal characters 5 to 32 octets in hexadecimal format If an odd number of ...

Page 142: ...user is assigned Range 1 32 characters Security Model The user security model SNMP v1 v2c or v3 Security Level The following security levels are only used for the groups assigned to the SNMP security model noAuthNoPriv There is no authentication or encryption used in SNMP communications This is the default security level AuthNoPriv SNMP communications use authentication but the data is not encrypt...

Page 143: ...curity level is authPriv a privacy password must also be specified 4 Click Add Figure 43 Configuring Local SNMPv3 Users CONFIGURING REMOTE SNMPV3 USERS Use the SNMP SNMPv3 Remote Users page to identify the source of SNMPv3 inform messages sent from the local switch Each SNMPv3 user is defined by a unique name Users must be configured with a specific security level and assigned to a group The SNMPv...

Page 144: ...s assigned Range 1 32 characters Remote IP The Internet address of the remote device where the user resides Security Model The user security model SNMPv3 only Security Level The following security levels are only used for the groups assigned to the SNMP security model noAuthNoPriv There is no authentication or encryption used in SNMP communications This is the default security level AuthNoPriv SNM...

Page 145: ... and assign it to a group Enter the IP address to identify the source of SNMPv3 inform messages sent from the local switch If the security model is set to SNMPv3 and the security level is authNoPriv or authPriv then an authentication protocol and password must be specified If the security level is authPriv a privacy password must also be specified 4 Click Add Figure 44 Configuring Remote SNMPv3 Us...

Page 146: ...P group to which the user is assigned Range 1 32 characters Security Model The user security model SNMP v1 v2c or v3 Security Level The following security levels are only used for the groups assigned to the SNMP security model noAuthNoPriv There is no authentication or encryption used in SNMP communications This is the default security level AuthNoPriv SNMP communications use authentication but th...

Page 147: ...that the SNMP entity acting in an agent role has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state but not from the notPresent state This other state is indicated by the included value of ifOperStatus linkUp 1 3 6 1 6 3 1 1 5 4 A linkUp trap signifies that the SNMP entity acting in an agent role has detected that the ifO...

Page 148: ...CHAPTER 5 Simple Network Management Protocol Configuring SNMPv3 Groups 148 ...

Page 149: ... model and level and then select read write and notify views 3 Click Apply Figure 45 Creating an SNMP Group SETTING SNMPV3 VIEWS Use the SNMP SNMPv3 Views page to configure SNMPv3 views which are used to restrict user access to specified portions of the MIB tree The predefined view defaultview includes access to the entire MIB tree CLI REFERENCES snmp server view on page 524 ...

Page 150: ... Add OID Subtree page to configure additional object identifiers Type Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view WEB INTERFACE To configure an SNMP view of the switch s MIB database 1 Click SNMP SNMPv3 Views 2 Enter a view name and specify the initial OID subtree in the switch s MIB database to be included or excluded in the view U...

Page 151: ...ware level where all traffic is seen whereas traditional probes will only have a partial view of traffic as it is sampled at the monitored interface Moreover the processor and memory load imposed by the sFlow agent is minimal since local analysis does not take place The wire speed transmission characteristic of the switch is thus preserved even at high traffic levels As the Collector receives stre...

Page 152: ...pling Commands on page 535 PARAMETERS These parameters are displayed Global Status Enables sFlow globally for the switch Group Port Members The 100BASE TX ports are organized into groups of 8 based on a restriction in the switch ASIC and the 4 Gigabit ports each in it s own separate group Status Enables sFlow on the ports in the indicated group Rate Configures the packet sampling rate Setting the ...

Page 153: ... SFLOW PORT PARAMETERS Use the sFlow Port Configuration page to set the destination parameters for the sampled data payload parameters and sampling interval CLI REFERENCES Flow Sampling Commands on page 535 PARAMETERS These parameters are displayed Port Choose the port to configure Range 1 28 Default 1 Receiver Owner4 The name of the receiver Range 1 256 characters Default None Receiver IP Address...

Page 154: ... way To change the timeout mark the check box enter a timeout value and click Apply Max Header Size Maximum size of the sFlow datagram header Range 64 256 bytes Default 128 bytes Max Datagram Size Maximum size of the sFlow datagram payload Range 200 1500 bytes Default 1400 bytes Flow Interval The interval at which the sFlow process adds counter values to the sample datagram An interval of 0 second...

Page 155: ...ide a secure web connection SSH Provide a secure shell for secure Telnet access Port Security Configure secure addresses for individual ports Port Authentication Use IEEE 802 1X port authentication to control access to specific ports Web Authentication Allows stations to authenticate and access the network in situations where 802 1X or Network Access authentication methods are infeasible or imprac...

Page 156: ... configuration parameters However the administrator has write access for all parameters governing the onboard agent You should therefore assign a new administrator password as soon as possible and store it in a safe place PARAMETERS These parameters are displayed User Name The name of the user Maximum length 8 characters maximum number of users 16 Access Level Specifies the user level Options 0 No...

Page 157: ... configure access rights on the switch or you can use a remote access authentication server based on RADIUS or TACACS protocols CLI REFERENCES Authentication Sequence on page 545 RADIUS Client on page 547 TACACS Client on page 551 Remote Authentication Dial in User Service RADIUS and Terminal Access Controller Access Control System Plus TACACS are logon authentication protocols that use software r...

Page 158: ...he encryption methods used for the authentication process must also be configured or negotiated between the authentication server and logon client This switch can pass authentication messages between the server and client that have been encrypted using MD5 Message Digest 5 TLS Transport Layer Security or TTLS Tunneled Transport Layer Security You can specify up to three authentication methods for ...

Page 159: ... authentication messages Range 1 65535 Default 1812 Accounting Port Number Network UDP port on authentication server used for accounting messages Range 1 65535 Default 1813 Number of Server Transmits Number of times the switch tries to authenticate logon access via the authentication server Range 1 30 Default 2 Timeout for a Reply The number of seconds the switch waits for a reply from the RADIUS ...

Page 160: ...e local switch user database has to be set up by manually entering user names and passwords see Configuring User Accounts WEB INTERFACE To configure the method s of controlling management access 1 Click Security Authentication Settings 2 Specify the authentication sequence i e one to three methods and fill in the parameters for RADIUS or TACACS authentication if selected 3 Click Apply Figure 51 Co...

Page 161: ...d in the previous field to ensure no errors were made The switch will not change the encryption key if these two fields do not match TACACS Settings Global Provides globally applicable TACACS encryption key settings ServerIndex Specifies the index number of the TACACS server for which an encryption key may be configured The switch currently supports only one TACACS server Secret Text String Encryp...

Page 162: ...e AAA functions require the use of configured RADIUS or TACACS servers in the network The security servers can be defined as sequential groups that are applied as a method for controlling user access to specified services For example when the switch attempts to authenticate a user a request is sent to the first server in the defined group if there is no response the second server will be tried and...

Page 163: ...o support AAA The configuration of RADIUS and TACACS server software is beyond the scope of this guide refer to the documentation provided with the RADIUS or TACACS server software CONFIGURING AAA RADIUS GROUP SETTINGS Use the AAA RADIUS Group Settings screen to define the configured RADIUS servers to use for accounting and authorization CLI REFERENCES AAA on page 555 PARAMETERS These parameters a...

Page 164: ...RAMETERS These parameters are displayed Group Name Defines a name for the TACACS server group 1 255 characters Server Specifies the TACACS server to use for the group Range 1 When specifying the index for a TACACS sever the server index must already be defined see Configuring Local Remote Logon Authentication WEB INTERFACE To configure the TACACS server groups to use for accounting and authorizati...

Page 165: ...5 characters Note that the method name is only used to describe the accounting method configured on the specified RADIUS or TACACS servers No information is sent to the servers about the method to use Service Request Specifies the service as 802 1X Accounting for end users Exec Administrative accounting for local console Telnet or SSH connections Commands Administrative accounting to apply to comm...

Page 166: ...E To configure the accounting method applied to various service types and the assigned server group 1 Click Security AAA Accounting Settings 2 Specify a method name the type of service request and a group name 3 Click Add Figure 55 Configuring the Methods Used for AAA Accounting ...

Page 167: ...e update interval for AAA accounting 1 Click Security AAA Accounting Periodic Update 2 Enter the required update interval 3 Click Apply Figure 56 Configuring the Update Interval for AAA Accounting AAA ACCOUNTING 802 1X PORT SETTINGS Use the Security AAA Accounting 802 1X Port Settings page to specify the accounting method applied to an interface CLI REFERENCES accounting dot1x on page 561 PARAMETE...

Page 168: ...commands on page 562 PARAMETERS These parameters are displayed Commands Privilege Level The CLI privilege levels 0 15 Console Specifies a user defined method name to apply to commands entered at the specified CLI privilege level through the console interface Telnet Specifies a user defined method name to apply to commands entered at the specified CLI privilege level through Telnet WEB INTERFACE To...

Page 169: ...ENCES accounting exec on page 562 PARAMETERS These parameters are displayed Console Specifies a user defined method name to apply to console connections Telnet Specifies a user defined method name to apply to Telnet connections WEB INTERFACE To configure the accounting method applied to console and Telnet connections 1 Click Security AAA Accounting Exec Settings 2 Enter a defined method name for c...

Page 170: ... method Group List Displays the accounting server group Interface Displays the port console or Telnet interface to which these rules apply This field is null if the accounting method and associated server group has not been assigned to an interface Statistics Accounting Type Displays the accounting service User Name Displays a registered user name Interface Displays the receive port number through...

Page 171: ...GS Use the Security AAA Authorization page to configure the authorization method used for requested services CLI REFERENCES aaa authorization exec on page 559 COMMAND USAGE This feature performs authorization to determine if a user is allowed to run an Exec shell AAA authentication through a RADIUS or TACACS server must be enabled before authorization is enabled ...

Page 172: ...n Authentication Any other group name refers to a server group configured on the TACACS Group Settings page Authorization is only supported for TACACS servers WEB INTERFACE To configure the authorization method applied to the Exec service type and the assigned server group 1 Click Security AAA Authorization Settings 2 Specify the name of the authorization method and server group name 3 Click Add F...

Page 173: ...Authorization Methods for Exec Service AUTHORIZATION SUMMARY Use the Security AAA Authorization Summary page to display the configured authorization methods and the interfaces to which they are applied CLI REFERENCES show accounting on page 564 PARAMETERS These parameters are displayed Authorization Type Displays the authorization service Method Name Displays the user defined or default accounting...

Page 174: ...n page 565 COMMAND USAGE Both the HTTP and HTTPS service can be enabled independently on the switch However you cannot configure both services to use the same UDP port HTTP can only be configured through the CLI using the ip http server command If you enable HTTPS you must indicate this in the URL that you specify in your browser https device port_number When you start HTTPS the connection is esta...

Page 175: ...RE SITE CERTIFICATE Use the Security HTTPS Settings page to replace the default secure site certificate When you log onto the web interface using HTTPS for secure access a Secure Sockets Layer SSL certificate appears for the switch By default the certificate that Netscape and Internet Explorer display will be associated with a warning that the site is not recognized as a secure site This is becaus...

Page 176: ...The switch must be reset for the new certificate to be activated To reset the switch see Resetting the System CLI REFERENCES Web Server on page 565 PARAMETERS These parameters are displayed TFTP Server IP Address IP address of TFTP server which contains the certificate file Source Certificate File Name Name of certificate file stored on the TFTP server Source Private File Name Name of private key ...

Page 177: ... key that the client uses along with a local user name and password for access authentication SSH also encrypts all data transfers passing between the switch and SSH enabled management station clients and ensures that data traveling over the network arrives unaltered NOTE You need to install an SSH client on the management station to access the switch for management via the SSH protocol NOTE The s...

Page 178: ...See Importing User Public Keys or use the copy tftp public key command page 462 to copy a file containing the public key for all the SSH client s granted management access to the switch Note that these clients must be configured locally on the switch via the User Accounts page as described on page 156 The clients are subsequently authenticated using these keys The current firmware only accepts pub...

Page 179: ...ic key and sends it to the client d The client uses its private key to decrypt the challenge string computes the MD5 checksum and sends the checksum back to the switch e The switch compares the checksum sent from the client against that computed for the original string it sent If the two checksums match this means that the client s private key corresponds to an authorized public key and the client...

Page 180: ...SSH Version 1 5 or 2 0 clients SSH Authentication Timeout Specifies the time interval in seconds that the SSH server waits for a response from a client during an authentication attempt Range 1 120 seconds Default 120 seconds SSH Authentication Retries Specifies the number of authentication attempts that a client is allowed before authentication fails and the client has to restart the authenticatio...

Page 181: ...S Secure Shell on page 569 PARAMETERS These parameters are displayed Public Key of Host Key The public key for the host RSA Version 1 The first field indicates the size of the host key e g 1024 the second field is the encoded public exponent e g 65537 and the last string is the encoded modulus DSA Version 2 The first field indicates that the encryption method used by SSH is based on the Digital Si...

Page 182: ...t key pair Default Disabled Generate This button is used to generate the host key pair Note that you must first generate the host key pair before you can enable the SSH server on the SSH Server Settings page Clear This button clears the host key from both volatile memory RAM and non volatile memory Flash WEB INTERFACE To generate the SSH host key pair 1 Click Security SSH Host Key Settings 2 Selec...

Page 183: ...he encoded modulus and the last field is a comment denoting the end of the key User Name This drop down box selects the user who s public key you wish to manage Note that you must first create users on the User Accounts page see Configuring User Accounts Public Key Type The type of public key to upload RSA The switch accepts a RSA version 1 encrypted public key DSA The switch accepts a DSA version...

Page 184: ...ch WEB INTERFACE To copy the SSH user s public key 1 Click Security SSH User Public Key Settings 2 Select the user name and the public key type from the respective drop down boxes input the TFTP server IP address and the public key source file name 3 Set your browser to allow pop ups 4 Click Copy Public Key Figure 68 Copying the SSH User s Public Key ...

Page 185: ...pair for frames received on the port Note that you can also manually add secure addresses to the port using the Static Address Table page 285 When the port has reached the maximum number of MAC addresses the selected port will stop learning The MAC addresses already in the address table will be retained and will not age out Any other device that attempts to use the port will be prevented from acce...

Page 186: ...lt Disabled Max MAC Count The maximum number of MAC addresses that can be learned on a port Range 0 1024 where 0 means disabled Trunk Trunk number if port is a member WEB INTERFACE To configure port security 1 Click Security Port Security 2 Set the action to take when an invalid address is detected on a port mark the check box in the Security Status column to enable security for a port and set the...

Page 187: ...the client The EAP packet from the RADIUS server contains not only the challenge but the authentication method to be used The client can reject the authentication method and request another depending on the configuration of the client software and the RADIUS server The encryption method used to pass authentication messages can be MD5 Message Digest 5 TLS Transport Layer Security PEAP Protected Ext...

Page 188: ... also have to support the same EAP authentication type MD5 PEAP TLS or TTLS Native support for these encryption methods is provided in Windows XP and in Windows 2000 with Service Pack 4 To support these encryption methods in Windows 95 and 98 you can use the AEGIS dot1x client or other comparable client software DISPLAYING 802 1X GLOBAL SETTINGS Use the Security 802 1X Information page to display ...

Page 189: ...forwarding state when dot1x is globally disabled Default Disabled When this device is functioning as intermediate node in the network and does not need to perform dot1x authentication EAPOL Pass Through can be enabled to allow the switch to forward EAPOL frames from other switches on to the authentication servers thereby allowing the authentication process to still be carried out by switches locat...

Page 190: ...ontrol mode is set to Force Authorized Operation Mode Allows single or multiple hosts clients to connect to an 802 1X authorized port Default Single Host Single Host Allows only a single host to connect to this port Multi Host Allows multiple host to connect to this port In this mode only one host connected to a port needs to pass authentication for all other hosts to be granted network access Sim...

Page 191: ... Quiet Period Sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client Range 1 65535 seconds Default 60 seconds Re authentication Period Sets the time period after which a connected client must be re authenticated Range 1 65535 seconds Default 3600 seconds Tx Period Sets the time period during an authentication session that the ...

Page 192: ...lient supplicant process if the client must be authenticated through another device in the network CLI REFERENCES 802 1X Port Authentication on page 605 COMMAND USAGE When devices attached to a port must submit requests to another authenticator on the network configure the Identity Profile parameters which identify this switch as a supplicant and configure the supplicant parameters for those ports...

Page 193: ... another device in the network supplicant status must be enabled Supplicant status can only be enabled if PAE Control Mode is set to Force Authorized on this port see Configuring Authenticator Port Settings for 802 1X on page 190 PAE supplicant status cannot be enabled if a port is a member of trunk or LACP is enabled on the port Authentication Period The time that a supplicant port waits for a re...

Page 194: ...ICS Use the Security 802 1X Authenticator Statistics page to display statistics for dot1x authenticator exchanges for any port CLI REFERENCES show dot1x on page 590 PARAMETERS These parameters are displayed Table 13 802 1X Authenticator Statistics Parameter Description Rx EAPOL Start The number of EAPOL Start frames that have been received by this Authenticator Rx EAPOL Logoff The number of EAPOL ...

Page 195: ...Id The number of EAP Resp Id frames that have been received by this Authenticator Rx EAP Resp Oth The number of valid EAP Response frames other than Resp Id frames that have been received by this Authenticator Rx EAP LenError The number of EAPOL frames that have been received by this Authenticator in which the Packet Body Length field is invalid Tx EAP Req Id The number of EAP Req Id frames that h...

Page 196: ...Response frames other than Resp Id frames that have been received by this Supplicant Rx EAP LenError The number of EAPOL frames that have been received by this Supplicant in which the Packet Body Length field is invalid Rx Last EAPOLVer The protocol version number carried in the most recent EAPOL frame received by this Supplicant Rx Last EAPOLSrc The source MAC address carried in the most recent E...

Page 197: ...ed hosts to request and receive a DHCP assigned IP address and perform DNS queries All other traffic except for HTTP protocol traffic is blocked The switch intercepts HTTP protocol traffic and redirects it to a switch generated web page that facilitates user name and password authentication via RADIUS Once authentication is successful the web browser is forwarded on to the originally requested web...

Page 198: ...ays active before it must re authenticate itself Range 300 3600 seconds Default 3600 seconds Quiet Period Configures how long a host must wait to attempt authentication again after it has exceeded the maximum allowable failed login attempts Range 1 180 seconds Default 60 seconds Login Attempts Configures the amount of times a supplicant may attempt and fail authentication before it must wait the c...

Page 199: ...ACE To enable web authentication for a port 1 Click Security Web Authentication Port Configuration 2 Set the status box to enabled for any port that requires web authentication and click Apply Figure 78 Configuring Interface Settings for Web Authentication DISPLAYING WEB AUTHENTICATION PORT INFORMATION Use the Security Web Authentication Port Information page to display web authentication informat...

Page 200: ...TICATED PORTS Use the Security Web Authentication Re authentication page to manually force re authentication of any web authenticated host connected to any port CLI REFERENCES Web Authentication on page 618 PARAMETERS These parameters are displayed Interface Indicates the Ethernet port to query Host IP Indicates the IP address of the host selected for re authentication Refresh Refreshes the list o...

Page 201: ...ADIUS server NOTE RADIUS authentication must be activated and configured properly for the MAC Address authentication feature to work properly See Configuring Local Remote Logon Authentication NOTE MAC authentication cannot be configured on trunk ports CLI REFERENCES Network Access MAC Address Authentication on page 605 COMMAND USAGE MAC address authentication controls access to the network by auth...

Page 202: ...AN identifier list to be applied to the switch port The following attributes need to be configured on the RADIUS server Tunnel Type VLAN Tunnel Medium Type 802 Tunnel Private Group ID 1u 2t VLAN ID list The VLAN identifier list is carried in the RADIUS Tunnel Private Group ID attribute The VLAN list can contain multiple VLAN identifiers in the format 1u 2t 3u where u indicates an untagged VLAN and...

Page 203: ...ribute cannot be found to carry the user profile The Filter ID attribute is empty The Filter ID attribute format for dynamic QoS assignment is unrecognizable can not recognize the whole Filter ID attribute Dynamic QoS assignment fails and the authentication result changes from success to failure when the following conditions occur Illegal characters found in a profile value for example a non digit...

Page 204: ...nge 120 1000000 seconds Default 1800 seconds MAC Address Aging Enables aging for authenticated MAC addresses stored in the secure MAC address table Default Disabled This parameter applies to authenticated MAC addresses configured by the MAC Address Authentication process described in this section as well as to any secure MAC addresses authenticated by 802 1X regardless of the 802 1X Operation Mode...

Page 205: ...t already be created and active see Configuring VLAN Groups Also when used with 802 1X authentication intrusion action must be set for Guest VLAN see Configuring Authenticator Port Settings for 802 1X MAC Filter ID Allows a MAC Filter to be assigned to the port MAC addresses or MAC address ranges present in a selected MAC Filter are exempt from authentication on the specified port as described und...

Page 206: ...hentication fails and the dynamic VLAN and QoS assignments 3 Click Apply Figure 82 Configuring Interface Settings for Network Access CONFIGURING PORT LINK DETECTION Use the Security Network Access Port Link Detection page to send an SNMP trap and or shut down a port when a link event occurs CLI REFERENCES Network Access MAC Address Authentication on page 605 PARAMETERS These parameters are display...

Page 207: ...Access Port Link Detection 2 Modify the link detection status trigger condition and the response for any port 3 Click Apply Figure 83 Configuring Link Detection for Network Access DISPLAYING SECURE MAC ADDRESS INFORMATION Use the Security Network Access MAC Address Information page to display the authenticated MAC addresses stored in the secure MAC address table Information on the secure MAC entri...

Page 208: ... authenticated MAC address RADIUS Server The IP address of the RADIUS server that authenticated the MAC address Time The time when the MAC address was last authenticated Attribute Indicates a static or dynamic address WEB INTERFACE To display the authenticated MAC addresses stored in the secure MAC address table 1 Click Security Network Access MAC Address Information 2 Use the sort key to display ...

Page 209: ...Address Authentication on page 605 COMMAND USAGE Specified MAC addresses are exempt from authentication Up to 64 filter tables can be defined There is no limitation on the number of entries used in a filter table PARAMETERS These parameters are displayed Filter ID 1 64 top ALL Selects all configured MAC filter tables Filter ID Selects all entries associated with a MAC Filter ID Query Displays all ...

Page 210: ...LISTS Access Control Lists ACL provide packet filtering for IPv4 frames based on address protocol Layer 4 protocol port number or TCP control code IPv6 frames based on address or DSCP traffic class or any frames based on MAC address or Ethernet type To filter incoming packets first create an access list add the required rules and then bind the list to a specific port Configuring Access Control Lis...

Page 211: ...iguration page to designate the name and type of an ACL CLI REFERENCES access list ip on page 650 access list ipv6 on page 657 access list mac on page 662 access list arp on page 667 PARAMETERS These parameters are displayed ACL Name Name of the ACL Maximum length 15 characters Type The following filter modes are supported IP Standard IPv4 ACL mode filters packets based on the source IPv4 address ...

Page 212: ...se parameters are displayed Name Shows the name of the selected ACL Action An ACL can contain any combination of permit or deny rules Address Type Specifies the source IP address Use Any to include all possible addresses Host to specify a specific host address in the Address field or IP to specify a range of addresses with the IP Address and Subnet Mask fields Options Any Host IP Default Any IP Ad...

Page 213: ...nge 6 Click Add Figure 87 Configuring a Standard IPv4 ACL CONFIGURING AN EXTENDED IPV4 ACL Use the Security ACL Configure Extended ACL page to configure an Extended IPv4 ACL CLI REFERENCES permit deny Extended IPv4 ACL on page 653 show ip access list on page 656 PARAMETERS These parameters are displayed Name Shows the name of the selected ACL Action An ACL can contain any combination of permit or ...

Page 214: ...ed protocol type Range 0 65535 Source Destination Port Bit Mask Decimal number representing the port bits to match Range 0 65535 Control Code Decimal number representing a bit string that specifies flag bits in byte 14 of the TCP header Range 0 63 Control Code Bit Mask Decimal number representing the code bits to match Range 0 63 The control bit mask is a decimal number for an equivalent binary bi...

Page 215: ...tion page for the required entry 3 Specify the action i e Permit or Deny 4 Select the address type Any Host or IP 5 If you select Host enter a specific address If you select IP enter a subnet address and the mask for an address range 6 Set any other required criteria such as service type protocol type or control code 7 Click Add Figure 88 Configuring an Extended IPv4 ACL ...

Page 216: ...refix Default Any Source IPv6 Address An IPv6 source address or network class The address must be formatted according to RFC 2373 IPv6 Addressing Architecture using 8 colon separated 16 bit hexadecimal values One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields Source Prefix Length A decimal value indicating how many contiguo...

Page 217: ...ible addresses Host to specify a specific host address in the Source IPv6 Address field or IPv6 prefix to specify a range of addresses Options Any Host IPv6 prefix Default Any Source Destination IPv6 Address An IPv6 address or network class The address must be formatted according to RFC 2373 IPv6 Addressing Architecture using 8 colon separated 16 bit hexadecimal values One double colon may be used...

Page 218: ...ost enter a specific address If you select IPv6 prefix enter a subnet address and prefix length 6 Set the DSCP traffic class if required 7 Click Add Figure 90 Configuring an Extended IPv6 ACL CONFIGURING A MAC ACL Use the Security ACL Configure MAC ACL page to configure a MAC ACL based on hardware addresses packet format and Ethernet type CLI REFERENCES permit deny MAC ACL on page 663 show ip acce...

Page 219: ... to filter Ethernet II formatted packets Range 600 ffff hex A detailed listing of Ethernet protocol types can be found in RFC 1060 A few of the more common types include 0800 IP 0806 ARP 8137 IPX Ethernet Type Bit Mask Protocol bit mask Range 600 ffff hex Packet Format This attribute includes the following packet types Any Any Ethernet packet type Untagged eth2 Untagged Ethernet II packets Untagge...

Page 220: ...iguring Global Settings for ARP Inspection CLI REFERENCES permit deny ARP ACL on page 668 show ip access list on page 656 PARAMETERS These parameters are displayed Name Shows the name of the selected ACL Action An ACL can contain any combination of permit or deny rules Packet Type Indicates an ARP request ARP response or either type Range Request Response All Default Request Sender Target IP Addre...

Page 221: ... fields Options Any Host MAC Default Any Sender Target MAC Address Source or destination MAC address Sender Target MAC Address Mask Hexadecimal mask for source or destination MAC address Log Status Logs a packet when it matches the access control entry WEB INTERFACE To add rules to an ARP ACL 1 Click Security ACL 2 Click Edit to open the configuration page for the required entry 3 Specify the acti...

Page 222: ...one MAC access list to any port CLI REFERENCES ip access group on page 655 ipv6 access group on page 661 mac access group on page 665 COMMAND USAGE This switch supports ACLs for ingress filtering only You only bind one ACL to any port for ingress filtering PARAMETERS These parameters are displayed Port Fixed port or SFP module Range 1 28 IP Specifies the IP ACL to bind to a port MAC Specifies the ...

Page 223: ...ding the number policy control entries in use the number of free entries and the overall percentage of TCAM in use CLI REFERENCES show access list tcam utilization on page 453 COMMAND USAGE Policy control entries PCEs are used by various system functions which rely on rule based searches including Access Control Lists ACLs IP Source Guard filter rules Quality of Service QoS processes or traps For ...

Page 224: ...ss bindings stored in a trusted database the DHCP snooping binding database see DHCP Snooping This database is built by DHCP snooping if it is enabled on globally on the switch and on the required VLANs ARP Inspection can also validate ARP packets against user configured ARP access control lists ACLs for hosts with statically configured addresses see Configuring an ARP ACL COMMAND USAGE Enabling D...

Page 225: ...ERENCES ARP Inspection on page 639 COMMAND USAGE ARP Inspection Validation By default ARP Inspection Validation is disabled Specifying at least one of the following validations enables ARP Inspection Validation globally Any combination of the following checks can be active concurrently Destination MAC Checks the destination MAC address in the Ethernet header against the target MAC address in the A...

Page 226: ...l be replaced with the newest entry PARAMETERS These parameters are displayed DAI Status Enables Dynamic ARP Inspection globally Default Disabled Need Additional Validation Enables extended ARP Inspection Validation if any of the following options are enabled Default Disabled Source MAC Validation Validates the source MAC address in the Ethernet header against the sender MAC address in the ARP bod...

Page 227: ...n on page 639 COMMAND USAGE ARP Inspection VLAN Filters ACLs By default no ARP Inspection ACLs are configured and the feature is disabled ARP Inspection ACLs are configured within the ARP ACL configuration page see page 220 ARP Inspection ACLs can be applied to any configured VLAN ARP Inspection uses the DHCP snooping bindings database for the list of valid IP to MAC address bindings ARP ACLs take...

Page 228: ...lected and static mode also selected the switch only performs ARP Inspection and bypasses validation against the DHCP Snooping Bindings database When an ARP ACL is selected but static mode is not selected the switch first performs ARP Inspection and then validation against the DHCP Snooping Bindings database Default Disabled WEB INTERFACE To configure VLAN settings for ARP Inspection 1 Click Secur...

Page 229: ...spection Validation checks and will always be forwarded while those arriving on untrusted interfaces are subject to all configured ARP inspection tests Rate Limit Status If this parameter is enabled then there is no limit on the number of ARP packets that can be processed by the CPU Rate Limit Sets the maximum number of ARP packets that can be processed by CPU per second on untrusted ports Range 0...

Page 230: ...hese parameters are displayed WEB INTERFACE To display the ARP Inspection log 1 Click Security ARP Inspection 2 Select Configure Information from the Step list 3 Select Show Log from the Step list Table 16 ARP Inspection Log Parameter Description No Log entry index number VLAN The VLAN where this packet was seen Port The port where this packet was seen Src IP Address The source IP address in the p...

Page 231: ...Due to Rate Limit Count of ARP packets exceeding and dropped by ARP rate limiting Total ARP Packets Processed by ARP Inspection Count of all ARP packets processed by the ARP Inspection engine ARP Packets Dropped by Additional Validation Source MAC Address Count of packets that failed the source MAC address test ARP Packets Dropped by Additional Validation Destination MAC Address Count of packets t...

Page 232: ...n to all IP addresses by default Once you add an entry to a filter list access to that interface is restricted to the specified addresses If anyone tries to access a management interface on the switch from an invalid address the switch will reject the connection enter an event message in the system log and send a trap message to the trap manager IP address can be configured for SNMP web and Telnet...

Page 233: ...Configures IP address es for the web group SNMP IP Filter Configures IP address es for the SNMP group Telnet IP Filter Configures IP address es for the Telnet group Start IP Address A single IP address or the starting address of a range End IP Address The end address of a range Add Remove Filtering Entry Adds removes an IP address from the list WEB INTERFACE To create a list of IP addresses author...

Page 234: ...ted when malicious DHCP messages are received from an outside source DHCP snooping is used to filter DHCP messages received on a non secure interface from outside the network or fire wall When DHCP snooping is enabled globally and enabled on a VLAN interface DHCP messages received on an untrusted interface from a device not listed in the DHCP snooping table will be dropped Table entries are only l...

Page 235: ...ER REQUEST INFORM DECLINE or RELEASE message the packet is forwarded if MAC address verification is disabled However if MAC address verification is enabled then the packet will only be forwarded if the client s hardware address stored in the DHCP packet is the same as the source MAC address in the Ethernet header If the DHCP packet is not a recognizable type it is dropped If a DHCP packet from a c...

Page 236: ...RFACE To configure global settings for DHCP Snooping 1 Click DHCP Snooping Configuration 2 Set the status for the global DHCP snooping process and enable or disable MAC address verification as required 3 Click Apply Figure 101 Configuring Global Settings for DHCP Snooping DHCP SNOOPING VLAN CONFIGURATION Use the DHCP Snooping VLAN Configuration page to enable or disable DHCP snooping on specific V...

Page 237: ... Figure 102 Configuring DHCP Snooping on a VLAN DHCP SNOOPING INFORMATION OPTION CONFIGURATION Use the DHCP Snooping Information Option Configuration page to configure DHCP Snooping Option 82 CLI REFERENCES ip dhcp snooping information option on page 627 ip dhcp snooping information policy on page 628 COMMAND USAGE DHCP provides a relay mechanism for sending information about the switch and its DH...

Page 238: ...formation the switch can be configured to set the action policy for these packets The switch can either drop the DHCP packets keep the existing information or replace it with the switch s relay information DHCP snooping must be enabled for the DHCP Option 82 information to be inserted into packets When enabled the switch will only add remove option 82 information in incoming DCHP packets but not r...

Page 239: ...or the DHCP snooping agent that is the IP address of the management interface in ASCII format String An arbitrary string inserted into the remote identifier field Range 1 32 characters DHCP Snooping Information Option Policy Specifies how to handle DHCP client request packets which already contain Option 82 information Drop Drops the client s request packet instead of relaying it Keep Retains the ...

Page 240: ...enabled both globally and on a VLAN DHCP packet filtering will be performed on any untrusted ports within the VLAN When an untrusted port is changed to a trusted port all the dynamic DHCP snooping bindings associated with this port are removed Set all ports connected to DHCP servers within the local network or fire wall to trusted state Set all other ports outside the local network or fire wall to...

Page 241: ...These parameters are displayed Store DHCP Snooping binding entries to flash Writes all dynamically learned snooping entries to flash memory This function can be used to store the currently learned dynamic DHCP snooping entries to flash memory These entries will be restored to the snooping table when the switch is reset However note that the lease time shown for a dynamic entry that has been restor...

Page 242: ...ries in the IP Source Guard table or dynamic entries in the DHCP Snooping table when enabled see DHCP Snooping IP source guard can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighbor to access the network This section describes commands used to configure IP Source Guard CONFIGURING PORTS FOR IP SOURCE GUARD Use the IP Source Guard Port Configuration page...

Page 243: ...ge 236 IP source guard will check the VLAN ID source IP address port number and source MAC address for the SIP MAC option If a matching entry is found in the binding table and the entry type is static IP source guard binding the packet will be forwarded If DHCP snooping is enabled IP source guard will check the VLAN ID source IP address port number and source MAC address for the SIP MAC option If ...

Page 244: ...e which is indicated with a value of zero in the table CLI REFERENCES ip source guard binding on page 634 COMMAND USAGE Static addresses entered in the source guard binding table are automatically configured with an infinite lease time Dynamic entries learned via DHCP snooping are configured by the DHCP server itself Static bindings are processed as follows If there is no entry with the same VLAN ...

Page 245: ... current static entries in the table Port The port to which a static entry is bound VLAN ID ID of a configured VLAN Range 1 4094 MAC Address A valid unicast MAC address IP Address A valid unicast IP address including classful types A B or C WEB INTERFACE To configure static bindings for IP Source Guard 1 Click IP Source Guard Static Configuration 2 Enter the required bindings for each port 3 Click...

