manualshive.com logo in svg

Digisol DG-GS1550, Management Manual

The Digisol DG-GS1550 Management Manual is an essential resource for seamlessly configuring and operating this powerful networking device. Easily downloadable for free from our website, it provides comprehensive instructions and detailed insights to optimize your networking experience with the Digisol DG-GS1550.

Share
Download
background image

User Authentication

3-79

3

CLI

 – This example enables SSH, sets the authentication parameters, and displays

the current configuration. It shows that the administrator has made a connection via
SHH, and then disables this connection.

Configuring 802.1X Port Authentication 

Network switches can provide open and easy access to network resources by
simply attaching a client PC. Although this automatic configuration and access is a
desirable feature, it also allows unauthorized personnel to easily intrude and
possibly gain access to sensitive network data.

The IEEE 802.1X (dot1X) standard defines a port-based access control procedure
that prevents unauthorized access to a network by requiring users to first submit
credentials for authentication. Access to all switch ports in a network can be
centrally controlled from a server, which means that authorized users can use the
same credentials for authentication from any point within the network.

This switch uses the
Extensible Authentication
Protocol over LANs (EAPOL)
to exchange authentication
protocol messages with the
client, and a remote RADIUS
authentication server to verify
user identity and access
rights. When a client (i.e.,
Supplicant) connects to a
switch port, the switch (i.e.,
Authenticator) responds with an EAPOL identity request. The client provides its
identity (such as a user name) in an EAPOL response to the switch, which it
forwards to the RADIUS server. The RADIUS server verifies the client identity and
sends an access challenge back to the client. The EAP packet from the RADIUS
server contains not only the challenge, but the authentication method to be used.
The client can reject the authentication method and request another, depending on
the configuration of the client software and the RADIUS server. The encryption
method used to pass authentication messages can be MD5 (Message-Digest 5),

Console(config)#ip ssh server

4-115

Console(config)#ip ssh timeout 100

4-116

Console(config)#ip ssh authentication-retries 5

4-116

Console(config)#ip ssh server-key size 512

4-117

Console(config)#end
Console#show ip ssh

4-119

SSH Enabled - version 2.0
Negotiation timeout: 120 secs; Authentication retries: 5
Server key size: 512 bits
Console#show ssh

4-120

Connection Version State                Username Encryption
  0          2.0   Session-Started      admin    ctos aes128-cbc-hmac-md5
                                                 stoc aes128-cbc-hmac-md5
Console#disconnect 0

4-50

Console#

802.1x
client

RADIUS
server

1. Client attempts to access a switch port.
2. Switch sends client an identity request.
3. Client sends back identity information.
4. Switch forwards this to authentication server.
5. Authentication server challenges client.
6. Client responds with proper credentials.
7. Authentication server approves access.
8. Switch grants client access to this port.

Summary of Contents for DG-GS1550

Page 1: ...b Managed Switch Series DG GS1550 Layer 2 Gigabit Ethernet Web Managed Switch MANAGEMENT GUIDE v1 0 08 02 2012 As our products undergo continuous development the specifications are subject to change without prior notice ...

Page 2: ...specifically disclaims any warranties merchantability or fitness for any particular purpose Any software described in this manual is sold or licensed as is Should the programs prove defective following their purchase the buyer and not SNSL its distributor or its dealer assumes the entire cost of all necessary servicing repair and any incidental or consequential damages resulting from any defect in...

Page 3: ...DG GS1550 Gigabit Ethernet Switch Layer 2 Workgroup Switch with 46 10 100 1000BASE T RJ 45 Ports and 4 Combination Gigabit RJ 45 SFP Ports MANAGEMENT GUIDE ...

Page 4: ...es important information or calls your attention to related features or instructions Caution Alerts you to a potential hazard that could cause loss of data or damage the system or equipment Warning Alerts you to a potential hazard that could cause personal injury Related Publications The following publication gives specific information on how to operate and use the management functions of the swit...

Page 5: ...on 1 and 2c clients 2 6 Trap Receivers 2 7 Configuring Access for SNMP Version 3 Clients 2 8 Managing System Files 2 8 Saving Configuration Settings 2 9 Chapter 3 Configuring the Switch 3 1 Using the Web Interface 3 1 Navigating the Web Browser Interface 3 2 Home Page 3 2 Configuration Options 3 3 Panel Display 3 3 Main Menu 3 4 Basic Configuration 3 11 Displaying System Information 3 11 Displayin...

Page 6: ...ine ID 3 42 Specifying a Remote Engine ID 3 43 Configuring SNMPv3 Users 3 44 Configuring Remote SNMPv3 Users 3 46 Configuring SNMPv3 Groups 3 48 Setting SNMPv3 Views 3 51 User Authentication 3 53 Configuring User Accounts 3 53 Configuring Local Remote Logon Authentication 3 55 Configuring Encryption Keys 3 58 AAA Authorization and Accounting 3 60 Configuring AAA RADIUS Group Settings 3 61 Configur...

Page 7: ...an Access Control List 3 103 DHCP Snooping 3 104 DHCP Snooping Configuration 3 105 DHCP Snooping VLAN Configuration 3 106 DHCP Snooping Information Option Configuration 3 107 DHCP Snooping Port Configuration 3 108 DHCP Snooping Binding Information 3 109 IP Source Guard 3 110 Configuring Ports for IP Source Guard 3 110 Configuring Static Binding for IP Source Guard 3 112 Displaying Information for ...

Page 8: ...isplaying Current VLANs 3 176 Creating VLANs 3 177 Adding Static Members to VLANs VLAN Index 3 180 Adding Static Members to VLANs Port Index 3 182 Configuring VLAN Behavior for Interfaces 3 183 Configuring IEEE 802 1Q Tunneling 3 185 Enabling QinQ Tunneling on the Switch 3 188 Adding an Interface to a QinQ Tunnel 3 189 Traffic Segmentation 3 192 Configuring Global Settings for Traffic Segmentation...

Page 9: ...cast Services 3 230 Assigning Ports to Multicast Services 3 231 IGMP Filtering and Throttling 3 232 Enabling IGMP Filtering and Throttling 3 232 Configuring IGMP Filter Profiles 3 233 Configuring IGMP Filtering and Throttling for Interfaces 3 235 Multicast VLAN Registration 3 237 Configuring Global MVR Settings 3 238 Displaying MVR Interface Status 3 240 Displaying Port Members of Multicast Groups...

Page 10: ...w history 4 13 reload Privileged Exec 4 14 reload Global Configuration 4 14 show reload 4 16 prompt 4 16 end 4 16 exit 4 17 quit 4 17 System Management Commands 4 18 Device Designation Commands 4 18 hostname 4 18 Banner Information Commands 4 19 banner configure 4 20 banner configure company 4 21 banner configure dc power info 4 21 banner configure department 4 22 banner configure equipment info 4...

Page 11: ...hresh 4 46 silent time 4 47 databits 4 47 parity 4 48 speed 4 49 stopbits 4 49 disconnect 4 50 show line 4 50 Event Logging Commands 4 51 logging on 4 52 logging history 4 53 logging host 4 54 logging facility 4 54 logging trap 4 55 clear log 4 55 show logging 4 56 show log 4 57 SMTP Alert Commands 4 58 logging sendmail host 4 58 logging sendmail level 4 59 logging sendmail source email 4 60 loggi...

Page 12: ...ocation 4 75 snmp server host 4 76 snmp server enable traps 4 78 snmp server engine id 4 79 show snmp engine id 4 80 snmp server view 4 80 show snmp view 4 81 snmp server group 4 82 show snmp group 4 83 snmp server user 4 84 show snmp user 4 85 Authentication Commands 4 86 User Account and Privilege Level Commands 4 87 username 4 87 enable password 4 88 privilege 4 89 privilege rerun 4 89 show pri...

Page 13: ...6 aaa authorization exec 4 107 authorization exec 4 108 show accounting 4 108 Web Server Commands 4 109 ip http port 4 109 ip http server 4 110 ip http secure server 4 110 ip http secure port 4 111 Telnet Server Commands 4 112 ip telnet server 4 112 Secure Shell Commands 4 113 ip ssh server 4 115 ip ssh timeout 4 116 ip ssh authentication retries 4 116 ip ssh server key size 4 117 delete public ke...

Page 14: ...k access dynamic qos 4 139 network access guest vlan 4 140 mac authentication reauth time 4 140 mac authentication intrusion action 4 141 mac authentication max mac count 4 141 show network access 4 142 show network access mac address table 4 143 DHCP Snooping Commands 4 144 ip dhcp snooping 4 144 ip dhcp snooping vlan 4 146 ip dhcp snooping trust 4 147 ip dhcp snooping verify mac address 4 148 ip...

Page 15: ...4 170 flowcontrol 4 171 media type 4 172 shutdown 4 173 switchport packet rate 4 173 clear counters 4 174 show interfaces brief 4 175 show interfaces status 4 175 show interfaces counters 4 176 show interfaces switchport 4 177 Link Aggregation Commands 4 180 channel group 4 181 lacp 4 182 lacp system priority 4 183 lacp admin key Ethernet Interface 4 184 lacp admin key Port Channel 4 185 lacp port...

Page 16: ...9 mst vlan 4 210 mst priority 4 211 name 4 211 revision 4 212 max hops 4 212 spanning tree spanning disabled 4 213 spanning tree cost 4 214 spanning tree port priority 4 215 spanning tree edge port 4 216 spanning tree portfast 4 217 spanning tree link type 4 218 spanning tree loopback detection 4 219 spanning tree loopback detection release mode 4 219 spanning tree loopback detection trap 4 220 sp...

Page 17: ...vlan up link down link 4 244 show pvlan 4 244 Configuring Private VLANs 4 245 private vlan 4 246 private vlan association 4 247 switchport mode private vlan 4 248 switchport private vlan host association 4 248 switchport private vlan mapping 4 249 show vlan private vlan 4 249 Configuring Protocol based VLANs 4 250 protocol vlan protocol group Configuring Groups 4 251 protocol vlan protocol group C...

Page 18: ...lv mac phy 4 273 lldp dot3 tlv max frame 4 274 lldp med tlv inventory 4 274 lldp med tlv location 4 275 lldp med tlv med cap 4 275 lldp med tlv network policy 4 276 show lldp config 4 276 show lldp info local device 4 278 show lldp info remote device 4 279 show lldp info statistics 4 281 Class of Service Commands 4 282 Priority Commands Layer 2 4 282 queue mode 4 283 switchport priority default 4 ...

Page 19: ...e 4 308 show ip igmp snooping 4 309 show mac address table multicast 4 309 IGMP Query Commands Layer 2 4 310 ip igmp snooping querier 4 310 ip igmp snooping query count 4 311 ip igmp snooping query interval 4 312 ip igmp snooping query max response time 4 312 ip igmp snooping router port expire time 4 313 Static Multicast Routing Commands 4 314 ip igmp snooping vlan mrouter 4 314 show ip igmp snoo...