Page 246: ...y Port A port on this switch VLAN ID of a configured VLAN Range 1 4093 MAC Address A valid unicast MAC address IP Address A valid unicast IP address including classful types A B or C Dynamic Binding List VLAN VLAN to which this entry is bound MAC Address Physical address associated with the entry Unit Stack unit Port Port to which this entry is bound IP Address IP address corresponding to the clie...

Page 247: ...Guard 247 WEB INTERFACE To display the binding table for IP Source Guard 1 Click IP Source Guard Dynamic Information 2 Mark the search criteria and enter the required values 3 Click Query Figure 108 Showing the IP Source Guard Binding Table ...

Page 248: ...orts VLAN Trunking Configures a tunnel across one or more intermediate switches which pass traffic for VLAN groups to which they do not belong Cable Test Tests the cable attached to a port Displaying Statistics Shows Interface Etherlike and RMON port statistics in table or chart form PORT CONFIGURATION This section describes how to configure port connections mirror traffic from one port to another...

Page 249: ...ons Copper Forced SFP Forced or SFP Preferred Auto Default SFP Preferred Auto Trunk Member6 Shows if port is a trunk member Creation6 Shows if a trunk is manually configured or dynamically set via LACP WEB INTERFACE To display port connection parameters 1 Click Port Port Information Figure 109 Displaying Port Information CONFIGURING INTERFACE CONNECTIONS Use the Port Port Configuration or Trunk Co...

Page 250: ...s you to manually disable an interface You can disable an interface due to abnormal behavior e g excessive collisions and then re enable it after the problem has been resolved You may also disable an interface for security reasons Speed Duplex Allows you to manually set the port speed and duplex mode i e with auto negotiation disabled Flow Control Allows automatic or manual selection of flow contr...

Page 251: ...g traffic from end stations or segments connected directly to the switch when its buffers fill When enabled back pressure is used for half duplex operation and IEEE 802 3 2005 formally IEEE 802 3x for full duplex operation Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem Otherwise back pressure jamming signals may degrade overall performance f...

Page 252: ...e switch The switch supports both static trunking and dynamic Link Aggregation Control Protocol LACP Static trunks have to be manually configured at both ends of the link and the switches must comply with the Cisco EtherChannel standard On the other hand LACP configured ports can automatically negotiate a trunked link with LACP configured ports on another device You can configure any number of por...

Page 253: ...nk ports When configuring static trunks on switches of different types they must be compatible with the Cisco EtherChannel standard The ports at both ends of a trunk must be configured in an identical manner including communication mode i e speed duplex mode and flow control VLAN assignments and CoS settings Any of the Gigabit ports on the front panel can be trunked together including ports of dif...

Page 254: ... via the configuration interface before connecting the ports and also disconnect the ports before removing a static trunk via the configuration interface PARAMETERS These parameters are displayed Current Shows configured trunks Trunk ID Unit Port New Includes entry fields for creating new trunks Trunk Trunk identifier Range 1 8 Port Port identifier Range 1 28 WEB INTERFACE To create a static trunk...

Page 255: ...vailable trunk ID If more than eight ports attached to the same target switch have LACP enabled the additional ports will be placed in standby mode and will only be enabled if one of the active links fails All ports on both ends of an LACP trunk must be configured for full duplex and auto negotiation Trunks dynamically established through LACP will also be shown in the Member List on the Trunk Mem...

Page 256: ...et the following criteria Ports must have the same LACP System Priority Ports must have the same LACP port Admin Key Ports are only allowed to join the same Link Aggregation Group LAG if 1 the LACP port system priority matches 2 the LACP port admin key matches and 3 the LAG admin key matches if configured However if the LAG admin key is set then the port admin key must be set to the same value for...

Page 257: ... the Oper Key The Partner Admin Key is assigned zero and the Oper Key is set based upon LACP PDUs received from the Partner Port Priority If a link goes down LACP port priority is used to select a backup link Range 0 65535 Default 32768 NOTE Configuring LACP settings for a port only applies to its administrative state not its operational state and will only take effect the next time an aggregate l...

Page 258: ...atches if configured However if the LAG admin key is set then the port admin key must be set to the same value for a port to be allowed to join that group NOTE If the LAG admin key is not set when a channel group is formed i e it has a null value of 0 the operational value of this key is set to the same value as the port admin key used by the interfaces that joined the group see Configuring Parame...

Page 259: ...rt LACP Port Counters Information page to display statistics for LACP protocol messages CLI REFERENCES show lacp on page 697 PARAMETERS These parameters are displayed Table 18 LACP Port Counters Parameter Description LACPDUs Sent Number of valid LACPDUs transmitted from this channel group LACPDUs Received Number of valid LACPDUs received on this channel group Marker Sent Number of valid Marker PDU...

Page 260: ...arry the Slow Protocols Ethernet Type value but contain an unknown PDU or 2 are addressed to the Slow Protocols group MAC Address but do not carry the Slow Protocols Ethernet Type Marker Illegal Pkts Number of frames that carry the Slow Protocols Ethernet Type value but contain a badly formed PDU or an illegal value of Protocol Subtype Table 18 LACP Port Counters Continued Parameter Description Ta...

Page 261: ...ed to be enabled in the absence of administrative changes or changes in received protocol information Collecting Collection of incoming frames on this link is enabled i e collection is currently enabled and is not expected to be disabled in the absence of administrative changes or changes in received protocol information Synchronization The System considers this link to be IN_SYNC i e it has been ...

Page 262: ...ystem ID assigned by the user Partner Oper System ID LAG partner s system ID assigned by the LACP protocol Partner Admin Port Number Current administrative value of the port number for the protocol Partner Partner Oper Port Number Operational port number assigned to this aggregation port by the port s protocol partner Port Admin Priority Current administrative value of the port priority for the pr...

Page 263: ...MAND USAGE Due to an ASIC chip limitation the supported storm control modes include broadcast broadcast multicast broadcast multicast unknown unicast This means that when multicast storm control is enabled broadcast storm control is also enabled using the threshold value set by the multicast storm control command And when unknown unicast storm control is enabled both broadcast and multicast storm ...

Page 264: ...ding the specified threshold will then be dropped COMMAND USAGE Broadcast Storm Control is enabled by default Broadcast control does not effect IP multicast traffic CLI REFERENCES switchport packet rate on page 680 PARAMETERS These parameters are displayed Port Port number Type Indicates interface type 100Base TX 100Base T or SFP Protect Status Enables or disables broadcast storm control Default E...

Page 265: ...will then be dropped COMMAND USAGE Multicast Storm Control is disabled by default CLI REFERENCES switchport packet rate on page 680 PARAMETERS These parameters are displayed Port Port number Type Indicates interface type 100Base TX 100Base T or SFP Protect Status Enables or disables multicast storm control Default Disabled Threshold Threshold level as a rate i e kilobits per second Range 64 100000...

Page 266: ...own Unicast Control or Trunk Unknown Unicast Control page to protect your network from excess unknown unicast traffic by setting thresholds for each port Any unknown unicast packets exceeding the specified threshold will then be dropped COMMAND USAGE Unknown Unicast Storm Control is disabled by default CLI REFERENCES switchport packet rate on page 680 PARAMETERS These parameters are displayed Port...

Page 267: ...thernet ports 64 1000000 kilobits per second for Gigabit ports Default 64 kilobits per second Trunk Shows if a port is a trunk member WEB INTERFACE To configure unknown unicast storm control thresholds 1 Click Port Port Unknown Unicast Control 2 Set the threshold and mark Enabled for the desired interface 3 Click Apply Figure 122 Configuring Unknown Unicast Storm Control ...

Page 268: ... on page 708 COMMAND USAGE Traffic can be mirrored from one or more source ports to a destination port on the same switch Monitor port speed should match or exceed source port speed otherwise traffic may be dropped from the monitor port When mirroring port traffic the target port must be included in the same VLAN as the source port when using MSTP see Spanning Tree Algorithm When mirroring VLAN tr...

Page 269: ...RING Use the Port MAC Mirror Configuration page to mirror traffic matching a specified source address from any port on the switch to a target port for real time analysis You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner CLI REFERENCES Port Mirroring Commands on page 708 COMMAND USAGE When mirrorin...

Page 270: ...h port mirroring and for mirroring of VLAN traffic or packets based on a MAC address the matching packets will not be sent to target port specified for port mirroring PARAMETERS These parameters are displayed Mirror Sessions Displays a list of current mirror sessions Source MAC Address MAC address in the form of xx xx xx xx xx xx or xxxxxxxxxxxx Destination Port The port that will mirror the traff...

Page 271: ...s configured with this feature the traffic rate will be monitored by the hardware to verify conformity Non conforming traffic is dropped conforming traffic is forwarded without any changes CLI REFERENCES Rate Limit Commands on page 711 PARAMETERS These parameters are displayed Port Trunk Displays the port trunk number Rate Limit Status Enables or disables the rate limit Default Disabled Rate Limit...

Page 272: ... configured on switches A and B with VLAN trunking being used to pass traffic for these VLAN groups across switches C D and E Figure 127 Configuring VLAN Trunking Without VLAN trunking you would have to configure VLANs 1 and 2 on all intermediate switches C D and E otherwise these switches would drop any frames with unknown VLAN group tags However by enabling VLAN trunking on the intermediate swit...

Page 273: ...ng are disabled on an interface packets with unknown VLAN tags will still be allowed to enter this interface and will be flooded to all other ports where VLAN trunking is enabled In other words VLAN trunking will still be effectively enabled for the unknown VLAN PARAMETERS These parameters are displayed Interface Port or trunk identifier VLAN Trunking Enables VLAN trunking on the selected interfac...

Page 274: ...xamining the reflection of that pulse This cable test is only accurate for cables 7 140 meters long The test takes approximately 5 seconds The switch displays the results of the test immediately upon completion including common cable failures as well as the status and approximate length to a fault Potential conditions which may be listed by the diagnostics include OK Correctly terminated pair Open...

Page 275: ... statistics on network traffic from the Interfaces Group and Ethernet like MIBs as well as a detailed breakdown of traffic based on the RMON MIB Interfaces and Ethernet like statistics display errors on the traffic passing through each port This information can be used to identify potential problems with the switch such as a faulty port or unusually heavy loading RMON statistics provide access to ...

Page 276: ...t Packets The number of packets delivered by this sub layer to a higher sub layer which were addressed to a multicast address at this sub layer Transmitted Multicast Packets The total number of packets that higher level protocols requested be transmitted and which were addressed to a multicast address at this sub layer including those that were discarded or not sent Received Broadcast Packets The ...

Page 277: ... were less than 64 octets in length excluding framing bits but including FCS octets and had either an FCS or alignment error Collisions The best estimate of the total number of collisions on this Ethernet segment Received Octets Total number of octets of data received on the network This statistic can be used as a reasonable indication of Ethernet utilization Received Packets The total number of p...

Page 278: ...rom the drop down list 3 Click Query 4 Use the Refresh button at the bottom of the page if you need to update the screen Port Utilization Input Rate Shows the ingress rate in kilobits second packets second and utilization second Output Rate Shows the egress rate in kilobits second packets second and utilization second Table 21 Port Statistics Continued Parameter Description ...

Page 279: ...CHAPTER 8 Interface Configuration Showing Port or Trunk Statistics 279 Figure 130 Showing Port Statistics ...

Page 280: ...ces The switch s power management enables total switch power and individual port power to be controlled within a configured power budget Port power can be automatically turned on and off for connected devices and a per port power priority can be set so that the switch never exceeds its allocated power budget When a device is connected to a switch port its power requirements are detected by the swi...

Page 281: ...tch Software Version The version of software running on the PoE controller subsystem in the switch WEB INTERFACE To display the Power over Ethernet settings for the switch 1 Click PoE Power Status Figure 131 Displaying the Global PoE Status SETTING A SWITCH POWER BUDGET Use the Power Power Configuration page to configure the power budget for the switch A maximum PoE power budget for the switch pow...

Page 282: ...1 Click PoE Power Configuration 2 Specify the desired power budget for the switch 3 Click Apply Figure 132 Setting the Switch Power Budget DISPLAYING PORT POWER STATUS Use the Power Power Port Status page to display the current PoE power status for all ports CLI REFERENCES show power inline status on page 706 PARAMETERS These parameters are displayed Port The port number Admin Status The administr...

Page 283: ...ff If the power demand from devices connected to switch ports exceeds the power budget set for the switch the port power priority settings are used to control the supplied power For example If a device is connected to a low priority port and causes the switch to exceed its budget port power is not turned on If a device is connected to a critical or high priority port and would cause the switch to ...

Page 284: ...e is detected on the port providing that the power demanded does not exceed the switch or port power budget Default Enabled Priority Sets the power priority for the port Options low high or critical Default low Power Allocation Sets the power budget for the port Range 3000 15400 milliwatts Default 15400 milliwatts WEB INTERFACE To configure port power parameters 1 Click PoE Power Port Configuratio...

Page 285: ...the Address Table Static Addresses page to configure static MAC addresses A static address can be assigned to a specific interface on this switch CLI REFERENCES mac address table static on page 733 COMMAND USAGE The static address for a host device can be assigned to a specific port within a specific VLAN Use this command to add static addresses to the MAC Address Table Static addresses have the f...

Page 286: ...ssigned a static address MAC Address Physical address of a device mapped to this interface Enter an address in the form of xx xx xx xx xx xx or xxxxxxxxxxxx VLAN ID of configured VLAN Range 1 4093 WEB INTERFACE To configure a static MAC address 1 Click Address Table Static Addresses 2 Select Add from the Action list 3 Specify the interface the MAC address and VLAN to which the address will be assi...

Page 287: ... page 734 PARAMETERS These parameters are displayed Interface Indicates a port or trunk MAC Address Physical address associated with this interface VLAN ID of configured VLAN 1 4093 Address Table Sort Key You can sort the information displayed based on MAC address VLAN or interface port or trunk Dynamic Address Counts The number of addresses dynamically learned Current Dynamic Address Table Lists ...

Page 288: ...out dynamically learned forwarding information CLI REFERENCES mac address table aging time on page 732 PARAMETERS These parameters are displayed Aging Status Enables disables the aging function Aging Time The time after which a learned entry is discarded Range 10 844 seconds Default 300 seconds WEB INTERFACE To set the aging time for entries in the dynamic address table 1 Click Address Table Addre...

Page 289: ...CHAPTER 10 Address Table Settings Changing the Aging Time 289 4 Click Apply Figure 137 Setting the Address Aging Time ...

Page 290: ...iant switch bridge or router in your network to ensure that only one route exists between any two stations on the network and provide backup links which automatically take over when a primary link goes down The spanning tree algorithms supported by this switch include these versions STP Spanning Tree Protocol IEEE 802 1D RSTP Rapid Spanning Tree Protocol IEEE 802 1w MSTP Multiple Spanning Tree Pro...

Page 291: ... 3 seconds compared to 30 seconds or more for STP by reducing the number of state changes before active ports start learning predefining an alternate route that can be used when a node or port fails and retaining the forwarding database for ports insensitive to changes in the tree structure when reconfiguration occurs MSTP When using STP or RSTP it may be difficult to maintain a stable path betwee...

Page 292: ...ons with STP or RSTP nodes in the global network Figure 140 Common Internal Spanning Tree Common Spanning Tree Internal Spanning Tree MSTP connects all bridges and LAN segments with a single Common and Internal Spanning Tree CIST The CIST is formed as a result of the running spanning tree algorithm between switches that support the STP RSTP MSTP protocols Once you specify the VLANs to include in a...

Page 293: ...face ceases to receive it s own BPDUs in a forward delay interval NOTE If loopback detection is not enabled and an interface receives it s own BPDU then the interface will drop the loopback BPDU according to IEEE Standard 802 1w 2001 9 3 4 Note 1 NOTE Loopback detection will not be active if Spanning Tree is disabled on the switch NOTE When configured for manual release mode then a link down up ev...

Page 294: ...r the following items Spanning Tree State Shows if the switch is enabled to participate in an STA compliant network Bridge ID A unique identifier for this bridge consisting of the bridge priority the MST Instance ID 0 for the Common Spanning Tree when spanning tree type is set to MSTP and MAC address where the address is taken from the switch system Max Age The maximum time in seconds a device can...

Page 295: ...discarding state otherwise temporary data loops might result Designated Root The priority and MAC address of the device in the Spanning Tree that this switch has accepted as the root device Root Port The number of the port on this switch that is closest to the root This switch communicates with the root device through this port If there is no root port then this switch has been accepted as the roo...

Page 296: ...elow STP Mode If the switch receives an 802 1D BPDU i e STP BPDU after a port s migration delay timer expires the switch assumes it is connected to an 802 1D bridge and starts using only 802 1D BPDUs RSTP Mode If RSTP is using 802 1D BPDUs on a port and receives an RSTP BPDU after the migration delay expires RSTP restarts the migration delay timer and begins using RSTP BPDUs on that port Multiple ...

Page 297: ...mes the STA root device However if all devices have the same priority the device with the lowest MAC address will then become the root device Note that lower numeric values indicate higher priority Default 32768 Range 0 61440 in steps of 4096 Options 0 4096 8192 12288 16384 20480 24576 28672 32768 36864 40960 45056 49152 53248 57344 61440 Spanning Tree BPDU Flooding Configures the system to flood ...

Page 298: ...ard frames In addition each port needs time to listen for conflicting information that would make it return to a discarding state otherwise temporary data loops might result Default 15 Minimum The higher of 4 or Max Message Age 2 1 Maximum 30 RSTP Configuration NOTE The following commands also apply to MSTP which is based upon RSTP and STP which is a backwards compatible subset of RSTP Path Cost M...

Page 299: ... the MST region before a BPDU is discarded Range 1 40 Default 20 WEB INTERFACE To configure global STA settings 1 Click Spanning Tree STA 2 Select Configure Global from the Step list 3 Select Configure from the Action list 4 Modify any of the required attributes Note that the parameters displayed for the spanning tree types STP RSTP MSTP varies as described in the preceding section 5 Click Apply 9...

Page 300: ...A Port Information page to display the current status of ports or trunks in the Spanning Tree CLI REFERENCES show spanning tree on page 762 PARAMETERS These parameters are displayed Spanning Tree Shows if STA has been enabled on this interface BPDU Flooding Shows if BPDUs will be flooded to other ports when spanning tree is disabled globally on the switch or disabled on a specific port ...

Page 301: ...number of times this port has transitioned from the Learning state to the Forwarding state Designated Cost The cost for a packet to travel from this port to the root in the current Spanning Tree configuration The slower the media the higher the cost Designated Bridge The bridge priority and MAC address of the device through which this port must communicate to reach the root of the Spanning Tree De...

Page 302: ...es bridge ports or LANs fail or are removed The role is set to disabled i e disabled port if a port has no role within the spanning tree Figure 144 STA Port Roles WEB INTERFACE To display interface settings for STA 1 Click Spanning Tree STA Port Information Figure 145 Displaying Interface Settings for STA Alternate port receives more useful BPDUs from another bridge and is therefore not selected a...

Page 303: ...g is enabled BPDUs are flooded to all other ports on the switch or to all other ports within the receiving port s native VLAN as specified by the Spanning Tree BPDU Flooding attribute page 296 STA State Displays current state of this port within the Spanning Tree See Displaying Interface Settings for STA for additional information Discarding Port receives STA configuration messages but does not fo...

Page 304: ...ult path cost recommended by the IEEE 8021w standard exceeds 65 535 the default is set to 65 535 10 Refer to Configuring Global Settings for STA for information on setting the path cost method Table 22 Recommended STA Path Cost Range Port Type IEEE 802 1D 1998 IEEE 802 1w 2001 Ethernet 50 600 200 000 20 000 000 Fast Ethernet 10 60 20 000 2 000 000 Gigabit Ethernet 3 10 2 000 200 000 Table 23 Recom...

Page 305: ...t connected to low speed bridges which could potentially overload a slower link by taking over as the root port and forming a new spanning tree topology It could also be used to form a border around part of the network where the root bridge is allowed Default Disabled Migration If at any time the switch detects STP BPDUs including Configuration or Topology Change Notification BPDUs it will automat...

Page 306: ...onnected to an end node device Default Disabled Enabled Manually configures a port as an Edge Port Disabled Disables the Edge Port setting Auto The port will be automatically configured as an edge port if the edge delay time expires without receiving any RSTP or MSTP BPDUs Note that edge delay time 802 1D 2004 17 20 4 equals the protocol migration time if a port s link type is point to point which...

Page 307: ... unauthorized device The BPDU guard feature provides a secure response to invalid configurations because an administrator must manually enable the port Default Disabled BPDU Filter BPDU filtering allows you to avoid transmitting BPDUs on configured edge ports that are connected to end nodes By default STA sends BPDUs to all ports regardless of whether administrative edge is enabled on a port BDPU ...

Page 308: ... bridges within the same MSTI Region page 296 with the same set of instances and the same instance on each bridge with the same set of VLANs Also note that RSTP treats each MSTI region as a single node connecting all regions to the Common Spanning Tree To use multiple spanning trees 1 Set the spanning tree type to MSTP page 296 2 Enter the spanning tree priority for the selected MST instance on th...

Page 309: ... global attributes are described under Displaying Global Settings for STA WEB INTERFACE To create instances for MSTP 1 Click Spanning Tree MSTP VLAN Configuration 2 Select an instance identifier from the list set the instance priority and click Apply 3 To add the VLAN members to an MSTI instance enter the instance identifier the VLAN identifier and click Add Figure 148 Creating an MST Instance ...

Page 310: ...I REFERENCES show spanning tree on page 762 PARAMETERS These parameters are displayed MST Instance ID Instance identifier to configure Range 0 4094 Default 0 The other attributes are described under Displaying Interface Settings for STA WEB INTERFACE To create instances for MSTP 1 Click Spanning Tree MSTP Port Information or Trunk Information 2 Select the required MST instance to display the curre...

Page 311: ... port in the Spanning Tree Protocol If the path cost for all ports on a switch are the same the port with the highest priority i e lowest value will be configured as an active link in the Spanning Tree This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops Where more than one port is assigned the highest priority the port with lowe...

Page 312: ...able 23 on page 304 The default path costs are listed in Table 24 on page 304 Trunk Indicates if a port is a member of a trunk MSTP Port Configuration only WEB INTERFACE To configure MSTP parameters for a port or trunk 1 Click Spanning Tree MSTP Port Configuration 2 Enter the priority and path cost for an interface 3 Click Apply Figure 150 Configuring MSTP Interface Settings ...

Page 313: ...protocol such as an uplink port to the service provider s network to forward BPDU packets to other ports instead of discarding these packets or attempting to process them CONFIGURING THE TUNNEL ADDRESS FOR UPLINK TRAFFIC Use the L2 Protocol Tunnel Configuration page to set the destination address assigned to specified Layer 2 protocol packets entering the service provider s network CLI REFERENCES ...

Page 314: ...dress is changed to the proprietary tunnel address 01 12 CF 00 00 02 or a user specified address Default 01 12 CF 00 00 02 The tunnel address can be any multicast address except for the following IPv4 multicast addresses with prefix 01 00 5E IPv6 multicast addresses with prefix 33 33 33 Addresses used by the spanning tree protocol WEB INTERFACE To configure the tunnel address for L2PT 1 Click L2 P...

Page 315: ... access ports11 connected to the same metro VLAN The way in which L2PT processes packets is based on the following criteria 1 packet is received on a QinQ uplink port 2 packet is received on a QinQ access port or 3 received packet is Cisco compatible L2PT i e as indicated by a proprietary MAC address Processing protocol packets defined in IEEE 802 1ad Provider Bridges When an IEEE 802 1ad protocol...

Page 316: ... STP protocol packet and L2PT is enabled on this port it is forwarded to the following ports in the same S VLAN a other access ports for which L2PT is enabled and b uplink ports after rewriting the destination address to make it a GBPT protocol packet i e setting the destination address to 01 00 0C CD CD D0 L2PT is disabled on this port it is forwarded to the following ports in the same S VLAN a o...

Page 317: ...rotocol Cisco VTP Cisco VLAN Trunking Protocol Cisco PVST Cisco Per VLAN Spanning Tree Plus WEB INTERFACE To enable tunneling on an interface 1 Click L2 Protocol Tunnel Port Configuration or Trunk Configuration 2 Enable protocol tunneling for a port or trunk 3 Click Apply Figure 152 Enabling Layer 2 Protocol Tunneling ...

Page 318: ...VLANs Maps untagged ingress frames to a specified VLAN if the source address is found in the IP subnet to VLAN mapping table MAC based VLANs Maps untagged ingress frames to a specified VLAN if the source MAC address is found in the IP MAC address to VLAN mapping table IEEE 802 1Q VLANS In large networks routers are used to isolate broadcast traffic for each subnet into separate domains This switch...

Page 319: ... NOTE The switch allows 255 user manageable VLANs One extra unmanageable VLAN VLAN ID 4093 is maintained for IP clustering Assigning Ports to VLANs Before enabling VLANs for the switch you must first assign each port to the VLAN group s in which it will participate By default all ports are assigned to VLAN 1 as untagged ports Add a port as a tagged port if you want it to carry traffic for one or m...

Page 320: ...automate VLAN registration Automatic VLAN Registration GVRP GARP VLAN Registration Protocol defines a system whereby the switch can automatically learn the VLANs to which each end station should be assigned If an end station or its network adapter supports the IEEE 802 1Q VLAN protocol it can be configured to broadcast a message to your network indicating the VLAN groups it wants to join When this...

Page 321: ...eral switches you should create a VLAN for that group and enable tagging on all ports Ports can be assigned to multiple tagged or untagged VLANs Each port on the switch is therefore capable of passing tagged or untagged frames When forwarding a frame from this switch along a path that contains any VLAN aware devices the switch should include VLAN tags When forwarding a frame from this switch along...

Page 322: ...permit automatic VLAN registration and to support VLANs which extend beyond the local switch Default Disabled WEB INTERFACE To configure GVRP on the switch 1 Click VLAN 802 1Q VLAN GVRP Status 2 Enable or disable GVRP 3 Click Apply Figure 155 Configuring Global Status of GVRP DISPLAYING BASIC VLAN INFORMATION Use the VLAN 802 1Q VLAN Basic Information page to display basic information on the VLAN ...

Page 323: ...ssigned to a large VLAN group that crosses several switches should use VLAN tagging However if you just want to create a small port based VLAN for one or two switches you can disable tagging CLI REFERENCES show vlan on page 806 PARAMETERS These parameters are displayed VLAN ID ID of configured VLAN 1 4094 Up Time at Creation Time this VLAN was created i e System Up Time Status Shows how this VLAN ...

Page 324: ...propagate information about VLAN groups used on this switch to external network devices you must specify a VLAN ID for each of these groups CLI REFERENCES Editing VLAN Groups on page 797 PARAMETERS These parameters are displayed VLAN ID ID of VLAN or range of VLANs 1 4094 Up to 255 VLAN groups can be defined VLAN 1 is the default untagged VLAN VLAN Name Name of the VLAN 1 128 characters no spaces ...

Page 325: ...Static Table page to configure port members for the selected VLAN index Assign ports as tagged if they are connected to 802 1Q VLAN compliant devices or untagged they are not connected to any VLAN aware devices Or configure a port as forbidden to prevent the switch from automatically adding it to a VLAN via the GVRP protocol CLI REFERENCES Configuring VLAN Interfaces on page 799 Displaying VLAN In...

Page 326: ... via GVRP For more information see Automatic VLAN Registration on page 320 None Interface is not a member of the VLAN Packets associated with this VLAN will not be transmitted by the interface NOTE VLAN 1 is the default untagged VLAN containing all ports on the switch using Access mode Trunk Member Indicates if a port is a member of a trunk To add a trunk to the selected VLAN use the last table on...

Page 327: ...are displayed Interface Port or trunk identifier Member VLANs for which the selected interface is a tagged member Non Member VLANs for which the selected interface is not a tagged member WEB INTERFACE To assign VLAN groups to the selected interface as a tagged member 1 Click VLAN 802 1Q VLAN Static Membership by Port 2 Select an interface from the scroll down box Port or Trunk and click Query to d...

Page 328: ...efault 1 When using Access mode and an interface is assigned to a new VLAN its PVID is automatically set to the identifier for that VLAN When using Hybrid mode the PVID for an interface can be set to any VLAN for which it is an untagged member Acceptable Frame Type Sets the interface to accept all frame types including tagged or untagged frames or only tagged frames When set to receive all frame t...

Page 329: ...efore this setting can take effect see page 322 When disabled any GVRP packets received on this port will be discarded and no GVRP registrations will be propagated from other ports Default Disabled GARP Timers Group Address Registration Protocol is used by GVRP to register or deregister client attributes for client services within a bridged LAN The default values for the GARP timers are independen...

Page 330: ...LANs supported VLAN ranges required by different customers in the same service provider network might easily overlap and traffic passing through the infrastructure might be mixed Assigning a unique range of VLAN IDs to each customer would restrict customer configurations require intensive processing of VLAN mapping tables and could easily exceed the maximum VLAN limit of 4096 QinQ tunneling uses a...

Page 331: ...igure 162 QinQ Operational Concept Layer 2 Flow for Packets Coming into a Tunnel Access Port A QinQ tunnel port may receive either tagged or untagged packets No matter how many tags the incoming packet has it is treated as tagged packet The ingress process does source and destination lookups If both lookups are successful the ingress process writes the packet to memory Then the egress process tran...

Page 332: ...llowing manner 1 If incoming packets are untagged the PVID VLAN native tag is added 2 If the ether type of an incoming packet single or double tagged is not equal to the TPID of the uplink port the VLAN tag is determined to be a Customer VLAN CVLAN tag The uplink port s PVID VLAN native tag is added to the packet This outer tag is used for learning and switching packets within the service provider...

Page 333: ...ed to transmitted frames Avoid using VLAN 1 as an SPVLAN tag for customer traffic to reduce the risk of misconfiguration Instead use VLAN 1 as a management VLAN instead of a data VLAN in the service provider network There are some inherent incompatibilities between Layer 2 and Layer 3 switching Tunnel ports do not support IP Access Control Lists Layer 3 Quality of Service QoS and other QoS feature...

Page 334: ...layed Tunnel Status Sets the switch to QinQ mode Default Disabled Ethernet Type The Tag Protocol Identifier TPID specifies the ethertype of incoming packets on a tunnel port Range hexadecimal 0800 FFFF Default 8100 Use this field to set a custom 802 1Q ethertype value This feature allows the switch to interoperate with third party switches that do not use the standard 0x8100 ethertype to identify ...

Page 335: ... a nonstandard 2 byte ethertype to identify 802 1Q tagged frames Then use the Tunnel Port Configuration or Tunnel Trunk Configuration page to set the access interface on the edge switch to Tunnel mode and set the uplink interface on the switch attached to the service provider network to Tunnel Uplink mode PARAMETERS These parameters are displayed Interface Displays a list of ports or trunks Port P...

Page 336: ...ic belonging to each client is isolated to the allocated downlink ports But the switch can be configured to either isolate traffic passing across a client s allocated uplink ports from the uplink ports assigned to other clients or to also forward traffic through the uplink ports used by other clients allowing different clients to share access to their uplink ports where security is less likely to ...

Page 337: ...n Configuration page to create a client session and assign to service the traffic associated with each session Ports designated as downlink ports can not communicate with any other ports on the switch except for the uplink ports Uplink ports can communicate with any other ports on the switch and with any designated downlink ports CLI REFERENCES Configuring Port based Traffic Segmentation on page 8...

Page 338: ... a community or secondary VLAN contains community ports that can only communicate with other hosts within the community VLAN and with any of the promiscuous ports in the associated primary VLAN The promiscuous ports are designed to provide open access to an external network such as the Internet while the community ports provide restricted access to local users Multiple primary VLANs can be configu...

Page 339: ...onfigured on the switch including primary and community VLANs and their assigned interfaces CLI REFERENCES show vlan private vlan on page 825 PARAMETERS These parameters are displayed in the web interface VLAN ID ID of configured VLAN 1 4094 and VLAN type Primary VLAN The VLAN with which the selected VLAN ID is associated A primary VLAN displays its own ID and a community VLAN displays the associa...

Page 340: ...ANs Primary Conveys traffic between promiscuous ports and to community ports within secondary or community VLANs Community Conveys traffic between community ports and to their promiscuous ports in the associated primary VLAN WEB INTERFACE To configure private VLANs 1 Click VLAN Private VLAN Configuration 2 Enter the VLAN ID to assign to the private VLAN 3 Select Primary or Community from the Type ...

Page 341: ...munity VLANs not associated with the selected VLAN WEB INTERFACE To associate a community VLAN with a primary VLAN 1 Click VLAN Private VLAN Association 2 Select an entry from the Primary VLAN ID list 3 Highlight one or more community VLANs in the Non Association list box Note that a community VLAN can only be associated with one primary VLAN 4 Click Add Figure 169 Associating Private VLANs DISPLA...

Page 342: ...cate with the lone promiscuous port within its own isolated VLAN Promiscuous A promiscuous port can communicate with all the interfaces within a private VLAN Primary VLAN Conveys traffic between promiscuous ports and between promiscuous ports and community ports within the associated secondary VLANs Community VLAN A community VLAN conveys traffic between community ports and from community ports to...

Page 343: ...signated promiscuous port s Promiscuous A promiscuous port can communicate with all interfaces within a private VLAN Primary VLAN Conveys traffic between promiscuous ports and between promiscuous ports and community ports within the associated secondary VLANs If Port Mode is Promiscuous then specify the associated primary VLAN Community VLAN A community VLAN conveys traffic between community ports...

Page 344: ...l VLAN groups for each required protocol When a frame is received at a port its VLAN membership can then be determined based on the protocol type being used by the inbound packets COMMAND USAGE To configure protocol based VLANs follow these steps 1 First configure VLAN groups for the protocols you want to use page 797 Although not mandatory we suggest configuring a separate VLAN for each major pro...

Page 345: ...for the Frame Type the only available Protocol Type is IPX Raw NOTE Traffic which matches IP Protocol Ethernet Frames is mapped to the VLAN VLAN 1 that has been configured with the switch s administrative IP IP Protocol Ethernet traffic must not be mapped to another VLAN or you will lose administrative network connectivity to the switch If lost in this manner network access can be regained by remo...

Page 346: ...rd rules applied to tagged frames If the frame is untagged and the protocol type matches the frame is forwarded to the appropriate VLAN If the frame is untagged but the protocol type does not match the frame is forwarded to the default VLAN for this interface PARAMETERS These parameters are displayed Protocol Group ID Protocol Group ID assigned to the Protocol VLAN Group Range 1 2147483647 VLAN ID...

Page 347: ...LAN When VLAN mirroring and port mirroring are both enabled they must use the same target port When VLAN mirroring and port mirroring are both enabled the target port can receive a mirrored packet twice once from the source mirror port and again from the source mirrored VLAN The target port receives traffic from all monitored source VLANs and can become congested Some mirror traffic may therefore ...

Page 348: ...e monitored Range 1 4094 Target Port The destination port that receives the mirrored traffic from the source VLAN Range 1 28 WEB INTERFACE To configure VLAN mirroring 1 Click VLAN VLAN Mirror Configuration 2 Select the source VLAN 3 Select a target port that is not a member of the source VLAN 4 Click Add Figure 174 Configuring VLAN Mirroring ...