Page 20: ... 4 334 show dns 4 334 show dns cache 4 335 clear dns cache 4 335 IP Interface Commands 4 336 ip address 4 336 ip default gateway 4 337 ip dhcp restart 4 338 show ip interface 4 338 show ip redirects 4 339 ping 4 339 show arp 4 340 clear arp cache 4 341 Appendix A Software Specifications A 1 Software Features A 1 Management Features A 2 Standards A 2 Management Information Bases A 3 Appendix B Trou...

Page 21: ... 205 Table 3 18 Mapping IP Precedence 3 210 Table 3 19 Mapping DSCP Priority Values 3 211 Table 4 1 Command Modes 4 6 Table 4 2 Configuration Modes 4 8 Table 4 3 Command Line Processing 4 9 Table 4 4 Command Groups 4 10 Table 4 5 General Commands 4 11 Table 4 6 System Management Commands 4 18 Table 4 7 Device Designation Commands 4 18 Table 4 8 Banner Commands 4 19 Table 4 9 System Status Commands...

Page 22: ... 4 44 DHCP Snooping Commands 4 144 Table 4 45 IP Source Guard Commands 4 151 Table 4 46 Access Control Lists 4 155 Table 4 47 IP ACLs 4 155 Table 4 48 MAC ACL Commands 4 161 Table 4 49 ACL Information 4 166 Table 4 50 Interface Commands 4 167 Table 4 51 Interfaces Switchport Statistics 4 178 Table 4 52 Link Aggregation Commands 4 180 Table 4 53 show lacp counters display description 4 187 Table 4 ...

Page 23: ... 4 82 IP DSCP to CoS Vales 4 291 Table 4 83 Quality of Service Commands 4 295 Table 4 84 Multicast Filtering Commands 4 305 Table 4 85 IGMP Snooping Commands 4 305 Table 4 86 IGMP Query Commands Layer 2 4 310 Table 4 87 Static Multicast Routing Commands 4 314 Table 4 88 IGMP Filtering and Throttling Commands 4 316 Table 4 89 Multicast VLAN Registration Commands 4 323 Table 4 90 show mvr display de...

Page 24: ...Tables xxx ...

Page 25: ...g the System 3 33 Figure 3 21 SNTP Configuration 3 35 Figure 3 22 Setting the System Clock 3 36 Figure 3 23 Enabling SNMP Agent Status 3 38 Figure 3 24 Configuring SNMP Community Strings 3 39 Figure 3 25 Configuring IP Trap Managers 3 41 Figure 3 26 Setting an Engine ID 3 42 Figure 3 27 Setting a Remote Engine ID 3 43 Figure 3 28 Configuring SNMPv3 Users 3 45 Figure 3 29 Configuring Remote SNMPv3 ...

Page 26: ...3 64 DHCP Snooping Configuration 3 105 Figure 3 65 DHCP Snooping VLAN Configuration 3 106 Figure 3 66 DHCP Snooping Information Option Configuration 3 108 Figure 3 67 DHCP Snooping Port Configuration 3 109 Figure 3 68 DHCP Snooping Binding Information 3 110 Figure 3 69 IP Source Guard Port Configuration 3 112 Figure 3 70 Static IP Source Guard Binding Configuration 3 113 Figure 3 71 Dynamic IP Sou...

Page 27: ...Traffic Segmentation Link Status 3 193 Figure 3 108 Private VLAN Information 3 195 Figure 3 109 Private VLAN Configuration 3 196 Figure 3 110 Private VLAN Association 3 196 Figure 3 111 Private VLAN Port Information 3 197 Figure 3 112 Private VLAN Port Configuration 3 199 Figure 3 113 Protocol VLAN Configuration 3 200 Figure 3 114 Protocol VLAN Port Configuration 3 202 Figure 3 115 Port Priority C...

Page 28: ...ure 3 138 MVR Group IP Information 3 241 Figure 3 139 MVR Port Configuration 3 243 Figure 3 140 MVR Group Member Configuration 3 244 Figure 3 141 DNS General Configuration 3 246 Figure 3 142 DNS Static Host Table 3 248 Figure 3 143 DNS Cache 3 249 Figure 3 144 Cluster Member Choice 3 250 Figure 3 145 Cluster Configuration 3 251 Figure 3 146 Cluster Member Configuration 3 252 Figure 3 147 Cluster M...

Page 29: ...rmation IP Source Guard Network Access MAC Address Authentication Port Authentication IEEE 802 1X Port Security MAC address filtering Private VLANs Access Control Lists Supports up to 128 ACLs 96 MAC rules and 96 IP rules DHCP Client DNS Client and Proxy service Port Configuration Speed duplex mode and flow control Port Trunking Supports up to 32 trunks using either static or dynamic trunking LACP...

Page 30: ... uses the Extensible Authentication Protocol over LANs EAPOL to request user credentials from the 802 1X client and then verifies the client s right to access the network via an authentication server Other authentication options include HTTPS for secure management access via the web SSH for secure management access over a Telnet equivalent connection SNMP Version 3 IP address filtering for SNMP we...

Page 31: ...witch Port Trunking Ports can be combined into an aggregate connection Trunks can be manually set up or dynamically configured using Link Aggregation Control Protocol LACP IEEE 802 3 2005 The additional ports dramatically increase the throughput across any connection and provide redundancy by taking over the load if a port in the trunk should fail The switch supports up to 25 on the DG GS1550 Stor...

Page 32: ...y reconfiguring ports to STP compliant mode if they detect STP protocol messages from attached devices Multiple Spanning Tree Protocol MSTP IEEE 802 1D 2004 This protocol is a direct extension of RSTP It can provide an independent spanning tree for different VLANs It simplifies network management provides for even faster convergence than RSTP by limiting the size of each region and prevents VLAN m...

Page 33: ...k based on access lists IP Precedence or DSCP values or VLAN lists Using access lists allows you select traffic based on Layer 2 Layer 3 or Layer 4 information contained in each packet Based on network policies different kinds of traffic can be marked for different kinds of forwarding Multicast Filtering Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfer...

Page 34: ...rity none Local Console Timeout 0 disabled Authentication and Security Measures Privileged Exec Level Username admin Password admin Normal Exec Level Username guest Password guest Enable Privileged Exec from Normal Exec Level Password super RADIUS Authentication Disabled TACACS Authentication Disabled 802 1X Port Authentication Disabled MAC Authentication Disabled HTTPS Enabled SSH Disabled Port S...

Page 35: ...Congestion Control Rate Limiting Disabled Storm Control Broadcast enabled all ports Multicast disabled Unknown Unicast disabled Address Table Aging Time 300 seconds Spanning Tree Algorithm Status Enabled RSTP Defaults Based on RSTP standard Fast Forwarding Edge Port Disabled LLDP Status Enabled Virtual LANs Default VLAN 1 PVID 1 Acceptable Frame Type All Ingress Filtering Enabled Switchport Mode E...

Page 36: ...xy service Disabled BOOTP Disabled Multicast Filtering IGMP Snooping Snooping Enabled Querier Enabled Multicast VLAN Registration Disabled System Log Status Enabled Messages Logged to RAM Levels 0 7 all Messages Logged to Flash Levels 0 3 SMTP Email Alerts Event Handler Enabled but no server defined SNTP Clock Synchronization Disabled DHCP Snooping Status Disabled IP Source Guard Status Disabled a...

Page 37: ...e RS 232 serial console port on the switch or remotely by a Telnet or Secure Shell SSH connection over the network The switch s management agent also supports SNMP Simple Network Management Protocol This SNMP agent permits the switch to be managed from any system in the network using network management software such as HP OpenView The switch s web interface CLI configuration program and SNMP agent...

Page 38: ...erminal emulation software and tighten the captive retaining screws on the RS 232 connector 2 Connect the other end of the cable to the RS 232 serial port on the switch 3 Make sure the terminal emulation software is set as follows Select the appropriate serial port COM port 1 or COM port 2 Set to any of the following baud rates 9600 19200 38400 57600 115200 Note Set to 9600 baud if want to view al...

Page 39: ...provides access to basic configuration functions To access the full range of SNMP management functions you must use SNMP based network management software Basic Configuration Console Connection The CLI program provides two different command levels normal access level Normal Exec and privileged access level Privileged Exec The commands available at the Normal Exec level are a limited subset of thos...

Page 40: ...on for the stack to obtain management access through the network This can be done in either of the following ways Manual You have to input the information including IP address and subnet mask If your management station is not in the same IP subnet as the stack s master unit you will also need to specify the default gateway router Dynamic The switch sends IP configuration requests to BOOTP or DHCP ...

Page 41: ...d Requests will be sent periodically in an effort to obtain IP configuration information BOOTP and DHCP values can include the IP address subnet mask and default gateway If the DHCP BOOTP server is slow to respond you may need to use the ip dhcp restart command to re start broadcasting service requests If the bootp or dhcp option is saved to the startup config file step 6 then the switch will star...

Page 42: ...that supports SNMP version 1 2c and 3 clients To provide management access for version 1 or 2c clients you must specify a community string The switch provides a default MIB View i e an SNMPv3 construct for the default public community string that provides read access to the entire MIB tree and a default view for the private community string that provides read write access to the entire MIB tree Ho...

Page 43: ... are no community strings then SNMP management access from SNMP v1 and v2c clients is disabled Trap Receivers You can also specify SNMP stations that are to receive traps from the switch To configure a trap receiver use the snmp server host command From the Privileged Exec level global configuration mode prompt type snmp server host host address community string version 1 2c 3 auth noauth priv whe...

Page 44: ...iles are Configuration This file type stores system configuration information and is created when configuration settings are saved Saved configuration files can be selected as a system start up file or can be uploaded via TFTP to a server for backup The file named Factory_Default_Config cfg contains all the system default settings and cannot be deleted from the system If the system is booted with ...

Page 45: ...he start up configuration file using the copy command New startup configuration files must have a name specified File names on the switch are case sensitive can be from 1 to 31 characters must not contain slashes or and the leading letter of the file name must not be a period Valid characters A Z a z 0 9 _ There can be more than one user defined configuration file saved in the switch s flash memor...

Page 46: ...Initial Configuration 2 10 2 ...

Page 47: ...age 2 4 2 Set user names and passwords using an out of band serial connection Access to the web agent is controlled by the same user names and passwords as the onboard configuration program See Setting Passwords on page 2 4 3 After you enter a user name and password you will have access to the system configuration program Notes 1 You are allowed three attempts to enter the correct password on the ...

Page 48: ...statistics The default user name and password for the administrator is admin Home Page When your web browser connects with the switch s web agent the home page is displayed as shown below The home page displays the Main Menu on the left side of the screen and System Information on the right side The Main Menu links are used to navigate to other menus and display configuration parameters and statis...

Page 49: ... This option is available under Tools Internet Options General Browsing History Settings Temporary Internet Files 2 When using Internet Explorer 5 0 you may have to manually refresh the screen after making configuration changes by pressing the browser s refresh button Panel Display The web agent displays an image of the switch s ports The Mode can be set to display different information for the po...