Page 349: ...net VLANs on page 829 COMMAND USAGE Each IP subnet can be mapped to only one VLAN ID An IP subnet consists of an IP address and a mask When an untagged frame is received by a port the source IP address is checked against the IP subnet to VLAN mapping table and if an entry is found the corresponding VLAN ID is assigned to the frame If no mapping is found the PVID of the receiving port is assigned t...

Page 350: ... to configure VLANs based on MAC addresses The MAC based VLAN feature assigns VLAN IDs to ingress untagged frames according to source MAC addresses When MAC based VLAN classification is enabled untagged frames received by a port are assigned to the VLAN which is mapped to the frame s source MAC address When no MAC address is matched untagged frames are assigned to the receiving port s native VLAN ...

Page 351: ...hich is to be mapped to a specific VLAN The MAC address must be specified in the format xx xx xx xx xx xx VLAN VLAN to which ingress traffic matching the specified source MAC address is forwarded Range 1 4094 WEB INTERFACE To map a MAC address to a VLAN 1 Click VLAN MAC based VLAN Configuration 2 Enter an address in the MAC Address field 3 Enter an identifier in the VLAN field Note that the specif...

Page 352: ...s on the switch OVERVIEW Link Layer Discovery Protocol LLDP is used to discover basic information about neighboring devices on the local broadcast domain LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device Advertised information is represented in Type Length Value TLV format according to the IEEE 802 1ab standard and can include details such a...

Page 353: ... 4 The time to live tells the receiving LLDP agent how long to retain all information pertaining to the sending LLDP agent if it does not transmit updates in a timely manner TTL in seconds is based on the following rule Transmission Interval Holdtime Multiplier 65536 Therefore the default TTL is 4 30 120 seconds Delay Interval Configures a delay between the successive transmission of advertisement...

Page 354: ...ue of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification events missed due to throttling or transmission loss MED Fast Start Count Configures the amount of LLDP MED Fast Start LLDPDUs to transmit during the activation process of the LLDP MED Fast Start mechanism Range 1 10 packets Default 4 packets The MED Fast Start Count parameter is part of the timer which ensures th...

Page 355: ...specific LLDP EXT DOT1 and LLDP EXT DOT3 MIBs For information on defining SNMP trap destinations see Specifying Trap Managers and Trap Types Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted Only state changes that exist at the time of a trap notification are included in the transmission An SNMP agent should therefore periodically check...

Page 356: ... address for the CPU or for the port sending this advertisement The management address TLV may also include information about the specific interface associated with this address and an object identifier indicating the type of hardware component or protocol entity associated with this address The interface number and OID are included to assist SNMP applications in the performance of network discove...

Page 357: ...tises extended Power over Ethernet capability details such as power availability from the switch and power state of the switch including whether the switch is operating from primary or backup power the Endpoint Device could use this information to decide to enter power conservation mode Inventory This option advertises device details useful for inventory management such as manufacturer model softw...

Page 358: ...assis containing the IEEE 802 LAN entity associated with the transmitting LLDP agent There are several ways in which a chassis may be identified and a chassis ID subtype is used to indicate the type of component being referenced by the chassis ID field Table 25 Chassis ID Subtype ID Basis Reference Chassis component EntPhysicalAlias when entPhysClass has a value of chassis 3 IETF RFC 2737 Interfac...

Page 359: ...witch If no management address is available the address should be the MAC address for the CPU or for the port sending this advertisement Interface Settings The attributes listed below apply to both port and trunk interface types When a trunk is listed the descriptions apply to the first port of the trunk Port Trunk Description A string that indicates the port or trunk description If RFC 2863 is im...

Page 360: ... info remote device on page 918 PARAMETERS These parameters are displayed Local Port The local port to which a remote LLDP capable device is attached Chassis ID An octet string indicating the specific identifier for the particular chassis in this system Port ID A string that contains the specific identifier for the port from which this LLDPDU was transmitted Port Name A string that indicates the p...

Page 361: ...s attached Chassis Type Identifies the chassis containing the IEEE 802 LAN entity associated with the transmitting LLDP agent There are several ways in which a chassis may be identified and a chassis ID subtype is used to indicate the type of component being referenced by the chassis ID field See Table 25 Chassis ID Subtype on page 358 Chassis ID An octet string indicating the specific identifier ...

Page 362: ...tem Capabilities on page 359 System Capabilities Enabled The primary function s of the system which are currently enabled See Table 26 System Capabilities on page 359 Management Address The management address for this device If no management address is available the address should be the MAC address for the CPU or for the port sending this advertisement WEB INTERFACE To display detailed LLDP infor...

Page 363: ...stics on Remote Devices Neighbor Entries List Last Updated The time the LLDP neighbor entry list was last updated New Neighbor Entries Count The number of LLDP neighbors for which the remote TTL has not yet expired Neighbor Entries Deleted Count The number of LLDP neighbors which have been removed from the LLDP remote systems MIB for any reason Neighbor Entries Dropped Count The number of times wh...

Page 364: ...1 Click LLDP Device Statistics Figure 182 Displaying LLDP Device Statistics DISPLAYING DETAILED DEVICE STATISTICS Use the LLDP Device Statistics Details page to display detailed statistics for LLDP capable devices attached to specific interfaces on the switch CLI REFERENCES show lldp info statistics on page 919 PARAMETERS These parameters are displayed Frames Discarded Number of frames discarded b...

Page 365: ...ved and then discarded due to insufficient memory space missing or out of sequence attributes or any other reason Neighbor Ageouts A count of the times that a neighbor s information has been deleted from the LLDP remote systems MIB because the remote TTL timer has expired WEB INTERFACE To display detailed statistics for LLDP capable devices attached to the switch 1 Click LLDP Device Statistics Det...

Page 366: ...ternal processing LAYER 2 QUEUE SETTINGS This section describes how to configure the default priority for untagged frames set the queue mode and map class of service tags to queues SETTING THE DEFAULT PRIORITY FOR INTERFACES Use the Priority Default Port Priority or Default Trunk Priority page to specify the default port priority for each interface on the switch All untagged packets entering the s...

Page 367: ...the Default Port Priority MAPPING COS VALUES TO EGRESS QUEUES Use the Priority Traffic Classes page to specify which of the hardware output queues to use for Class of Service CoS priority tagged traffic The switch processes priority tagged traffic by using four priority queues for each port with service schedules based on strict priority or Weighted Round Robin WRR Up to eight traffic priorities a...

Page 368: ...rity CoS value Range 0 7 where 7 is the highest priority Traffic Class Output queue buffer Range 0 3 where 3 is the highest CoS priority queue WEB INTERFACE To specify which of the output queues to use for CoS priority tagged traffic 1 Click Priority Traffic Classes 2 Assign priorities to the traffic classes i e output queues 3 Click Apply Table 29 CoS Priority Levels Priority Level Traffic Type 1...

Page 369: ... are serviced WRR uses a relative weighting for each queue which determines the amount of packets the switch transmits every time it services each queue before moving on to the next queue Thus a queue weighted 8 will be allowed to transmit up to 8 packets after which the next lower priority queue will be serviced according to it s weighting This prevents the head of line blocking that can occur wi...

Page 370: ... classes are mapped to one of the four egress queues provided for each port This weight sets the limit for the number of packets the switch will transmit each time the queue is serviced and subsequently affects the response time for software applications assigned a specific priority value NOTE This switch does not allow the queue service weights to be set The weights are fixed as 1 2 4 8 for queue...

Page 371: ...erent priority information may be contained in the traffic this switch maps priority values to the output queues in the following manner The precedence for priority mapping is DSCP Priority and then Default Port Priority NOTE The default settings used for mapping priority values from ingress traffic to internal DSCP values are used to determine the hardware queues used for egress traffic not to re...

Page 372: ...ices Code Point priority to CoS priority map CLI REFERENCES show map ip dscp on page 847 COMMAND USAGE The DSCP is six bits wide allowing coding for up to 64 different forwarding behaviors The DSCP retains backward compatibility with the three precedence bits so that non DSCP compliant devices will not conflict with the DSCP mapping Based on network policies different kinds of traffic can be marke...

Page 373: ... Note that 0 represents low priority and 7 represent high priority NOTE IP DSCP settings apply to all interfaces WEB INTERFACE To set the IP DSCP to CoS priority map 1 Click Priority IP DSCP Priority 2 Select an entry from the DSCP table and enter a value in the Class of Service Value field 3 Click Apply Figure 189 Mapping IP DSCP Priority Values 48 6 46 56 7 Table 30 Mapping DSCP Priority Values ...

Page 374: ...t kinds of traffic can be marked for different kinds of forwarding All switches or routers that access the Internet rely on class information to provide the same forwarding treatment to packets in the same class Class information can be assigned by end hosts or switches or routers along the path Priority can then be assigned based on a general policy or a detailed examination of the packet However...

Page 375: ...affic or the action to take for a policy violation 5 Use the Service Policy page to assign a policy map to a specific interface CONFIGURING A CLASS MAP Use the QoS DiffServ Class Map page to configure a class map A class map is used for matching packets to a specified class CLI REFERENCES Quality of Service Commands on page 848 COMMAND USAGE To configure a Class Map follow these steps Open the Cla...

Page 376: ...raffic on this page Remove Class Removes the selected class Class Configuration Add Class Class Name Name of the class map Range 1 16 characters Type Only one match command is permitted per class map so the match any field refers to the criteria specified by the lone match command Description A brief description of a class map Range 1 64 characters Add Adds the specified class Back Returns to prev...

Page 377: ...scription 4 Click Add Figure 190 Creating a Class Map To edit the rules for a class map 1 Click QoS DiffServ Class Map 2 Select the name of a class map 3 Click Edit Rules 4 Specify type of traffic for this class based on an access list a DSCP or IP Precedence value or a VLAN You can specify up to 16 items to match when assigning ingress traffic to a class map 5 Click Add ...

Page 378: ...ing and enforce bandwidth policing A policy map can then be bound by a service policy to one or more interfaces page 382 Configuring QoS policies requires several steps A class map must first be configured which indicates how to match the inbound packets according to an access list a DSCP or IP Precedence value or a member of specific VLAN A policy map is then configured which indicates the bounda...

Page 379: ...tings page 382 You can configure up to 64 policers i e meters or class maps for each of the following access list types MAC ACL IP ACL or IPv6 ACL Also note that the maximum number of classes that can be applied to a policy map is 200 Policing is based on a token bucket where bucket depth i e the maximum burst before the bucket overflows is specified by the Burst field and the average rate at whic...

Page 380: ...tching packet as specified in Match Class Settings on page 375 Meter The maximum throughput and burst rate Rate kbps Rate in kilobits per second Burst bytes Burst in bytes Exceed Action Specifies whether the traffic that exceeds the specified rate will be dropped or the DSCP service level will be reduced Remove Class Deletes a class Policy Options Class Name Name of class map Action Configures the...

Page 381: ...e policy map WEB INTERFACE 1 Click QoS DiffServ Policy Map 2 Click Add Policy 3 Enter a policy name and a description 4 Click Add Figure 192 Creating a Policy Map To edit the rules for a policy map 1 Click QoS DiffServ Policy Map 2 Select the name of a policy map 3 Click Edit Rules 4 Set the CoS or IP DSCP for matching packets to specify the quality of service to be assigned to the matching traffi...

Page 382: ...Service Policy page to bind a policy map to an ingress port CLI REFERENCES Quality of Service Commands on page 848 COMMAND USAGE First define a class map define a policy map and bind the service policy to the required interface Only one policy map can be bound to an interface The switch does not allow a policy map to be bound to an interface for egress traffic ...

Page 383: ...led Check this to enable a policy map on the specified port Policy Map Select the appropriate policy map from the scroll down box WEB INTERFACE To bind a policy map to a port 1 Click QoS DiffServ Service Policy 2 Check the box under the Ingress field to enable a policy map for a port 3 Select a policy map from the scroll down box 4 Click Apply Figure 194 Attaching a Policy Map to a Port ...

Page 384: ...packet delays packet loss and jitter This is best achieved by assigning all VoIP traffic to a single Voice VLAN The use of a Voice VLAN has several advantages It provides security by isolating the VoIP traffic from other data traffic End to end QoS policies and high priority can be applied to VoIP VLAN traffic across the network guaranteeing the bandwidth it needs VLAN isolation also protects agai...

Page 385: ...uto Detection Status Enables the automatic detection of VoIP traffic on switch ports Default Disabled Voice VLAN ID Sets the Voice VLAN ID for the network Only one Voice VLAN is supported and it must already be created on the switch Range 1 4094 Voice VLAN Aging Time The time after which a port is removed from the Voice VLAN when VoIP traffic is no longer received on the port Range 5 43200 minutes...

Page 386: ...Auto The port will be added as a tagged member to the Voice VLAN when VoIP traffic is detected on the port You must select a method for detecting VoIP traffic either OUI or 802 1ab LLDP When OUI is selected be sure to configure the MAC address ranges in the Telephony OUI list Manual The Voice VLAN feature is enabled on the port but the port must be manually added to the Voice VLAN Security Enables...

Page 387: ...urned on See Link Layer Discovery Protocol for more information on LLDP Priority Defines a CoS priority for port traffic on the Voice VLAN The priority of any received VoIP packet is overwritten with the new priority when the Voice VLAN feature is active for the port Range 0 6 Default 6 Remaining Age Number of minutes before this entry is aged out WEB INTERFACE To configure VoIP traffic settings f...

Page 388: ...e parameters are displayed Telephony OUI Specifies a MAC address range to add to the list Enter the MAC address in format 01 23 45 67 89 AB Mask Identifies a range of MAC addresses Selecting a mask of FF FF FF 00 00 00 identifies all devices with the same OUI the first three octets Other masks restrict the MAC address range Selecting FF FF FF FF FF FF specifies a single MAC address Default FF FF F...

Page 389: ...CHAPTER 17 VoIP Traffic Configuration Configuring Telephony OUI 389 ...

Page 390: ...audio A multicast server does not have to establish a separate connection with each client It merely broadcasts its service to the network and any hosts that want to receive the multicast register with their local multicast switch router Although this approach reduces the network overhead required by a multicast server the broadcast traffic must be carefully pruned at every multicast switch router...

Page 391: ...h need to forward multicast traffic IGMP Snooping conserves bandwidth on network segments where no node has expressed interest in receiving a specific multicast service For switches that do not support multicast routing or where multicast routing is already enabled on other switches in the local network segment IGMP Snooping is the only service required to support multicast filtering When using IG...

Page 392: ...h connected over the network to an interface on your switch page 396 This interface will then join all the current multicast groups supported by the attached router switch to ensure that multicast traffic is passed to all appropriate interfaces within the switch CONFIGURING IGMP SNOOPING AND QUERY PARAMETERS Use the IGMP Snooping IGMP Configuration page to configure the switch to forward multicast...

Page 393: ...port in the group the receiving port is not a router port and no IGMPv1 member port exists in the group the switch will generate and send a GS query to the member port which received the leave message and then start the last member query timer for that port When the conditions in the preceding item all apply except that the receiving port is a router port then the switch will not send a GS query b...

Page 394: ...ort query version used by IGMP snooping Versions 1 3 are all supported and versions 2 and 3 are backward compatible so the switch can operate with other devices regardless of the snooping version employed WEB INTERFACE To configure general settings for IGMP Snooping and Query 1 Click IGMP Snooping IGMP Configuration 2 Adjust the IGMP settings as required 3 Click Apply Figure 199 Configuring Genera...

Page 395: ...nected to only one IGMP enabled device either a service host or a neighbor running IGMP snooping Immediate leave is only effective if IGMP snooping is enabled and IGMPv2 or IGMPv3 snooping is used Immediate leave does not apply to a port if the switch has learned that a multicast router is attached to it Immediate leave can improve bandwidth usage for a network which frequently experiences many IG...

Page 396: ...ulticast Router List Multicast routers dynamically discovered by this switch or those that are statically assigned to an interface on this switch WEB INTERFACE To show the static interfaces attached to a multicast router 1 Click IGMP Snooping Multicast Router Port Information 2 Select the VLAN for which to display this information Figure 201 Showing Static Interfaces Attached a Multicast Router SP...

Page 397: ...ticast router WEB INTERFACE To specify a static interface attached to a multicast router 1 Click IGMP Snooping Multicast Router Port Configuration 2 Select the port or trunk attached to the multicast router and the VLAN which will forward all the corresponding multicast traffic 3 Click Apply Figure 202 Configuring a Static Interface for a Multicast Router DISPLAYING PORT MEMBERS OF MULTICAST SERVI...

Page 398: ...Figure 203 Showing Port Members of Multicast Services ASSIGNING INTERFACES TO MULTICAST SERVICES Use the IGMP Snooping IGMP Member Port Table to statically assign a multicast service to an interface Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages see Configuring IGMP Snooping and Query Parameters However for certain applications that require tighter co...

Page 399: ...y the interface attached to a multicast service through an IGMP enabled switch or multicast router select the VLAN that will propagate the multicast service and enter the multicast IP address 3 Click Apply Figure 204 Assigning an Interface to a Multicast Service FILTERING AND THROTTLING IGMP GROUPS In certain switch applications the administrator may want to control the multicast services that are...

Page 400: ...an existing group and replaces it with the new multicast group NOTE IGMP filtering and throttling only applies to dynamically learned multicast groups It does not apply to statically configured groups ENABLING IGMP FILTERING AND THROTTLING Use the IGMP Snooping IGMP Filter Configuration page to enable IGMP filtering and throttling globally on the switch CLI REFERENCES ip igmp filter Global Configu...

Page 401: ...y entering the same IP address for the start and end of the range PARAMETERS These parameters are displayed Profile ID Creates an IGMP profile Range 1 4294967295 Access Mode Sets the access mode of the profile either permit or deny Default Deny When the access mode is set to permit IGMP join reports are processed when a multicast group falls within the controlled range When the access mode is set ...

Page 402: ...and Throttling Port Configuration or Trunk Configuration page to assign and IGMP filter profile to interfaces on the switch or to throttle multicast traffic by limiting the maximum number of multicast groups an interface can join at the same time CLI REFERENCES IGMP Filtering and Throttling on page 871 COMMAND USAGE IGMP throttling sets a maximum number of multicast groups that a port can join at ...

Page 403: ...face has joined Throttling Action Mode Sets the action to take when the maximum number of multicast groups for the interface has been exceeded Default Deny deny The new multicast group join report is dropped replace The new multicast group replaces an existing group Throttling Status Indicates if the throttling action has been implemented on the interface Options True or False Trunk Indicates if a...

Page 404: ... traffic into other VLANs to which the subscribers belong Even though common multicast streams are passed onto different VLAN groups from the MVR VLAN users in different IEEE 802 1Q or private VLANs cannot exchange any information except through upper level routing services Figure 208 MVR Concept COMMAND USAGE General Configuration Guidelines for MVR 1 Enable MVR globally on the switch select the ...

Page 405: ...ERS These parameters are displayed MVR Status When MVR is enabled on the switch any multicast data associated with an MVR group is sent from all designated source ports to all receiver ports that have registered to receive data from that multicast group Default Disabled MVR Running Status Indicates whether or not all necessary conditions in the MVR environment are satisfied Running status is Activ...

Page 406: ...ing Global Settings for MVR DISPLAYING MVR INTERFACE STATUS Use the MVR Port Information or Trunk Information page to display information about the interfaces attached to the MVR VLAN CLI REFERENCES show mvr on page 887 PARAMETERS These parameters are displayed Type Shows the MVR port type Oper Status Shows the link status MVR Status Shows the MVR status MVR status for source ports is Active if MV...

Page 407: ...mation Figure 210 Displaying MVR Interface Status DISPLAYING PORT MEMBERS OF MULTICAST GROUPS Use the MVR Group IP Information page to display the multicast groups assigned to the MVR VLAN either through IGMP snooping or static configuration CLI REFERENCES show mvr on page 887 PARAMETERS These parameters are displayed Group IP Multicast groups assigned to the MVR VLAN Group Port List Shows the int...

Page 408: ...P snooping to join or leave any other multicast groups using the standard rules for multicast filtering Receiver ports can belong to different VLANs but should not be configured as a member of the MVR VLAN IGMP snooping is used to allow a receiver port to dynamically join or leave multicast groups within an MVR VLAN Multicast groups can also be statically assigned to a receiver port see Assigning ...

Page 409: ...interface types are supported Source An uplink port that can send and receive multicast data for the groups assigned to the MVR VLAN Note that the source port must be manually configured as a member of the MVR VLAN see Adding Static Members to VLANs Receiver A subscriber port that can receive multicast data sent through the MVR VLAN Any port configured as an receiver port will be dynamically added...

Page 410: ...ation page to statically bind multicast groups to a port which will receive long term multicast streams associated with a stable set of hosts CLI REFERENCES mvr group on page 883 COMMAND USAGE Any multicast groups that use the MVR VLAN must be statically assigned to it under the MVR Configuration menu see Configuring Global MVR Settings The IP address range from 224 0 0 0 to 239 255 255 255 is use...

Page 411: ...ADDRESSES Multicast traffic forwarded to subscribers is normally stripped of frame tags to prevent hosts from discovering the identity of the MVR VLAN An MVR Receiver VLAN and the multicast services supported by this VLAN can be configured to hide the MVR VLAN while allowing multicast traffic with frame tags to be forwarded to subscribers If a port is manually assigned to the receiver VLAN as a ta...

Page 412: ...Group Addresses DISPLAYING MVR RECEIVER GROUPS Use the MVR Receiver Group IP Information page to display the interfaces assigned to the MVR receiver groups CLI REFERENCES show mvr on page 887 PARAMETERS These parameters are displayed Group IP Address Multicast groups assigned to the MVR VLAN Group Port List Shows the interfaces with subscribers for multicast services provided through the MVR Recei...

Page 413: ...icates a port or trunk Member List Multicast receiver groups assigned to the selected interface Note that the displayed multicast services have been configured as a receiver group to be managed through the MVR receiver VLAN see Configuring MVR Receiver VLAN and Group Addresses WEB INTERFACE To statically assign a multicast receiver group to the selected interface 1 Click Multicast Receiver Group M...

Page 414: ...CHAPTER 18 Multicast Filtering Multicast VLAN Registration 414 Figure 216 Configuring Static MVR Receiver Group Members ...

Page 415: ...le DNS service on this switch first configure one or more name servers and then enable domain lookup status To append domain names to incomplete host names received from a DNS client i e not formatted with dotted notation you can specify a default domain name or a list of domain names to be tried in sequential order If there is no domain list the default domain name is used If there is a domain li...

Page 416: ...ed to incomplete host names Range 1 64 alphanumeric characters 1 5 names Name Server List Specifies the address of one or more domain name servers to use for name to address resolution Range 1 6 IP addresses WEB INTERFACE To configure general settings for DNS 1 Click DNS General Configuration 2 Enable domain lookup status set the default domain name or list of domain names and specify one or more ...

Page 417: ...Servers or other network devices may support one or more connections via multiple IP addresses If more than one IP address is associated with a host name in the static table or via information returned from a name server a DNS client can try each address in succession until it establishes a connection with the target device PARAMETERS These parameters are displayed Host Name Name of a host device ...

Page 418: ...REFERENCES show dns cache on page 927 PARAMETERS These parameters are displayed No The entry number for each resource record Flag The flag is always 4 indicating a cache entry and therefore unreliable Type This field includes CNAME which specifies the host address for the owner and ALIAS which specifies an alias IP The IP address associated with this record TTL The time to live reported by the nam...

Page 419: ...CHAPTER 19 Domain Name Service Displaying the DNS Cache 419 WEB INTERFACE To display entries in the DNS cache 1 Click DNS Cache Figure 219 Showing Entries in the DNS Cache ...

Page 420: ...ands on page 516 Flow Sampling Commands on page 535 Authentication Commands on page 542 General Security Measures on page 602 Access Control Lists on page 649 Interface Commands on page 671 Link Aggregation Commands on page 690 Power over Ethernet Commands on page 701 Port Mirroring Commands on page 708 Rate Limit Commands on page 711 Automatic Traffic Control Commands on page 713 Loopback Detecti...

Page 421: ... 792 Class of Service Commands on page 840 Quality of Service Commands on page 848 Multicast Filtering Commands on page 859 MLD Snooping Commands on page 891 LLDP Commands on page 898 Domain Name Service Commands on page 921 DHCP Commands on page 929 IP Interface Commands on page 937 ...

Page 422: ...console prompt enter the user name and password The default user names are admin and guest with corresponding passwords of admin and guest When the administrator user name and password is entered the CLI displays the Console prompt and enters privileged access mode i e Privileged Exec But when the guest user name and password is entered the CLI displays the Console prompt and enters normal access ...

Page 423: ... 254 Console config If your corporate network is connected to another network outside your office or to the Internet you need to apply for a registered IP address However if you are attached to an isolated network then you can use any IP address that matches the network segment to which you are attached After you configure the switch with an IP address you can open a Telnet session by performing t...

Page 424: ...ch command in the required order For example to enable Privileged Exec command mode and display the startup configuration enter Console enable Console show startup config To enter commands that require parameters enter the required parameters after the command keyword For example to set a password for the administrator enter Console config username admin password 0 smith MINIMUM ABBREVIATION The C...

Page 425: ...tion dot1q tunnel dot1q tunnel dot1x 802 1X content eaps Displays EAPS infomation erps Displays ERPS configuration garp GARP properties gvrp GVRP interface information history Shows history information hosts Host information interfaces Shows interface information ip IP information ipv6 IPv6 information l2protocol tunnel Layer 2 protocol tunneling configuration lacp LACP statistics line TTY line in...

Page 426: ...ows web authentication configuration Console show The command show interfaces will display the following information Console show interfaces brief brief interface description counters Interface counters information status Shows interface status switchport Shows interface switchport information transceiver Interface of transceiver information Console Show commands which display more than one page o...

Page 427: ... commands on the other hand modify interface parameters or enable certain switching functions These classes are further divided into different modes Available commands depend on the selected mode You can always enter a question mark at the prompt to display a list of the commands available for the current mode The command classes and associated modes are displayed in the following table EXEC COMMA...

Page 428: ...level commands used to modify switch settings These commands modify the running configuration only and are not saved when the switch is rebooted To store the running configuration in non volatile storage use the copy running config startup config command The configuration commands are organized into different modes Access Control List Configuration These commands are used for packet filtering Clas...

Page 429: ...the command configure in Privileged Exec mode The system prompt will change to Console config which gives you access privilege to all Global Configuration commands Console configure Console config To enter the other modes at the configuration prompt type one of the following commands Use the exit or end command to return to the Privileged Exec mode Table 32 Configuration Command Modes Mode Command...

Page 430: ...fig sg tacacs 560 Time Range time range Console config time range 504 VLAN vlan database Console config vlan 798 Table 32 Configuration Command Modes Continued Mode Command Prompt Page Table 33 Keystroke Commands Keystroke Function Ctrl A Shifts cursor to start of command line Ctrl B Shifts cursor to the left one character Ctrl C Terminates the current task and displays the command prompt Ctrl E S...

Page 431: ...mmands can be broken down into the functional groups shown below Table 34 Command Group Index Command Group Description Page General Basic commands for entering privileged access mode restarting the system or quitting the CLI 434 System Management Display and setting of system information basic modes of operation maximum frame size file management console port and telnet settings system logs SMTP ...

Page 432: ...n Configures detection of loopback conditions caused by hardware problems or faulty protocol settings 727 Address Table Configures the address table for filtering specified addresses displays current entries clears the table or sets the aging time 732 Spanning Tree Configures Spanning Tree settings for the switch 736 Ethernet Automatic Protection Switching Configures EAPS for increased availabilit...

Page 433: ...GC Global Configuration IC Interface Configuration IPC IGMP Profile Configuration LC Line Configuration MST Multiple Spanning Tree NE Normal Exec PE Privileged Exec PM Policy Map Configuration SG Server Group TR Time Range Configuration VC VLAN Database Configuration Dynamic Host Configuration Protocol Configures DHCP client functions 929 IP Interface Configures IP address for the switch 937 Table...

Page 434: ...tarts the system at a specified time after a specified delay or at a periodic interval GC enable Activates privileged mode NE quit Exits a CLI session NE PE show history Shows the command history buffer NE PE configure Activates global configuration mode PE disable Returns to normal mode from privileged mode PE reload Restarts the system immediately PE show reload Displays the current reload setti...

Page 435: ...which to reload Range 0 23 minute The minute at which to reload Range 0 59 month The month at which to reload january december day The day of the month at which to reload Range 1 31 year The year at which to reload Range 2001 2050 reload in An interval after which to reload the switch hours The number of hours combined with the minutes before the switch resets Range 0 576 minutes The number of min...

Page 436: ...2007 Are you sure to reboot the system at the specified time y n enable This command activates Privileged Exec mode In privileged mode additional commands are available and certain commands display additional information See Understanding Command Modes SYNTAX enable level level Privilege level to log into the device The device has two predefined privilege levels 0 Normal Exec 15 Privileged Exec En...

Page 437: ... Exec COMMAND USAGE The quit and exit commands can both exit the configuration program EXAMPLE This example shows how to quit a CLI session Console quit Press ENTER to start session User Access Verification Username show history This command shows the contents of the command history buffer DEFAULT SETTING None COMMAND MODE Normal Exec Privileged Exec COMMAND USAGE The history buffer size is fixed ...

Page 438: ...and history buffer when you are in any of the configuration modes In this example the 2 command repeats the second command in the Execution history buffer config Console 2 Console config Console config configure This command activates Global Configuration mode You must enter this mode to modify any settings on the switch You must also enter Global Configuration mode prior to enabling some of the o...

Page 439: ...cate that the system is in normal access mode EXAMPLE Console disable Console RELATED COMMANDS enable 436 reload Privileged Exec This command restarts the system NOTE When the system is restarted it will always run the Power On Self Test It will also retain all configuration information stored in non volatile memory by the copy running config startup config command DEFAULT SETTING None COMMAND MOD...

Page 440: ...days 0 hours 29 minutes 52 seconds Console end This command returns to Privileged Exec mode DEFAULT SETTING None COMMAND MODE Global Configuration Interface Configuration Line Configuration VLAN Database Configuration and Multiple Spanning Tree Configuration EXAMPLE This example shows how to return to the Privileged Exec mode from the Interface Configuration mode Console config if end Console exit...

Page 441: ...1 EXAMPLE This example shows how to return to the Privileged Exec mode from the Global Configuration mode and then quit the CLI session Console config exit Console exit Press ENTER to start session User Access Verification Username ...

Page 442: ...les support for jumbo frames File Management Manages code image or switch configuration files Line Sets communication parameters for the serial port including baud rate and console time out Event Logging Controls logging of error messages SMTP Alerts Configures SMTP email alerts Time System Clock Sets the system clock automatically via NTP SNTP server or manually Time Range Sets a time range for u...

Page 443: ...d is automatically displayed before login as soon as a console or telnet connection has been established Table 38 Banner Commands Command Function Mode banner configure Configures the banner information that is displayed before login GC banner configure company Configures the Company information that is displayed by banner GC banner configure dc power info Configures the DC Power information that ...

Page 444: ...mple a mistake is made in the company name it can be corrected with the banner configure company command EXAMPLE Console config banner configure Company Smartlink Network Systems Limited Responsible department R D Dept Name and telephone to Contact the management people Manager1 name Sr Network Admin phone number 123 555 1212 Manager2 name Jr Network Admin phone number 123 555 1213 Manager3 name N...

Page 445: ...e company information displayed in the banner Use the no form to remove the company name from the banner display SYNTAX banner configure company name no banner configure company name The name of the company Maximum length 32 characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE Input strings cannot contain spaces The banner configure company command interprets spaces as d...

Page 446: ...e COMMAND MODE Global Configuration COMMAND USAGE Input strings cannot contain spaces The banner configure dc power info command interprets spaces as data input boundaries The use of underscores _ or other unobtrusive non letter characters is suggested for situations where white space is necessary for clarity EXAMPLE Console config banner configure dc power info floor 3 row 15 rack 24 electrical c...

Page 447: ...SYNTAX banner configure equipment info manufacturer id mfr id floor floor id row row id rack rack id shelf rack sr id manufacturer mfr name no banner configure equipment info floor manufacturer manufacturer id rack row shelf rack mfr id The name of the device model number floor id The floor number row id The row number rack id The rack number sr id The shelf number in the rack mfr name The name of...

Page 448: ... None COMMAND MODE Global Configuration COMMAND USAGE Input strings cannot contain spaces The banner configure equipment location command interprets spaces as data input boundaries The use of underscores _ or other unobtrusive non letter characters is suggested for situations where white space is necessary for clarity EXAMPLE Console config banner configure equipment location 710_Network_Path _Ind...

Page 449: ...figure lp number This command is used to configure the LP number information displayed in the banner Use the no form to restore the default setting SYNTAX banner configure lp number lp num no banner configure lp number lp num The LP number Maximum length 32 characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE Input strings cannot contain spaces The banner configure lp nu...

Page 450: ...umber The phone number of the third manager Maximum length of each parameter 32 characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE Input strings cannot contain spaces The banner configure manager info command interprets spaces as data input boundaries The use of underscores _ or other unobtrusive non letter characters is suggested for situations where white space is ne...

Page 451: ...he no form to restore the default setting SYNTAX banner configure note note info no banner configure note note info Miscellaneous information that does not fit the other banner categories or any other information of importance to users of the switch CLI Maximum length 150 characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE Input strings cannot contain spaces The banner ...

Page 452: ...ection describes commands used to display system information Table 39 System Status Commands Command Function Mode show access list tcam utilization Shows utilization parameters for TCAM PE show memory Shows memory utilization parameters NE PE show process cpu Shows CPU utilization parameters NE PE show running config Displays the configuration data currently in use PE show startup config Displays...

Page 453: ...CL to a port each rule in an ACL will use two PCEs and when setting an IP Source Guard filter rule for a port the system will also use two PCEs EXAMPLE Console show access list tcam utilization Total Policy Control Entries 512 Free Policy Control Entries 352 TCAM Utilization 31 25 Console show memory This command shows memory utilization parameters COMMAND MODE Normal Exec Privileged Exec COMMAND ...

Page 454: ... stored in non volatile memory This command displays settings for key command modes Each mode group is separated by symbols and includes the configuration mode command and corresponding commands This command displays the following information MAC address for the switch SNTP server settings SNMP community strings Users names access levels and encrypted passwords VLAN database VLAN ID name and state...

Page 455: ...3eddf27d254ca vlan database VLAN 1 name DefaultVlan media ethernet state active no vlan 4093 spanning tree mst configuration interface vlan 1 ip address dhcp interface ethernet 1 1 switchport allowed vlan add 1 untagged line console silent time 0 line VTY end Console RELATED COMMANDS show startup config 455 show startup config This command displays the configuration file stored in non volatile mem...

Page 456: ...xample for the running configuration file RELATED COMMANDS show running config 454 show system This command displays system information DEFAULT SETTING None COMMAND MODE Normal Exec Privileged Exec COMMAND USAGE For a description of the items shown by this command refer to Displaying System Information EXAMPLE Console show system System Description DIGISOL FE L2 Switch DG FS4528P System OID String...