Page 50: ... 3 20 Delete Allows deletion of files from the flash memory 3 20 Set Start Up Sets the startup file 3 20 Line 3 24 Console Sets console port connection parameters 3 24 Telnet Sets Telnet connection parameters 3 26 Log 3 28 Logs Stores and displays error messages 3 28 System Logs Sends error messages to a logging process 3 28 Remote Logs Configures the logging of messages to a remote logging proces...

Page 51: ...ic Update Sets the interval at which accounting updates are sent to RADIUS AAA servers 3 64 802 1X Port Settings Applies the specified accounting method to an interface 3 65 Command Privileges Specifies a method name to apply to commands entered at specific CLI privilege levels 3 66 Exec Settings Specifies console or Telnet authentication method 3 67 Summary Displays accounting information and sta...

Page 52: ...3 117 Trunk Configuration Configures trunk connection settings 3 117 Trunk Membership Specifies ports to group into static trunks 3 120 LACP Link Access Control Protocol 3 121 Configuration Allows ports to dynamically join trunks 3 121 Aggregation Port Configures parameters for link aggregation group members 3 123 Port Counters Information Displays statistics for LACP protocol messages 3 125 Port ...

Page 53: ...ys individual port settings for STA 3 158 Trunk Information Displays individual trunk settings for STA 3 158 Port Configuration Configures individual port settings for STA 3 161 Trunk Configuration Configures individual trunk settings for STA 3 161 MSTP Multiple Spanning Tree Protocol 3 165 VLAN Configuration Configures priority and VLANs for a spanning tree instance 3 165 Port Information Display...

Page 54: ...tion Each community VLAN must be associated with a primary VLAN 3 196 Port Information Shows VLAN port type and associated primary or secondary VLANs 3 197 Port Configuration Sets the private VLAN interface type and associates the interfaces with a private VLAN 3 198 Trunk Information Shows VLAN port type and associated primary or secondary VLANs 3 197 Trunk Configuration Sets the private VLAN int...

Page 55: ...ate Leave Enables the immediate leave function 3 226 Multicast Router Port Information Displays the ports that are attached to a neighboring multicast router for each VLAN ID 3 228 Static Multicast Router Port Configuration Assigns ports that are attached to a neighboring multicast router 3 229 IP Multicast Registration Table Displays all multicast groups active on this switch including multicast ...

Page 56: ...DHCP Snooping 3 104 Configuration Enables DHCP Snooping and DHCP Snooping MAC Address Verification 3 105 VLAN Configuration Enables DHCP Snooping for a VLAN 3 106 Information Option Configuration Enables DHCP Snooping Information Option 3 107 Port Configuration Selects the DHCP Snooping Information Option policy 3 108 Binding Information Displays the DHCP Snooping binding information 3 109 IP Sour...

Page 57: ...or the system System Up Time Length of time the management agent has been up These additional parameters are displayed for the CLI MAC Address The physical layer address for this switch Web Server Shows if management access via is enabled Web Server Port Shows the TCP port number used by the web interface Web Secure Server Shows if management access via HTTPS is enabled Web Secure Server Port Show...

Page 58: ...cation WC 9 4 75 Console config snmp server contact Ted 4 75 Console config exit Console show system System Description DG GS1550 System OID String 1 3 6 1 4 1 36293 1 1 1 15 System Information System Up Time 0 days 0 hours 46 minutes and 39 91 seconds System Name NONE System Location NONE System Contact NONE MAC Address Unit1 00 17 7C 0C 8F EE Web Server Enabled Web Server Port 80 Web Secure Serv...

Page 59: ...built in RJ 45 ports Hardware Version Hardware version of the main board Internal Power Status Displays the status of the internal power supply Management Software EPLD Version Version number of the Electronically Programmable Logic Device code Loader Version Version number of loader code Boot ROM Version Version of Power On Self Test POST and boot code Operation Code Version Version number of run...

Page 60: ...mation Console show version Unit 1 Serial Number AA16002532 Hardware Version R01 EPLD Version 3 02 Number of Ports 50 Main Power Status Up Redundant Power Status Not present Agent Master Unit ID 1 Loader Version 1 0 0 4 Boot ROM Version 1 0 0 5 Operation Code Version 112 2 14 2 Console ...

Page 61: ...ffic classes Refer to Class of Service Configuration on page 3 203 Static Entry Individual Port This switch allows static filtering for unicast and multicast addresses Refer to Setting Static Addresses on page 3 146 VLAN Learning This switch uses Independent VLAN Learning IVL where all VLANs share the same address table Configurable PVID Tagging This switch allows you to override the default Port ...

Page 62: ...ess IP Address Mode Specifies whether IP functionality is enabled via manual configuration Static Dynamic Host Configuration Protocol DHCP or Boot Protocol BOOTP If DHCP BOOTP is enabled IP will not function until a reply has been received from the server Requests will be broadcast periodically by the switch for an IP address DHCP BOOTP values can include the IP address subnet mask and default gat...

Page 63: ...ic enter the IP address subnet mask and gateway then click Apply Figure 3 6 Manual IP Configuration CLI Specify the management interface IP address and default gateway Console config Console config interface vlan 1 4 167 Console config if ip address 192 168 226 232 255 255 255 0 4 336 Console config if exit Console config ip default gateway 192 168 226 254 4 337 Console config ...

Page 64: ...lso broadcast a request for IP configuration settings on each power reset Figure 3 7 DHCP IP Configuration Note If you lose your management connection use a console connection and enter show ip interface to determine the new switch address CLI Specify the management interface and set the IP address mode to DHCP or BOOTP and then enter the ip dhcp restart command Console config Console config inter...

Page 65: ... frames that run only up to 1 5 KB using jumbo frames significantly reduces the per packet overhead required to process protocol encapsulation fields Command Usage To use jumbo frames both the source and destination end nodes such as a computer or server must support this feature Also when the connection is operating at full duplex all switches in the network between the two end nodes must be able...

Page 66: ...ssigning it a new name file to tftp Copies a file from the switch to a TFTP server tftp to file Copies a file from a TFTP server to the switch TFTP Server IP Address The IP address of a TFTP server File Type Specify opcode operational code to copy firmware File Name The file name should not contain slashes or the leading letter of the file name should not be a period and the maximum length for fil...

Page 67: ... to start using the new operation code reboot the system via the System Reset menu Figure 3 9 Copy Firmware If you download to a new destination file go to the System File Set Start Up menu mark the operation code file used at startup and click Apply To start the new firmware reboot the system via the System Reset menu Figure 3 10 Setting the Startup Code To delete a file select System File Delete...

Page 68: ...g to tftp Copies the running configuration to a TFTP server startup config to file Copies the startup configuration to a file on the switch startup config to running config Copies the startup config to the running config startup config to tftp Copies the startup configuration to a TFTP server tftp to file Copies a file from a TFTP server to the switch tftp to running config Copies a file from a TF...

Page 69: ...tp to startup config or tftp to file and enter the IP address of the TFTP server Specify the name of the file to download and select a file on the switch to overwrite or specify a new file name then click Apply Figure 3 12 Downloading Configuration Settings for Startup If you download to a new file name using tftp to startup config or tftp to file the file is automatically set as the start up conf...

Page 70: ...Range 0 65535 seconds Default 600 seconds Password Threshold Sets the password intrusion threshold which limits the number of failed logon attempts When the logon attempt threshold is reached the system interface becomes silent for a specified amount of time set by the Silent Time parameter before allowing the next logon attempt Range 0 120 Default 3 attempts Silent Time Sets the amount of time th...

Page 71: ...word for the line connection When a connection is started on a line with password protection the system prompts for the password If you enter the correct password the system shows a prompt Default No password Login1 Enables password checking at login You can select authentication by a single global password as configured for the Password parameter or by passwords set up for specific user name acco...

Page 72: ...s the interval that the system waits until user input is detected If user input is not detected within the timeout interval the current session is terminated Range 0 65535 seconds Default 600 seconds Password Threshold Sets the password intrusion threshold which limits the number of failed logon attempts When the logon attempt threshold is reached the system interface becomes silent for a specifie...

Page 73: ... the connection parameters for Telnet access then click Apply Figure 3 15 Enabling Telnet CLI Enter Line Configuration mode for a virtual terminal then specify the connection parameters as required To display the current virtual terminal settings use the show line command from the Normal Exec level 2 CLI only Console config line vty 4 42 Console config line login local 4 43 Console config line pas...

Page 74: ... Enables disables the logging of debug or error messages to the logging process Default Enabled Flash Level Limits log messages saved to the switch s permanent flash memory for all levels up to the specified level For example if level 3 is specified all messages from level 0 to level 3 will be logged to flash Range 0 7 Default 3 RAM Level Limits log messages saved to the switch s temporary RAM mem...

Page 75: ...acility types specified by values of 16 to 23 The facility type is used by the syslog server to dispatch log messages to an appropriate service The attribute specifies the facility type tag sent in syslog messages See RFC 3164 This type has no effect on the kind of messages reported by the switch However it may be used by the syslog server to process messages such as sorting or storing messages in...

Page 76: ...he syslog server host IP address choose the facility type and set the logging trap Console config logging host 192 168 1 15 4 54 Console config logging facility 23 4 54 Console config logging trap 4 4 55 Console config end Console show logging trap 4 55 Syslog logging Enabled REMOTELOG status Enabled REMOTELOG facility type local use 7 REMOTELOG level type Warning conditions REMOTELOG server ip ad...

Page 77: ...SMTP function Default Enabled Email Source Address Sets the email address used for the From field in alert messages You may use a symbolic email address that identifies the switch or the address of an administrator responsible for the switch Severity Sets the syslog severity threshold level see table on page 3 28 used to trigger alert messages All events at this level or higher will be sent to the...

Page 78: ...he list Email Destination Address This command specifies SMTP servers that may receive alert messages Web Click System Log SMTP Enable SMTP specify a source email address and select the minimum severity level To add an IP address to the SMTP Server List type the new IP address in the SMTP Server field and click Add To delete an IP address click the entry in the Server IP List and click Remove Spec...

Page 79: ...ompted confirm that you want to reset the switch Note When restarting the system it will always run the Power On Self Test It will also retain all configuration information stored in non volatile memory see Saving or Restoring Configuration Settings on page 3 22 Console config logging sendmail host 192 168 1 4 4 58 Console config logging sendmail level 3 4 59 Console config logging sendmail source...

Page 80: ...ed sequence Setting the Time Manually You can set the system time on the switch manually without using SNTP CLI This example sets the system clock time and then displays the current time and date Configuring SNTP You can configure the switch to send time synchronization requests to time servers Command Attributes SNTP Client Configures the switch to operate as an SNTP client This requires at least...

Page 81: ...number of hours and minutes your time zone is east before or west after of UTC Command Attributes Current Time Displays the current time Name Assigns a name to the time zone Range 1 29 characters Hours 0 12 The number of hours before after UTC Minutes 0 59 The number of minutes before after UTC Direction Configures the time zone to be before east or after west UTC Console config sntp server 10 1 0...