Page 457: ...pport show system System Description DIGISOL FE L2 Switch DG FS4528P System OID String 1 3 6 1 4 1 36293 1 1 1 8 System Information System Up Time 0 days 2 hours 17 minutes and 6 23 seconds System Name NONE System Location NONE System Contact NONE MAC Address Unit1 00 17 7C 61 24 2F Web Server Enabled Web Server Port 80 Web Secure Server Enabled Web Secure Server Port 443 Telnet Server Enable Teln...

Page 458: ...admin 0 00 00 Console show version This command displays hardware and software version information for the system COMMAND MODE Normal Exec Privileged Exec COMMAND USAGE See Displaying Switch Hardware Software Versions for detailed information on the items displayed by this command EXAMPLE Console show version Unit 1 Serial Number A622016012 Hardware Version R01 Chip Device ID Marvell 98DX106 B0 88...

Page 459: ... that run only up to 1 5 KB using jumbo frames significantly reduces the per packet overhead required to process protocol encapsulation fields To use jumbo frames both the source and destination end nodes such as a computer or server must support this feature Also when the connection is operating at full duplex all switches in the network between the two end nodes must be able to accept the extend...

Page 460: ...me and then set as the startup file or the current startup configuration file can be specified as the destination file to directly replace it Note that the file Factory_Default_Config cfg can be copied to the FTP TFTP server but cannot be used as the destination on the switch Table 41 Flash File Commands Command Function Mode boot system Specifies the file or image used to start up the system GC c...

Page 461: ...ig Configuration file opcode Run time operation code filename Name of configuration file or code image The colon is required DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE A colon is required after the specified file type If the file contains an error it cannot be set as the default file EXAMPLE Console config boot system config startup Console config RELATED COMMANDS dir 466...

Page 462: ... a file ftp Keyword that allows you to copy to from an FTP server https certificate Keyword that allows you to copy the HTTPS secure site certificate public key Keyword that allows you to copy a SSH key from a TFTP server See Secure Shell running config Keyword that allows you to copy to from the current running configuration startup config The configuration used for system initialization tftp Key...

Page 463: ... shows how to download new firmware from a TFTP server Console copy tftp file TFTP server ip address 10 1 0 19 Choose file type 1 config 2 opcode 4 diag 5 loader 2 Source file name m360 bix Destination file name m360 bix Write to FLASH Programming Write to FLASH finish Success Console The following example shows how to upload the configuration settings to a file on the TFTP server Console copy fil...

Page 464: ...ificate Source private file name SS private Private password Success Console reload System will be restarted continue y n y This example shows how to copy a public key used by SSH from an TFTP server Note that public key authentication via SSH is only supported for users configured locally on the switch Console copy tftp public key TFTP server IP address 192 168 1 19 Choose public key type 1 RSA 2...

Page 465: ...the test2 cfg configuration file from flash memory Console delete test2 cfg Console RELATED COMMANDS dir 466 delete public key 575 delete non active This command deletes all configuration or operation code files which are not set as startup files SYNTAX delete non active config opcode config Switch configuration file opcode Run time operation code image file COMMAND MODE Privileged Exec COMMAND US...

Page 466: ...OM or diagnostic image file config Switch configuration file opcode Run time operation code image file filename Name of configuration file or code image If this file exists but contains errors information on this file cannot be shown DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE If you enter the command dir without any parameters the system displays all files File information is ...

Page 467: ...FAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE This example shows the information displayed by the whichboot command See the table under the dir command for a description of the file information displayed by this command Console whichboot File name File type Startup Size byte Unit1 DG FS4528P DIAG V1 2 1 0 bix Boot Rom Image Y 1404800 DG FS4528P_OP_V1 4 8 2 bix Operation Code Y 4842204 st...

Page 468: ...he system will be overwritten by the new version 2 After the image has been downloaded the switch will send a trap message to log whether or not the upgrade operation was successful 3 It sets the new version as the startup image 4 It then restarts the system to start using the new image Any changes made to the default setting can be displayed with the show running config or show startup config com...

Page 469: ...P bix However note that file name is not to be included in this command When specifying a TFTP server the following syntax must be used where filedir indicates the path to the directory containing the new image tftp 192 168 0 1 filedir When specifying an FTP server the following syntax must be used where filedir indicates the path to the directory containing the new image ftp username password 192...

Page 470: ...Applies an accounting method to local console Telnet or SSH connections LC authorization exec Applies an authorization method to local console Telnet or SSH connections LC databits Sets the number of data bits per character that are interpreted and generated by hardware LC exec timeout Sets the interval that the command interpreter waits until user input is detected LC login Enables password check...

Page 471: ...SAGE Telnet is considered a virtual terminal connection and will be shown as VTY in screen displays such as show users However the serial communication parameters e g databits do not affect Telnet connections EXAMPLE To enter console line mode enter the following command Console config line console Console config line RELATED COMMANDS show line 479 show users 457 disconnect Terminates a line conne...

Page 472: ... input from devices that generate 7 data bits with parity If parity is being generated specify 7 data bits per character If no parity is required specify 8 data bits per character EXAMPLE To specify 7 data bits enter this command Console config line databits 7 Console config line RELATED COMMANDS parity 474 exec timeout This command sets the interval that the system waits until user input is detec...

Page 473: ... local Selects local password checking Authentication is based on the user name specified with the username command DEFAULT SETTING login local COMMAND MODE Line Configuration COMMAND USAGE There are three authentication modes provided by the switch itself at login login selects authentication by a single global password as specified by the password line configuration command When using this metho...

Page 474: ...ATED COMMANDS username 544 password 475 parity This command defines the generation of a parity bit Use the no form to restore the default setting SYNTAX parity none even odd no parity none No parity even Even parity odd Odd parity DEFAULT SETTING No parity COMMAND MODE Line Configuration COMMAND USAGE Communication protocols provided by devices such as terminals and modems often require a specific...

Page 475: ...ection the system prompts for the password If you enter the correct password the system shows a prompt You can use the password thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state The encrypted password is required for compatibility with legacy password settings i e plain text o...

Page 476: ...fore allowing the next logon attempt Use the silent time command to set this interval When this threshold is reached for Telnet the Telnet logon interface shuts down EXAMPLE To set the password threshold to five attempts enter this command Console config line password thresh 5 Console config line RELATED COMMANDS silent time 476 silent time This command sets the amount of time the management conso...

Page 477: ...om terminal speeds Use the no form to restore the default setting SYNTAX speed bps no speed bps Baud rate in bits per second Options 9600 19200 38400 bps DEFAULT SETTING 115200 bps COMMAND MODE Line Configuration COMMAND USAGE Set the speed to match the baud rate of the device connected to the serial port Some baud rates available on devices connected to the port might not be supported The system ...

Page 478: ...esponse This command sets the interval that the system waits for a user to log into the CLI Use the no form to restore the default setting SYNTAX timeout login response seconds no timeout login response seconds Integer that specifies the timeout interval Range 0 300 seconds 0 disabled DEFAULT SETTING CLI Disabled 0 seconds Telnet 300 seconds COMMAND MODE Line Configuration COMMAND USAGE If a login...

Page 479: ...n SSH Telnet or console connection Range 0 4 COMMAND MODE Privileged Exec COMMAND USAGE Specifying session identifier 0 will disconnect the console connection Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection EXAMPLE Console disconnect 1 Console RELATED COMMANDS show ssh 578 show users 457 show line This command displays the terminal line s paramete...

Page 480: ...s commands used to configure event logging on the switch Table 44 Event Logging Commands Command Function Mode logging facility Sets the facility type for remote logging of syslog messages GC logging history Limits syslog messages saved to switch memory based on severity GC logging host Adds a syslog server host IP address that will receive logging messages GC logging on Controls logging of error ...

Page 481: ...y the syslog server to sort messages or to store messages in the corresponding database EXAMPLE Console config logging facility 19 Console config logging history This command limits syslog messages saved to switch memory based on severity The no form returns the logging of syslog messages to the default level SYNTAX logging history flash ram level no logging history flash ram flash Event history s...

Page 482: ...m to remove a syslog server host SYNTAX no logging host host ip address host ip address The IP address of a syslog server DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE Use this command more than once to build up a list of host IP addresses The maximum number of host IP addresses allowed is five 4 warnings Warning conditions e g return false unexpected return 3 errors Error c...

Page 483: ...error messages that are stored in memory You can use the logging trap command to control the type of error messages that are sent to specified syslog servers EXAMPLE Console config logging on Console config RELATED COMMANDS logging history 481 logging trap 483 clear log 484 logging trap This command enables the logging of system messages to a remote server or limits the syslog messages saved to a ...

Page 484: ...level also enables remote logging but restores the minimum severity level to the default EXAMPLE Console config logging trap 4 Console config clear log This command clears messages from the log buffer SYNTAX clear log flash ram flash Event history stored in flash memory i e permanent memory ram Event history stored in temporary RAM i e memory flushed on power reset DEFAULT SETTING Flash and RAM CO...

Page 485: ...module 5 function 1 and event no 1 0 00 01 30 2001 01 01 Unit 1 Port 1 link up notification level 6 module 5 function 1 and event no 1 Console show logging This command displays the configuration settings for logging messages to local switch memory to an SMTP event handler or to a remote syslog server SYNTAX show logging flash ram sendmail trap flash Displays settings for storing event messages in...

Page 486: ...ddress 0 0 0 0 REMOTELOG server IP Address 0 0 0 0 Console Table 46 show logging flash ram display description Field Description Syslog logging Shows if system logging has been enabled via the logging on command History logging in FLASH The message level s reported based on the logging history command History logging in RAM The message level s reported based on the logging history command Table 47...

Page 487: ...il This command specifies the email recipients of alert messages Use the no form to remove a recipient SYNTAX no logging sendmail destination email email address email address The source email address used in alert messages Range 1 41 characters Table 48 Event Logging Commands Command Function Mode logging sendmail Enables SMTP event handling GC logging sendmail destination email Email recipients ...

Page 488: ...ETTING None COMMAND MODE Global Configuration COMMAND USAGE You can specify up to three SMTP servers for event handing However you must enter a separate command to specify each server To send email alerts the switch first opens a connection sends all the email alerts waiting in the queue one by one and finally closes the connection To open a connection the switch first selects the server that succ...

Page 489: ...e configured email recipients For example using Level 7 will report all events from level 7 to level 0 EXAMPLE This example will send email alerts for system errors from level 3 through 0 Console config logging sendmail level 3 Console config logging sendmail source email This command sets the email address used for the From field in alert messages Use the no form to restore the default value SYNT...

Page 490: ...cified time servers NTP or SNTP Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries If the clock is not set the switch will only record the time from the factory default set at the last bootup Table 49 Time Commands Command Function Mode SNTP Commands sntp client Accepts time from specified time servers GC sntp poll Sets the inte...

Page 491: ...ntp poll command EXAMPLE Console config sntp server 10 1 0 19 Console config sntp poll 60 Console config sntp client Console config end Console show sntp ntp server Specifies NTP servers to poll for time updates GC show ntp Shows current NTP configuration settings NE PE Manual Configuration Commands clock summer time date Configures summer time for the switch s internal clock GC clock summer time ...

Page 492: ...YNTAX sntp poll seconds no sntp poll seconds Interval between time requests Range 16 16384 seconds DEFAULT SETTING 16 seconds COMMAND MODE Global Configuration EXAMPLE Console config sntp poll 60 Console RELATED COMMANDS sntp client 491 sntp server This command sets the IP address of the servers to which SNTP time requests are issued Use the this command with no arguments to clear all time servers...

Page 493: ...r 10 1 0 19 Console RELATED COMMANDS sntp client 491 sntp poll 492 show sntp 493 show sntp This command displays the current time and configuration settings for the SNTP client and indicates whether or not the local time has been properly updated COMMAND MODE Normal Exec Privileged Exec COMMAND USAGE This command displays the current time the poll interval used for sending time synchronization req...

Page 494: ... match on both the server and client EXAMPLE Console config ntp authenticate Console config RELATED COMMANDS ntp authentication key 494 ntp authentication key This command configures authentication keys and key numbers to use when NTP authentication is enabled Use the no form of the command to clear a specific authentication key or all keys from the current list SYNTAX ntp authentication key numbe...

Page 495: ...e config RELATED COMMANDS ntp authenticate 494 ntp client This command enables NTP client requests for time synchronization from NTP time servers specified with the ntp servers command Use the no form to disable NTP client requests SYNTAX no ntp client DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE The SNTP and NTP clients cannot be enabled at the same time First disable ...

Page 496: ...65535 DEFAULT SETTING Version number 3 COMMAND MODE Global Configuration COMMAND USAGE This command specifies time servers that the switch will poll for time updates when set to NTP client mode It issues time synchronization requests based on the interval set with the ntp poll command The client will poll all the time servers configured the responses received are filtered and compared to determine...

Page 497: ... sending time synchronization requests and the current NTP mode i e unicast EXAMPLE Console show ntp Current Time Jan 1 00 09 30 2001 Polling 1024 seconds Current Mode unicast NTP Status Enabled NTP Authenticate Status Enabled Last Update NTP Server 0 0 0 0 Port 0 Last Update Time Dec 31 00 00 00 2000 UTC NTP Server 192 168 3 20 version 3 NTP Server 192 168 3 21 version 3 NTP Server 192 168 3 22 v...

Page 498: ...The hour summer time will begin Range 0 23 hours b minute The minute summer time will begin Range 0 59 minutes e month The month when summer time will end Options january february march april may june july august september october november december e day The day summer time will end Options sunday monday tuesday wednesday thursday friday saturday e year The year summer time will end e hour The hou...

Page 499: ...e predefined australia europe new zealand usa no clock summer time name Name of the timezone while summer time is in effect usually an acronym Range 1 30 characters DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE In some countries or regions clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less This is known as Summer Ti...

Page 500: ...ay The day of the week when summer time will begin Options sunday monday tuesday wednesday thursday friday saturday b month The month when summer time will begin Options january february march april may june july august september october november december b hour The hour when summer time will begin Range 0 23 hours b minute The minute when summer time will begin Range 0 59 minutes e week The week ...

Page 501: ...nfiguration COMMAND USAGE In some countries or regions clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less This is known as Summer Time or Daylight Savings Time DST Typically clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn This command sets the summer time time zone relative to the currently con...

Page 502: ...TC formerly Greenwich Mean Time or GMT based on the earth s prime meridian zero degrees longitude To display a time corresponding to your local time you must indicate the number of hours and minutes your time zone is east before or west after of UTC EXAMPLE Console config clock timezone Japan hours 8 minute 0 after UTC Console config RELATED COMMANDS show sntp 493 clock timezone predefined This co...

Page 503: ...fig clock timezone predefined GMT 0930 Taiohae Console config RELATED COMMANDS show sntp 493 calendar set This command sets the system clock It may be used if there is no time server on your network or if you have not configured the switch to receive signals from a time server SYNTAX calendar set hour min sec day month year month day year hour Hour in 24 hour format Range 0 23 min Minute Range 0 5...

Page 504: ...s a time range for use by other functions such as Access Control Lists time range This command specifies the name of a time range and enters time range configuration mode Use the no form to remove a previously specified time range SYNTAX no time range name name Name of the time range Range 1 30 characters Table 51 Time Range Commands Command Function Mode time range Specifies the name of a time ra...

Page 505: ...o remove a previously specified time SYNTAX absolute start hour minute day month year end hour minutes day month year absolute end hour minutes day month year no absolute hour Hour in 24 hour format Range 0 23 minute Minute Range 0 59 day Day of month Range 1 31 month january february march april may june july august september october november december year Year 4 digit Range 2009 2109 DEFAULT SET...

Page 506: ...y saturday sunday thursday tuesday wednesday weekdays weekend hour minute to daily friday monday saturday sunday thursday tuesday wednesday weekdays weekend hour minute daily Daily friday Friday monday Monday saturday Saturday sunday Sunday thursday Thursday tuesday Tuesday wednesday Wednesday weekdays Weekdays weekend Weekends hour Hour in 24 hour format Range 0 23 minute Minute Range 0 59 DEFAUL...

Page 507: ... are connected to the same local network Using Switch Clustering A switch cluster has a primary unit called the Commander which is used to manage all other Member switches in the cluster The management station can use either Telnet or the web interface to communicate directly with the Commander through its IP address and Table 52 Switch Cluster Commands Command Function Mode cluster Configures clu...

Page 508: ...ent connection to the Commander When using a console connection from the Commander CLI prompt use the rcommand to connect to the Member switch cluster This command enables clustering on the switch Use the no form to disable clustering SYNTAX no cluster DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE To create a switch cluster first be sure that clustering is enabled on the...

Page 509: ...idate switches only become cluster Members when manually selected by the administrator through the management station Cluster Member switches can be managed through a Telnet connection to the Commander From the Commander CLI prompt use the rcommand id command to connect to the Member switch EXAMPLE Console config cluster commander Console config cluster ip pool This command sets the cluster IP add...

Page 510: ...ange the cluster IP pool when the switch is currently in Commander mode Commander mode must first be disabled EXAMPLE Console config cluster ip pool 10 2 3 4 Console config cluster member This command configures a Candidate switch as a cluster Member Use the no form to remove a Member switch from the cluster SYNTAX cluster member mac address mac address id member id no cluster member id member id ...

Page 511: ...r switch Managing cluster Members using the local console CLI on the Commander is not supported There is no need to enter the username and password for access to the Member switch CLI EXAMPLE Console rcommand id 1 CLI session with the DG FS4528P is opened To end the CLI session enter Exit Vty 0 show cluster This command shows the switch clustering configuration COMMAND MODE Privileged Exec EXAMPLE...

Page 512: ...7C 00 00 FE DIGISOL FE L2 Switch DG FS4528P CANDIDATE 00 17 7C 0B 47 A0 DIGISOL FE L2 Switch DG FS4528P Console UPNP Universal Plug and Play UPnP is a set of protocols that allows devices to connect seamlessly and simplifies the deployment of home and office networks UPnP achieves this by issuing UPnP device control protocols designed upon open Internet based communication standards The commands d...

Page 513: ...e Console config upnp device Console config RELATED COMMANDS upnp device ttl 513 upnp device advertise duration 514 upnp device ttl This command sets the time to live TTL value for sending of UPnP messages from the device SYNTAX upnp device ttl value value The number of router hops a UPnP packet can travel before it is discarded Range 1 255 DEFAULT SETTING 4 COMMAND MODE Global Configuration upnp ...

Page 514: ...resence on the local network SYNTAX upnp device advertise duration value value A time out value expressed in seconds Range 6 86400 seconds DEFAULT SETTING 100 seconds COMMAND MODE Global Configuration EXAMPLE In the following example the device advertise duration is set to 200 seconds Console config upnp device advertise duration 200 Console config RELATED COMMANDS upnp device ttl 513 show upnp Th...

Page 515: ...CHAPTER 22 System Management Commands UPnP 515 TTL 20 Console ...

Page 516: ...s to these groups along with their specific authentication and privacy passwords Table 54 SNMP Commands Command Function Mode General SNMP Commands snmp server Enables the SNMP agent GC snmp server community Sets up the community access string to permit access to SNMP commands GC snmp server contact Sets the system contact string GC snmp server location Sets the system location string GC show snmp...

Page 517: ...alarm fire Sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control IC Port snmp server enable port traps atc broadcast control apply Sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires IC Port snmp server enable port traps atc broadcast control release Sends a trap when broadcast traffic falls b...

Page 518: ...ess Authorized management stations are only able to retrieve MIB objects rw Specifies read write access Authorized management stations are able to both retrieve and modify MIB objects DEFAULT SETTING public Read only access Authorized management stations are only able to retrieve MIB objects private Read write access Authorized management stations are able to both retrieve and modify MIB objects C...

Page 519: ...orm to remove the location string SYNTAX snmp server location text no snmp server location text String that describes the system location Maximum length 255 characters DEFAULT SETTING None COMMAND MODE Global Configuration EXAMPLE Console config snmp server location WC 19 Console config RELATED COMMANDS snmp server contact 518 show snmp This command can be used to check the status of SNMP communic...

Page 520: ...Bad SNMP version errors 0 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors 0 Number of requested variables 0 Number of altered variables 0 Get request PDUs 0 Get next PDUs 0 Set request PDUs 0 SNMP packets output 0 Too big errors 0 No such name errors 0 Bad values errors 0 General errors 0 Response PDUs 0 Trap PDUs SNMP Logging Disabled Console snmp server e...

Page 521: ... encryption of packets passed between the switch and a user on the remote host SNMP passwords are localized using the engine ID of the authoritative agent For informs the authoritative SNMP agent is the remote agent You therefore need to configure the remote agent s SNMP engine ID before you can send proxy requests or informs to it Trailing zeroes need not be entered to uniquely specify a engine I...

Page 522: ... the view for notifications 1 32 characters DEFAULT SETTING Default groups public14 read only private15 read write readview Every object belonging to the Internet OID space 1 writeview Nothing is defined notifyview Nothing is defined COMMAND MODE Global Configuration COMMAND USAGE A group sets the access policy for the assigned users When authentication is selected the MD5 or SHA algorithm is used...

Page 523: ... password Authentication password Enter as plain text if the encrypted option is not used Otherwise enter an encrypted password A minimum of eight characters is required priv des56 Uses SNMPv3 with privacy with DES56 encryption priv password Privacy password Enter as plain text if the encrypted option is not used Otherwise enter an encrypted password DEFAULT SETTING None COMMAND MODE Global Config...

Page 524: ...onfig snmp server user steve group r d v3 auth md5 greenpeace priv des56 einstien Console config snmp server user mark group r d remote 192 168 1 19 v3 auth md5 greenpeace priv des56 einstien Console config snmp server view This command adds an SNMP view which controls user access to the MIB Use the no form to remove an SNMP view SYNTAX snmp server view view name oid tree included excluded no snmp...

Page 525: ...g show snmp engine id This command shows the SNMP engine ID COMMAND MODE Privileged Exec EXAMPLE This example shows the default engine ID Console show snmp engine id Local SNMP EngineID 8000002a80000000177c666672 Local SNMP EngineBoots 1 Remote SNMP EngineID IP address 80000000030004e2b316c54321 192 168 1 19 Console Table 55 show snmp engine id display description Field Description Local SNMP engi...

Page 526: ...e Storage Type volatile Row Status active Group Name public Security Model v2c Read View defaultview Write View none Notify View none Storage Type volatile Row Status active Group Name private Security Model v1 Read View defaultview Write View defaultview Notify View none Storage Type volatile Row Status active Group Name private Security Model v2c Read View defaultview Write View defaultview Noti...

Page 527: ... active Console notifyview The associated notify view storage type The storage type for this entry Row Status The row status of this entry Table 56 show snmp group display description Continued Field Description Table 57 show snmp user display description Field Description EngineId String identifying the engine ID User Name Name of user connecting to the SNMP agent Authentication Protocol The auth...

Page 528: ...tions SYNTAX no snmp server enable traps authentication link up down user authentication authentication authentication Keyword to issue authentication failure notifications link up down Keyword to issue link up or link down notifications user authentication authentication Keyword to issue user login authentication failure or success notifications Refer to the authentication login command DEFAULT S...

Page 529: ... type related to that keyword is enabled The snmp server enable traps command is used in conjunction with the snmp server host command Use the snmp server host command to specify which host or hosts receive SNMP notifications In order to send notifications you must configure at least one snmp server host command The authentication link up and link down traps are legacy notifications and therefore ...

Page 530: ...econds Default 1500 centiseconds community string Password like community string sent with the notification operation to SNMP V1 and V2c hosts Although you can set this string using the snmp server host command by itself we recommend defining it with the snmp server community command prior to using the snmp server host command Maximum length 32 characters version Specifies whether to send notifica...

Page 531: ...ese steps 1 Enable the SNMP agent page 517 2 Create a view with the required notification messages page 524 3 Create a group that includes the required notify view page 522 4 Allow the switch to send SNMP traps i e notifications page 528 5 Specify the target host that will receive inform messages with the snmp server host command as described in this section To send an inform to a SNMPv3 host comp...

Page 532: ...d in the address table are determined by examining the source address of ingress packets This command is used to generate SNMP traps when a dynamic address is added to or removed from the MAC address table of an interface for which MAC notification traps have been enabled with the snmp server enable port traps mac notification command Changes to dynamic address entries in the MAC address table may...

Page 533: ... MAC address table for an interface Use the no form to disable these traps SYNTAX no snmp server enable port traps mac notification DEFAULT SETTING Disabled COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE MAC notification traps must also be globally enabled with the snmp server enable traps mac notification command for this interface level command to take effect EXAMPLE Th...

Page 534: ...AC address table for an interface SYNTAX show snmp server enable port traps interface interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 port channel channel id Range 1 8 COMMAND MODE Privileged Exec EXAMPLE Console show snmp server enable port traps interface ethernet 1 1 Interface MAC Notification Trap Eth 1 1 Yes Console ...

Page 535: ...bled Table 59 sFlow Commands Command Function Mode sflow Enables sFlow globally for the switch GC sflow source Due to the switch s hardware design these commands can only be enabled for specific port groups 1 8 9 16 17 24 However sampling for each of the Gigabit ports 25 28 can be controlled individually Enables sFlow on the source ports to be monitored IC sflow sample Configures the packet sampli...

Page 536: ...rts SYNTAX no sflow source DEFAULT SETTING Disabled COMMAND MODE Interface Configuration Ethernet COMMAND USAGE The 100BASE TX ports are organized into groups of 8 based on a restriction in the switch ASIC 1 8 9 16 17 24 25 32 33 48 Selecting any port in one of these groups effectively configures all of the group members as an sFlow source port However the four Gigabit ports 25 28 can be independe...

Page 537: ...terface ethernet 1 9 Console config if sflow sample 100 Console config if sflow polling interval This command configures the interval at which counters are added to the sample datagram Use the no form to restore the default polling interval SYNTAX sflow polling interval seconds no sflow polling interval seconds The interval at which the sFlow process adds counter values to the sample datagram Rang...

Page 538: ...meout This command configures the length of time samples are sent to the Collector before resetting all sFlow port parameters Use the no form to restore the default time out SYNTAX sflow timeout seconds no sflow timeout seconds The length of time the sFlow process continuously sends samples to the Collector before resetting all sFlow port parameters Range 0 10000000 seconds where 0 indicates no ti...

Page 539: ...he UDP port on which the Collector is listening for sFlow streams Range 0 65534 DEFAULT SETTING IP Address null UDP Port 6343 COMMAND MODE Interface Configuration Ethernet EXAMPLE This example configures the Collector s IP address and uses the default UDP port Console config interface ethernet 1 9 Console config if sflow destination ipv4 192 168 0 4 Console config if sflow max header size This com...

Page 540: ...tagram size max datagram size no max datagram size max datagram size The maximum size of the sFlow datagram payload Range 200 1500 bytes DEFAULT SETTING 1400 bytes COMMAND MODE Interface Configuration Ethernet EXAMPLE Console config interface ethernet 1 9 Console config if sflow max datagram size 1500 Console config if show sflow This command shows the global and interface settings for the sFlow p...

Page 541: ...bal status Enabled Console sh sf int e 1 9 Interface of Ethernet 1 9 Interface status Enabled Owner name Lamar Owner destination 192 168 0 4 Owner socket port 6343 Time out 10000 Maximum header size 256 Maximum datagram size 1500 Sample rate 1 100 Polling interval 10 Console ...

Page 542: ...ion Sequence Defines logon authentication method and precedence RADIUS Client Configures settings for authentication via a RADIUS server TACACS Client Configures settings for authentication via a TACACS server AAA Configures authentication authorization and accounting for network access Web Server Enables management access via a web browser Telnet Server Enables management access via Telnet Secure...

Page 543: ...ec Levels 0 14 are not used 0 7 0 means plain password 7 means encrypted password password password for this privilege level Maximum length 8 characters plain text 32 encrypted case sensitive DEFAULT SETTING The default is level 15 The default password is super COMMAND MODE Global Configuration COMMAND USAGE You cannot set a null password You will have to enter a password to change the command mod...

Page 544: ...o predefined privilege levels 0 Normal Exec 15 Privileged Exec nopassword No password is required for this user to log in 0 7 0 means plain password 7 means encrypted password password password The authentication password for the user Maximum length 8 characters plain text 32 encrypted case sensitive DEFAULT SETTING The default access level is Normal Exec The factory defaults for the user names an...

Page 545: ...de with the enable command Use the no form to restore the default SYNTAX authentication enable local radius tacacs no authentication enable local Use local password only radius Use RADIUS server password only tacacs Use TACACS server password DEFAULT SETTING Local COMMAND MODE Global Configuration COMMAND USAGE RADIUS uses UDP while TACACS uses TCP UDP only offers best effort delivery while TCP of...

Page 546: ...anging command modes 543 authentication login This command defines the login authentication method and precedence Use the no form to restore the default SYNTAX authentication login local radius tacacs no authentication login local Use local password radius Use RADIUS server password tacacs Use TACACS server password DEFAULT SETTING Local COMMAND MODE Global Configuration COMMAND USAGE RADIUS uses ...

Page 547: ...base of multiple user name password pairs with associated privilege levels for each user or group that require management access to a switch radius server acct port This command sets the RADIUS server network port for accounting messages Use the no form to restore the default SYNTAX radius server acct port port number no radius server acct port port number RADIUS server UDP port used for accountin...

Page 548: ...rt 181 Console config radius server host This command specifies primary and backup RADIUS servers and authentication and accounting parameters that apply to each server Use the no form to remove a specified server or to restore the default values SYNTAX no radius server index host host ip address auth port auth port acct port acct port key key retransmit retransmit timeout timeout index Allows you...

Page 549: ...t 1812 acct port 1813 timeout 5 seconds retransmit 2 COMMAND MODE Global Configuration EXAMPLE Console config radius server 1 host 192 168 1 20 port 181 timeout 10 retransmit 5 key green Console config radius server key This command sets the RADIUS encryption key Use the no form to restore the default SYNTAX radius server key key string no radius server key key string Encryption key used to authen...

Page 550: ... SETTING 2 COMMAND MODE Global Configuration EXAMPLE Console config radius server retransmit 5 Console config radius server timeout This command sets the interval between transmitting authentication requests to the RADIUS server Use the no form to restore the default SYNTAX radius server timeout number of seconds no radius server timeout number of seconds Number of seconds the switch waits for a r...

Page 551: ...ole TACACS CLIENT Terminal Access Controller Access Control System TACACS is a logon authentication protocol that uses software running on a central server to control access to TACACS aware devices on the network An authentication server contains a database of multiple user name password pairs with associated privilege levels for each user or group that require management access to a switch Table ...

Page 552: ...tring Maximum length 48 characters port number TACACS server TCP port used for authentication messages Range 1 65535 DEFAULT SETTING 10 11 12 13 COMMAND MODE Global Configuration EXAMPLE Console config tacacs server host 192 168 1 25 Console config tacacs server host This command specifies the TACACS server Use the no form to restore the default SYNTAX tacacs server host host ip address no tacacs ...

Page 553: ...y used to authenticate logon access for the client Do not use blank spaces in the string Maximum length 48 characters DEFAULT SETTING None COMMAND MODE Global Configuration EXAMPLE Console config tacacs server key green Console config tacacs server port This command specifies the TACACS server network port Use the no form to restore the default SYNTAX tacacs server port port number no tacacs serve...

Page 554: ...S server Range 1 30 DEFAULT SETTING 2 COMMAND MODE Global Configuration EXAMPLE Console config tacacs server retransmit 5 Console config tacacs server timeout This command sets the interval between transmitting authentication requests to the TACACS server Use the no form to restore the default SYNTAX tacacs server timeout number of seconds no tacacs server timeout number of seconds Number of secon...

Page 555: ...ation and Accounting AAA feature provides the main framework for configuring access control on the switch The AAA functions require the use of configured RADIUS or TACACS servers in the network Table 66 AAA Commands Command Function Mode aaa accounting commands Enables accounting of Exec mode commands GC aaa accounting dot1x Enables accounting of 802 1X services GC aaa accounting exec Enables acco...

Page 556: ... command server group Specifies the name of a server group configured with the aaa group server command Range 1 255 characters DEFAULT SETTING Accounting is not enabled No servers are specified COMMAND MODE Global Configuration COMMAND USAGE The accounting of Exec mode commands is only supported by TACACS servers Note that the default and method name fields are only used to describe the accounting...

Page 557: ...equests Range 1 255 characters start stop Records accounting from starting point and stopping point group Specifies the server group to use radius Specifies all RADIUS hosts configure with the radius server host command tacacs Specifies all TACACS hosts configure with the tacacs server host command server group Specifies the name of a server group configured with the aaa group server command Range...

Page 558: ...pecifies all RADIUS hosts configure with the radius server host command tacacs Specifies all TACACS hosts configure with the tacacs server host command server group Specifies the name of a server group configured with the aaa group server command Range 1 255 characters DEFAULT SETTING Accounting is not enabled No servers are specified COMMAND MODE Global Configuration COMMAND USAGE This command ru...

Page 559: ...n interim interval enables updates but does not change the current interval setting EXAMPLE Console config aaa accounting update periodic 30 Console config aaa authorization exec This command enables the authorization for Exec access Use the no form to disable the authorization service SYNTAX aaa authorization exec default method name group tacacs server group no aaa authorization exec default met...

Page 560: ...ization type applies except those that have a named method explicitly defined EXAMPLE Console config aaa authorization exec default group tacacs Console config aaa group server Use this command to name a group of security server hosts To remove a server group from the configuration list enter the no form of this command SYNTAX no aaa group server radius tacacs group name radius Defines a RADIUS se...

Page 561: ...r host command When specifying the index for a TACACS server that server index must already be defined by the tacacs server host command EXAMPLE Console config aaa group server radius tps Console config sg radius server 10 2 68 120 Console config sg radius accounting dot1x This command applies an accounting method for 802 1X service requests on an interface Use the no form to disable accounting on...

Page 562: ...ated with the aaa accounting commands command list name Specifies a method list created with the aaa accounting commands command DEFAULT SETTING None COMMAND MODE Line Configuration EXAMPLE Console config line console Console config line accounting commands 15 default Console config line accounting exec This command applies an accounting method to local console or Telnet connections Use the no for...

Page 563: ...et connections Use the no form to disable authorization on the line SYNTAX authorization exec default list name no authorization exec default Specifies the default method list created with the aaa authorization exec command list name Specifies a method list created with the aaa authorization exec command DEFAULT SETTING None COMMAND MODE Line Configuration EXAMPLE Console config line console Conso...

Page 564: ...e command level dot1x Displays dot1x accounting information exec Displays Exec accounting records statistics Displays accounting records user name Displays accounting records for a specifiable username interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console show accounting Accounting type dot1x Method l...

Page 565: ...t to be used by the browser interface Range 1 65535 DEFAULT SETTING 80 COMMAND MODE Global Configuration EXAMPLE Console config ip http port 769 Console config RELATED COMMANDS ip http server 568 show system 456 Table 67 Web Server Commands Command Function Mode ip http port Specifies the port to be used by the web browser interface GC ip http secure port Specifies the UDP port number for HTTPS GC...

Page 566: ...s to use the same port If you change the HTTPS port number clients attempting to connect to the HTTPS server must specify the port number in the URL in this format https device port number EXAMPLE Console config ip http secure port 1000 Console config RELATED COMMANDS ip http secure server 566 show system 456 ip http secure server This command enables the secure hypertext transfer protocol HTTPS o...

Page 567: ...d connection A padlock icon should appear in the status bar for Internet Explorer 5 x or above Netscape Navigator 6 2 or above and Mozilla Firefox 2 0 0 0 or above The following web browsers and operating systems currently support HTTPS To specify a secure site certificate see Replacing the Default Secure site Certificate Also refer to the copy tftp https certificate command EXAMPLE Console config...

Page 568: ...OMMANDS ip http port 565 show system 456 TELNET SERVER This section describes commands used to configure Telnet management access to the switch NOTE This switch also supports a Telnet client function A Telnet connection can be made from this switch to another device by entering the telnet command at the Privileged Exec configuration level Table 69 Telnet Server Commands Command Function Mode ip te...

Page 569: ...bal Configuration EXAMPLE Console config ip telnet server Console config ip telnet server port 123 Console config SECURE SHELL This section describes the commands used to configure the SSH server Note that you also need to install a SSH client on the management station when using this protocol to configure the switch NOTE The switch supports both SSH Version 1 5 and 2 0 clients Table 70 Secure She...

Page 570: ...own hosts file on the management station and place the host public key in it An entry for a public key in the known hosts file would appear similar to the following example 10 1 0 54 1024 35 15684995401867669259333946775054617325313674890836547254 15020245593199868544358361651999923329781766065830956 10825913212890233765468017262725714134287629413011961955667825 95664104869574278881462065194174677...

Page 571: ...h server command to enable the SSH server on the switch 6 Authentication One of the following authentication methods is employed Password Authentication for SSH v1 5 or V2 Clients a The client sends its password to the server b The switch compares the client s password to those stored in memory c If a match is found the connection is allowed NOTE To use SSH with only password authentication the ho...

Page 572: ...rejects the request c The client sends a signature generated using the private key to the switch d When the server receives this message it checks whether the supplied key is acceptable for authentication and if so it then checks whether the signature is correct If both checks succeed the client is authenticated NOTE The SSH server supports up to four client sessions The maximum number of client s...

Page 573: ...A or RSA for key exchange when the client first establishes a connection with the switch and then negotiates with the client to select either DES 56 bit or 3DES 168 bit for data encryption You must generate DSA and RSA host keys before enabling the SSH server EXAMPLE Console ip ssh crypto host key generate dsa Console configure Console config ip ssh server Console config RELATED COMMANDS ip ssh cr...

Page 574: ...er Use the no form to restore the default setting SYNTAX ip ssh timeout seconds no ip ssh timeout seconds The timeout for client response during SSH negotiation Range 1 120 DEFAULT SETTING 10 seconds COMMAND MODE Global Configuration COMMAND USAGE The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase Once an SSH session has been est...

Page 575: ...rate dsa rsa dsa DSA Version 2 key type rsa RSA Version 1 key type DEFAULT SETTING Generates both the DSA and RSA key pairs COMMAND MODE Privileged Exec COMMAND USAGE The switch uses only RSA Version 1 for SSHv1 5 clients and DSA Version 2 for SSHv2 clients This command stores the host key pair in memory i e RAM Use the ip ssh save host key command to save the host key pair to flash memory Some SS...

Page 576: ...sa rsa dsa DSA key type rsa RSA key type DEFAULT SETTING Clears both the DSA and RSA key COMMAND MODE Privileged Exec COMMAND USAGE This command clears the host key from volatile memory RAM Use the no ip ssh save host key command to clear the host key from flash memory The SSH server must be disabled before you can execute this command EXAMPLE Console ip ssh crypto zeroize dsa Console RELATED COMM...

Page 577: ...5 show ip ssh This command displays the connection settings used when authenticating client access to the SSH server COMMAND MODE Privileged Exec EXAMPLE Console show ip ssh SSH Enabled Version 2 0 Negotiation Timeout 120 seconds Authentication Retries 3 Server Key Size 768 bits Console show public key This command shows the public key for the specified user or for the host SYNTAX show public key ...

Page 578: ...2831341625008348718449522087429212255691665655296328163516964040831 5547660664151657116381 DSA ssh dss AAAB3NzaC1kc3MAAACBAPWKZTPbsRIB8ydEXcxM3dyV yrDbKStIlnzD Dg0h2Hxc YV44sXZ2JXhamLK6P8bvuiyacWbUW a4PAtp1KMSdqsKeh3hKoA3vRRSy1N2XFfAKxl5fwFfv JlPdOkFgzLGMinvSNYQwiQXbKTBH0Z4mUZpE85PWxDZMaCNBPjBrRAAAAFQChb4vsdfQGNIjwbv wrNLaQ77isiwAAAIEAsy5YWDC99ebYHNRj5kh47wY4i8cZvH p9cnrfwFTMU01VFDly3IR 2G395NLy5Q...

Page 579: ...entication fails IC dot1x max req Sets the maximum number of times that the switch retransmits an EAP request identity packet to the client before it times out the authentication session IC dot1x operation mode Allows single or multiple hosts on an dot1x port IC dot1x port control Sets dot1x mode for a port interface IC dot1x re authentication Enables re authentication for all ports IC dot1x timeo...

Page 580: ...e used to forward EAPOL frames from other switches on to the authentication servers thereby allowing the authentication process to still be carried out by switches located on the edge of the network When this device is functioning as an edge switch but does not require any attached clients to be authenticated the no dot1x eapol pass through command can be used to discard unnecessary EAPOL traffic ...

Page 581: ...ot1x system auth control Console config dot1x intrusion action This command sets the port s response to a failed authentication either to block all traffic or to assign all traffic for the port to a guest VLAN Use the no form to reset the default SYNTAX dot1x intrusion action block traffic guest vlan no dot1x intrusion action block traffic Blocks traffic on this port guest vlan Assigns the user to...

Page 582: ...sole config if dot1x max req 2 Console config if dot1x operation mode This command allows hosts clients to connect to an 802 1X authorized port Use the no form with no keywords to restore the default to single host Use the no form with the multi host max count keywords to restore the default maximum count SYNTAX dot1x operation mode single host multi host max count count mac based auth no dot1x op...

Page 583: ...ess to a port operating in this mode is limited only by the available space in the secure address table i e up to 1024 addresses EXAMPLE Console config interface eth 1 2 Console config if dot1x operation mode multi host max count 10 Console config if dot1x port control This command sets the dot1x mode on a port interface Use the no form to restore the default SYNTAX dot1x port control auto force a...

Page 584: ... the process is handled transparently by the dot1x client software Only if re authentication fails is the port blocked The connected client is re authenticated after the interval specified by the dot1x timeout re authperiod command The default is 3600 seconds EXAMPLE Console config interface eth 1 2 Console config if dot1x re authentication Console config if RELATED COMMANDS dot1x timeout re authp...

Page 585: ...ot1x timeout re authperiod seconds The number of seconds Range 1 65535 DEFAULT 3600 seconds COMMAND MODE Interface Configuration EXAMPLE Console config interface eth 1 2 Console config if dot1x timeout re authperiod 300 Console config if dot1x timeout supp timeout This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re transmitting ...

Page 586: ...ce eth 1 2 Console config if dot1x timeout supp timeout 300 Console config if dot1x timeout tx period This command sets the time that an interface on the switch waits during an authentication session before re transmitting an EAP packet Use the no form to reset to the default value SYNTAX dot1x timeout tx period seconds no dot1x timeout tx period seconds The number of seconds Range 1 65535 DEFAULT...

Page 587: ...gs SYNTAX dot1x identity profile username username password password no dot1x identity profile username password username Specifies the supplicant user name Range 1 8 characters password Specifies the supplicant password Range 1 8 characters DEFAULT No user name or password COMMAND MODE Global Configuration COMMAND USAGE The global supplicant user name and password are used to identify this switch...

Page 588: ...licant mode on a port SYNTAX no dot1x pae supplicant DEFAULT Disabled COMMAND MODE Interface Configuration COMMAND USAGE When devices attached to a port must submit requests to another authenticator on the network configure the identity profile parameters see dot1x identity profile command on page 587 which identify this switch as a supplicant and enable dot1x supplicant mode for those ports which...

Page 589: ...no dot1x timeout auth period seconds The number of seconds Range 1 65535 DEFAULT 30 seconds COMMAND MODE Interface Configuration COMMAND USAGE This command sets the time that the supplicant waits for a response from the authenticator for packets other than EAPOL Start EXAMPLE Console config interface eth 1 2 Console config if dot1x timeout auth period 60 Console config if dot1x timeout held period...

Page 590: ...YNTAX dot1x timeout start period seconds no dot1x timeout start period seconds The number of seconds Range 1 65535 DEFAULT 30 seconds COMMAND MODE Interface Configuration EXAMPLE Console config interface eth 1 2 Console config if dot1x timeout start period 60 Console config if show dot1x This command shows general port authentication related settings on the switch or a specific interface SYNTAX sh...

Page 591: ... authentication page 584 Reauth Period Time after which a connected client must be re authenticated page 585 Quiet Period Time a port waits after Max Request Count is exceeded before attempting to acquire a new client page 584 TX Period Time a port waits during authentication session before re transmitting EAP packet page 586 Supplicant Timeout Supplicant timeout Server Timeout Server timeout Reau...

Page 592: ...ole show dot1x Global 802 1X Parameters System auth control Enabled Authenticator Parameters EAPOL Pass Through Disabled Supplicant Parameters Identity Profile Username steve 802 1X Port Summary Port Name Status Operation Mode Mode Authorized 1 1 Disabled Single Host ForceAuthorized N A 1 2 Disabled Single Host ForceAuthorized N A 1 27 Disabled Single Host ForceAuthorized Yes 1 28 Enabled Single H...

Page 593: ...no form to restore the default setting SYNTAX no management all client http client snmp client telnet client start address end address all client Adds IP address es to all groups http client Adds IP address es to the web group snmp client Adds IP address es to the SNMP group telnet client Adds IP address es to the Telnet group start address A single IP address or the starting address of a range en...

Page 594: ...You cannot delete an individual address from a specified range You must delete the entire range and reenter the addresses You can delete an address range just by specifying the start address or by specifying both the start address and end address EXAMPLE This example restricts management access to the indicated addresses Console config management all client 192 168 1 19 Console config management a...

Page 595: ...ervers Table 74 PPPoE Intermediate Agent Commands Command Function Mode pppoe intermediate agent Enables the PPPoE IA globally on the switch GC pppoe intermediate agent format type Sets the access node identifier and generic error message for the switch GC pppoe intermediate agent port enable Enables the PPPoE IA on an interface IC pppoe intermediate agent port format type Sets the circuit id or r...

Page 596: ...t Id tag inserted by the switch during the PPPoE discovery phase and sends this tag as a NAS port Id attribute in PPP authentication and AAA accounting requests to a RADIUS server PPPoE IA must be enabled globally by this command before this feature can be enabled on an interface using the pppoe intermediate agent port enable command EXAMPLE Console config pppoe intermediate agent Console config p...

Page 597: ...ry packets These messages are forwarded to all trusted ports designated by the pppoe intermediate agent trust command EXAMPLE Console config pppoe intermediate agent format type access node identifier billibong Console config pppoe intermediate agent port enable This command enables the PPPoE IA on an interface Use the no form to disable this feature SYNTAX no pppoe intermediate agent port enable ...

Page 598: ...m PPPoE discovery stage messages and uses the Circuit Id field of that tag as a NAS Port Id attribute in AAA access and accounting requests The switch intercepts PPPoE discovery frames from the client and inserts a unique line identifier using the PPPoE Vendor Specific tag 0x0105 to PPPoE Active Discovery Initiation PADI and Request PADR packets The switch then forwards these packets to the PPPoE ...

Page 599: ...interface must be configured on the switch for the PPPoE IA to function EXAMPLE Console config int ethernet 1 5 Console config if pppoe intermediate agent trust Console config if pppoe intermediate agent vendor tag strip This command enables the stripping of vendor tags from PPPoE Discovery packets sent from a PPPoE server Use the no form to disable this feature SYNTAX no pppoe intermediate agent ...

Page 600: ...ort number Range 1 28 port channel channel id Range 1 8 COMMAND MODE Privileged Exec EXAMPLE Console clear pppoe intermediate agent statistics Console show pppoe intermediate agent info This command displays configuration settings for the PPPoE Intermediate Agent SYNTAX show pppoe intermediate agent info interface interface interface ethernet unit port unit Stack unit Range 1 port Port number Rang...

Page 601: ...ermediate agent statistics interface interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 port channel channel id Range 1 8 COMMAND MODE Privileged Exec EXAMPLE Console show pppoe intermediate agent statistics interface ethernet 1 1 Eth 1 1 statistics Received All PADI PADO PADR PADS PADT 3 0 0 0 0 3 Dropped Response from untrusted Request towards untrusted Ma...

Page 602: ...The priority of execution for these filtering commands is Port Security Port Authentication Network Access Web Authentication Access Control Lists DHCP Snooping and then IP Source Guard Configures secure addresses for a port 802 1X Port Authentication Configures host authentication on specific ports using 802 1X Network Access Configures MAC authentication and dynamic VLAN assignment Web Authentic...

Page 603: ... configures port security Use the no form without any keywords to disable port security Use the no form with the appropriate keyword to restore the default settings for a response to security violation or for the maximum number of allowed addresses SYNTAX port security action shutdown trap trap and shutdown max mac count address count no port security action max mac count action Response to take w...

Page 604: ...rt The specified maximum address count is effective when port security is enabled or disabled Use the no port security max mac count command to disable port security and reset the maximum number of addresses to the default You can also manually add secure addresses with the mac address table static command A secure port has the following restrictions Cannot be connected to a network interconnectio...

Page 605: ...access link detection Enables the link detection feature IC network access link detection link down Configures the link detection feature to detect and act upon link down events IC network access link detection link up Configures the link detection feature to detect and act upon link up events IC network access link detection link up down Configures the link detection feature to detect and act upo...

Page 606: ...gured by the MAC Address Authentication process described in this section as well as to any secure MAC addresses authenticated by 802 1X regardless of the 802 1X Operation Mode Single Host Multi Host or MAC Based authentication as described on page 582 The maximum number of secure MAC addresses supported for the switch system is 1024 EXAMPLE Console config if network access aging Console config if...

Page 607: ...ig network access mac filter 1 mac address 11 22 33 44 55 66 Console config mac authentication reauth time Use this command to set the time period after which a connected MAC address must be re authenticated Use the no form of this command to restore the default value SYNTAX mac authentication reauth time seconds no mac authentication reauth time seconds The reauthentication time period Range 120 ...

Page 608: ...l QoS configuration for the port When a user attempts to log into the network with a returned dynamic QoS profile that is different from users already logged on to the same port the user is denied access While a port has an assigned dynamic QoS profile any manual QoS configuration changes only take effect after all users have logged off of the port NOTE Any configuration changes for dynamic QoS ar...

Page 609: ...n or they are treated as an authentication failure If dynamic VLAN assignment is enabled on a port and the RADIUS server returns no VLAN configuration the authentication is still treated as a success and the host assigned to the default untagged VLAN When the dynamic VLAN assignment status is changed on a port all authenticated addresses are cleared from the secure MAC address table EXAMPLE The fo...

Page 610: ...be effective see the dot1x intrusion action command EXAMPLE Console config interface ethernet 1 1 Console config if network access guest vlan 25 Console config if network access link detection Use this command to enable link detection for the selected port Use the no form of this command to restore the default SYNTAX no network access link detection DEFAULT SETTING Disabled COMMAND MODE Interface ...

Page 611: ...disable the port DEFAULT SETTING Disabled COMMAND MODE Interface Configuration EXAMPLE Console config interface ethernet 1 1 Console config if network access link detection link down action trap Console config if network access link detection link up Use this command to detect link up events When detected the switch can shut down the port send an SNMP trap or both Use the no form of this command t...

Page 612: ...ponse to take when port security is violated shutdown Disable port only trap Issue SNMP trap message only trap and shutdown Issue SNMP trap message and disable the port DEFAULT SETTING Disabled COMMAND MODE Interface Configuration EXAMPLE Console config interface ethernet 1 1 Console config if network access link detection link up down action trap Console config if network access max mac count Use...

Page 613: ...en enabled on a port the authentication process sends a Password Authentication Protocol PAP request to a configured RADIUS server The user name and password are both equal to the MAC address being authenticated On the RADIUS server PAP user name and passwords must be configured in the MAC address format XX XX XX XX XX XX all in upper case Authenticated MAC addresses are stored as dynamic entries ...

Page 614: ...Type attribute set to 802 EXAMPLE Console config if network access mode mac authentication Console config if network access port mac filter Use this command to enable the specified MAC address filter Use the no form of this command to disable the specified MAC address filter SYNTAX network access port mac filter filter id no network access port mac filter filter id Specifies a MAC address filter t...

Page 615: ...ce Con figuration EXAMPLE Console config if mac authentication intrusion action block traffic Console config if mac authentication max mac count Use this command to set the maximum number of MAC addresses that can be authenticated on a port via MAC authentication Use the no form of this command to restore the default SYNTAX mac authentication max mac count count no mac authentication max mac count...

Page 616: ...try Format xx xx xx xx xx xx interface Specifies a port interface ethernet unit port unit This is unit 1 port Port number Range 1 28 DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console clear network access mac address table interface ethernet 1 1 Console show network access Use this command to display the MAC authentication settings for port interfaces SYNTAX show network access inte...

Page 617: ... table entries SYNTAX show network access mac address table static dynamic address mac address mask interface interface sort address interface static Specifies static address entries dynamic Specifies dynamic address entries mac address Specifies a MAC address entry Format xx xx xx xx xx xx mask Specifies a MAC address bit mask for filtering displayed addresses interface Specifies a port interface...

Page 618: ...filter id filter id Specifies a MAC address filter table Range 1 64 DEFAULT SETTING Displays all filters COMMAND MODE Privileged Exec EXAMPLE Console show network access mac filter Filter ID MAC Address MAC Mask 1 00 00 01 02 03 08 FF FF FF FF FF FF Console WEB AUTHENTICATION Web authentication allows stations to authenticate and access the network in situations where 802 1X or Network Access auth...

Page 619: ...ion Command Function Mode web auth login attempts Defines the limit for failed web authentication login attempts GC web auth quiet period Defines the amount of time to wait after the limit for failed login attempts is exceeded GC web auth session timeout Defines the amount of time a session remains valid GC web auth system auth control Enables web authentication globally for the switch GC web auth...

Page 620: ...D MODE Global Configuration EXAMPLE Console config web auth quiet period 120 Console config web auth session timeout This command defines the amount of time a web authentication session remains valid When the session timeout has been reached the host is logged off and must re authenticate itself the next time data transmission takes place Use the no form to restore the default SYNTAX web auth sess...

Page 621: ...h and web auth for an interface must be enabled for the web authentication feature to be active EXAMPLE Console config web auth system auth control Console config web auth This command enables web authentication for an interface Use the no form to restore the default SYNTAX no web auth DEFAULT SETTING Disabled COMMAND MODE Interface Configuration COMMAND USAGE Both web auth system auth control for...

Page 622: ...eged Exec EXAMPLE Console web auth re authenticate interface ethernet 1 2 Failed to reauth Console web auth re authenticate IP This command ends the web authentication session associated with the designated IP address and forces the user to re authenticate SYNTAX web auth re authenticate interface interface ip interface Specifies a port interface ethernet unit port unit This is unit 1 port Port nu...

Page 623: ...od 60 Max Login Attempts 3 Console show web auth interface This command displays interface specific web authentication parameters and statistics SYNTAX show web auth interface interface interface Specifies a port interface ethernet unit port unit This is unit 1 port Port number Range 1 28 COMMAND MODE Privileged Exec EXAMPLE Console Web Auth Status Enabled Host Summary IP address Web Auth State Re...

Page 624: ...ip dhcp snooping Enables DHCP snooping globally GC ip dhcp snooping information option Enables or disables the use of DHCP Option 82 information and specifies frame format for the remote id GC ip dhcp snooping information policy Sets the information option policy for DHCP client packets that include Option 82 information GC ip dhcp snooping verify mac address Verifies the client s hardware address...

Page 625: ...ng an untrusted interface are filtered based upon dynamic entries learned via DHCP snooping Table entries are only learned for trusted interfaces Each entry includes a MAC address IP address lease time VLAN identifier and port identifier When DHCP snooping is enabled the rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second Any DHCP packets in exc...

Page 626: ...s not a recognizable type it is dropped If a DHCP packet from a client passes the filtering criteria above it will only be forwarded to trusted ports in the same VLAN If a DHCP packet is from server is received on a trusted port it will be forwarded to both trusted and untrusted ports in the same VLAN If the DHCP snooping is globally disabled all dynamic bindings are removed from the binding table...

Page 627: ...rmation mac address Inserts a MAC address in the remote ID sub option for the DHCP snooping agent that is the MAC address of the switch s CPU ip address Inserts an IP address in the remote ID sub option for the DHCP snooping agent that is the IP address of the management interface encode Indicates encoding in ASCII or hexadecimal string An arbitrary string inserted into the remote identifier field...

Page 628: ...ng the DHCP snooping information option will add option 82 information to the packet If an incoming packet is a DHCP reply packet with option 82 information enabling the DHCP snooping information option will remove option 82 information from the packet EXAMPLE This example enables the DHCP Snooping Information Option Console config ip dhcp snooping information option Console config ip dhcp snoopin...

Page 629: ... command verifies the client s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header Use the no form to disable this function SYNTAX no ip dhcp binding verify mac address DEFAULT SETTING Enabled COMMAND MODE Global Configuration COMMAND USAGE If MAC address verification is enabled and the source MAC address in the Ethernet header of the packet is not same...

Page 630: ...e performed on any untrusted ports within the VLAN as specified by the ip dhcp snooping trust command When the DHCP snooping is globally disabled DHCP snooping can still be configured for specific VLANs but the changes will not take effect until DHCP snooping is globally re enabled When DHCP snooping is globally enabled configuration changes for specific VLANs have the following effects If DHCP sn...

Page 631: ...r VLAN 1 Console config interface ethernet 1 1 Console config if ip dhcp snooping information option circuit id string b9 Console config if ip dhcp snooping trust This command configures the specified interface as trusted Use the no form to restore the default setting SYNTAX no ip dhcp snooping trust DEFAULT SETTING All interfaces are untrusted COMMAND MODE Interface Configuration Ethernet Port Ch...

Page 632: ... interface ethernet 1 5 Console config if no ip dhcp snooping trust Console config if RELATED COMMANDS ip dhcp snooping 625 ip dhcp snooping vlan 630 clear ip dhcp snooping database flash This command removes all dynamically learned snooping entries from flash memory COMMAND MODE Privileged Exec EXAMPLE Console config ip dhcp snooping database flash Console config ip dhcp snooping database flash T...

Page 633: ...ion Format extra subtype included DHCP Snooping Information Option Remote ID mac address hex encoded DHCP Snooping Information Policy replace DHCP Snooping is configured on the following VLANs 1 Verify Source Mac Address enabled Interface Trusted Circuit ID Value Eth 1 1 No Eth 1 2 No Eth 1 3 No Eth 1 4 No Eth 1 5 Yes show ip dhcp snooping binding This command shows the DHCP snooping binding table...

Page 634: ...terface ethernet unit port no ip source guard binding mac address vlan vlan id mac address A valid unicast MAC address vlan id ID of a configured VLAN Range 1 4094 ip address A valid unicast IP address including classful types A B or C unit Unit identifier Range 1 port Port number Range 1 28 DEFAULT SETTING No configured entries COMMAND MODE Global Configuration Table 82 IP Source Guard Commands C...

Page 635: ...e is no entry with same VLAN ID and MAC address a new entry is added to binding table using the type of static IP source guard binding If there is an entry with same VLAN ID and MAC address and the type of entry is static IP source guard binding then the new entry will replace the old one If there is an entry with same VLAN ID and MAC address and the type of the entry is dynamic DHCP snooping bind...

Page 636: ...lected port Use the sip option to check the VLAN ID source IP address and port number against all entries in the binding table Use the sip mac option to check these same parameters plus the source MAC address Use the no ip source guard command to disable this function on the selected port When enabled traffic is filtered based upon dynamic entries learned via DHCP snooping or static addresses conf...

Page 637: ...ard if enabled on an interface for which IP source bindings dynamically learned via DHCP snooping or manually configured are not yet configured the switch will drop all IP traffic on that port except for DHCP packets Only unicast addresses are accepted for static bindings EXAMPLE This example enables IP source guard on port 5 Console config interface ethernet 1 5 Console config if ip source guard ...

Page 638: ...ax binding 1 Console config if show ip source guard This command shows whether source guard is enabled or disabled on each interface COMMAND MODE Privileged Exec EXAMPLE Console show ip source guard Interface Filter type Max binding Eth 1 1 DISABLED 16 Eth 1 2 DISABLED 16 Eth 1 3 DISABLED 16 Eth 1 4 DISABLED 16 Eth 1 5 SIP 1 Eth 1 6 DISABLED 16 show ip source guard binding This command shows the s...

Page 639: ...r hosts with statically configured IP addresses This section describes commands used to configure ARP Inspection Table 83 ARP Inspection Commands Command Function Mode ip arp inspection Enables ARP Inspection globally on the switch GC ip arp inspection filter Specifies an ARP ACL to apply to one or more VLANs GC ip arp inspection log buffer logs Sets the maximum number of entries saved in a log me...

Page 640: ...ection is enabled When ARP Inspection is disabled all ARP request and reply packets bypass the ARP Inspection engine and their manner of switching matches that of all other packets Disabling and then re enabling global ARP Inspection will not affect the ARP Inspection configuration for any VLANs When ARP Inspection is disabled globally it is still possible to configure ARP Inspection for individua...

Page 641: ... not checked DEFAULT SETTING ARP ACLs are not bound to any VLAN Static mode is not enabled COMMAND MODE Global Configuration COMMAND USAGE ARP ACLs are configured with the commands described on page 667 If static mode is enabled the switch compares ARP packets to the specified ARP ACLs Packets matching an IP to MAC address binding in a permit or deny rule are processed accordingly Packets not matc...

Page 642: ...logging is active for ARP Inspection and cannot be disabled When the switch drops a packet it places an entry in the log buffer Each entry contains flow information such as the receiving VLAN the port number the source and destination IP addresses and the source and destination MAC addresses If multiple identical invalid ARP packets are received consecutively on the same VLAN then the logging faci...

Page 643: ...le target IP addresses are checked only in ARP responses src mac Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body This check is performed on both ARP requests and responses When enabled packets with different MAC addresses are classified as invalid and are dropped DEFAULT SETTING No additional validation is performed COMMAND MODE Global Configurat...

Page 644: ...gine and their manner of switching matches that of all other packets Disabling and then re enabling global ARP Inspection will not affect the ARP Inspection configuration for any VLANs When ARP Inspection is disabled globally it is still possible to configure ARP Inspection for individual VLANs These configuration changes will only become active after ARP Inspection is globally enabled again EXAMP...

Page 645: ... arp inspection trust This command sets a port as trusted and thus exempted from ARP Inspection Use the no form to restore the default setting SYNTAX no ip arp inspection trust DEFAULT SETTING Untrusted COMMAND MODE Interface Configuration Port COMMAND USAGE Packets arriving on untrusted ports are subject to any configured ARP Inspection and additional validation checks Packets arriving on trusted...

Page 646: ...age Interval 10 s Log Message Number 1 Need Additional Validation s Yes Additional Validation Type Destination MAC address Console show ip arp inspection interface This command shows the trust status and ARP Inspection rate limit for ports SYNTAX show ip arp inspection interface interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 COMMAND MODE Privileged ...

Page 647: ...ics ARP packets received before rate limit 150 ARP packets dropped due to rate limt 5 Total ARP packets processed by ARP Inspection 150 ARP packets dropped by additional validation source MAC address 0 ARP packets dropped by additional validation destination MAC address 0 ARP packets dropped by additional validation IP address 0 ARP packets dropped by ARP ACLs 0 ARP packets dropped by DHCP snoopin...

Page 648: ...CHAPTER 26 General Security Measures ARP Inspection 648 EXAMPLE Console show ip arp inspection vlan 1 VLAN ID DAI Status ACL Name ACL Status 1 disabled sales static Console ...

Page 649: ...s TCP UDP port number protocol type and TCP control code IPv6 ACLs Configures ACLs based on IPv6 addresses or DSCP traffic class MAC ACLs Configures ACLs based on hardware addresses packet format and Ethernet type ARP ACLs Configures ACLs based on ARP messages addresses ACL Information Displays ACLs and associated rules shows ACLs assigned to each port Table 85 IPv4 ACL Commands Command Function M...

Page 650: ...her more specific criteria acl name Name of the ACL Maximum length 16 characters no spaces or other special characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list To remove a rule use the no permit or no deny command followed b...

Page 651: ...figuration file and the switch rebooted for the new mode to take effect When using extended rule mode each rule used in an ACL occupies the space of two standard rules When using mixed rule mode either standard or extended rules can be used However the rules used in the same ACL must either be all standard or all extended rules If standard rules are used for all ACLs the maximum number of rules pe...

Page 652: ...None COMMAND MODE Standard IPv4 ACL COMMAND USAGE New rules are appended to the end of the list Address bit masks are similar to a subnet mask containing four integers from 0 to 255 each separated by a period The binary mask uses 1 bits to indicate match and 0 bits to indicate ignore The bitmask is bitwise ANDed with the specified source IP address and then compared with the address for each IP pa...

Page 653: ...it deny tcp any source address bitmask host source any destination address bitmask host destination precedence precedence tos tos dscp dscp source port sport bitmask destination port dport port bitmask control flag control flags flag bitmask time range time range name no permit deny tcp any source address bitmask host source any destination address bitmask host destination precedence precedence to...

Page 654: ...itmask is bitwise ANDed with the specified source IP address and then compared with the address for each IP packet entering the port s to which this ACL has been assigned You can specify both Precedence and ToS in the same rule However if DSCP is used then neither Precedence nor ToS can be specified The control code bitmask is a decimal number representing an equivalent bit mask that is applied to...

Page 655: ...1 0 255 255 255 0 any destination port 80 Console config ext acl This permits all TCP packets from class C addresses 192 168 1 0 with the TCP control code set to SYN Console config ext acl permit tcp 192 168 1 0 255 255 255 0 any control flag 2 2 Console config ext acl RELATED COMMANDS access list ip 650 Time Range 504 ip access group This command binds an IPv4 ACL to a port Use the no form to rem...

Page 656: ...access list 656 Time Range 504 show ip access group This command shows the ports assigned to IP ACLs COMMAND MODE Privileged Exec EXAMPLE Console show ip access group Interface ethernet 1 2 IP access list david in Console RELATED COMMANDS ip access group 655 show ip access list This command displays the rules for configured IPv4 ACLs SYNTAX show ip access list standard extended acl name standard S...

Page 657: ...ccess list ipv6 standard extended acl name standard Specifies an ACL that filters packets based on the source IP address extended Specifies an ACL that filters packets based on the destination IP address and other more specific criteria acl name Name of the ACL Maximum length 16 characters DEFAULT SETTING None Table 86 IPv4 ACL Commands Command Function Mode access list ipv6 Creates an IPv6 ACL an...

Page 658: ...dard IPv6 ACL The rule sets a filter condition for packets emanating from the specified source Use the no form to remove a rule SYNTAX permit deny any host source ipv6 address source ipv6 address prefix length time range time range name no permit deny any host source ipv6 address source ipv6 address prefix length any Any source IP address host Keyword followed by a specific IP address source ipv6 ...

Page 659: ...dress source ipv6 address prefix length any destination ipv6 address prefix length dscp dscp time range time range name no permit deny any host source ipv6 address source ipv6 address prefix length any destination ipv6 address prefix length dscp dscp any Any IP address an abbreviation for the IPv6 prefix 0 host Keyword followed by a specific source IP address source ipv6 address An IPv6 source add...

Page 660: ...les are appended to the end of the list EXAMPLE This example accepts any incoming packets if the destination address is 2009 DB9 2229 79 8 Console config ext ipv6 acl permit 2009 DB9 2229 79 8 Console config ext ipv6 acl This allows packets to any destination address when the DSCP value is 5 Console config ext ipv6 acl permit any dscp 5 Console config ext ipv6 acl RELATED COMMANDS access list ipv6...

Page 661: ...pv6 access group acl name in acl name Name of the ACL Maximum length 16 characters in Indicates that this list applies to ingress packets time range name Name of the time range Range 1 30 characters DEFAULT SETTING None COMMAND MODE Interface Configuration Ethernet COMMAND USAGE A port can only be bound to one ACL If a port is already bound to an ACL and you bind it to a different ACL the switch w...

Page 662: ...r more ports access list mac This command adds a MAC access list and enters MAC ACL configuration mode Use the no form to remove the specified ACL SYNTAX no access list mac acl name acl name Name of the ACL Maximum length 16 characters no spaces or other special characters DEFAULT SETTING None COMMAND MODE Global Configuration Table 87 MAC ACL Commands Command Function Mode access list mac Creates...

Page 663: ...atching a specified MAC source or destination address i e physical layer address or Ethernet protocol type Use the no form to remove a rule SYNTAX permit deny any host source source address bitmask any host destination destination address bitmask cos cos cos bitmask vid vid vid bitmask ethertype protocol protocol bitmask time range time range name no permit deny any host source source address bitm...

Page 664: ... deny tagged 802 3 any host source source address bitmask any host destination destination address bitmask cos cos cos bitmask vid vid vid bitmask permit deny untagged 802 3 any host source source address bitmask any host destination destination address bitmask time range time range name no permit deny untagged 802 3 any host source source address bitmask any host destination destination address b...

Page 665: ... in RFC 1060 A few of the more common types include the following 0800 IP 0806 ARP 8137 IPX EXAMPLE This rule permits packets from any source MAC address to the destination address 00 e0 29 94 34 de where the Ethernet type is 0800 Console config mac acl permit any host 00 e0 29 94 34 de ethertype 0800 Console config mac acl RELATED COMMANDS access list mac 662 Time Range 504 mac access group This ...

Page 666: ...sole config if mac access group jerry in Console config if RELATED COMMANDS show mac access list 666 Time Range 504 show mac access group This command shows the ports assigned to MAC ACLs COMMAND MODE Privileged Exec EXAMPLE Console show mac access group Interface ethernet 1 5 MAC access list M5 in Console RELATED COMMANDS mac access group 665 show mac access list This command displays the rules f...

Page 667: ...mode Use the no form to remove the specified ACL SYNTAX no access list arp acl name acl name Name of the ACL Maximum length 16 characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list To create an ACL you must add at least one ru...

Page 668: ...y host source ip source ip ip address bitmask mac any host source mac source mac mac address bitmask log no permit deny response ip any host source ip source ip ip address bitmask any host destination ip destination ip ip address bitmask mac any host source mac source mac mac address bitmask any host destination mac destination mac mac address bitmask log source ip Source IP address destination ip...