Page 82: ...erred to as an agent A defined set of variables known as managed objects is maintained by the SNMP agent and used to manage the device These objects are defined in a Management Information Base MIB that provides a standard presentation of the information controlled by the agent SNMP defines both the format of the MIB specifications and the protocol used to access this information over the network ...

Page 83: ...deleted from the system You can then define customized groups and views for the SNMP clients that require access Table 3 4 SNMPv3 Security Models and Levels Model Level Group Read View Write View Notify View Security v1 noAuthNoPriv public read only defaultview none none Community string only v1 noAuthNoPriv private read write defaultview defaultview none Community string only v1 noAuthNoPriv user...

Page 84: ... Managers should be listed in this table For security reasons you should consider removing the default strings Command Attributes SNMP Community Capability The switch supports up to five community strings Current Displays a list of the community strings currently configured Community String A community string that acts like a password and permits access to the SNMP protocol Default strings public ...

Page 85: ...Priv or authPriv the user name must first be defined in the SNMPv3 Users page page 3 44 Otherwise the authentication password and or privacy password will not exist and the switch will not authorize SNMP access for the host However if you specify a V3 host with the no authentication noAuth option an SNMP user account will be automatically generated and the switch will authorize SNMP access for the...

Page 86: ... table we recommend that you define this string in the SNMP Community section at the top of the SNMP Configuration page for Version 1 or 2c clients or define a corresponding User Name in the SNMPv3 Users page for Version 3 clients Range 1 32 characters case sensitive Trap UDP Port Specifies the UDP port number used by the trap manager Default 162 Trap Version Specifies whether to send notification...

Page 87: ...ap messages specify the UDP port trap version trap security level for v3 clients trap inform settings for v2c v3 clients and then click Add Select the trap types required using the check boxes for Authentication and Link up down traps and then click Apply Figure 3 25 Configuring IP Trap Managers CLI This example adds a trap manager and enables both authentication and link up link down traps 3 Thes...

Page 88: ...ainst message replay delay and redirection The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets A local engine ID is automatically generated that is unique to the switch This is referred to as the default engine ID If the local engine ID is deleted or changed all SNMP users will be cleared You will need to reco...

Page 89: ...nt You therefore need to configure the remote agent s SNMP engine ID before you can send proxy requests or informs to it See Specifying Trap Managers and Trap Types on page 3 39 and Configuring Remote SNMPv3 Users on page 3 46 A new engine ID can be specified by entering 10 to 64 hexadecimal characters Web Click SNMP SNMPv3 Remote Engine ID Figure 3 27 Setting a Remote Engine ID CLI This example s...

Page 90: ...AuthNoPriv There is no authentication or encryption used in SNMP communications This is the default for SNMPv3 AuthNoPriv SNMP communications use authentication but the data is not encrypted only available for the SNMPv3 security model AuthPriv SNMP communications use both authentication and encryption only available for the SNMPv3 security model Authentication Protocol The method used for user au...

Page 91: ...gned group of a user click Change Group in the Actions column of the users table and select the new group Figure 3 28 Configuring SNMPv3 Users CLI Use the snmp server user command to configure a new user name and assign it to a group Console config snmp server user chris group r d v3 auth md5 greenpeace priv des56 einstien 4 84 Console config exit Console show snmp user 4 84 EngineId 8301000003000...

Page 92: ...r the SNMP agent on the remote device where the remote user resides Note that the remote engine identifier must be specified before you configure a remote user See Specifying a Remote Engine ID on page 3 43 Remote IP The Internet address of the remote device where the user resides Security Model The user security model SNMP v1 v2c or v3 Default v3 Security Level The security level used for the use...

Page 93: ... then click Delete Figure 3 29 Configuring Remote SNMPv3 Users CLI Use the snmp server user command to configure a new user name and assign it to a group Console config snmp server user mark group r d remote 192 168 1 19 v3 auth md5 greenpeace priv des56 einstien 4 84 Console config exit Console show snmp user 4 84 No user exist SNMP remote user EngineId 80000000030004e2b316c54321 User Name mark A...

Page 94: ...or write access Range 1 64 characters Notify View The configured view for notifications Range 1 64 characters Table 3 5 Supported Notification Messages Object Label Object ID Description RFC 1493 Traps newRoot 1 3 6 1 2 1 17 0 1 The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree the trap is sent by a bridge soon after its election as the new root e g upo...

Page 95: ...ure 1 3 6 1 6 3 1 1 5 5 An authenticationFailure trap signifies that the SNMPv2 entity acting in an agent role has received a protocol message that is not properly authenticated While all implementations of the SNMPv2 must be capable of generating this trap the snmpEnableAuthenTraps object indicates whether this trap will be generated RMON Events V2 risingAlarm 1 3 6 1 2 1 16 0 1 The SNMP trap tha...

Page 96: ...ete Figure 3 30 Configuring SNMPv3 Groups CLI Use the snmp server group command to configure a new group specifying the security model and level and restricting MIB access to defined read write and notify views Console config snmp server group secure users v3 priv read defaultview write defaultview notify defaultview 4 82 Console config exit Console show snmp group 4 83 Group Name secure users Sec...

Page 97: ...in the MIB tree Wild cards can be used to mask a specific portion of the OID string Type Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view Web Click SNMP SNMPv3 Views Click New to configure a new view In the New View page define a name and specify OID subtrees in the switch MIB to be included or excluded in the view Click Back to save the...

Page 98: ...view ifEntry a 1 3 6 1 2 1 2 2 1 1 included 4 80 Console config exit Console show snmp view 4 81 View Name ifEntry a Subtree OID 1 3 6 1 2 1 2 2 1 1 View Type included Storage Type nonvolatile Row Status active View Name readaccess Subtree OID 1 3 6 1 2 View Type included Storage Type nonvolatile Row Status active View Name defaultview Subtree OID 1 View Type included Storage Type nonvolatile Row ...

Page 99: ...Accounts The guest only has read access for most configuration parameters However the administrator has write access for all parameters governing the onboard agent You should therefore assign a new administrator password as soon as possible and store it in a safe place The default guest name is guest with the password guest The default administrator name is admin with the password admin Command At...

Page 100: ...new user account and add it to the Account List To change the password for a specific user enter the user name and new password confirm the password by entering it again then click Apply Figure 3 32 Access Levels CLI Assign a user name to access level 15 i e administrator then specify the password Console config username bob access level 15 4 87 Console config username bob password 0 smith Console...

Page 101: ... you must specify the authentication sequence and the corresponding parameters for the remote authentication protocol Local and remote logon authentication control management access via the console port web browser or Telnet RADIUS and TACACS logon authentication assign a specific privilege level for each user name password pair The user name password and privilege level must be configured on the ...

Page 102: ...r of Server Transmits Number of times the switch tries to authenticate logon access via the authentication server Range 1 30 Default 2 Timeout for a Reply The number of seconds the switch waits for a reply from the RADIUS server before it resends the request Range 1 65535 Default 5 TACACS Settings Global Provides globally applicable TACACS settings Server Index Specifies the index number of the se...

Page 103: ...cation Settings To configure local or remote authentication preferences specify the authentication sequence i e one to three methods fill in the parameters for RADIUS or TACACS authentication if selected and click Apply Figure 3 33 Authentication Settings ...

Page 104: ...4 94 Console config radius server retransmit 5 4 95 Console config radius server timeout 10 4 95 Console config radius server 1 host 192 168 1 25 4 93 Console config end Console show radius server 4 95 Global Settings Communication Key with RADIUS Server Auth Port 1812 Retransmit Times 2 Request Timeout 5 Server 1 Server IP Address 192 168 1 25 Communication Key with RADIUS Server Auth Port 181 Re...

Page 105: ...g Encryption key used to authenticate logon access for client Do not use blank spaces in the string Maximum length 48 characters Confirm Secret Text String Re type the string entered in the previous field to ensure no errors were made The switch will not change the encryption key if these two fields do not match Change Clicking this button adds or modifies the selected encryption key Web Click Sec...

Page 106: ...he switch supports the following AAA features Accounting for IEEE 802 1X authenticated users that access the network through the switch Accounting for users that access management interfaces on the switch through the console and Telnet Accounting for commands that users enter at specific CLI privilege levels Authorization of users that access management interfaces on the switch through the console...

Page 107: ...ndex for a RADIUS sever the server index must already be defined see Configuring Local Remote Logon Authentication on page 3 55 Web Click Security AAA Radius Group Settings Enter the RADIUS group name followed by the number of the server then click Add Figure 3 35 AAA Radius Group Settings CLI Specify the group name for a list of RADIUS servers and then specify the index number of a RADIUS server ...

Page 108: ...to add it to the group Configuring AAA Accounting AAA accounting is a feature that enables the accounting of requested services for billing or security purposes Command Attributes Method Name Specifies an accounting method for service requests The default methods are used for a requested service if no other methods have been defined Range 1 255 characters The method name is only used to describe t...

Page 109: ...o a server group configured on the RADIUS or TACACS Group Settings pages Web Click Security AAA Accounting Settings To configure a new accounting method specify a method name and a group name then click Add Figure 3 37 AAA Accounting Settings CLI Specify the accounting method required followed by the chosen parameters Console config aaa accounting dot1x tps start stop group radius 4 102 Console co...

Page 110: ...which the local accounting service updates information to the accounting server Range 1 2147483647 minutes Default Disabled Web Click Security AAA Accounting Periodic Update Enter the required update interval and click Apply Figure 3 38 AAA Accounting Update CLI This example sets the periodic accounting update interval at 10 minutes Console config aaa accounting update periodic 10 4 105 Console co...

Page 111: ...ply to the interface This method must be defined in the AAA Accounting Settings menu page 3 61 Range 1 255 characters Web Click Security AAA Accounting 802 1X Port Settings Enter the required accounting method and click Apply Figure 3 39 AAA Accounting 802 1X Port Settings CLI Specify the accounting method to apply to the selected interface Console config interface ethernet 1 2 Console config if a...

Page 112: ...red at the specified CLI privilege level Web Click Security AAA Accounting Command Privileges Enter a defined method name for console and Telnet privilege levels Click Apply Figure 3 40 AAA Accounting Exec Command Privileges CLI Specify the accounting method to use for console and Telnet privilege levels Console config line console 4 42 Console config line accounting commands 15 tps method 4 106 C...

Page 113: ...ser sessions Command Attributes AAA Accounting Summary Accounting Type Displays the accounting service Method List Displays the user defined or default accounting method Group List Displays the accounting server group Interface Displays the port or trunk to which these rules apply This field is null if the accounting method and associated server group has not been assigned to an interface AAA Acco...

Page 114: ...Configuring the Switch 3 68 3 Web Click Security AAA Summary Figure 3 42 AAA Accounting Summary ...