Page 669: ...response ip any 192 168 0 0 255 255 0 0 mac any any Console config mac acl RELATED COMMANDS access list arp 667 show arp access list This command displays the rules for configured ARP ACLs SYNTAX show arp access list acl name acl name Name of the ACL Maximum length 16 characters COMMAND MODE Privileged Exec EXAMPLE Console show arp access list ARP access list factory permit response ip any 192 168...

Page 670: ...ec EXAMPLE Console show access list IP standard access list david permit host 10 1 1 21 permit 168 92 0 0 255 255 15 0 IP extended access list bob permit 10 7 1 1 255 255 255 0 any permit 192 168 1 0 255 255 255 0 any destination port 80 80 permit 192 168 1 0 255 255 255 0 any protocol tcp control code 2 2 MAC access list jerry permit any host 00 30 29 94 34 de ethertype 800 800 IP extended access...

Page 671: ...and duplex operation of a given interface when autonegotiation is disabled IC switchport packet rate Enabling hardware level storm control with this command on a port will disable software level automatic storm control on the same port if configured by the auto traffic control command Configures broadcast multicast and unknown unicast storm control thresholds IC clear counters Clears statistics on...

Page 672: ...apabilities This command advertises the port capabilities of a given interface during auto negotiation Use the no form with parameters to remove an advertised capability or the no form without parameters to restore the default values SYNTAX no capabilities 1000full 100full 100half 10full 10half flowcontrol symmetric 1000full Supports 1 Gbps full duplex operation 100full Supports 100 Mbps full dupl...

Page 673: ...sabled you must manually specify the link attributes with the speed duplex and flowcontrol commands EXAMPLE The following example configures Ethernet port 5 capabilities to include 100half and 100full Console config interface ethernet 1 5 Console config if capabilities 100half Console config if capabilities 100full Console config if capabilities flowcontrol Console config if RELATED COMMANDS negot...

Page 674: ... connection over any 1000BASE T port or trunk Flow control can eliminate frame loss by blocking traffic from end stations or segments connected directly to the switch when its buffers fill When enabled back pressure is used for half duplex operation and IEEE 802 3 2002 formally IEEE 802 3x for full duplex operation To force flow control on or off with the flowcontrol or no flowcontrol command use ...

Page 675: ...he other end of the link auto prefer slave Uses slave mode as the initial configuration regardless of the mode configured at the other end of the link DEFAULT SETTING master COMMAND MODE Interface Configuration Ethernet Ports 25 28 COMMAND USAGE The 1000BASE T standard does not support forced mode Auto negotiation should always be used to establish a connection over any 1000BASE T port or trunk If...

Page 676: ...cts the pinout configuration of the attached device and negotiates with the link partner to determine which side will adjust the pinout signals if required to ensure a proper connection crossover Specifies a fixed setting for MDI X i e crossover straight Specifies a fixed setting for MDI i e straight through DEFAULT SETTING auto COMMAND MODE Interface Configuration Ethernet COMMAND USAGE Auto nego...

Page 677: ...NTAX media type mode no media type mode copper forced Always uses the built in RJ 45 port sfp forced Always uses the SFP port even if module not installed sfp preferred auto Uses SFP port if both combination types are functioning and the SFP port has a valid link DEFAULT SETTING sfp preferred auto COMMAND MODE Interface Configuration Ethernet Ports 25 28 EXAMPLE This forces the switch to use the b...

Page 678: ...based on the capabilities command When auto negotiation is disabled you must manually specify the link attributes with the speed duplex and flowcontrol commands If auto negotiation is disabled auto MDI MDI X pin signal configuration will also be disabled for the RJ 45 ports EXAMPLE The following example configures port 10 to use auto negotiation Console config interface ethernet 1 10 Console confi...

Page 679: ...LT SETTING Auto negotiation is enabled by default When auto negotiation is disabled the default speed duplex setting is Fast Ethernet ports 100full for 100BASE TX ports Gigabit Ethernet ports 100full for 1000BASE T ports COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE The 1000BASE T standard does not support forced mode Auto negotiation should always be used to establish a...

Page 680: ...unicast broadcast Specifies storm control for broadcast traffic multicast Specifies storm control for multicast traffic unicast Specifies storm control for unknown unicast traffic rate Threshold level as a rate i e kilobits per second Range 64 100000 Kbps for Fast Ethernet ports 64 1000000 Kbps for Gigabit Ethernet ports DEFAULT SETTING Broadcast Storm Control Enabled packet rate limit 64 kbps Mul...

Page 681: ...traffic control action command Using both rate limiting and storm control on the same interface may lead to unexpected results For example suppose broadcast storm control is set to 500 Kbps by the command switchport broadcast packet rate 500 and the rate limit is set to 20000 Kbps by the command rate limit input 20000 on a Fast Ethernet port Since 20000 Kbps is 1 5 of line speed 100 Mbps the recei...

Page 682: ...is command displays a summary of key information including operational status native VLAN ID default priority speed duplex mode and port type for all ports COMMAND MODE Privileged Exec EXAMPLE Console show interfaces brief Interface Name Status PVID Pri Speed Duplex Type Trunk Eth 1 1 Up 1 0 Auto 100full 100TX None Eth 1 2 Down 1 0 Auto 100TX None Eth 1 3 Down 1 0 Auto 100TX None Eth 1 4 Down 1 0 ...

Page 683: ...t 26 Broadcast Output 3 Ether like Stats Alignment Errors 0 FCS Errors 0 Single Collision Frames 0 Multiple Collision Frames 0 SQE Test Errors 0 Deferred Transmissions 0 Late Collisions 0 Excessive Collisions 0 Internal Mac Transmit Errors 0 Internal Mac Receive Errors 0 Frames Too Long 0 Carrier Sense Errors 0 Symbol Errors 0 RMON Stats Drop Events 0 Octets 1631150 Packets 4434 Broadcast PKTS 29 ...

Page 684: ...AMPLE Console show interfaces status ethernet 1 25 Basic Information Port Type 1000T Mac Address 00 17 7C 61 24 48 Configuration Name Port Admin Up MDIX mode Auto Speed duplex Auto Capabilities 10half 10full 100half 100full 1000full Broadcast Storm Enabled Broadcast Storm Limit 64 Kbits second Multicast Storm Disabled Multicast Storm Limit 64 Kbits second UnknownUnicast Storm Disabled UnknownUnica...

Page 685: ...splayed EXAMPLE This example shows the configuration setting for port 1 Console show interfaces switchport ethernet 1 1 Broadcast Threshold Enabled 256 Kbits second Multicast Threshold Enabled 256 Kbits second Unknown unicast Threshold Enabled 256 Kbits second LACP Status Disabled Ingress Rate Limit Disabled 100000 Kbits per second Egress Rate Limit Disabled 100000 Kbits per second VLAN Membership...

Page 686: ...pes or tagged frames only page 800 Native VLAN Indicates the default Port VLAN ID page 804 Priority for Untagged Traffic Indicates the default priority for untagged frames page 843 GVRP Status Shows if GARP VLAN Registration Protocol is enabled or disabled page 795 Allowed VLAN Shows the VLANs this interface has joined where u indicates untagged and t indicates tagged page 801 Forbidden VLAN Shows...

Page 687: ...ch can display diagnostic information for SFP modules which support the SFF 8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers This information allows administrators to remotely diagnose problems with optical devices EXAMPLE Console show interfaces transceiver ethernet 1 27 Information of Eth 1 27 Connector Type LC Fiber Type Single Mode SM Eth Compliance Codes 1000BAS...

Page 688: ...ccurate for cables 7 140 meters long The test takes approximately 5 seconds The switch displays the results of the test immediately upon completion including common cable failures as well as the status and approximate length of each cable pair Potential conditions which may be listed by the diagnostics include OK Correctly terminated pair Open Open pair no link partner Short Shorted pair Impedance...

Page 689: ...able diagnostics interface interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 COMMAND MODE Privileged Exec EXAMPLE Console show cable diagnostics tdr interface ethernet 1 1 Port Type Link Status Pair A meters Pair B meters Last Update Eth 1 1 FE Up OK 0 OK 0 2001 01 01 08 25 32 Console ...

Page 690: ...ports at both ends of a connection must be configured as trunk ports All ports in a trunk must be configured in an identical manner including communication mode i e speed and duplex mode VLAN assignments and CoS settings Table 92 Link Aggregation Commands Command Function Mode Manual Configuration Commands interface port channel Configures a trunk and enters interface configuration mode for the tr...

Page 691: ...t when a channel group is formed i e it has the null value of 0 this key is set to the same value as the port admin key lacp admin key Ethernet Interface used by the interfaces that joined the group However if the port channel admin key is set then the port admin key must be set to the same value for a port to be allowed to join a channel group If a link goes down LACP port priority is used to sel...

Page 692: ...h another switch using LACP will automatically be assigned the next available port channel ID If the target switch has also enabled LACP on the connected ports the trunk will be activated automatically If more than eight ports attached to the same target switch have LACP enabled the additional ports will be placed in standby mode and will only be enabled if one of the active links fails EXAMPLE Th...

Page 693: ...rt s LACP administration key Use the no form to restore the default setting SYNTAX lacp actor partner admin key key no lacp actor partner admin key actor The local side an aggregate link partner The remote side of an aggregate link key The port admin key must be set to the same value for ports that belong to the same link aggregation group LAG Range 0 65535 DEFAULT SETTING 0 COMMAND MODE Interface...

Page 694: ...mode actor partner active passive no lacp mode actor partner actor The local side of an aggregate link partner The remote side of an aggregate link active Enables active initiation of LACP negotiation on a port automatically sending LACP negotiation packets passive Enables passive initiation of LACP negotiation on a port which starts negotiations only if an LACP device is detected at the other end...

Page 695: ... indicates a higher effective priority If an active port link goes down the backup port with the highest priority is selected to replace the downed link However if two or more ports have the same LACP port priority the port with the lowest physical port number will be selected as the backup port Once the remote side of a link has been established LACP operational settings are already in use on tha...

Page 696: ... switch s MAC address to form the LAG identifier This identifier is used to indicate a specific LAG during LACP negotiations with other systems Once the remote side of a link has been established LACP operational settings are already in use on that side Configuring LACP settings for the partner only applies to its administrative state not its operational state and will only take effect the next ti...

Page 697: ...the interfaces that joined the group Note that when the LAG is no longer used the port channel admin key is reset to 0 EXAMPLE Console config interface port channel 1 Console config if lacp admin key 3 Console config if show lacp This command displays LACP information SYNTAX show lacp port channel counters internal neighbors sys id port channel Local identifier for a link aggregation group Range 1...

Page 698: ...nel group Marker Sent Number of valid Marker PDUs transmitted from this channel group Marker Received Number of valid Marker PDUs received by this channel group LACPDUs Unknown Pkts Number of frames received that either 1 Carry the Slow Protocols Ethernet Type value but contain an unknown PDU or 2 are addressed to the Slow Protocols group MAC Address but do not carry the Slow Protocols Ethernet Ty...

Page 699: ...strative changes or changes in received protocol information Collecting Collection of incoming frames on this link is enabled i e collection is currently enabled and is not expected to be disabled in the absence of administrative changes or changes in received protocol information Synchronization The System considers this link to be IN_SYNC i e it has been allocated to the correct Link Aggregation...

Page 700: ... the protocol partner Port Oper Priority Priority value assigned to this aggregation port by the partner Admin Key Current administrative value of the Key for the protocol partner Oper Key Current operational value of the Key for the protocol partner Admin State Administrative values of the partner s state parameters See preceding table Oper State Operational values of the partner s state paramete...

Page 701: ... the switch i e the power available to all switch ports Use the no form to restore the default setting SYNTAX power mainpower maximum allocation watts watts The power budget for the switch Range 37 180 watts DEFAULT SETTING 180 watts Table 97 PoE Commands Command Function Mode power mainpower maximum allocation Sets the maximum power available to all switch ports GC power inline compatible Provide...

Page 702: ...e SYNTAX no power inline compatible DEFAULT SETTING Enabled COMMAND MODE Global Configuration COMMAND USAGE The switch automatically detects attached PoE devices by periodically transmitting test voltages that over the Fast Ethernet or Gigabit Ethernet copper media ports When an IEEE 802 3af or 802 3at compatible device is plugged into one of these ports the powered device reflects the test voltag...

Page 703: ...ow Disabled Eth 1 12 Enabled Off 15400 mW 0 mW Low Disabled Eth 1 12 Enabled Off 15400 mW 0 mW Low Disabled power inline This command instructs the switch to automatically detect if a PoE compliant device is connected to the specified port and turn power on or off accordingly Use the no form to turn off power for a port SYNTAX no power inline DEFAULT SETTING Detection is enabled for PoE compliant ...

Page 704: ...more than the maximum power allocated to the port or to the overall switch no power is supplied to the device i e port power remains off EXAMPLE Console config interface ethernet 1 1 Console config if power inline maximum allocation 8000 Console config if power inline overload auto recover This command enables automatic recovery from power overload for a specified ports Use the no form to disable ...

Page 705: ...f the power demand from devices connected to the switch exceeds the power budget setting as determined during bootup the switch uses port power priority settings to control the supplied power For example A device connected to a low priority port that causes the switch to exceed its budget is not supplied power If a device is connected to a critical or high priority port and causes the switch to ex...

Page 706: ... Low Disabled Eth 1 3 Enabled Off 30000 mW 7505 mW Low Disabled Eth 1 4 Enabled Off 15400 mW 0 mW Low Disabled Eth 1 5 Enabled Off 15400 mW 0 mW Low Disabled Eth 1 6 Enabled Off 15400 mW 0 mW Low Disabled Eth 1 7 Enabled Off 15400 mW 8597 mW Low Disabled Eth 1 8 Enabled Off 15400 mW 0 mW Low Disabled Eth 1 9 Enabled Off 15400 mW 0 mW Low Disabled Eth 1 10 Enabled Off 15400 mW 0 mW Low Disabled Eth...

Page 707: ...er priority setting see power inline priority Overload Auto recover Shows if automatic recovery from power overload is enabled Table 98 show power inline status display description Continued Field Description Table 99 show power mainpower display description Field Description Maximum Available Power The available power budget for the switch System Operation Status The current operating power statu...

Page 708: ...et unit port source port unit Unit identifier Range 1 port Port number Range 1 28 rx Mirror received packets tx Mirror transmitted packets both Mirror both received and transmitted packets vlan id VLAN ID Range 1 4094 mac address MAC address in the form of xx xx xx xx xx xx or xxxxxxxxxxxx DEFAULT SETTING No mirror session is defined When enabled for an interface default mirroring is for both rece...

Page 709: ...heavy loads When VLAN mirroring and port mirroring are both enabled the target port can receive a mirrored packet twice once from the source mirror port and again from the source mirror VLAN When mirroring traffic from a MAC address ingress traffic with the specified source address entering any port in the switch other than the target port will be mirrored to the destination port Spanning Tree BPD...

Page 710: ...on port and source VLAN are displayed When the source is a MAC address only the destination port and MAC address are displayed EXAMPLE The following shows mirroring configured from port 6 to port 5 Console config interface ethernet 1 5 Console config if port monitor ethernet 1 6 both Console config if end Console show port monitor Port Mirroring Destination Port listen port Eth1 5 Source Port moni...

Page 711: ...f disabled SYNTAX rate limit input output rate no rate limit input output input Input rate for specified interface output Output rate for specified interface rate Maximum value in Kbps Range 64 100000 Kbps for Fast Ethernet ports 64 1000000 Kbps for Gigabit Ethernet ports DEFAULT SETTING Disabled COMMAND MODE Interface Configuration Ethernet COMMAND USAGE Using both rate limiting and storm control...

Page 712: ...m control command It is therefore not advisable to use both of these commands on the same interface EXAMPLE Console config interface ethernet 1 1 Console config if rate limit input 64 Console config if RELATED COMMAND show interfaces switchport 685 ...

Page 713: ... timer expires IC Port auto traffic control control release Manually releases a control response IC Port auto traffic control auto control release Automatically releases a control response PE SNMP Trap Commands snmp server enable port traps atc broadcast alarm clear Sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered IC Port snmp ...

Page 714: ...beneath the lower threshold after a storm control response has been triggered and the release timer expires IC Port ATC Display Commands show auto traffic control Shows global configuration settings for automatic storm control PE show auto traffic control interface Shows interface configuration settings and storm control status for the specified port PE Enabling automatic storm control on a port w...

Page 715: ...enable the port FUNCTIONAL LIMITATIONS Automatic storm control is a software level control function Traffic storms can also be controlled at the hardware level using the switchport packet rate command However only one of these control types can be applied to a port Enabling automatic storm control on a port will disable hardware level storm control on that port auto traffic control apply timer Thi...

Page 716: ...ts the time at which to release the control response after ingress traffic has fallen beneath the lower threshold Use the no form to restore the default setting SYNTAX auto traffic control broadcast multicast release timer seconds no auto traffic control broadcast multicast release timer broadcast Specifies automatic storm control for broadcast traffic multicast Specifies automatic storm control f...

Page 717: ...TING Disabled COMMAND MODE Interface Configuration Ethernet COMMAND USAGE Automatic storm control can be enabled for either broadcast or multicast traffic It cannot be enabled for both of these traffic types at the same time Automatic storm control is a software level control function Traffic storms can also be controlled at the hardware level using the switchport packet rate command However only ...

Page 718: ...an only be manually re enabled DEFAULT SETTING rate control COMMAND MODE Interface Configuration Ethernet COMMAND USAGE When the upper threshold is exceeded and the apply timer expires a control response will be triggered based on this command When the control response is set to rate limiting by this command the rate limits are determined by the auto traffic control alarm clear threshold command I...

Page 719: ...ds COMMAND MODE Interface Configuration Ethernet COMMAND USAGE Once the traffic rate falls beneath the lower threshold a trap message may be sent if configured by the snmp server enable port traps atc broadcast alarm clear command or snmp server enable port traps atc multicast alarm clear command If rate limiting has been configured as a control response it will discontinued after the traffic rate...

Page 720: ...nfiguration Ethernet COMMAND USAGE Once the upper threshold is exceeded a trap message may be sent if configured by the snmp server enable port traps atc broadcast alarm fire command or snmp server enable port traps atc multicast alarm fire command After the upper threshold is exceeded the control timer must first expire as configured by the auto traffic control apply timer command before a contro...

Page 721: ...ntrol for broadcast traffic multicast Specifies automatic storm control for multicast traffic COMMAND MODE Interface Configuration Ethernet COMMAND USAGE This command can be used to automatically stop a control response after the specified action has been triggered and the release timer has expired EXAMPLE Console config interface ethernet 1 1 Console config if auto traffic control broadcast auto ...

Page 722: ...snmp server enable port traps atc broadcast alarm fire DEFAULT SETTING Disabled COMMAND MODE Interface Configuration Ethernet EXAMPLE Console config interface ethernet 1 1 Console config if snmp server enable port traps atc broadcast alarm fire Console config if RELATED COMMANDS auto traffic control alarm fire threshold 720 snmp server enable port traps atc broadcast control apply This command sen...

Page 723: ... server enable port traps atc broadcast control release DEFAULT SETTING Disabled COMMAND MODE Interface Configuration Ethernet EXAMPLE Console config interface ethernet 1 1 Console config if snmp server enable port traps atc broadcast control release Console config if RELATED COMMANDS auto traffic control alarm clear threshold 719 auto traffic control action 718 auto traffic control release timer ...

Page 724: ...snmp server enable port traps atc multicast alarm fire DEFAULT SETTING Disabled COMMAND MODE Interface Configuration Ethernet EXAMPLE Console config interface ethernet 1 1 Console config if snmp server enable port traps atc multicast alarm fire Console config if RELATED COMMANDS auto traffic control alarm fire threshold 720 snmp server enable port traps atc multicast control apply This command sen...

Page 725: ...r expires Use the no form to disable this trap SYNTAX no snmp server enable port traps atc multicast control release DEFAULT SETTING Disabled COMMAND MODE Interface Configuration Ethernet EXAMPLE Console config interface ethernet 1 1 Console config if snmp server enable port traps atc multicast control release Console config if RELATED COMMANDS auto traffic control alarm clear threshold 719 auto t...

Page 726: ... unit port unit Unit identifier Range 1 port Port number Range 1 28 COMMAND MODE Privileged Exec EXAMPLE Console show auto traffic control interface ethernet 1 1 Eth 1 1 Information Storm Control Broadcast Multicast State Disabled Disabled Action rate control rate control Auto Release Control Disabled Disabled Alarm Fire Threshold Kpps 128 128 Alarm Clear Threshold Kpps 128 128 Trap Storm Fire Dis...

Page 727: ...opback event is detected on an interface or when a interface is released from a shutdown state caused by a loopback event a trap message is sent and the event recorded in the system log Loopback detection must be enabled both globally and on an interface for loopback detection to take effect Table 103 Loopback Detection Commands Command Function Mode loopback detection Enables loopback detection g...

Page 728: ... port 1 and then enables general loopback detection for that port Console config loopback detection Console config interface ethernet 1 1 Console config if no spanning tree loopback detection Console config if loopback detection Console config loopback detection mode This command specifies shutdown by dropping packets for a port detected in loopback state or by dropping packets belonging to a VLAN...

Page 729: ...ased Console config loopback detection recover time This command specifies the interval to wait before the switch automatically releases an interface from shutdown state Use the no form to restore the default setting SYNTAX loopback detection recover time seconds no loopback detection recover time seconds Recovery time from shutdown state Range 60 1 000 000 seconds or 0 to disable automatic recove...

Page 730: ...G 10 seconds COMMAND MODE Global Configuration EXAMPLE Console config loopback detection transmit interval 60 Console config loopback detection release This command releases all interfaces currently shut down by the loopback detection feature SYNTAX loopback detection release COMMAND MODE Privileged Exec EXAMPLE Console loopback detection release Console config show loopback detection This command...

Page 731: ...on Global Status Enabled Transmit Interval 10 Recover Time 60 Mode Port based Loopback Detection Port Information Port Admin State Oper State Eth 1 1 Enabled Normal Eth 1 2 Disabled Disabled Eth 1 3 Disabled Disabled Console show loopback detection ethernet 1 1 Loopback Detection Information of Eth 1 1 Admin State Enabled Oper State Normal Console ...

Page 732: ...g DEFAULT SETTING 300 seconds COMMAND MODE Global Configuration COMMAND USAGE The aging time is used to age out dynamically learned forwarding information EXAMPLE Console config mac address table aging time 100 Console config Table 104 Address Table Commands Command Function Mode mac address table aging time Sets the aging time of the address table GC mac address table static Maps a static address...

Page 733: ... The default mode is permanent COMMAND MODE Global Configuration COMMAND USAGE The static address for a host device can be assigned to a specific port within a specific VLAN Use this command to add static addresses to the MAC Address Table Static addresses have the following characteristics Static addresses will not be removed from the address table when a given interface link is down Static addre...

Page 734: ...ss interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 port channel channel id Range 1 8 vlan id VLAN ID Range 1 4094 sort Sort by address vlan or interface DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE The MAC Address Table contains the MAC addresses associated with each interface Note that the Type field may include the following types Learned ...

Page 735: ...XAMPLE Console show mac address table Interface MAC Address VLAN Type Eth 1 1 00 E0 29 94 34 64 1 Learned Eth 1 1 00 E0 29 94 34 DE 1 Permanent Eth 1 8 00 17 7C DA FC E8 1 Delete on Reset Console show mac address table aging time This command shows the aging time for entries in the address table DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console show mac address table aging time Agi...

Page 736: ... mode GC spanning tree system bpdu flooding Floods BPDUs to all other ports or just to all other ports in the same VLAN when global spanning tree is disabled GC spanning tree transmission limit Configures the transmission limit for RSTP MSTP GC max hops Configures the maximum number of hops allowed in the region before a BPDU is discarded MST mst priority Configures the priority of a spanning tree...

Page 737: ...cost of an instance in the MST IC spanning tree mst port priority Configures the priority of an instance in the MST IC spanning tree portfast Sets an interface to fast forwarding IC spanning tree port bpdu flooding Floods BPDUs to other ports when global spanning tree is disabled IC spanning tree port priority Configures the spanning tree priority of an interface IC spanning tree root guard Preven...

Page 738: ...OS Release 12 2 25 SEC do not fully follow the IEEE standard causing some state machine procedures to function incorrectly The command forces the spanning tree protocol to function in a manner compatible with Cisco prestandard versions EXAMPLE Console config spanning tree cisco prestandard Console config spanning tree forward time This command configures the spanning tree bridge forward time globa...

Page 739: ...LE Console config spanning tree forward time 20 Console config spanning tree hello time This command configures the spanning tree bridge hello time globally for this switch Use the no form to restore the default SYNTAX spanning tree hello time time no spanning tree hello time time Time in seconds Range 1 10 seconds The maximum value is the lower of 10 or max age 2 1 DEFAULT SETTING 2 seconds COMMA...

Page 740: ...configure All device ports except for designated ports should receive configuration messages at regular intervals Any port that ages out STA information provided in the last configuration message becomes the designated port for the attached LAN If it is a root port a new root port is selected from among the device ports attached to the network EXAMPLE Console config spanning tree max age 40 Consol...

Page 741: ...n delay timer expires the switch assumes it is connected to an 802 1D bridge and starts using only 802 1D BPDUs RSTP Mode If RSTP is using 802 1D BPDUs on a port and receives an RSTP BPDU after the migration delay expires RSTP restarts the migration delay timer and begins using RSTP BPDUs on that port Multiple Spanning Tree Protocol To allow multiple spanning trees to operate over the network you ...

Page 742: ...path between devices Therefore lower values should be assigned to ports attached to faster media and higher values assigned to ports with slower media Note that path cost page 750 takes precedence over port priority page 758 The path cost methods apply to all spanning tree modes STP RSTP and MSTP Specifically the long method can be applied to STP since this mode is supported by a backward compatib...

Page 743: ... the lowest MAC address will then become the root device EXAMPLE Console config spanning tree priority 40000 Console config spanning tree mst configuration This command changes to Multiple Spanning Tree MST configuration mode DEFAULT SETTING No VLANs are mapped to any MST instance The region name is set the switch s MAC address COMMAND MODE Global Configuration EXAMPLE Console config spanning tree...

Page 744: ...ed by port s PVID DEFAULT SETTING Floods to all other ports in the same VLAN COMMAND MODE Global Configuration COMMAND USAGE The spanning tree system bpdu flooding command has no effect if BPDU flooding is disabled on a port see the spanning tree port bpdu flooding command EXAMPLE Console config spanning tree system bpdu flooding Console config spanning tree transmission limit This command configu...

Page 745: ...stance within a region and the internal spanning tree IST that connects these instances use a hop count to specify the maximum number of bridges that will propagate a BPDU Each bridge decrements the hop count by one before passing on the BPDU When the hop count reaches zero the message is dropped EXAMPLE Console config mstp max hops 30 Console config mstp mst priority This command configures the p...

Page 746: ...tance Use the no form to remove the specified VLANs Using the no form without any VLAN parameters to remove all VLANs SYNTAX no mst instance id vlan vlan range instance id Instance identifier of the spanning tree Range 0 4094 vlan range Range of VLANs Range 1 4094 DEFAULT SETTING none COMMAND MODE MST Configuration COMMAND USAGE Use this command to group VLANs into spanning tree instances MSTP gen...

Page 747: ... Use the no form to clear the name SYNTAX name name name Name of the spanning tree DEFAULT SETTING Switch s MAC address COMMAND MODE MST Configuration COMMAND USAGE The MST region name and revision number page 747 are used to designate a unique MST region A bridge i e spanning tree compliant device such as this switch can only belong to one MST region And all bridges in the same region must be con...

Page 748: ...ature SYNTAX no spanning tree bpdu filter DEFAULT SETTING Disabled COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE This command filters all Bridge Protocol Data Units BPDUs received on an interface to save CPU processing time This function is designed to work in conjunction with edge ports which should only connect end stations to the switch and therefore do not need to pr...

Page 749: ...to end nodes which do not generate BPDUs If a BPDU is received on an edge port this indicates an invalid network configuration or that the switch may be under attack by a hacker If an interface is shut down by BPDU Guard it must be manually re enabled using the no spanning tree spanning disabled command Before enabling BPDU Guard the interface must be configured as an edge port with the spanning t...

Page 750: ...ended by the IEEE 8021w standard exceeds 65 535 the default is set to 65 535 20 Use the spanning tree pathcost method command to set the path cost method Table 106 Recommended STA Path Cost Range Port Type IEEE 802 1D 1998 IEEE 802 1w 2001 Ethernet 50 600 200 000 20 000 000 Fast Ethernet 10 60 20 000 2 000 000 Gigabit Ethernet 3 10 2 000 200 000 Table 107 Recommended STA Path Cost Port Type Link T...

Page 751: ...port auto Automatically determines if an interface is an edge port DEFAULT SETTING Disabled COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node Since end nodes cannot cause forwarding loops they can pass directly through to the spanning tree forwarding ...

Page 752: ...e and its role changes the interface cannot continue to function as an edge port even if the edge delay time has expired If the port does not receive any BPDUs after the edge delay timer expires its role changes to designated port and it immediately enters forwarding state see Displaying Interface Settings for STA The edge delay time equals the protocol migration time when the port link type is po...

Page 753: ... an extension of RSTP this same restriction applies EXAMPLE Console config interface ethernet 1 5 Console config if spanning tree link type point to point spanning tree loopback detection This command enables the detection and response to Spanning Tree loopback BPDU packets on the port Use the no form to disable this feature SYNTAX no spanning tree loopback detection DEFAULT SETTING Enabled COMMAN...

Page 754: ...port is configured for automatic loopback release then the port will only be returned to the forwarding state if one of the following conditions is satisfied The port receives any other BPDU except for it s own or The port s link status changes to link down and then link up again or The port ceases to receive it s own BPDUs in a forward delay interval If Port Loopback Detection is not enabled and ...

Page 755: ...nce identifier of the spanning tree Range 0 4094 no leading zeroes cost Path cost for an interface Range 0 for auto configuration 1 65535 for short path cost method21 1 200 000 000 for long path cost method The recommended path cost range is listed in Table 106 The recommended path cost is listed in Table 107 DEFAULT SETTING By default the system automatically detects the speed and duplex mode use...

Page 756: ...ree Use the no form to restore the default SYNTAX spanning tree mst instance id port priority priority no spanning tree mst instance id port priority instance id Instance identifier of the spanning tree Range 0 4094 no leading zeroes priority Priority for an interface Range 0 240 in steps of 16 DEFAULT SETTING 128 COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE This comman...

Page 757: ...g loops they can be passed through the spanning tree state changes more quickly than allowed by standard convergence time Fast forwarding can achieve quicker convergence for end node workstations and servers and also overcome other STA related timeout problems Remember that fast forwarding should only be enabled for ports connected to a LAN segment that is at the end of a bridged LAN or for an end...

Page 758: ...t if BPDU flooding is disabled on a port by the spanning tree port bpdu flooding command EXAMPLE Console config interface ethernet 1 5 Console config if spanning tree port bpdu flooding Console config if spanning tree port priority This command configures the priority for the specified interface Use the no form to restore the default SYNTAX spanning tree port priority priority no spanning tree por...

Page 759: ...root bridge at any time When Root Guard is enabled and the switch receives a superior BPDU on this port it is set to the Discarding state until it stops receiving superior BPDUs for a fixed recovery period While in the discarding state no traffic is forwarded across the port Root Guard can be used to ensure that the root bridge is not formed at a suboptimal location Root Guard should be enabled on...

Page 760: ...This example disables the spanning tree algorithm for port 5 Console config interface ethernet 1 5 Console config if spanning tree spanning disabled Console config if spanning tree loopback detection release This command manually releases a port placed in discarding state by loopback detection SYNTAX spanning tree loopback detection release interface interface ethernet unit port unit Unit identifi...

Page 761: ...rt Port number Range 1 28 port channel channel id Range 1 8 COMMAND MODE Privileged Exec COMMAND USAGE If at any time the switch detects STP BPDUs including Configuration or Topology Change Notification BPDUs it will automatically set the selected interface to forced STP compatible mode However you can also use the spanning tree protocol migration command at any time to manually re check the appro...

Page 762: ...parameters to display the spanning tree configuration for the switch for the Common Spanning Tree CST and for every interface in the tree Use the show spanning tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree CST Use the show spanning tree mst instance id command to display the spanning tree configuration for an instance within the ...

Page 763: ...h Cost 0 Internal Admin Path Cost 0 External Oper Path Cost 100000 Internal Oper Path Cost 100000 Priority 128 Designated Cost 0 Designated Port 128 14 Designated Root 32768 0 00177CF8D8C6 Designated Bridge 32768 0 00177CF8D8C6 Fast Forwarding Enabled Forward Transitions 1 Last Topology Change Time sec 14210 Admin Edge Port Enabled Oper Edge Port Disabled Admin Link Type Auto Oper Link Type Point ...

Page 764: ...onfiguration This command shows the configuration of the multiple spanning tree COMMAND MODE Privileged Exec EXAMPLE Console show spanning tree mst configuration Mstp Configuration Information Configuration Name R D Revision Level 0 Instance VLANs 0 1 4094 Console ...

Page 765: ...es Each node has two ports connected to the ring One port of the master node is designated as the primary port to the ring carrying control messages and data while the other port is designated as the secondary port and runs in backup mode In normal operation the master node blocks the secondary port for all non control Ethernet frames belonging to the given EAPS Domain thereby avoiding a loop in t...

Page 766: ...tored the next health check frame will be received on the master node s secondary port This will cause the master node to transition back to the normal state logically block non control frames on the secondary port flush its own bridge table and send a control frame to the transit nodes instructing them to flush their bridging tables and re learn the topology During the time between the transit no...

Page 767: ...aster node the master node will unblock the blocked port on the Protected VLAN and send a message to flush the forwarding database FDB to all transit nodes If this event occurs on the secondary port the master node will enter failed state If this event occurs on a transit node the transit node will send a link down control message to the master node and the master node will unblock the blocked por...

Page 768: ...abit Ethernet ports can be configured as EAPS ring ports but these ports should not be a member of any trunk Each EAPS domain can have only one master node The hello timer and fail timer must be configured on the master node Afterwards the master node will send timer configuration messages to the transit nodes to reset their hello timer and fail timer One VLAN must be added to an EAPS domain as th...

Page 769: ... other direction in the ring 4 Configure the primary and secondary ports Each node on the ring connects to it through two ring ports Use the port primary command page 775 to configure one port as the primary port and the port secondary command to configure the other as the secondary port 5 Configure the EAPS Control VLAN CVLAN Use the control vlan command to create the VLAN used to pass ring integ...

Page 770: ... port primary or no port secondary command to unconfigure an EAPS primary or secondary ring port for an EAPS domain 10 Display EAPS status information Use the show eaps command to display general EAPS status information or more detailed EAPS status information eaps This command enables EAPS on the switch Use the no form to disable EAPS SYNTAX no eaps DEFAULT SETTING Disabled COMMAND MODE Global Co...