Page 115: ...ers The group name tacacs specifies all configured TACACS hosts see Configuring Local Remote Logon Authentication on page 3 55 Any other group name refers to a server group configured on the TACACS Group Settings page Authorization is only supported for TACACS servers Console show accounting 4 108 Accounting Type dot1x Method List default Group List radius Interface Method List tps method Group Li...

Page 116: ...roup Authorization EXEC Settings This feature specifies an authorization method name to apply to console and Telnet connections Command Attributes Method Name Specifies a user defined method name to apply to console and Telnet connections Web Click Security AAA Authorization Exec Settings Enter a defined method name for console and Telnet connections and click Apply Figure 3 44 AAA Authorization E...

Page 117: ...ies This field is null if the authorization method and associated server group has not been assigned Web Click Security AAA Authorization Summary Figure 3 45 AAA Authorization Summary CLI This example displays the configured authorization methods and the interfaces to which they are applied Console config line console 4 42 Console config line authorization exec tps auth 4 108 Console config line e...

Page 118: ...connection The client and server generate session keys for encrypting and decrypting data The client and server establish a secure encrypted connection A padlock icon should appear in the status bar for Internet Explorer 5 x or above Netscape 6 2 or above and Mozilla Firefox 2 0 0 0 or above The following web browsers and operating systems currently support HTTPS To specify a secure site certifica...

Page 119: ...btain a unique certificate and a private key and password from a recognized certification authority Caution For maximum security we recommend you obtain a unique Secure Sockets Layer certificate at the earliest opportunity This is because the default certificate for the switch is not unique to the hardware you have purchased When you have obtained these place them on your TFTP server and use the f...

Page 120: ...rd authentication is specified by the SSH client then the password can be authenticated either locally or via a RADIUS or TACACS remote authentication server as specified on the Authentication Settings page page 3 55 If public key authentication is specified by the client then you must configure authentication keys on both the client and the switch as described in the following section Note that r...

Page 121: ...2 Clients a The client sends its password to the server b The switch compares the client s password to those stored in memory c If a match is found the connection is allowed Note To use SSH with only password authentication the host public key must still be given to the client either during initial connection or manually entered into the known host file However you do not need to configure the cli...

Page 122: ... of Host Key The public key for the host RSA Version 1 The first field indicates the size of the host key e g 1024 the second field is the encoded public exponent e g 65537 and the last string is the encoded modulus DSA Version 2 The first field indicates that the encryption method used by SSH is based on the Digital Signature Standard DSS The last string is the encoded modulus Host Key Type The k...

Page 123: ...8320102524878965977592168322225584652387791546479807396314033 86925793105105765212243052807865885485789272602937866089236841423275912127 60325919683697053439336438445223335188287173896894511729290510813919642025 190932104328579045764891 DSA ssh dss AAAAB3NzaC1kc3MAAACBAN6zwIqCqDb3869jYVXlME1sHL0EcE Re6hlasfEthIwmj hLY4O0jqJZpcEQUgCfYlum0Y2uoLka Py9ieGWQ8f2gobUZKIICuKg6vjO9XTs7XKc05xfzkBi KviDa 2Or...

Page 124: ...onse from a client during an authentication attempt Range 1 120 seconds Default 120 seconds SSH Authentication Retries Specifies the number of authentication attempts that a client is allowed before authentication fails and the client has to restart the authentication process Range 1 5 times Default 3 SSH Server Key Size Specifies the SSH server key size Range 512 896 bits Default 768 The server k...

Page 125: ...POL identity request The client provides its identity such as a user name in an EAPOL response to the switch which it forwards to the RADIUS server The RADIUS server verifies the client identity and sends an access challenge back to the client The EAP packet from the RADIUS server contains not only the challenge but the authentication method to be used The client can reject the authentication meth...

Page 126: ...st have an IP address assigned RADIUS authentication must be enabled on the switch and the IP address of the RADIUS server specified 802 1X must be enabled globally for the switch Each switch port that will be used must be set to dot1X Auto mode Each client that needs to be authenticated must have dot1X client software installed and properly configured The RADIUS server and 802 1X client support E...

Page 127: ... Web Select Security 802 1X Configuration Enable 802 1X globally for the switch and click Apply Figure 3 50 802 1X Global Configuration CLI This example enables 802 1X globally for the switch Console show dot1x 4 129 Global 802 1X Parameters system auth control enable 802 1X Port Summary Port Name Status Operation Mode Mode Authorized 1 1 disabled Single Host ForceAuthorized n a 1 2 disabled Singl...

Page 128: ...se This is the default setting Force Unauthorized Forces the port to deny access to all clients either dot1x aware or otherwise Re authentication Sets the client to be re authenticated after the interval specified by the Re authentication Period Re authentication can be used to detect if a new device is plugged into a switch port Default Disabled Max Request Sets the maximum number of times the sw...

Page 129: ...User Authentication 3 83 3 Web Click Security 802 1X Port Configuration Modify the parameters required and click Apply Figure 3 51 802 1X Port Configuration ...

Page 130: ... control Enabled 802 1X Port Summary Port Type Operation Mode Port Control Authorized Eth 1 1 Disabled Single Host ForceAuthorized Yes Eth 1 2 Authenticator Single Host Auto No Eth 1 26 Disabled Single Host ForceAuthorized No 802 1X Port Details 802 1X is disabled on port 1 1 Authenticator Information Reauthentication Enabled Reauth Period 1800 seconds Quiet Period 30 seconds TX Period 40 seconds ...

Page 131: ... of any type that have been received by this Authenticator Rx EAP Resp Id The number of EAP Resp Id frames that have been received by this Authenticator Rx EAP Resp Oth The number of valid EAP Response frames other than Resp Id frames that have been received by this Authenticator Rx EAP LenError The number of EAPOL frames that have been received by this Authenticator in which the Packet Body Lengt...

Page 132: ... the switch will not accept overlapping address ranges When entering addresses for different groups the switch will accept overlapping address ranges You cannot delete an individual address from a specified range You must delete the entire range and reenter the addresses You can delete an address range just by specifying the start address or by specifying both the start address and end address Com...

Page 133: ...he filter list Figure 3 53 Creating an IP Filter List CLI This example allows SNMP access for a specific client Console config management snmp client 10 1 2 3 4 132 Console config end Console show management all client Management IP Filter HTTP Client Start IP address End IP address SNMP Client Start IP address End IP address 1 10 1 2 3 10 1 2 3 TELNET Client Start IP address End IP address Consol...

Page 134: ...orts within the assigned VLAN See Private VLANs on page 3 194 Port Security Configure secure addresses for individual ports 802 1X Use IEEE 802 1X port authentication to control access to specific ports See Configuring 802 1X Port Authentication on page 3 79 Network Access Configures MAC authentication and dynamic VLAN assignment ACL Access Control Lists provide packet filtering for IPv4 frames ba...

Page 135: ...C addresses the selected port will stop learning The MAC addresses already in the address table will be retained and will not age out Any other device that attempts to use the port will be prevented from accessing the switch Command Usage A secure port has the following restrictions It cannot be used as a member of a static or dynamic trunk It should not be connected to a network interconnection d...

Page 136: ...thenticating device MAC addresses with a central RADIUS server Notes 1 RADIUS authentication must be activated and configured properly for the MAC Address authentication feature to work properly See Configuring Local Remote Logon Authentication on page 3 55 2 MAC authentication cannot be configured on trunk ports Command Usage Network Access authentication controls access to the network by authent...

Page 137: ...ied to the switch port The following attributes need to be configured on the RADIUS server Tunnel Type VLAN Tunnel Medium Type 802 Tunnel Private Group ID 1u 2t VLAN ID list The VLAN identifier list is carried in the RADIUS Tunnel Private Group ID attribute The VLAN list can contain multiple VLAN identifiers in the format 1u 2t 3u where u indicates an untagged VLAN and t a tagged VLAN Configuring ...

Page 138: ...rted for the switch system is 1024 When the limit is reached all new MAC addresses are treated as authentication failed Default 2048 Range 1 to 2048 Note MAC authentication cannot be configured on trunk ports Ports configured as trunk members are indicated on the Network Access Port Configuration page in the Trunk column Console config mac authentication reauth time 3000 4 140 Console config exit ...

Page 139: ...r of MAC addresses currently in the secure MAC address table Query By Specifies parameters to use in the MAC address query Port Specifies a port interface MAC Address Specifies a single MAC address information Attribute Displays static or dynamic addresses Address Table Sort Key Sorts the information displayed based on MAC address or port interface Unit Port The port interface associated with a se...

Page 140: ... displayed addresses by port MAC Address or attribute then select the method of sorting the displayed addresses Click Query Figure 3 57 Network Access MAC Address Information CLI This example displays all entries currently in the secure MAC address table Console show network access mac address table 4 143 Port MAC Address RADIUS Server Attribute Time 1 1 00 00 01 02 03 04 172 155 120 17 Static 00d...

Page 141: ...Max MAC Count The maximum allowed amount of MAC authenticated MAC addresses on the port Default 1024 Range 1 1024 Intrusion Action The switch can respond in two ways to an intrusion Block Traffic All traffic for the unauthenticated host is blocked Pass Traffic All traffic for the unauthenticated host is allowed Trunk Indicates if the port is a trunk member Web Click Security MAC Authentication Mod...

Page 142: ...llowing list types MAC ACLs IP ACLs including Standard and Extended ACLs The order in which active ACLs are checked is as follows 1 User defined rules in IP and MAC ACLs for ingress ports are checked in parallel Rules within an ACL are checked in the configured order from top to bottom If the result of checking an IP ACL is to permit a packet but the result of a MAC ACL on the same packet is to de...

Page 143: ...in the Name field select the list type IP Standard IP Extended or MAC and click Add to open the configuration page for the new list Figure 3 59 Selecting ACL Type CLI This example creates a standard IP ACL named david Console config access list ip standard david 4 156 Console config std acl ...

Page 144: ...ate match and 0 bits to indicate ignore The mask is bitwise ANDed with the specified source IP address and compared with the address for each IP packet entering the port s to which this ACL has been assigned Web Specify the action i e Permit or Deny Select the address type Any Host or IP If you select Host enter a specific address If you select IP enter a subnet address and the mask for an address...

Page 145: ...otocol number 0 255 Options TCP UDP Others Default TCP Source Destination Port Source destination port number for the specified protocol type Range 0 65535 Source Destination Port Bitmask Decimal number representing the port bits to match Range 0 65535 Control Code Decimal number representing a bit string that specifies flag bits in byte 14 of the TCP header Range 0 63 Control Code Bit Mask Decima...

Page 146: ...g packets if the source address is in subnet 10 7 1 x For example if the rule is matched i e the rule 10 7 1 0 255 255 255 0 equals the masked address 10 7 1 2 255 255 255 0 the packet passes through 2 Allow TCP packets from class C addresses 192 168 1 0 to any destination address when set for destination TCP port 80 i e HTTP 3 Permit all TCP packets from class C addresses 192 168 1 0 with the TCP...

Page 147: ...ination MAC address VID VLAN ID Range 1 4094 VID Mask VLAN bitmask Range 1 4094 Ethernet Type This option can only be used to filter Ethernet II formatted packets Range 600 fff hex A detailed listing of Ethernet protocol types can be found in RFC 1060 A few of the more common types include 0800 IP 0806 ARP 8137 IPX Ethernet Type Bitmask Protocol bitmask Range 600 fff hex Packet Format This attribu...

Page 148: ...ddress range Set any other required criteria such as VID Ethernet type or packet format Then click Add Figure 3 62 Configuring MAC ACLs CLI This example configures one permit rule for all source mac addresses to communicate with all destination mac addresses on VLAN 12 and another permit rule for source mac address to communicate with all destination mac addresses Console config mac acl permit any...

Page 149: ...ind one ACL to any port for ingress filtering Command Attributes Port Fixed port or SFP module Range 1 26 50 IP Specifies the IP ACL to bind to a port MAC Specifies the MAC ACL to bind to a port IN ACL for ingress packets OUT ACL for egress packets Not supported Web Click Security ACL Port Binding Click Edit to open the configuration page for the ACL type Mark the Enable field for the port you wan...

Page 150: ...ent receives or releases an IP address from a DHCP server Each entry includes a MAC address IP address lease time VLAN identifier and port identifier The rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second Any DHCP packets in excess of this limit are dropped When DHCP snooping is enabled DHCP messages entering an untrusted interface are filtered...

Page 151: ...gs are removed from the binding table Additional considerations when the switch itself is a DHCP client The port s through which the switch submits a client request to the DHCP server must be configured as trusted Note that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server Also when the switch sends out DHCP client packets fo...

Page 152: ...s globally re enabled When DHCP snooping is globally enabled and DHCP snooping is then disabled on a VLAN all dynamic bindings learned for this VLAN are removed from the binding table Command Attributes VLAN ID ID of a configured VLAN Range 1 4094 DHCP Snooping Status Enables or disables DHCP snooping for the selected VLAN When DHCP snooping is enabled globally on the switch and enabled on the spe...

Page 153: ...ust their MAC address DHCP client server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN If Option 82 is enabled on the switch information about the switch itself may be included in any relayed request packet In some cases the switch may receive DHCP packets from a client that already includes DHCP Option 82 information Th...

Page 154: ...iltering will be performed on any untrusted ports within the VLAN When an untrusted port is changed to a trusted port all the dynamic DHCP snooping bindings associated with this port are removed Set all ports connected to DHCP servers within the local network or fire wall to trusted state Set all other ports outside the local network or fire wall to untrusted state Command Attributes Trust Status ...

Page 155: ...P snooping binding information Unit Stack unit Port Port number VLAN ID VLAN for which DHCP snooping has been enabled MAC Address Physical address associated with the entry IP Address IP address corresponding to the client Console config interface ethernet 1 5 Console config if ip dhcp snooping trust 4 147 Console show ip dhcp snooping 4 150 Global DHCP Snooping status disable DHCP Snooping Inform...

Page 156: ...ttacks caused when a host tries to use the IP address of a neighbor to access the network This section describes commands used to configure IP Source Guard Note Due to a chip limitation IP source guard and Quality of Service for IP related QoS cannot be enabled at the same time Configuring Ports for IP Source Guard Use the IP Source Guard Port Configuration page to set the filtering type based on ...

Page 157: ... number and source MAC address for the SIP MAC option If a matching entry is found in the binding table and the entry type is static IP source guard binding the packet will be forwarded If DHCP snooping is enabled IP source guard will check the VLAN ID source IP address port number and source MAC address for the SIP MAC option If a matching entry is found in the binding table and the entry type is...

Page 158: ...ted with a value of zero in the table Command Usage Static addresses entered in the source guard binding table are automatically configured with an infinite lease time Dynamic entries learned via DHCP snooping are configured by the DHCP server itself Static bindings are processed as follows If there is no entry with the same VLAN ID and MAC address a new entry is added to the binding table using t...

Page 159: ...he table Port Switch port number Range 1 26 50 VLAN ID ID of a configured VLAN Range 1 4094 MAC Address A valid unicast MAC address IP Address A valid unicast IP address including classful types A B or C Web Click IP Source Guard Static Configuration Select the VLAN and port to which the entry will be bound enter the MAC address and associated IP address then click Add Figure 3 70 Static IP Source...

Page 160: ...ynamic Binding Table Counts Displays the number of IP addresses in the source guard binding table Current Dynamic Binding Table Displays the IP addresses in the source guard binding table Web Click IP Source Guard Dynamic Information Figure 3 71 Dynamic IP Source Guard Binding Information CLI This example shows how to configure a static source guard binding on port 5 Console show ip source guard b...

Page 161: ...dicates the type of flow control currently in use IEEE 802 3x Back Pressure or None Autonegotiation Shows if auto negotiation is enabled or disabled Media Type6 Media type used for the combo ports 45 48 DG GS1550 Options Copper Forced SFP Forced or SFP Preferred Auto Default SFP Preferred Auto Trunk Member6 Shows if port is a trunk member Creation7 Shows if a trunk is manually configured or dynami...

Page 162: ...bled or disabled Multicast Storm Limit Shows the multicast storm threshold 64 1 000 000 kilobits per second Unknown Unicast Storm Shows if unknown unicast storm control is enabled or disabled Unknown Unicast Storm Limit Shows the unknown unicast storm threshold 64 1 000 000 kilobits per second Flow Control Shows if flow control is enabled or disabled LACP Shows if LACP is enabled or disabled Port ...

Page 163: ...onnection over any 1000BASE T port or trunk If not used the success of the link process cannot be guaranteed when connecting to other types of switches Command Attributes Name Allows you to label an interface Range 1 64 characters Admin Allows you to manually disable an interface You can disable an interface due to abnormal behavior e g excessive collisions and then reenable it after the Console s...

Page 164: ...ports 100 Mbps half duplex operation 100full Supports 100 Mbps full duplex operation 1000full Combo ports only Supports 1000 Mbps full duplex operation Default Autonegotiation enabled Advertised capabilities for 100BASE TX 10half 10full 100half 100full 1000BASE T 10half 10full 100half 100full 1000full 1000BASE SX LX ZX 1000full Media Type Media type used for the combo ports 45 48 DG GS1550 Copper ...

Page 165: ...standby mode Should one link in the trunk fail one of the standby ports will automatically be activated to replace it Command Usage Besides balancing the load across each port in the trunk the other ports provide redundancy by taking over the load if a port in the trunk fails However before making any physical connections between devices use the web interface or CLI to specify the trunk on the dev...

Page 166: ...g on the manufacturer s implementation However note that the static trunks on this switch are Cisco EtherChannel compatible To avoid creating a loop in the network be sure you add a static trunk via the configuration interface before connecting the ports and also disconnect the ports before removing a static trunk via the configuration interface Command Attributes Member List Current Shows configu...

Page 167: ... of an LACP trunk must be configured for full duplex and auto negotiation Trunks dynamically established through LACP will also be shown in the Member List on the Trunk Membership menu see page 3 120 Console config interface port channel 2 4 167 Console config if exit Console config interface ethernet 1 1 4 167 Console config if channel group 2 4 181 Console config if exit Console config interface...

Page 168: ...New Includes entry fields for creating new trunks Port Port identifier Range 1 26 50 Web Click Port LACP Configuration Select any of the switch ports from the scroll down port list and click Add After you have completed adding ports to the member list click Apply Figure 3 75 LACP Trunk Configuration ...

Page 169: ...page 4 184 Command Attributes Set Port Actor This menu sets the local side of an aggregate link i e the ports on this switch Port Port number Range 1 26 50 System Priority LACP system priority is used to determine link aggregation group LAG membership and to identify this device to other switches during LAG negotiations Range 0 65535 Default 32768 Ports must be configured with the same system prio...

Page 170: ...tached device The command attributes have the same meaning as those used for the port actor However configuring LACP settings for the partner only applies to its administrative state not its operational state and will only take effect the next time an aggregate link is established with the partner Web Click Port LACP Aggregation Port Set the System Priority Admin Key and Port Priority for the Port...

Page 171: ...nsole show lacp sysid 4 187 Port Channel System Priority System MAC Address 1 3 00 17 7C 31 31 31 2 32768 00 17 7C 31 31 31 3 32768 00 17 7C 31 31 31 4 32768 00 17 7C 31 31 31 Console show lacp 1 internal 4 187 Port channel 1 Oper Key 120 Admin Key 0 Eth 1 1 LACPDUs Internal 30 sec LACP System Priority 3 LACP Port Priority 128 Admin Key 120 Oper Key 120 Admin State defaulted aggregation long timeo...

Page 172: ...ype value but contain an unknown PDU or 2 are addressed to the Slow Protocols group MAC Address but do not carry the Slow Protocols Ethernet Type Marker Illegal Pkts Number of frames that carry the Slow Protocols Ethernet Type value but contain a badly formed PDU or an illegal value of Protocol Subtype Console show lacp counters 4 187 Port channel 1 Eth 1 1 LACPDUs Sent 91 LACPDUs Receive 43 Marke...

Page 173: ...formation administratively configured for the partner Distributing If false distribution of outgoing frames on this link is disabled i e distribution is currently disabled and is not expected to be enabled in the absence of administrative changes or changes in received protocol information Collecting Collection of incoming frames on this link is enabled i e collection is currently enabled and is n...

Page 174: ...he LACP configuration settings and operational state for the local side of port channel 1 Console show lacp 1 internal 4 187 Port channel 1 Oper Key 120 Admin Key 0 Eth 1 1 LACPDUs Internal 30 sec LACP System Priority 3 LACP Port Priority 128 Admin Key 120 Oper Key 120 Admin State defaulted aggregation long timeout LACP activity Oper State distributing collecting synchronization aggregation long t...

Page 175: ...igned by the LACP protocol Partner Admin Port Number Current administrative value of the port number for the protocol Partner Partner Oper Port Number Operational port number assigned to this aggregation port by the port s protocol partner Port Admin Priority Current administrative value of the port priority for the protocol partner Port Oper Priority Priority value assigned to this aggregation po...

Page 176: ...ast Storm Control is enabled by default Broadcast control does not effect IP multicast traffic Command Attributes Port Port number Type Indicates the port type 1000BASE T or 1000BASE SFP Protect Status Enables or disables broadcast storm control Default Enabled Threshold Threshold level as a rate i e packets per second Range 500 262143 packets per second Default 500 pps Trunk Shows if a port is a ...

Page 177: ...onsole config if switchport broadcast packet rate 500 4 173 Console config if end Console show interfaces switchport ethernet 1 2 4 177 Broadcast Threshold Enabled 500 packets second Multicast Threshold Disabled Unknown Unicast Threshold Disabled LACP Status Disabled Ingress Rate Limit Disabled 1000 Mbits per second Egress Rate Limit Disabled 1000 Mbits per second VLAN Membership Mode Hybrid Ingre...