Page 771: ...ading zeroes DEFAULT SETTING None COMMAND MODE EAPS Domain Configuration COMMAND USAGE Only one Control VLAN can be configured in an EAPS domain First create the VLAN to be used as the Control VLAN vlan page 798 add the primary and secondary ring ports as tagged members to this VLAN switchport allowed vlan page 801 and then use the control vlan command to add the Control VLAN to the EAPS domain Th...

Page 772: ...Domain Configuration COMMAND USAGE An EAPS domain containing one Control VLAN and one or more Protected VLANs must be enabled with the enable command and the EAPS function enabled on the switch with the eaps command before these domains start running on the ring Once enabled the master node and transit node state machines will start and the domain will enter the active state EXAMPLE Console config...

Page 773: ...e fail timer expires the master node moves from the normal state to the ring fault state and unblocks its secondary port The master node also flushes its bridging table and sends a control frame to all other nodes instructing them to also flush their bridging tables Immediately after flushing its bridge table each node starts learning the new topology This ring polling mechanism provides a backup ...

Page 774: ... master Configures the switch as the master node of the EAPS domain This node actively monitors ring integrity and sends health check and state change messages to transit nodes Only one master node can be set for a domain transit Configures the switch as a transit node in the EAPS domain Transit nodes receive master control messages detect ring topology changes and send status messages to the mast...

Page 775: ...m this port secondary This port is blocked on the Protected VLAN and is used only to receive control messages on the master node port number Range 1 28 DEFAULT SETTING None COMMAND MODE EAPS Domain Configuration COMMAND USAGE If the ring is complete the master node prevents a loop by logically blocking all data traffic in the transmit and receive directions on its secondary port If the master node...

Page 776: ...tagged members to this VLAN switchport allowed vlan page 801 and then use the protect vlan command to add the Protected VLAN to the EAPS domain Once the domain has been activated with the enable command the configuration of the Protected VLAN cannot be modified Use the no enable command to stop the EAPS domain before making any configuration changes to this domain EXAMPLE Console config eaps prote...

Page 777: ...ef list of status information State Shows the following EAPS states Master Node Idle The EAPS domain has been enabled but the configuration is not complete Init The EAPS domain has started but has not yet determined the status of the ring Complete The ring is in the COMPLETE state for this EAPS domain Failed There is a break in the ring for this EAPS domain Transit Node Idle The EAPS domain has be...

Page 778: ...n name Admin Status Shows if the specified domain is enabled State See Table 110 Mode Shows if the switch is a master or transit node Primary Port Shows the primary port and its operational status where potential port states include Init Complete Failed or Down Secondary Port Shows the secondary port and its operational status Hello Timer Interval The interval at which the master node sends health...

Page 779: ... when more that 16 nodes are used but should always run under than 500 ms Operational Concept Loop avoidance in the ring is achieved by guaranteeing that at any time traffic may flow on all but one of the ring links This particular link is called the ring protection link RPL and under normal conditions this link is blocked to traffic One designated node the RPL owner is responsible for blocking tr...

Page 780: ...e no local request When the RPL owner receives an R APS NR message it starts the Wait To Recover WTR timer Once WTR timer expires the RPL owner blocks the RPL and transmits an R APS NR RB ring blocked message Nodes receiving this message flush the forwarding database and unblock their previously blocked ports The ring is now returned to Idle state Configuration Limitations for ERPS The following c...

Page 781: ...ailure brings down any other link in the ring the RPL will be unblocked Protection state to ensure proper connectivity among all ring nodes until the failure is recovered 4 Configure ERPS timers Use the guard timer command to set the timer is used to prevent ring nodes from receiving outdated R APS messages the holdoff timer command to filter out intermittent link faults and the Table 112 ERPS Com...

Page 782: ... If ERPS has not yet been enabled or has been disabled with the no erps command no ERPS rings will work 7 Enable an ERPS ring Before an EAPS ring can work it must be enabled using the enable command When configuration is completed and the ring enabled R APS messages will start flowing in the control VLAN and normal traffic will begin to flow in the data VLANs To stop a ring it can be disabled on a...

Page 783: ...the VLAN to be used as the control VLAN vlan page 798 add the ring ports for the east and west interface as tagged members to this VLAN switchport allowed vlan page 801 and then use the control vlan command to add it to the ring The Control VLAN must not be configured as a Layer 3 interface with an IP address a dynamic VLAN with GVRP enabled nor as a private VLAN In addition only ring ports may be...

Page 784: ...d activates the current ERPS ring Use the no form to disable the current ring SYNTAX no enable DEFAULT SETTING Disabled COMMAND MODE ERPS Configuration COMMAND USAGE Before enabling a ring the global ERPS function should be enabled with the erps command the east and west ring ports configured on each node with the ring port command the RPL owner specified with the rpl owner command and the control...

Page 785: ...aximum expected forwarding delay for an R APS message to pass around the ring A side effect of the guard timer is that during its duration a node will be unaware of new or existing ring requests transmitted from other nodes EXAMPLE Console config erps guard timer 300 Console config erps holdoff timer This command sets the timer to filter out intermittent link faults Use the no form to restore the ...

Page 786: ...ed defect need not be the same one that started the timer EXAMPLE Console config erps holdoff timer 300 Console config erps meg level This command sets the Maintenance Entity Group level for a ring Use the no form to restore the default setting SYNTAX meg level level level The maintenance entity group MEG level which provides a communication channel for ring automatic protection switching R APS in...

Page 787: ...used for debugging such as to distinguish messages when a node is connected to more than one ring EXAMPLE Console config erps node id 00 17 7C 61 24 2D Console config erps ring port This command configures a node s connection to the ring through the east or west interface Use the no form to disassociate a node from the ring SYNTAX ring port east west interface east Connects to next ring node to th...

Page 788: ...SAGE Only one RPL owner can be configured on a ring The owner blocks traffic on the RPL during Idle state and unblocks it during Protection state that is when a signal fault is detected on the ring The east and west connections to the ring must be specified for all ring nodes using the ring port command When this switch is configured as the RPL owner the west ring port is set as being connected to...

Page 789: ...gs or for a specified ring SYNTAX show erps domain ring name ring name Name of a specific ERPS ring Range 1 32 characters COMMAND MODE Privileged Exec EXAMPLE This example displays a summary of all the ERPS rings configured on the switch Console show erps ERPS Status Enabled Number of ERPS Domains 1 Domain State MEL Enabled West East RPL Owner Ctrl VLAN rd1 Idle 0 Yes Eth 1 20 Eth 1 10 Yes 100 rd2...

Page 790: ...tate it means that a link failure has occurred This state will switch to idle state if all the failed links recover MEL The maintenance entity group MEG level providing a communication channel for ring automatic protection switching R APS information Enabled Shows if the ring is enabled West Shows the west ring port for this node East Shows the east ring port for this node RPL Owner Shows if this ...

Page 791: ...up East Port Shows the west ring port for this node and the interface state as described in the preceding item RPL Port If node is connected to the RPL this shows by which interface RPL Owner Shows if this node is the RPL owner Holdoff Timer The hold off timer interval used to filter out intermittent link faults Guard Timer The guard timer interval used to prevent ring nodes from receiving outdate...

Page 792: ... ingress filtering PVID and GVRP Displaying VLAN Information Displays VLAN groups status port members and MAC addresses Configuring IEEE 802 1Q Tunneling Configures 802 1Q Tunneling QinQ Tunneling Configuring L2CP Tunneling Configures Layer 2 Control Protocol L2CP tunneling either by discarding processing or transparently passing control packets across a QinQ tunnel Configuring Port based Traffic ...

Page 793: ...D USAGE GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network This function should be enabled to permit automatic VLAN registration and to support VLANs which extend beyond the local switch EXAMPLE Console config bridge ext gvrp Console config Table 116 GVRP and Bridge Extension Commands Command Function Mode bridge ext gvrp Enab...

Page 794: ...SAGE Group Address Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN The default values for the GARP timers are independent of the media access method or data rate These values should not be changed unless you are experiencing difficulties with GMRP or GVRP registration deregistration Timer values are applied to GVRP...

Page 795: ...ING No VLANs are included in the forbidden list COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE This command prevents a VLAN from being automatically added to the specified interface via GVRP If a VLAN has been added to the set of allowed VLANs for an interface then you cannot add it to the set of forbidden VLANs for that same interface EXAMPLE The following example shows ...

Page 796: ... show bridge ext Maximum Supported VLAN Numbers 4092 Maximum Supported VLAN ID 4094 Extended Multicast Filtering Services No Static Entry Individual Port Yes VLAN Learning IVL Configurable PVID Tagging Yes Local VLAN Capable No Traffic Classes Enabled Global GVRP Status Disabled GMRP Disabled Console show garp timer This command shows the GARP timers for the selected interface SYNTAX show garp tim...

Page 797: ...face interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 port channel channel id Range 1 8 DEFAULT SETTING Shows both global and interface specific configuration COMMAND MODE Normal Exec Privileged Exec EXAMPLE Console show gvrp configuration ethernet 1 7 Eth 1 7 GVRP Configuration Disabled Console EDITING VLAN GROUPS Table 117 Commands for Editing VLAN Groups Com...

Page 798: ...ou can display this file by entering the show running config command EXAMPLE Console config vlan database Console config vlan RELATED COMMANDS show vlan 806 vlan This command configures a VLAN Use the no form to restore the default settings or delete a VLAN SYNTAX vlan vlan id name vlan name media ethernet state active suspend no vlan vlan id name state vlan id VLAN ID specified as a single number...

Page 799: ... config vlan database Console config vlan vlan 105 name RD5 media ethernet Console config vlan RELATED COMMANDS show vlan 806 CONFIGURING VLAN INTERFACES Table 118 Commands for Configuring VLAN Interfaces Command Function Mode interface vlan Enters interface configuration mode for a specified VLAN IC switchport acceptable frame types Configures frame types to be accepted by an interface IC switchp...

Page 800: ...e vlan 1 Console config if ip address 192 168 1 254 255 255 255 0 Console config if RELATED COMMANDS shutdown 678 interface 672 vlan 798 switchport acceptable frame types This command configures the acceptable frame types for a port Use the no form to restore the default SYNTAX switchport acceptable frame types all tagged no switchport acceptable frame types all The port accepts all frames tagged ...

Page 801: ...orm to restore the default SYNTAX switchport allowed vlan add vlan list tagged untagged remove vlan list no switchport allowed vlan add vlan list List of VLAN identifiers to add remove vlan list List of VLAN identifiers to remove vlan list Separate nonconsecutive VLAN identifiers with a comma and no spaces use a hyphen to designate a range of IDs Do not enter leading zeros Range 1 4094 DEFAULT SET...

Page 802: ...d 6 to the allowed list as tagged VLANs for port 1 Console config interface ethernet 1 1 Console config if switchport allowed vlan add 1 2 5 6 tagged Console config if switchport ingress filtering This command enables ingress filtering for an interface Use the no form to restore the default setting SYNTAX no switchport ingress filtering DEFAULT SETTING Disabled COMMAND MODE Interface Configuration...

Page 803: ...nt for a VLAN trunk A trunk is a direct link between two switches so the port transmits tagged frames that identify the source VLAN Note that frames belonging to the port s default VLAN i e associated with the PVID are also transmitted as tagged frames private vlan For an explanation of this command see the switchport mode private vlan command DEFAULT SETTING All ports are in access mode with the ...

Page 804: ...PVID is automatically set to the identifier for that VLAN When using Hybrid mode the PVID for an interface can be set to any VLAN for which it is an untagged member If acceptable frame types is set to all or switchport mode is set to hybrid the PVID will be inserted into all untagged frames entering the ingress port EXAMPLE The following example shows how to set the PVID for port 1 to VLAN 3 Conso...

Page 805: ... are unknown to those switches to pass through their VLAN trunking ports VLAN trunking is mutually exclusive with the access switchport mode see the switchport mode command If VLAN trunking is enabled on an interface then that interface cannot be set to access mode and vice versa To prevent loops from forming in the spanning tree all unknown VLANs will be bound to a single instance either STP RSTP...

Page 806: ...rivate VLAN type Options community primary DEFAULT SETTING Shows all VLANs COMMAND MODE Normal Exec Privileged Exec EXAMPLE The following example shows how to display information for VLAN 1 Console show vlan id 1 Default VLAN ID 1 VLAN ID 1 Type Static Name DefaultVlan Status Active Ports Port Channels Eth1 1 S Eth1 2 S Eth1 3 S Eth1 4 S Eth1 5 S Eth1 6 S Eth1 7 S Eth1 8 S Eth1 9 S Eth1 10 S Eth1 ...

Page 807: ...PVLAN vlan 3 Configure the QinQ tunnel access port to dot1Q tunnel access mode switchport dot1q tunnel mode 4 Set the Tag Protocol Identifier TPID value of the tunnel access port This step is required if the attached client is using a nonstandard 2 byte ethertype to identify 802 1Q tagged frames The standard ethertype value is 0x8100 See switchport dot1q tunnel tpid 5 Configure the QinQ tunnel acc...

Page 808: ...a tunnel access port If the spanning tree protocol is enabled be aware that a tunnel access or tunnel uplink port may be disabled if the spanning tree structure is automatically reconfigured to overcome a break in the tree It is therefore advisable to disable spanning tree on these ports dot1q tunnel system tunnel control This command sets the switch to operate in QinQ mode Use the no form to disa...

Page 809: ...control command before the switchport dot1q tunnel mode interface command can take effect When a tunnel uplink port receives a packet from a customer the customer tag regardless of whether there are one or more tag layers is retained in the inner tag and the service provider s tag added to the outer tag When a tunnel uplink port receives a packet from the service provider the outer service provide...

Page 810: ...s is performed in a transparent manner as described under IEEE 802 1Q Tunneling on page 330 When priority bits are found in the inner tag these are also copied to the outer tag This allows the service provider to differentiate service based on the indicated priority and appropriate methods of queue management at intermediate nodes across the tunnel Rather than relying on standard service paths and...

Page 811: ...e with third party switches that do not use the standard 0x8100 ethertype to identify 802 1Q tagged frames For example 0x1234 is set as the custom 802 1Q ethertype on a trunk port incoming frames containing that ethertype are assigned to the VLAN contained in the tag following the ethertype field as they would be with a standard 802 1Q trunk Frames arriving on the port containing any other etherty...

Page 812: ...Tunneling L2PT Use the no form to restore the default setting SYNTAX l2protocol tunnel tunnel dmac mac address no l2protocol tunnel tunnel dmac mac address The switch rewrites the destination MAC address in specified upstream L2PT protocol packets e g STP BPDUs to this value and forwards them on to uplink ports The MAC address must be specified in the format xx xx xx xx xx xx or xxxxxxxxxxxx DEFAU...

Page 813: ...l control Console config l2protocol tunnel tunnel dmac 01 80 C2 00 00 01 Console config switchport l2protocol tunnel This command enables Layer 2 Protocol Tunneling L2PT for the specified protocol Use the no form to disable L2PT for the specified protocol SYNTAX no switchport l2protocol tunnel cdp lldp pvst spanning tree vtp cdp Cisco Discovery Protocol lldp Link Layer Discovery Protocol pvst Cisc...

Page 814: ... by a proprietary MAC address Processing protocol packets defined in IEEE 802 1ad Provider Bridges When an IEEE 802 1ad protocol packet is received on an uplink port i e an 802 1Q tunnel ingress port connecting the edge switch to the service provider network with the destination address 01 80 C2 00 00 00 0B 0F C VLAN tag it is forwarded to all QinQ uplink ports and QinQ access ports in the same S ...

Page 815: ...or which L2PT is enabled and b uplink ports after rewriting the destination address to make it a GBPT protocol packet i e setting the destination address to 01 00 0C CD CD D0 L2PT is disabled on this port it is forwarded to the following ports in the same S VLAN a other access ports for which L2PT is disabled and b all uplink ports recognized as a GBPT protocol packet i e having the destination ad...

Page 816: ...cated downlink ports But the switch can be configured to either isolate traffic passing across a client s allocated uplink ports from the uplink ports assigned to other clients or to forward traffic through the uplink ports used by other clients allowing different clients to share access to their uplink ports where security is less likely to be compromised pvlan This command enables port based tra...

Page 817: ...m to restore a port to normal operating mode SYNTAX no pvlan session session id uplink interface list downlink interface list downlink interface list session id Traffic segmentation session Range 1 15 Table 123 Traffic Segmentation Forwarding Destination Source Session 1 Downlinks Session 1 Uplinks Session 2 Downlinks Session 2 Downlinks Normal Ports Session 1 Downlink Ports Blocking Forwarding Bl...

Page 818: ... is not configured for a session the assigned downlink ports will not be able to communicate with any other ports If a downlink port is not configured for the session the assigned uplink ports will operate as normal ports Due to switch ASIC limitations ports 1 8 9 16 17 24 on the DG FS4528P are grouped together when any group member is configured as an uplink or downlink interface EXAMPLE Console ...

Page 819: ...t sessions Use the no form to restore the default SYNTAX no pvlan up to up blocking forwarding blocking Blocks traffic between uplink ports assigned to different sessions forwarding Forwards traffic between uplink ports assigned to different sessions DEFAULT SETTING Blocking COMMAND MODE Global Configuration EXAMPLE This example enables forwarding of traffic between uplink ports assigned to differ...

Page 820: ...in the community VLAN and with any of the promiscuous ports in the associated primary VLAN The promiscuous ports are designed to provide open access to an external network such as the Internet while the community ports provide restricted access to local users Multiple primary VLANs can be configured on this switch and multiple community VLANs can be associated with each primary VLAN Note that priv...

Page 821: ...t to a primary VLAN 6 Use the show vlan private vlan command to verify your configuration settings private vlan Use this command to create a primary or community private VLAN Use the no form to remove the specified private VLAN SYNTAX private vlan vlan id community primary no private vlan vlan id vlan id ID of private VLAN Range 2 4094 no leading zeroes community A VLAN in which traffic is restric...

Page 822: ...nfig vlan private vlan 3 community Console config private vlan association Use this command to associate a primary VLAN with a secondary i e community VLAN Use the no form to remove all associations for the specified primary VLAN SYNTAX private vlan primary vlan id association secondary vlan id add secondary vlan id remove secondary vlan id no private vlan primary vlan id association primary vlan ...

Page 823: ...terface Configuration Ethernet Port Channel COMMAND USAGE To assign a promiscuous port to a primary VLAN use the switchport private vlan mapping command To assign a host port to a community VLAN use the switchport private vlan host association command EXAMPLE Console config interface ethernet 1 2 Console config if switchport mode private vlan promiscuous Console config if exit Console config inter...

Page 824: ...g if switchport private vlan mapping Use this command to map an interface to a primary VLAN Use the no form to remove this mapping SYNTAX switchport private vlan mapping primary vlan id no switchport private vlan mapping primary vlan id ID of primary VLAN Range 1 4094 no leading zeroes DEFAULT SETTING None COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE Promiscuous ports a...

Page 825: ...upport multiple protocols cannot be easily grouped into a common VLAN This may require non standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol This kind of configuration deprives users of the basic benefits of VLANs including security and easy accessibility To avoid these problems you can configure this switch with pro...

Page 826: ...etwork connectivity to the switch If lost in this manner network access can be regained by removing the offending Protocol VLAN rule via the console Alternately the switch can be power cycled however all unsaved configuration changes will be lost protocol vlan protocol group Configuring Groups This command creates a protocol group or adds specific protocols to a group Only one frame type and proto...

Page 827: ...iguring Interfaces This command maps a protocol group entering any interface to a VLAN Use the no form to remove the protocol mapping SYNTAX protocol vlan protocol group group id vlan vlan id no protocol vlan protocol group group id vlan group id Group identifier of this protocol group Range 1 2147483647 vlan id VLAN to which matching protocol traffic is forwarded Range 1 4094 DEFAULT SETTING No p...

Page 828: ...XAMPLE The following example maps the traffic matching the protocol type specified in protocol group 1 to VLAN 2 Console config interface ethernet 1 1 Console config if protocol vlan protocol group 1 vlan 2 Console config if show protocol vlan protocol group This command shows the frame and protocol type associated with protocol groups SYNTAX show protocol vlan protocol group group id group id Gro...

Page 829: ...NG IP SUBNET VLANS When using IEEE 802 1Q port based VLAN classification all untagged frames received by a port are classified as belonging to the VLAN whose VID PVID is associated with that port When IP subnet based VLAN classification is enabled the source address of untagged ingress frames are checked against the IP subnet to VLAN mapping table If an entry is found for that subnet these frames ...

Page 830: ... COMMAND USAGE Each IP subnet can be mapped to only one VLAN ID An IP subnet consists of an IP address and a subnet mask When an untagged frame is received by a port the source IP address is checked against the IP subnet to VLAN mapping table and if an entry is found the corresponding VLAN ID is assigned to the frame If no mapping is found the PVID of the receiving port is assigned to the frame Th...

Page 831: ...8 12 252 255 255 255 254 8 192 168 12 254 255 255 255 255 9 192 168 12 255 255 255 255 255 10 Console CONFIGURING MAC BASED VLANS When using IEEE 802 1Q port based VLAN classification all untagged frames received by a port are classified as belonging to the VLAN whose VID PVID is associated with that port When MAC based VLAN classification is enabled the source address of untagged ingress frames a...

Page 832: ...ETTING None COMMAND MODE Global Configuration COMMAND USAGE The MAC to VLAN mapping applies to all ports on the switch Source MAC addresses can be mapped to only one VLAN ID Configured MAC addresses cannot be broadcast or multicast addresses When MAC based IP subnet based and protocol based VLANs are supported concurrently priority is applied in this sequence and then port based VLANs last EXAMPLE...

Page 833: ...manually configured voice vlan This command enables VoIP traffic detection and defines the Voice VLAN ID Use the no form to disable the Voice VLAN SYNTAX voice vlan voice vlan id no voice vlan voice vlan id Specifies the voice VLAN ID Range 1 4094 DEFAULT SETTING Disabled Table 128 Voice VLAN Commands Command Function Mode voice vlan Defines the Voice VLAN ID GC voice vlan aging Configures the agi...

Page 834: ...ort as a tagged member of the Voice VLAN Only one Voice VLAN is supported and it must already be created on the switch before it can be specified as the Voice VLAN The Voice VLAN ID cannot be modified when the global auto detection status is enabled see the switchport voice vlan command EXAMPLE The following example enables VoIP traffic detection and specifies the Voice VLAN ID as 1234 Console con...

Page 835: ... text that identifies the VoIP devices Range 1 32 characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE VoIP devices attached to the switch can be identified by the manufacturer s Organizational Unique Identifier OUI in the source MAC address of received packets OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses The MAC OUI n...

Page 836: ... must select the method to use for detecting VoIP traffic either OUI or 802 1AB LLDP using the switchport voice vlan rule command When OUI is selected be sure to configure the MAC address ranges in the Telephony OUI list using the voice vlan mac address command EXAMPLE The following example sets port 1 to Voice VLAN auto mode Console config interface ethernet 1 1 Console config if switchport voice...

Page 837: ...ic from VoIP devices is detected by the Organizationally Unique Identifier OUI of the source MAC address lldp Uses LLDP to discover VoIP devices attached to the port DEFAULT SETTING OUI Enabled LLDP Disabled COMMAND MODE Interface Configuration COMMAND USAGE When OUI is selected be sure to configure the MAC address ranges in the Telephony OUI list see the voice vlan mac address command MAC address...

Page 838: ... devices attached to the switch Packets received from non VoIP sources are dropped When enabled be sure the MAC address ranges for VoIP devices are configured in the Telephony OUI list voice vlan mac address EXAMPLE The following example enables security filtering on port 1 Console config interface ethernet 1 1 Console config if switchport voice vlan security Console config if show voice vlan This...

Page 839: ...Enabled OUI 5 Eth 1 4 Auto Enabled OUI 6 Eth 1 5 Disabled Disabled OUI 6 Eth 1 6 Disabled Disabled OUI 6 Eth 1 7 Disabled Disabled OUI 6 Eth 1 8 Disabled Disabled OUI 6 Eth 1 9 Disabled Disabled OUI 6 Eth 1 10 Disabled Disabled OUI 6 Console show voice vlan oui OUIAddress Mask Description 00 12 34 56 78 9A FF FF FF 00 00 00 old phones 00 11 22 33 44 55 FF FF FF 00 00 00 new phones 00 98 76 54 32 1...

Page 840: ... switch Table 129 Priority Commands Command Group Function Priority Commands Layer 2 Configures the queue mode the default priority for untagged frames and maps class of service tags to hardware queues Priority Commands Layer 3 and 4 Maps IP DSCP tags to class of service values Table 130 Priority Commands Layer 2 Command Function Mode queue mode Sets the queue mode to strict priority or Weighted R...

Page 841: ...ing weights 1 2 4 8 for queues 0 3 servicing each queue in a round robin fashion DEFAULT SETTING Weighted Round Robin COMMAND MODE Global Configuration COMMAND USAGE Strict priority requires all traffic in a higher priority queue to be processed before lower priority queues are serviced WRR uses a relative weight for each queue which determines the number of packets the switch transmits every time...

Page 842: ...ing for each port Eight separate traffic classes are defined in IEEE 802 1p The default priority levels are assigned according to recommendations in the IEEE 802 1p standard as shown below COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE CoS values assigned at the ingress port are also used at the egress port This command sets the CoS priority for all interfaces EXAMPLE The...

Page 843: ...frames This priority does not apply to IEEE 802 1Q VLAN tagged frames If the incoming frame is an IEEE 802 1Q VLAN tagged frame the IEEE 802 1p User Priority bits will be used The switch provides four priority queues for each port It can be configured to use strict priority queuing or weighted queuing using the queue mode command Inbound frames that do not have VLAN tags are tagged with the input ...

Page 844: ...ueue bandwidth Queue ID Weight 0 1 1 2 2 4 3 8 Console show queue cos map This command shows the class of service priority map SYNTAX show queue cos map interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 port channel channel id Range 1 8 DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console show queue cos map ethernet 1 1 Information of Eth 1 1 C...

Page 845: ...SCP mapping i e Differentiated Services Code Point mapping Use the no form to disable IP DSCP mapping SYNTAX no map ip dscp DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE The precedence for priority mapping is IP DSCP and default switchport priority EXAMPLE The following example shows how to enable IP DSCP mapping globally Console config map ip dscp Console config Table 1...

Page 846: ...o CoS value 0 COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE The precedence for priority mapping is IP DSCP and default switchport priority DSCP priority values are mapped to default Class of Service values according to recommendations in the IEEE 802 1p standard and then subsequently mapped to the four hardware priority queues This command sets the IP DSCP priority for a...

Page 847: ... interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 port channel channel id Range 1 8 DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console show map ip dscp ethernet 1 1 DSCP mapping status disabled Port DSCP COS Eth 1 1 0 0 Eth 1 1 1 0 Eth 1 1 2 0 Eth 1 1 3 0 Eth 1 1 61 7 Eth 1 1 62 7 Eth 1 1 63 7 Console ...

Page 848: ...map for a type of traffic GC description Specifies the description of a class map CM match Defines the criteria used to classify traffic CM rename Redefines the name of a class map CM policy map Creates a policy map for multiple interfaces GC description Specifies the description of a policy map PM class Defines a traffic classification for the policy to act on PM rename Redefines the name of a po...

Page 849: ...Class Map before creating a Policy Map Otherwise you will not be able to specify a Class Map with the class command after entering Policy Map Configuration mode class map This command creates a class map used for matching packets to the specified class and enters Class Map configuration mode Use the no form to delete a class map SYNTAX no class map class map name match any class map name Name of t...

Page 850: ... map SYNTAX description string string Description of the class map or policy map Range 1 64 characters COMMAND MODE Class Map Configuration Policy Map Configuration EXAMPLE Console config class map rd class 1 Console config cmap description matches packets marked for DSCP service value 3 Console config cmap match This command defines the criteria used to classify traffic Use the no form to delete ...

Page 851: ...L or VLAN rule then neither an IP ACL nor IP priority rule can be included in the same class map Up to 1024 match entries can be included in a class map EXAMPLE This example creates a class map called rd class 1 and sets it to match packets marked for DSCP service value 3 Console config class map rd class 1 match any Console config cmap match ip dscp 3 Console config cmap This example creates a cl...

Page 852: ... multiple interfaces and enters Policy Map configuration mode Use the no form to delete a policy map SYNTAX no policy map policy map name policy map name Name of the policy map Range 1 16 characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE Use the policy map command to specify the name of the policy map and then use the class command to configure policies for traffic th...

Page 853: ...p SYNTAX no class class map name class map name Name of the class map Range 1 16 characters DEFAULT SETTING None COMMAND MODE Policy Map Configuration COMMAND USAGE Use the policy map command to specify a policy map and enter Policy Map configuration mode Then use the class command to enter Policy Map Class configuration mode And finally use the set and police commands to specify the match criteri...

Page 854: ...ING Drop out of profile packets COMMAND MODE Policy Map Class Configuration COMMAND USAGE You can configure up to 64 policers i e meters or class maps for each of the following access list types MAC ACL IP ACL including Standard ACL and Extended ACL IPv6 Standard ACL and IPv6 Extended ACL Policing is based on a token bucket where bucket depth i e the maximum burst before the bucket overflows is sp...

Page 855: ...fined rd class uses the set command to classify the service that incoming packets will receive and then uses the police command to limit the average bandwidth to 100 000 Kbps the burst rate to 1522 bytes and configure the response to drop any violating packets Console config policy map rd policy Console config pmap class rd class Console config pmap c set ip dscp 3 Console config pmap c police 100...

Page 856: ...an ingress interface Console config interface ethernet 1 1 Console config if service policy input rd policy Console config if show class map This command displays the QoS class maps which define matching criteria used for classifying traffic SYNTAX show class map class map name class map name Name of the class map Range 1 16 characters DEFAULT SETTING Displays all class maps COMMAND MODE Privilege...

Page 857: ...characters DEFAULT SETTING Displays all policy maps and all classes COMMAND MODE Privileged Exec EXAMPLE Console show policy map Policy Map rd policy Description class rd class set phb 3 Console show policy map rd policy class rd class Policy Map rd policy class rd class set phb 3 Console show policy map interface This command displays the service policy assigned to the specified interface SYNTAX ...

Page 858: ...CHAPTER 41 Quality of Service Commands 858 EXAMPLE Console show policy map interface 1 5 input Service policy rd policy Console ...

Page 859: ...ic Multicast Routing Configures static multicast router ports which forward all inbound multicast traffic to the attached VLANs IGMP Filtering and Throttling Configures IGMP filtering and throttling Multicast VLAN Registration Configures a single network wide multicast VLAN shared by hosts residing in other standard or private VLAN groups preserving security and data isolation for normal traffic T...

Page 860: ...orm to disable the feature SYNTAX no ip igmp snooping leave proxy DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE This function is only effective if IGMP snooping is enabled The IGMP snooping leave proxy feature suppresses all unnecessary IGMP leave messages so that the non querier switch forwards an IGMP leave packet only when the last dynamic member port leaves a multica...

Page 861: ...S query but will immediately start the last member query timer for that port EXAMPLE Console config ip igmp snooping leave proxy Console config ip igmp snooping priority This command assigns a priority to all multicast traffic Use the no form to restore the default setting SYNTAX ip igmp snooping priority priority no ip igmp snooping priority priority The CoS priority assigned to all multicast tra...

Page 862: ...y IGMP snooping Versions 1 3 are all supported and versions 2 and 3 are backward compatible so the switch can operate with other devices regardless of the snooping version employed EXAMPLE The following configures IGMP snooping to version 1 Console config ip igmp snooping version 1 Console config ip igmp snooping vlan static This command adds a port to a multicast group Use the no form to remove t...

Page 863: ...VLAN Use the no form to restore the default SYNTAX no ip igmp snooping immediate leave DEFAULT SETTING Disabled COMMAND MODE Interface Configuration VLAN COMMAND USAGE If immediate leave is not used a multicast router or querier will send a group specific query message when an IGMPv2 v3 group leave message is received The router querier stops forwarding traffic for that group only if no host repli...

Page 864: ...s for a description of the displayed items EXAMPLE The following shows the current IGMP snooping configuration Console show ip igmp snooping Service Status Enabled Querier Status Disabled Leave proxy status Disabled Priority 2 Query Count 2 Query Interval 125 sec Query Max Response Time 10 sec Router Port Expire Time 300 sec Immediate Leave Processing Disabled on all VLANs IGMP Snooping Version Ve...

Page 865: ...ress table multicast vlan vlan id user igmp snooping vlan id VLAN ID 1 4094 user Display only the user configured multicast entries igmp snooping Display only entries learned through IGMP snooping DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Member types displayed include IGMP or USER depending on selected options EXAMPLE The following shows the multicast entries learned through...

Page 866: ...he switch will serve as querier if elected The querier is responsible for asking hosts if they want to receive multicast traffic EXAMPLE Console config ip igmp snooping querier Console config RELATED COMMANDS ip igmp snooping version 862 Table 137 IGMP Query Commands Command Function Mode ip igmp snooping querier Allows this device to act as the querier for IGMP snooping GC ip igmp snooping query ...

Page 867: ...r has sent a number of queries defined by this command but a client has not responded a countdown timer is started using the time defined by ip igmp snooping query max response time If the countdown finishes and the client still has not responded then that client is considered to have left the multicast group EXAMPLE The following shows how to configure the query count to 10 Console config ip igmp...

Page 868: ...conds COMMAND MODE Global Configuration COMMAND USAGE The switch must be using IGMPv2 v3 for this command to take effect This command defines the time after a query during which a response is expected from a multicast client If a querier has sent a number of queries defined by the ip igmp snooping query count command but a client has not responded a countdown timer is started using an initial valu...

Page 869: ...AULT SETTING 300 seconds COMMAND MODE Global Configuration COMMAND USAGE The switch must use IGMPv2 v3 snooping for this command to take effect EXAMPLE The following shows how to configure the time out to 400 seconds Console config ip igmp snooping router port expire time 400 Console config RELATED COMMANDS ip igmp snooping version 862 STATIC MULTICAST ROUTING This section describes commands used ...

Page 870: ...nections IGMP snooping may not always be able to locate the IGMP querier Therefore if the IGMP querier is a known multicast router or switch connected over the network to an interface port or trunk on this switch that interface can be manually configured to join all the current multicast groups EXAMPLE The following shows how to configure port 10 as a multicast router port within VLAN 1 Console co...

Page 871: ... and IGMP throttling limits the number of simultaneous multicast groups a port can join Table 139 IGMP Filtering and Throttling Commands Command Function Mode ip igmp filter Enables IGMP filtering and throttling on the switch GC ip igmp profile Sets a profile number and enters IGMP filter profile configuration mode GC permit deny Sets a profile access mode to permit or deny IPC range Specifies one...

Page 872: ...eived on the port are checked against the filter profile If a requested multicast group is permitted the IGMP join report is forwarded as normal If a requested multicast group is denied the IGMP join report is dropped IGMP filtering and throttling only applies to dynamically learned multicast groups it does not apply to statically configured groups The IGMP filtering feature operates in the same m...

Page 873: ...ation COMMAND USAGE Each profile has only one access mode either permit or deny When the access mode is set to permit IGMP join reports are processed when a multicast group falls within the controlled range When the access mode is set to deny IGMP join reports are only processed when a multicast group is not in the controlled range EXAMPLE Console config ip igmp profile 19 Console config igmp prof...

Page 874: ...e to an interface on the switch Use the no form to remove a profile from an interface SYNTAX no ip igmp filter profile number profile number An IGMP filter profile number Range 1 4294967295 DEFAULT SETTING None COMMAND MODE Interface Configuration COMMAND USAGE The IGMP filtering profile must first be created with the ip igmp profile command before it can be assigned to an interface Only one profi...

Page 875: ...place as specified by the ip igmp max groups action command If the action is set to deny any new IGMP join reports will be dropped If the action is set to replace the switch randomly removes an existing group and replaces it with the new multicast group IGMP throttling can also be set on a trunk interface When ports are configured as trunk members the trunk uses the throttling settings of the firs...

Page 876: ...g interface ethernet 1 1 Console config if ip igmp max groups action replace Console config if show ip igmp filter This command displays the global and interface settings for IGMP filtering SYNTAX show ip igmp filter interface interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 port channel channel id Range 1 8 DEFAULT SETTING None COMMAND MODE Privilege...

Page 877: ...profile IGMP Profile 19 IGMP Profile 50 Console show ip igmp profile 19 IGMP Profile 19 deny range 239 1 1 1 239 1 1 1 range 239 2 3 1 239 2 3 100 Console show ip igmp throttle interface This command displays the interface settings for IGMP throttling SYNTAX show ip igmp throttle interface interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 port channel ...

Page 878: ...e 140 Multicast VLAN Registration Commands Command Function Mode mvr Globally enables MVR GC mvr group Statically configures MVR group address es GC mvr priority Assigns a priority to all multicast traffic in the MVR VLAN GC mvr receiver group Specifies groups to be managed through the MVR receiver VLAN GC mvr receiver vlan Allows multicast traffic to be forwarded from the specified receiver VLAN ...

Page 879: ...onsole config mvr group This command statically configures MVR multicast group IP address es Use the no form of this command to remove a specific address or range of addresses SYNTAX no mvr group ip address count group Defines a multicast service sent to all attached subscribers ip address IP address for an MVR multicast group Range 224 0 1 0 239 255 255 255 count The number of contiguous MVR grou...

Page 880: ...config mvr group 228 1 23 1 10 Console config mvr priority This command assigns a priority to all multicast traffic in the MVR VLAN Use the no form of this command to restore the default setting SYNTAX mvr priority priority no mvr priority priority The CoS priority assigned to all multicast traffic forwarded into the MVR VLAN Range 0 6 where 6 is the highest priority DEFAULT SETTING 2 COMMAND MODE...

Page 881: ...ames to be sent to subscribers without revealing the identity of the MVR VLAN both the mvr receiver group and mvr receiver vlan must be specifically defined If a port is manually assigned to the receiver VLAN as a tagged member multicast traffic forwarded to the subscriber will also carry tags The mvr receiver group and mvr group cannot be configured with the same addresses EXAMPLE Console config ...

Page 882: ...VLANs such as 802 1Q or private VLANs EXAMPLE Console config mvr receiver vlan 228 Console config RELATED COMMANDS mvr receiver group 881 mvr unspecified source ip This command sets the source IP address to an unspecified address in IGMP report and leave messages forwarded to the MVR VLAN Use the no form disable this feature SYNTAX no mvr unspecified source ip DEFAULT SETTING Disabled COMMAND MODE...

Page 883: ... specified by this command must be an existing VLAN configured with the vlan command MVR source ports can be configured as members of the MVR VLAN using the switchport allowed vlan command and switchport native vlan command but MVR receiver ports should not be statically configured as members of this VLAN EXAMPLE Console config mvr vlan 228 Console config mvr group This command statically binds a ...

Page 884: ...to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group Use the no form to restore the default settings SYNTAX no mvr immediate DEFAULT SETTING Disabled COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE This option only applies to an interface configured as an MVR receiver using the mvr type command Immediate leave app...

Page 885: ...lly configures an interface to receive multicast traffic from the IP address specified for an MVR multicast group Range 224 0 1 0 239 255 255 255 DEFAULT SETTING No receiver port is a member of any configured multicast group COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE The specified multicast service must already be configured as a receiver group which will be managed t...

Page 886: ...lan command the receiver port s MVR status will be inactive IGMP snooping can be used to allow a receiver port to dynamically join or leave multicast groups sourced through the MVR VLAN Multicast groups can also be statically assigned to a receiver port using the mvr group Interface Configuration command Also note that VLAN membership for MVR receiver ports cannot be set to trunk mode see the swit...

Page 887: ...eyword SYNTAX show mvr interface interface members ip address receiver group members ip address interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 port channel channel id Range 1 8 ip address IP address for an MVR multicast group Range 224 0 1 0 239 255 255 255 DEFAULT SETTING Displays global configuration settings for MVR when no keywords are used COMMAND MODE P...

Page 888: ...st groups which can assigned to the MVR VLAN MVR Current Multicast Groups Shows the number of multicast groups currently assigned to the MVR VLAN MVR Unspecified Source IP Shows if an unspecified source address is used in IGMP report and leave messages forwarded to the MVR VLAN MVR Receiver VLAN VLAN used to froward multicast traffic with tagged frames without revealing the identity of the MVR VLA...

Page 889: ...traffic for each group Console show mvr receiver group members MVR Group IP Status Members 224 0 0 1 ACTIVE eth1 1 224 0 0 2 INACTIVE None 224 0 1 1 INACTIVE None 224 0 1 2 INACTIVE None 224 0 1 3 INACTIVE None Console Table 143 show mvr members display description Field Description MVR Group IP Multicast groups assigned to the MVR VLAN Status Shows whether or not the there are active subscribers ...

Page 890: ...s whether or not the there are active subscribers for this multicast group Note that this field will also display ACTIVE if an interface has been statically assigned to a group Members Shows the interfaces with subscribers for multicast services provided through the MVR Receiver VLAN Also shows if an interface has dynamically joined a multicast group d or if a multicast group has been statically b...

Page 891: ...that IGMP Snooping and MLD Snooping are independent functions and can therefore both function at the same time Table 145 MLD Snooping Commands Command Function Mode ipv6 mld snooping Enables MLD Snooping globally GC ipv6 mld snooping robustness Configures the robustness variable GC ipv6 mld snooping router port expire time Configures the router port expire time GC ipv6 mld snooping unknown multica...

Page 892: ...nd configures the MLD Snooping robustness variable Use the no form to restore the default value SYNTAX ipv6 mld snooping robustness value no ipv6 mld snooping robustness value The number of the robustness variable Range 2 10 DEFAULT SETTING 2 COMMAND MODE Global Configuration COMMAND USAGE A port will be removed from receiving a multicast service when no MLD reports are detected in response to a n...

Page 893: ...e interface that had been receiving query packets to have expired EXAMPLE Console config ipv6 mld snooping router port expire time 300 Console config ipv6 mld snooping unknown multicast mode This command sets the action for dealing with unknown multicast packets Use the no form to restore the default SYNTAX ipv6 mld snooping unknown multicast mode flood to router port no ipv6 mld snooping unknown ...

Page 894: ...ult SYNTAX ipv6 mld snooping version 1 2 1 MLD version 1 2 MLD version 2 DEFAULT SETTING Version 2 COMMAND MODE Global Configuration EXAMPLE Console config ipv6 mld snooping version 1 Console config ipv6 mld snooping vlan mrouter This command statically configures an IPv6 multicast router port Use the no form to remove the configuration SYNTAX no ipv6 mld snooping vlan vlan id mrouter interface vl...

Page 895: ...lticast router port within VLAN 1 Console config ipv6 mld snooping vlan 1 mrouter ethernet 1 1 Console config ipv6 mld snooping vlan static This command adds a port to an IPv6 multicast group Use the no form to remove the port SYNTAX no ipv6 mld snooping vlan vlan id static ipv6 address interface vlan VLAN ID Range 1 4094 ipv6 address An IPv6 address of a multicast group Format X X X X X interface...

Page 896: ...plies to the query within the specified timeout period If MLD immediate leave is enabled the switch assumes that only one host is connected to the interface Therefore immediate leave should only be enabled on an interface if it is connected to only one MLD enabled device either a service host or a neighbor running MLD snooping EXAMPLE The following shows how to enable MLD immediate leave Console c...

Page 897: ... MLD Snooping group configuration information Console show ipv6 mld snooping group VLAN Multicast IPv6 Address Member port Type 1 FF08 10C Eth 1 6 User Console show ipv6 mld snooping mrouter This command shows MLD Snooping multicast router information SYNTAX show ipv6 mld snooping mrouter vlan vlan id vlan id A VLAN identification number Range 1 4094 COMMAND MODE Privileged Exec EXAMPLE Console sh...

Page 898: ...d Function Mode lldp Enables LLDP globally on the switch GC lldp holdtime multiplier Configures the time to live TTL value sent in LLDP advertisements GC lldp med fast start count Configures how many medFastStart packets are transmitted GC lldp notification interval Configures the allowed interval for sending SNMP notifications about LLDP changes GC lldp refresh interval Configures the periodic tr...

Page 899: ...nges IC lldp med tlv extpoe Configures an LLDP MED enabled port to advertise its extended Power over Ethernet configuration and usage information IC lldp med tlv inventory Configures an LLDP MED enabled port to advertise its inventory identification details IC lldp med tlv location Configures an LLDP MED enabled port to advertise its location identification details IC lldp med tlv med cap Configur...

Page 900: ...o form to restore the default setting SYNTAX lldp holdtime multiplier value no lldp holdtime multiplier value Calculates the TTL in seconds based on holdtime multiplier refresh interval 65536 Range 2 10 DEFAULT SETTING Holdtime multiplier 4 TTL 4 30 120 seconds COMMAND MODE Global Configuration COMMAND USAGE The time to live tells the receiving LLDP agent how long to retain all information pertain...

Page 901: ...cy Call Service EXAMPLE Console config lldp medfaststartcount 6 Console config lldp notification interval This command configures the allowed interval for sending SNMP notifications about LLDP MIB changes Use the no form to restore the default setting SYNTAX lldp notification interval seconds no lldp notification interval seconds Specifies the periodic interval at which SNMP notifications are sent...

Page 902: ... seconds Specifies the periodic interval at which LLDP advertisements are sent Range 5 32768 seconds DEFAULT SETTING 30 seconds COMMAND MODE Global Configuration COMMAND USAGE This attribute must comply with the following rule refresh interval holdtime multiplier 65536 EXAMPLE Console config lldp refresh interval 60 Console config lldp reinit delay This command configures the delay before attempti...

Page 903: ...Use the no form to restore the default setting SYNTAX lldp tx delay seconds no lldp tx delay seconds Specifies the transmit delay Range 1 8192 seconds DEFAULT SETTING 2 seconds COMMAND MODE Global Configuration COMMAND USAGE The transmit delay is used to prevent a series of successive LLDP transmissions during a short period of rapid changes in local LLDP MIB objects and to increase the probabilit...

Page 904: ...nfigures an LLDP enabled port to advertise the management address for this device Use the no form to disable this feature SYNTAX no lldp basic tlv management ip address DEFAULT SETTING Enabled COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE The management address protocol packet includes the IPv4 address of the switch If no management address is available the address shoul...

Page 905: ...nt address reported by this TLV EXAMPLE Console config interface ethernet 1 1 Console config if lldp basic tlv management ip address Console config if lldp basic tlv port description This command configures an LLDP enabled port to advertise its port description Use the no form to disable this feature SYNTAX no lldp basic tlv port description DEFAULT SETTING Enabled COMMAND MODE Interface Configura...

Page 906: ...PLE Console config interface ethernet 1 1 Console config if lldp basic tlv system capabilities Console config if lldp basic tlv system description This command configures an LLDP enabled port to advertise the system description Use the no form to disable this feature SYNTAX no lldp basic tlv system description DEFAULT SETTING Enabled COMMAND MODE Interface Configuration Ethernet Port Channel COMMA...

Page 907: ...and is in turn based on the hostname command EXAMPLE Console config interface ethernet 1 1 Console config if lldp basic tlv system name Console config if lldp dot1 tlv proto ident This command configures an LLDP enabled port to advertise the supported protocols Use the no form to disable this feature SYNTAX no lldp dot1 tlv proto ident DEFAULT SETTING Enabled COMMAND MODE Interface Configuration E...

Page 908: ...rotocol based VLANs EXAMPLE Console config interface ethernet 1 1 Console config if no lldp dot1 tlv proto vid Console config if lldp dot1 tlv pvid This command configures an LLDP enabled port to advertise its default VLAN ID Use the no form to disable this feature SYNTAX no lldp dot1 tlv pvid DEFAULT SETTING Enabled COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE The port...

Page 909: ...LE Console config interface ethernet 1 1 Console config if no lldp dot1 tlv vlan name Console config if lldp dot3 tlv link agg This command configures an LLDP enabled port to advertise link aggregation capabilities Use the no form to disable this feature SYNTAX no lldp dot3 tlv link agg DEFAULT SETTING Enabled COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE This option adv...

Page 910: ...lities and operational Multistation Access Unit MAU type EXAMPLE Console config interface ethernet 1 1 Console config if no lldp dot3 tlv mac phy Console config if lldp dot3 tlv max frame This command configures an LLDP enabled port to advertise its maximum frame size Use the no form to disable this feature SYNTAX no lldp dot3 tlv max frame DEFAULT SETTING Enabled COMMAND MODE Interface Configurat...

Page 911: ...ion This command enables the transmission of SNMP trap notifications about LLDP MED changes Use the no form to disable LLDP MED notifications SYNTAX no lldp med notification DEFAULT SETTING Enabled COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE This option sends out SNMP trap notifications to designated target stations at the interval specified by the lldp notification in...

Page 912: ...p med tlv extpoe DEFAULT SETTING Enabled COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE This option advertises extended Power over Ethernet capability details such as power availability from the switch and power state of the switch including whether the switch is operating from primary or backup power the Endpoint Device could use this information to decide to enter power...

Page 913: ... its location identification details Use the no form to disable this feature SYNTAX no lldp med tlv location DEFAULT SETTING Enabled COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE This option advertises location identification details EXAMPLE Console config interface ethernet 1 1 Console config if lldp medtlv location Console config if lldp med tlv med cap This command co...

Page 914: ...DEFAULT SETTING Enabled COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE This option advertises network policy configuration information aiding in the discovery and diagnosis of VLAN configuration mismatches on a port Improper network policy configurations frequently result in voice quality degradation or complete service disruption EXAMPLE Console config interface ethernet...

Page 915: ...SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification events missed due to throttling or transmission loss EXAMPLE Console config interface ethernet 1 1 Console config if lldp notification Console config if show lldp config This command shows LLDP configuration settings for all ports SYNTAX show lldp config detail...

Page 916: ...uration Detail Port Eth 1 1 Admin Status Tx Rx Notification Enabled True Basic TLVs Advertised port description system name system description system capabilities management ip address 802 1 specific TLVs Advertised port vid vlan name proto vlan proto ident 802 3 specific TLVs Advertised mac phy poe link agg max frame MED Configuration MED Notification Enabled True MED Enabled TLVs Advertised med ...

Page 917: ...3 04 05 System Name System Description DIGISOL FE L2 Switch DG FS4528P System Capabilities Support Bridge System Capabilities Enable Bridge Management Address 192 168 0 101 IPv4 LLDP Port Information Interface PortID Type PortID PortDesc Eth 1 1 MAC Address 00 01 02 03 04 06 Ethernet Port on unit 1 port 1 Eth 1 2 MAC Address 00 01 02 03 04 07 Ethernet Port on unit 1 port 2 Eth 1 3 MAC Address 00 0...

Page 918: ... Console show lldp info remote device detail ethernet 1 1 LLDP Remote Devices Information Detail Local PortName Eth 1 1 Chassis Type MAC Address Chassis Id 00 01 02 03 04 05 PortID Type MAC Address PortID 00 01 02 03 04 06 SysName SysDescr DIGISOL FE L2 Switch DG FS4528P PortDescr Ethernet Port on unit 1 port 1 SystemCapSupported Bridge SystemCapEnabled Bridge Remote Management Address 192 168 0 3...

Page 919: ...dp info statistics detail interface detail Shows configuration summary interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 port channel channel id Range 1 8 COMMAND MODE Privileged Exec EXAMPLE Console show lldp info statistics LLDP Device Statistics Neighbor Entries List Last Updated 2450279 seconds New Neighbor Entries Count 1 Neighbor Entries Deleted Count 0 Ne...

Page 920: ...CHAPTER 44 LLDP Commands 920 Frames Invalid 0 Frames Received 12 Frames Sent 13 TLVs Unrecognized 0 TLVs Discarded 0 Neighbor Ageouts 0 Console ...

Page 921: ... SYNTAX no ip domain list name name Name of the host Do not include the initial dot that separates the host name from the domain name Range 1 64 characters DEFAULT SETTING None Table 147 Address Table Commands Command Function Mode ip domain list Defines a list of default domain names for incomplete host names GC ip domain lookup Enables DNS based host name to address translation GC ip domain name...

Page 922: ... the default domain name is not used EXAMPLE This example adds two domain names to the current list and then displays the list Console config ip domain list sample com jp Console config ip domain list sample com uk Console config end Console show dns Domain Lookup Status DNS disabled Default Domain Name sample com Domain Name List sample com jp sample com uk Name Server List Console RELATED COMMAN...

Page 923: ...in name 923 ip name server 925 ip domain name This command defines the default domain name appended to incomplete host names i e host names passed from a client that are not formatted with dotted notation Use the no form to remove the current domain name SYNTAX ip domain name name no ip domain name name Name of the host Do not include the initial dot that separates the host name from the domain na...

Page 924: ... No static entries COMMAND MODE Global Configuration COMMAND USAGE Servers or other network devices may support one or more connections via multiple IP addresses If more than one IP address is associated with a host name using this command a DNS client can try each address in succession until it establishes a connection with the target device Use the no ip host command to clear static entries or t...

Page 925: ...e servers DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE The listed name servers are queried in the specified sequence until a response is received or the end of the list is reached with no response EXAMPLE This example adds two domain name servers to the list and then displays the list Console config ip name server 192 168 1 55 10 1 0 55 Console config end Console show dns D...

Page 926: ...sole clear host This command deletes dynamic entries from the DNS table SYNTAX clear host name name Name of the host Range 1 64 characters Removes all entries DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Use the clear host command to clear dynamic entries or the no ip host command to clear static entries EXAMPLE This example clears all dynamic entries from the DNS table Console ...

Page 927: ... 61 213 189 120 19 a1116 x akamai net 2 4 Address 61 213 189 104 19 a1116 x akamai net 3 4 CNAME POINTER TO 2 19 graphics8 nytimes com 4 4 CNAME POINTER TO 2 19 graphics478 nytimes com edgesui Console Table 148 show dns cache display description Field Description NO The entry number for each resource record FLAG The flag is always 4 indicating a cache entry and therefore unreliable TYPE This field...

Page 928: ...e static host name to address mapping table COMMAND MODE Privileged Exec EXAMPLE Note that a host name will be displayed as an alias if it is mapped to the same address es as a previously configured entry Console show hosts Hostname rd5 Inet address 192 168 1 55 10 1 0 55 Console ...

Page 929: ...re IP address information ip dhcp client class id This command specifies the DCHP client vendor class identifier for the current interface Use the no form to remove this identifier SYNTAX ip dhcp client class id text text hex hex no ip dhcp client class id text A text string Range 1 32 characters hex A hexadecimal value DEFAULT SETTING None Table 149 DHCP Commands Command Group Function DHCP Clien...

Page 930: ...server should reply with Option 43 information which encapsulates Option 66 attributes including the TFTP server name and boot file name EXAMPLE Console config interface vlan 2 Console config if ip dhcp client class id hex 00177c666572 Console config if RELATED COMMANDS ip dhcp restart 930 ip dhcp restart This command submits a BOOTP or DHCP client request DEFAULT SETTING None COMMAND MODE Privile...

Page 931: ...HCP relay service and specifies the address of the server to use Use the no form to clear a server address SYNTAX ip dhcp relay server address 1 address 2 address 5 no ip dhcp relay server address IP address of a DHCP server Range 1 5 addresses DEFAULT SETTING None COMMAND MODE Global Configuration Table 151 DHCP Relay Commands Command Function Mode ip dhcp relay server Specifies DHCP server addre...

Page 932: ... the switch s DHCP relay agent will not forward client requests to a DHCP server Up to five DHCP servers can be specified in order of preference To terminate DHCP relay service all configured server addresses must be cleared with the no form of this command EXAMPLE Console config ip dhcp relay server 192 168 10 19 Console config ip dhcp relay information option This command enables DHCP Option 82 ...

Page 933: ...e identified in the DHCP request packets forwarded by the switch and in reply packets sent back from the DHCP server Depending on the selected frame format set for the remote id by this command this information may specify the MAC address or IP address of the requesting device that is the relay agent in this context By default the relay agent also fills in the Option 82 circuit id field with infor...

Page 934: ...requesting client and unicasts the reply packet to the client DHCP reply packets are flooded onto the VLAN which received the reply if DHCP relay service is enabled on the switch and any of the following situations apply The reply packet does not contain Option 82 information The reply packet contains a valid relay agent address field that is not the address of this switch or receives a reply pack...

Page 935: ...elf inserts the relay agent s address and unicasts the packet to the DHCP server DEFAULT SETTING replace COMMAND MODE Global Configuration USAGE GUIDELINES Refer to the Usage Guidelines under the ip dhcp relay information option command for information on when Option 82 information is processed by the switch When the Option 82 policy is set to keep the original information in the request packet th...

Page 936: ...d Exec EXAMPLE Console show ip dhcp relay Status of DHCP relay information Insertion of relay information disabled DHCP option policy drop DHCP relay server address 192 168 0 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 DHCP sub option format extra subtype included DHCP remote id sub option mac address hex encoded Console RELATED COMMANDS ip dhcp relay server 931 ...

Page 937: ...over your network This section describes commands used to configure IP addresses for VLAN interfaces on the switch Table 153 Basic IP Configuration Commands Command Function Mode IP Configuration Commands ip address Sets the IP address for the current interface IC ip default gateway Defines the default gateway through which this router can reach other subnetworks GC ip dhcp restart Submits a BOOTP...

Page 938: ... Anything other than this format is not be accepted by the configuration program If bootp or dhcp options are selected the system will immediately start broadcasting service requests for all VLANs configured to obtain address assignments through BOOTP or DHCP IP is enabled but will not function until a BOOTP or DHCP reply has been received Requests are broadcast periodically by the switch in an ef...

Page 939: ...on another network segment Use the no form to remove a default gateway SYNTAX ip default gateway gateway no ip default gateway gateway IP address of the default gateway DEFAULT SETTING No default gateway is established COMMAND MODE Global Configuration COMMAND USAGE A default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on ...

Page 940: ...his device DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console show ip redirects IP default gateway 10 1 0 254 Console RELATED COMMANDS ip default gateway 939 ping This command sends ICMP echo request packets to another node on the network SYNTAX ping host count count size size host IP address or IP alias of the host count Number of packets to send Range 1 16 size Number of bytes in ...

Page 941: ... is unreachable Network or host unreachable The gateway found no corresponding entry in the route table When pinging a host name be sure the DNS server has been enabled see page 922 If necessary local devices can also be specified in the DNS static host table see page 924 EXAMPLE Console ping 10 1 0 9 Type ESC to abort PING to 10 1 0 9 by 5 32 byte payload ICMP packets timeout is 5 seconds respons...

Page 942: ...ocol ARP cache COMMAND MODE Normal Exec Privileged Exec COMMAND USAGE This command displays information about the ARP cache It shows each cache entry including the IP address MAC address type static dynamic other and VLAN interface Note that entry type other indicates local addresses for this switch EXAMPLE This example displays all entries in the ARP cache Console show arp IP Address MAC Address ...

Page 943: ... 943 SECTION IV APPENDICES This section provides additional information and includes these items Software Specifications on page 944 Troubleshooting on page 948 ...

Page 944: ... duplex 1000 Mbps at full duplex 1000BASE SX LX LH 1000 Mbps at full duplex SFP FLOW CONTROL Full Duplex IEEE 802 3 2005 Half Duplex Back pressure STORM CONTROL Broadcast multicast or unicast traffic throttled above a critical threshold PORT MIRRORING One or more source ports to one destination port RATE LIMITS Input Output Limits Range configured per port PORT TRUNKING Static trunks Cisco EtherCh...

Page 945: ...ING IGMP Snooping IPv4 MLD Snooping IPv6 Multicast VLAN Registration ADDITIONAL FEATURES BOOTP Client DHCP Client DHCP Snooping DNS Client Proxy IP Source Guard LLDP Link Layer Discover Protocol Power over Ethernet RMON Remote Monitoring groups 1 2 3 9 SMTP Email Alerts SNMP Simple Network Management Protocol SNTP Simple Network Time Protocol MANAGEMENT FEATURES IN BAND MANAGEMENT Telnet web based...

Page 946: ...Port Authentication IEEE 802 3 2005 Ethernet Fast Ethernet Gigabit Ethernet Link Aggregation Control Protocol LACP Full duplex flow control ISO IEC 8802 3 IEEE 802 3ac VLAN tagging IEEE 802 3af 2003 Power over Ethernet PoE DHCP Client RFC 2131 FTP RFC 959 RIP RFC 1058 DHCP Options RFC 2132 HTTPS ICMP RFC 792 IGMP RFC 1112 IGMPv2 RFC 2236 IGMPv3 RFC 3376 partial support IPv4 IGMP RFC 3228 RADIUS RF...

Page 947: ...674P Port Access Entity MIB IEEE 802 1X Port Access Entity Equipment MIB Power Ethernet MIB RFC 3621 Private MIB Q Bridge MIB RFC 2674Q QinQ Tunneling IEEE 802 1ad Provider Bridges Quality of Service MIB RIP1 MIB RFC 1058 RIP2 MIB RFC 2453 OSPF MIB RFC 1850 RADIUS Accounting Server MIB RFC 2621 RADIUS Authentication Client MIB RFC 2621 RMON MIB RFC 2819 RMON II Probe Configuration Group RFC 2021 p...

Page 948: ...nt Telnet SSH sessions permitted Try connecting again at a later time Cannot connect using Secure Shell If you cannot connect using SSH you may have exceeded the maximum number of concurrent Telnet SSH sessions permitted Try connecting again at a later time Be sure the control parameters for the SSH server are properly configured on the switch and that the SSH client software is properly configure...

Page 949: ...6 Repeat the sequence of commands or other actions that lead up to the error 7 Make a list of the commands or circumstances that led to the fault Also make a list of any error messages displayed 8 Set up your terminal emulation software so that it can capture all console output to a file Then enter the show tech support command to record all system settings in this file 9 Contact your distributor ...

Page 950: ...round robin service to enforce priority service and prevent blockage of lower level queues Priority may be set according to the port default the packet s priority bit in the VLAN tag TCP UDP port number IP Precedence bit or DSCP priority bit DHCP Dynamic Host Control Protocol Provides a framework for passing configuration information to hosts on a TCP IP network DHCP is based on the Bootstrap Prot...

Page 951: ...l used by this switch to verify the network access rights for any device that is plugged into the switch A user name and password is requested by the switch and then passed to an authentication server e g RADIUS for verification EAPOL is implemented as part of the IEEE 802 1X Port Authentication standard FILE TRANSFER PROTOCOL FTP A TCP IP protocol commonly used for software downloads GARP Generic...

Page 952: ... to about 10 of that required by the older IEEE 802 1D STP standard Now incorporated in IEEE 802 1D 2004 IEEE 802 1X Port Authentication controls access to the switch ports by requiring users to first enter a user ID and password for authentication IEEE 802 3AC Defines frame extensions for VLAN tagging IEEE 802 3AF POE An IEEE standard for providing Power over Ethernet PoE capabilities When Ethern...

Page 953: ...eby this switch can pass multicast traffic along to participating hosts IP PRECEDENCE The Type of Service ToS octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic The eight values are mapped one to one to the Class of Service categories by default but may be ...

Page 954: ... forwards them to all ports contained within the designated multicast VLAN group MVR Multicast VLAN Registration is a method of using a single network wide multicast VLAN to transmit common services such as such as television channels or video on demand across a service provider s network MVR simplifies the configuration of multicast services by using a common VLAN for distribution while still pre...

Page 955: ... to the capability of a network to provide better service to selected traffic flows using features such as data prioritization queuing congestion avoidance and traffic shaping These features effectively provide preferential treatment to specific flows either by raising the priority of one flow or limiting the priority of another flow RADIUS Remote Authentication Dial in User Service RADIUS is a lo...

Page 956: ...tion protocol that uses software running on a central server to control access to TACACS compliant devices on the network TCP IP Transmission Control Protocol Internet Protocol Protocol suite that includes TCP as the primary transport protocol and IP as the network layer protocol TELNET Defines a remote communication facility for interfacing to a terminal device over TCP IP TFTP Trivial File Trans...

Page 957: ...s of their physical location or connection point in the network A VLAN serves as a logical workgroup with no physical barriers and allows users to share information and resources as though located on the same LAN XMODEM A protocol used to transfer files between devices Data is grouped in 128 byte blocks and error corrected ...

Page 958: ...6 authorization exec 563 auto traffic control 717 auto traffic control action 718 auto traffic control alarm clear threshold 719 auto traffic controlalarm fire threshold 720 auto traffic control apply timer 715 auto traffic controlauto control release 721 auto traffic control control release 720 auto traffic control release timer 716 banner configure 444 banner configure company 445 banner configu...

Page 959: ...ol 581 dot1x timeout auth period 589 dot1x timeout held period 589 dot1x timeout quiet period 584 dot1x timeout re authperiod 585 dot1x timeout start period 590 dot1x timeout supp timeout 585 dot1x timeout tx period 586 eaps 770 eaps domain 771 enable 436 enable 772 enable 784 enable password 543 end 440 erps 782 erps domain 783 exec timeout 472 exit 440 failtime 772 flowcontrol 674 garp timer 794...

Page 960: ...de 694 lacp port priority 695 lacp system priority 696 line 471 lldp 900 lldp admin status 904 lldp basic tlv management ip address 904 lldp basic tlv port description 905 lldp basic tlv system capabilities 906 lldp basic tlv system description 906 lldp basic tlv system name 907 lldp dot1 tlv proto ident 907 lldp dot1 tlv proto vid 908 lldp dot1 tlv pvid 908 lldp dot1 tlv vlan name 909 lldp dot3 t...

Page 961: ... ping 940 police 854 policy map 852 port 775 port monitor 708 port security 603 power inline 703 power inline compatible 702 power inline maximum allocation 704 power inline overload auto recover 704 power inline priority 705 power mainpower maximum allocation 701 pppoe intermediate agent 596 pppoe intermediate agent format type 596 pppoe intermediate agent port enable 597 pppoe intermediate agent...

Page 962: ...ard 638 show ip source guard binding 638 show ip ssh 577 show ipv6 access group 662 show ipv6 access list 660 show ipv6 mld snooping 896 show ipv6 mld snooping group 897 show ipv6 mld snooping mrouter 897 show l2protocol tunnel 816 show lacp 697 show line 479 show lldp config 915 show lldp info local device 917 show lldp info remote device 918 show lldp info statistics 919 show log 485 show loggin...

Page 963: ...nning tree cost 750 spanning tree edge port 751 spanning tree forward time 738 spanning tree hello time 739 spanning tree link type 752 spanning tree loopback detection 753 spanning tree loopback detection release 760 spanning tree loopback detection release mode 754 spanning tree loopback detection trap 755 spanning tree max age 740 spanning tree mode 740 spanning tree mst configuration 743 spann...

Page 964: ...p device advertise duration 514 upnp device ttl 513 username 544 vlan 798 vlan database 798 vlan trunking 804 voice vlan 833 voice vlan aging 834 voice vlan mac address 835 web auth 621 web auth login attempts 619 web auth quiet period 620 web auth re authenticate IP 622 web auth re authenticate Port 622 web auth session timeout 620 web auth system auth control 621 whichboot 467 wtr timer 788 ...

Page 965: ...andard 211 216 657 658 MAC 211 218 662 restricting rule types 651 time range 504 address table 285 732 aging time 288 732 aging time displaying 288 735 aging time setting 288 732 administrative users displaying 457 ARP ACL 220 641 ARP inspection 224 639 ACL filter 227 641 additional validation criteria 643 ARP ACL 228 667 enabling globally 226 640 enabling per VLAN 228 643 trusted ports 229 645 AT...

Page 966: ...d Services See DiffServ DiffServ 374 848 binding policy to interface 382 855 class map 375 849 853 class map description 850 classifying QoS traffic 375 850 configuring 374 848 description 850 policy map 378 852 policy map description 376 850 QoS policy 378 852 service policy 382 855 DNS default domain name 415 923 displaying the cache 418 927 domain name list 415 924 enabling lookup 415 922 name ...

Page 967: ...filtering throttling enabling 400 872 filtering throttling interface configuration 402 874 filtering throttling interface settings 874 875 filtering throttling status 400 872 groups displaying 397 865 immediate leave status 394 863 Layer 2 391 859 query 391 393 866 query Layer 2 393 866 snooping 391 393 860 snooping query parameters 392 snooping configuring 392 859 snooping immediate leave 394 863...

Page 968: ...ngs 158 546 TACACS client 157 551 TACACS server 157 551 logon banner configuring 443 loopback detection non STA 727 STA 293 753 M MAC address authentication 201 605 ports configuring 205 605 613 reauthentication 204 607 MAC address mirroring 269 708 main menu web interface 74 management access filtering per address 232 593 management access IP filter 232 593 Management Information Bases MIBs 947 m...

Page 969: ... 284 705 PPPoE 595 601 primary VLAN 339 340 821 priority default port ingress 366 843 private key 177 569 private VLANs configuring 338 340 820 private VLANs displaying 339 825 problems troubleshooting 948 promiscuous ports 338 820 protocol migration 305 761 protocol tunnel layer 2 313 812 protocol tunnel layer 2 protocol types 314 813 protocol tunnel layer 2 tunnel address 313 812 protocol VLANs ...

Page 970: ...detecting loopbacks 293 753 edge port 301 305 306 751 global settings configuring 296 737 744 global settings displaying 294 762 interface settings configuring 303 748 760 interface settings displaying 300 762 link type 301 305 752 loopback detection 293 753 MSTP interface settings configuring 311 MSTP path cost 311 755 path cost 301 742 750 path cost method 298 742 port priority 303 758 port trun...

Page 971: ... 328 800 804 IP subnet based 349 829 MAC based 350 831 mirroring 347 708 port members displaying 323 325 806 private 338 820 protocol 344 825 protocol configuring 345 826 827 protocol configuring groups 345 826 protocol interface configuration 346 827 protocol system configuration 345 826 PVID 328 804 tunneling unknown groups 272 804 voice 384 833 voice VLANs 384 833 detecting VoIP devices 385 833...

Page 972: ......

Page 973: ...DG FS4528P ...

Reviews:

No comments

Brands by name

Popular brands

Load more brands