Page 178: ...value set by the multicast storm control command And when unknown unicast storm control is enabled both broadcast and multicast storm control are also enabled using the threshold value set by the unknown unicast storm control command Command Attributes Port Port number Range 1 26 50 Type Indicates the port type 1000BASE T or 1000BASE SFP Protect Status Enables or disables multicast storm control D...

Page 179: ...m control is enabled broadcast storm control is also enabled using the threshold value set by the multicast storm control command And when unknown unicast storm control is enabled both broadcast and multicast storm control are also enabled using the threshold value set by the unknown unicast storm control command Command Attributes Port Port number Range 1 26 50 Type Indicates the port type 1000BA...

Page 180: ...e port in a completely unobtrusive manner Command Usage Monitor port speed should match or exceed source port speed otherwise traffic may be dropped from the monitor port All mirror sessions must share the same destination port When mirroring port traffic the target port must be included in the same VLAN as the source port when using MSTP see Spanning Tree Algorithm Configuration on page 3 149 Com...

Page 181: ...urce port the traffic type to be mirrored and the monitor port then click Add Figure 3 83 Mirror Port Configuration CLI Use the interface command to select the monitor port then use the port monitor command to specify the source port and traffic type Console config interface ethernet 1 10 4 167 Console config if port monitor ethernet 1 13 tx 4 191 Console config if ...

Page 182: ...ote VLAN field on this page Default VLAN 1 and switch cluster VLAN 4093 are prohibited 2 Set up the source switch on the RSPAN Configuration page a Specify the mirror session the source port and the traffic type to monitor Rx Tx or Both After entering these items click Add to create an entry in the Sessions table b Specify the mirror session the switch s role Source the RSPAN VLAN and the uplink p...

Page 183: ... learning is not supported on RSPAN uplink ports when RSPAN is enabled on the switch Therefore even if spanning tree is enabled after RSPAN has been configured MAC address learning will still not be re started on the RSPAN uplink ports IEEE 802 1X RSPAN and 802 1X are mutually exclusive functions When 802 1X is enabled globally RSPAN uplink ports cannot be configured even though RSPAN source and d...

Page 184: ...o which it has been assigned Tag Specifies whether or not the traffic exiting the destination port to the monitoring device carries the RSPAN VLAN tag Remote VLAN The VLAN to which traffic mirrored from the source port will be flooded The VLAN specified in this field must first be reserved for the RSPAN application using the VLAN Static List see page 3 177 Uplink Port A port on any switch particip...

Page 185: ...he interface command to select the monitor port then use the port monitor command to specify the source port and traffic type Console config vlan database 4 230 Console config vlan vlan 2 media ethernet rspan 4 231 Console config vlan exit Console config rspan session 1 source interface ethernet 1 2 4 194 Console config rspan session 1 remote vlan 2 source uplink ethernet 1 26 4 196 Console config...

Page 186: ... changes Rate Limit Configuration Use the rate limit configuration pages to apply rate limiting Command Usage Input and output rate limits can be enabled or disabled for individual interfaces Command Attributes Port Trunk Displays the port trunk number Rate Limit Status Enables or disables the rate limit Default Disabled Rate Limit Sets the rate limit level Range 1 to 1000 Mbps Web Click Port Rate...

Page 187: ...b layer Received Broadcast Packets The number of packets delivered by this sub layer to a higher sub layer which were addressed to a broadcast address at this sub layer Received Discarded Packets The number of inbound packets which were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher layer protocol One possible reason for discarding suc...

Page 188: ...articular interface fails due to an internal MAC sublayer transmit error Multiple Collision Frames A count of successfully transmitted frames for which transmission is inhibited by more than one collision Carrier Sense Errors The number of times that the carrier sense condition was lost or never asserted when attempting to transmit a frame SQE Test Errors A count of times that the SQE TEST ERROR m...

Page 189: ...er of frames received that were longer than 1518 octets excluding framing bits but including FCS octets and were otherwise well formed Fragments The total number of frames received that were less than 64 octets in length excluding framing bits but including FCS octets and had either an FCS or alignment error 64 Bytes Frames The total number of frames including bad packets received and transmitted ...

Page 190: ...ing the Switch 3 144 3 Web Click Port Port Statistics Select the required interface and click Query You can also use the Refresh button at the bottom of the page to update the screen Figure 3 86 Port Statistics ...

Page 191: ...rrors 0 FCS errors 0 Single Collision frames 0 Multiple collision frames 0 SQE Test errors 0 Deferred transmissions 0 Late collisions 0 Excessive collisions 0 Internal mac transmit errors 0 Internal mac receive errors 0 Frame too longs 0 Carrier sense errors 0 Symbol errors 0 RMON stats Drop events 0 Octets 4422579 Packets 31552 Broadcast pkts 238 Multi cast pkts 17033 Undersize pkts 0 Oversize pk...

Page 192: ...ress will be ignored and will not be written to the address table Command Attributes Static Address Counts8 The number of manually configured addresses Current Static Address Table Lists all the static addresses Interface Port or trunk associated with the device assigned a static address MAC Address Physical address of a device mapped to this interface VLAN ID of configured VLAN 1 4094 Web Click A...

Page 193: ...nterface Indicates a port or trunk MAC Address Physical address associated with this interface VLAN ID of configured VLAN 1 4094 Address Table Sort Key You can sort the information displayed based on MAC address VLAN or interface port or trunk Dynamic Address Counts The number of addresses dynamically learned Current Dynamic Address Table Lists all the dynamic addresses Web Click Address Table Dyn...

Page 194: ...learned entry is discarded Range 10 630 seconds Default 300 seconds Web Click Address Table Address Aging Specify the new aging time click Apply Figure 3 89 Setting the Address Aging Time CLI This example sets the aging time to 300 seconds Console show mac address table interface ethernet 1 1 4 201 Interface Mac Address Vlan Type Eth 1 1 00 17 7C 48 82 93 1 Delete on reset Eth 1 1 00 17 7C 94 34 D...

Page 195: ... incurs the lowest path cost when forwarding a packet from that LAN to the root device All ports connected to designated bridging devices are assigned as designated ports After determining the lowest cost spanning tree it enables all root ports and designated ports and disables all other ports Network packets are therefore only forwarded between root ports and designated ports eliminating any poss...

Page 196: ...ilds a Internal Spanning Tree IST for the Region containing all commonly configured MSTP bridges An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers including the Region Name Revision Level and Configuration Digest see Configuring Multiple Spanning Trees on page 3 165 An MST Region may contain multiple MSTP Instances An Internal Spanning Tre...

Page 197: ...uration message becomes the designated port for the attached LAN If it is a root port a new root port is selected from among the device ports attached to the network References to ports in this section mean interfaces which includes both ports and trunks Hello Time Interval in seconds at which the root device transmits a configuration message Forward Delay The maximum time in seconds the root devi...

Page 198: ...ted ports should receive configuration messages at regular intervals If the root port ages out STA information provided in the last configuration message a new root port is selected from among the device ports attached to the network References to ports in this section means interfaces which includes both ports and trunks Root Forward Delay The maximum time in seconds this device will wait before ...

Page 199: ...onsole show spanning tree 4 223 Spanning tree information Spanning Tree Mode RSTP Spanning Tree Enabled Disabled Enabled Instance 0 VLANs Configuration 1 4094 Priority 32768 Bridge Hello Time sec 2 Bridge Max Age sec 20 Bridge Forward Delay sec 15 Root Hello Time sec 2 Root Max Age sec 20 Root Forward Delay sec 15 Max Hops 20 Remaining Hops 20 Designated Root 32768 00177CF8D8C6 Current Root Port 1...

Page 200: ... Tree Protocol MSTP generates a unique spanning tree for each instance This provides multiple pathways across the network thereby balancing the traffic load preventing wide scale disruption when a bridge node in a single instance fails and allowing for faster convergence of a new topology for the failed instance To allow multiple spanning trees to operate over the network you must configure a rela...

Page 201: ...the designated port for the attached LAN If it is a root port a new root port is selected from among the device ports attached to the network References to ports in this section mean interfaces which includes both ports and trunks Default 20 Minimum The higher of 6 or 2 x Hello Time 1 Maximum The lower of 40 or 2 x Forward Delay 1 Forward Delay The maximum time in seconds this device will wait bef...

Page 202: ...switch can be assigned Configuration Digest An MD5 signature key that contains the VLAN ID to MST ID mapping table In other words this key is a mapping of all VLANs to the CIST Region Revision10 The revision for this MSTI Range 0 65535 Default 0 Region Name10 The name for this MSTI Maximum length 32 characters Maximum Hop Count The maximum number of hops allowed in the MST region before a BPDU is ...

Page 203: ...Spanning Tree Algorithm Configuration 3 157 3 Web Click Spanning Tree STA Configuration Modify the required attributes and click Apply Figure 3 91 Configuring Spanning Tree ...

Page 204: ... no other STA device attached to this segment the port with the smaller ID forwards packets and the other is discarding All ports are discarding when the switch is booted then some of them change state to learning and then to forwarding Forward Transitions The number of times this port has transitioned from the Learning state to the Forwarding state Designated Cost The cost for a packet to travel ...

Page 205: ...n on page 3 161 Oper Edge Port This parameter is initialized to the setting for Admin Edge Port in STA Port Configuration on page 3 161 i e true or false but will be set to false if a BPDU is received indicating that another bridge is attached to this port Port Role Roles are assigned according to whether the port is part of the active topology connecting the bridge to the root bridge i e root por...

Page 206: ... has accepted as the root device Fast forwarding This field provides the same information as Admin Edge port and is only included for backward compatibility with earlier products Admin Edge Port You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node Since end nodes cannot cause forwarding loops they can pass directly through to...

Page 207: ...ing Interface Settings for STA on page 3 158 for additional information Discarding Port receives STA configuration messages but does not forward packets Learning Port has transmitted configuration messages for an interval set by the Forward Delay parameter without receiving contradictory information Port address table is cleared and the port begins learning addresses Forwarding Port forwards packe...

Page 208: ... precedence over port priority Range 0 for auto configuration 1 65535 for the short path cost method11 1 200 000 000 for the long path cost method By default the system automatically detects the speed and duplex mode used on each port and configures the path cost according to the values shown below Path cost 0 is used to indicate auto configuration mode When the short path cost method is selected ...

Page 209: ...t of frame flooding required to rebuild address tables during reconfiguration events does not cause the spanning tree to initiate reconfiguration when the interface changes state and also overcomes other STA related timeout problems However remember that Edge Port should only be enabled for ports connected to an end node device Default Disabled Migration If at any time the switch detects STP BPDUs...

Page 210: ...e 3 93 Configuring Spanning Tree per Port CLI This example sets STA attributes for port 7 Console config interface ethernet 1 7 4 167 Console config if spanning tree port priority 0 4 215 Console config if spanning tree cost 50 4 214 Console config if spanning tree link type auto 4 218 Console config if no spanning tree edge port 4 216 Console config if ...

Page 211: ... To use multiple spanning trees 1 Set the spanning tree type to MSTP STA Configuration page 3 149 2 Enter the spanning tree priority for the selected MST instance MSTP VLAN Configuration 3 Add the VLANs that will share this MSTI MSTP VLAN Configuration Note Note All VLANs are automatically added to the IST Instance 0 To ensure that the MSTI maintains connectivity across the network you must config...

Page 212: ...LAN members to an MSTI instance enter the instance identifier the VLAN identifier and click Add Figure 3 94 Configuring Multiple Spanning Trees CLI This example sets the priority for MSTI 1 and adds VLANs 1 5 to this MSTI Console config spanning tree mst configuration 4 209 Console config mst mst 1 priority 4096 4 211 Console config mstp mst 1 vlan 1 5 4 210 Console config mst ...

Page 213: ...signated Root 32768 1 00177C123123 Current Root Port 0 Current Root Cost 0 Number of Topology Changes 1 Last Topology Change Time sec 5 Transmission Limit 3 Path Cost Method Long Eth 1 1 Information Admin Status Enabled Role Master State Forwarding External Admin Path Cost 100000 Internal Admin Path Cost 100000 External Oper Path Cost 100000 Internal Oper Path Cost 100000 Priority 128 Designated C...

Page 214: ...in the selected MST instance Command Attributes MST Instance ID Instance identifier to configure Default 0 The other attributes are described under Displaying Interface Settings for STA on page 3 158 Web Click Spanning Tree MSTP Port or Trunk Information Select the required MST instance to display the current spanning tree values Figure 3 95 Displaying MSTP Interface Settings ...

Page 215: ... Age sec 20 Root Forward Delay sec 15 Max Hops 20 Remaining Hops 20 Designated Root 32768 0 00177CF8D8C6 Current Root Port 1 Current Root Cost 100000 Number of Topology Changes 2 Last Topology Change Time sec 158 Transmission Limit 3 Path Cost Method Long Eth 1 1 Information Admin Status Enabled Role Root State Forwarding External Admin Path Cost 100000 Internal Admin Path Cost 100000 External Ope...

Page 216: ...are the same the port with the highest priority i e lowest value will be configured as an active link in the Spanning Tree This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops Where more than one port is assigned the highest priority the port with lowest numeric identifier will be enabled Default 128 Range 0 240 in steps of 16 Ad...

Page 217: ...2 1Q VLAN is a group of ports that can be located anywhere in the network but communicate as though they belong to the same physical segment VLANs help to simplify network management by allowing you to move devices to a new VLAN without having to change any physical connections VLANs can be easily organized to reflect departmental groups such as Marketing or R D usage groups such as e mail or mult...

Page 218: ... path that will carry this traffic to the same VLAN s either manually or dynamically using GVRP However if you want a port on this switch to participate in one or more VLANs but none of the intermediate network devices nor the host at the other end of the connection supports VLANs then you should add this port to the VLAN as an untagged port Note VLAN tagged frames can pass through VLAN aware or V...

Page 219: ...age to all other ports When the message arrives at another switch that supports GVRP it will also place the receiving port in the specified VLANs and pass the message on to all other ports VLAN requirements are propagated in this way throughout the network This allows GVRP compliant devices to be automatically configured for VLAN groups based solely on endstation requests To implement GVRP in a ne...

Page 220: ...e frame When the switch receives a tagged frame it will pass this frame onto the VLAN s indicated by the frame tag However when this switch receives an untagged frame from a VLAN unaware device it first decides where to forward the frame and then inserts a VLAN tag reflecting the ingress port s default VID Enabling or Disabling GVRP Global Setting GARP VLAN Registration Protocol GVRP defines a way...

Page 221: ...ch Maximum Number of Supported VLANs Maximum number of VLANs that can be configured on this switch Web Click VLAN 802 1Q VLAN Basic Information Figure 3 98 Displaying Basic VLAN Information CLI Enter the following command 12 Web Only Console show bridge ext 4 227 Max Support VLAN Numbers 256 Max Support VLAN ID 4094 Extended Multicast Filtering Services No Static Entry Individual Port Yes VLAN Lea...

Page 222: ...ed VLAN 1 4094 Up Time at Creation Time this VLAN was created i e System Up Time Status Shows how this VLAN was added to the switch Dynamic GVRP Automatically learned via GVRP Permanent Added as a static entry Egress Ports Shows all the VLAN port members Untagged Ports Shows the untagged VLAN port members Web Click VLAN 802 1Q VLAN Current Table Select any ID from the scroll down list Figure 3 99 ...

Page 223: ...for management on this system it is not added to the VLAN tag VLAN ID ID of configured VLAN 1 4094 no leading zeroes VLAN Name Name of the VLAN 1 to 32 characters Remote VLAN Reserves this VLAN for RSPAN see Configuring Remote Port Mirroring on page 3 136 Status Web Enables or disables the specified VLAN Enabled VLAN is operational Disabled VLAN is suspended i e does not pass packets State CLI Ena...

Page 224: ... Switch 3 178 3 Web Click VLAN 802 1Q VLAN Static List To create a new VLAN enter the VLAN ID and VLAN name mark the Enable checkbox to activate the VLAN and then click Add Figure 3 100 Configuring a VLAN Static List ...

Page 225: ...9 S Eth1 10 S Eth1 11 S Eth1 12 S Eth1 13 S Eth1 14 S Eth1 15 S Eth1 16 S Eth1 17 S Eth1 18 S Eth1 19 S Eth1 20 S Eth1 21 S Eth1 22 S Eth1 23 S Eth1 24 S Eth1 25 S Eth1 26 S VLAN ID 2 Type Static Name R D Status Active Ports Port Channels VLAN ID 4093 Type Static Name Status Active Ports Port Channels Eth1 1 S Eth1 2 S Eth1 3 S Eth1 4 S Eth1 5 S Eth1 6 S Eth1 7 S Eth1 8 S Eth1 9 S Eth1 10 S Eth1 1...

Page 226: ...of the VLAN 1 to 32 characters Status Enables or disables the specified VLAN Enable VLAN is operational Disable VLAN is suspended i e does not pass packets Port Port identifier Membership Type Select VLAN membership for each interface by marking the appropriate radio button for a port or trunk Tagged Interface is a member of the VLAN All packets transmitted by the port will be tagged that is carry...

Page 227: ... Apply Figure 3 101 Configuring a VLAN Static Table CLI The following example adds tagged and untagged ports to VLAN 2 Console config interface ethernet 1 1 4 167 Console config if switchport allowed vlan add 2 tagged 4 236 Console config if exit Console config interface ethernet 1 2 Console config if switchport allowed vlan add 2 untagged Console config if exit Console config interface ethernet 1...

Page 228: ... Membership by Port Select an interface from the scroll down box Port or Trunk Click Query to display membership information for the interface Select a VLAN ID and then click Add to add the interface as a tagged member or click Remove to remove the interface After configuring VLAN membership for each interface click Apply Figure 3 102 VLAN Static Membership by Port CLI This example adds Port 3 to ...

Page 229: ...cluding tagged or untagged frames or only tagged frames When set to receive all frame types any received frames that are untagged are assigned to the default VLAN Options All Tagged Default All Ingress Filtering Determines how to process frames tagged for VLANs for which the ingress port is not a member Default Disabled Ingress filtering only affects tagged frames If ingress filtering is disabled ...

Page 230: ...port transmits tagged frames that identify the source VLAN Note that frames belonging to the port s default VLAN i e associated with the PVID are also transmitted as tagged frames Hybrid Specifies a hybrid VLAN interface The port may transmit tagged or untagged frames Also note that this is the only port type that can participate in RSPAN see Configuring Remote Port Mirroring on page 3 136 Trunk M...

Page 231: ...provider s network even when they use the same customer specific VLAN IDs QinQ tunneling expands VLAN space by using a VLAN in VLAN hierarchy preserving the customer s original tagged packets and adding SPVLAN tags to each frame also called double tagging A port configured to support QinQ tunneling must be set to tunnel port mode The Service Provider VLAN SPVLAN ID for the specific customer must b...

Page 232: ...PVLAN into the packet based on the default VLAN ID and Tag Protocol Identifier TPID that is the ether type of the tag This outer tag is used for learning and switching packets The priority of the inner tag is copied to the outer tag if it is a tagged or priority tagged packet 2 After successful source and destination lookup the ingress process sends the packet to the switching process with two tag...

Page 233: ...bled If ingress filtering is not enabled the packet will still be forwarded If the VLAN is not listed in the VLAN table the packet will be dropped 4 After successful source and destination lookup the packet is double tagged The switch uses the TPID of 0x8100 to indicate that an incoming packet is double tagged If the outer tag of an incoming double tagged packet is equal to the port TPID and the i...

Page 234: ...ed to as an SPVLAN see Creating VLANs on page 3 177 4 Configure the QinQ tunnel access port to 802 1Q Tunnel mode see Adding an Interface to a QinQ Tunnel on page 3 189 5 Configure the QinQ tunnel access port to join the SPVLAN as an untagged member see Adding Static Members to VLANs VLAN Index on page 3 180 6 Configure the SPVLAN ID as the native VID on the QinQ tunnel access port see Configuring...

Page 235: ...LI This example sets the switch to operate in QinQ mode Adding an Interface to a QinQ Tunnel Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch Command Usage Use the VLAN Port Configuration or VLAN Trunk Configuration screen to set the access port on the edge switch to 802 1Q Tunnel mode Use the 802 1Q Tunnel Configuration screen to set the switch to QinQ mode bef...

Page 236: ...Q tunneling QinQ for a client access port to segregate and preserve customer VLAN IDs for traffic crossing the service provider network 802 1Q Tunnel Uplink Configures IEEE 802 1Q tunneling QinQ for an uplink port to another device within the service provider network Trunk Member Shows if a port is a member or a trunk Web Click VLAN 802 1Q VLAN 802 1Q Tunnel Configuration or Tunnel Trunk Configura...

Page 237: ...sole show dot1q tunnel 4 242 Current double tagged status of the system is Enabled The dot1q tunnel mode of the set interface 1 1 is Access mode TPID is 0x9100 The dot1q tunnel mode of the set interface 1 2 is Uplink mode TPID is 0x8100 The dot1q tunnel mode of the set interface 1 3 is Normal mode TPID is 0x8100 The dot1q tunnel mode of the set interface 1 4 is Normal mode TPID is 0x8100 The dot1q...

Page 238: ... shown below When traffic segmentation is disabled all ports operate in normal forwarding mode based on the settings specified by other functions such as VLANs and spanning tree protocol Configuring Global Settings for Traffic Segmentation Use the Traffic Segmentation Link Status page to enable traffic segmentation Command Attributes Traffic Segmentation Status Enables port based traffic segmentat...

Page 239: ...ick VLAN Traffic Segmentation Link Status Mark the ports that will serve as uplinks and downlinks then click Apply Figure 3 107 Traffic Segmentation Link Status CLI This configures port 3 as an uplink and port 5 and 6 as downlinks Console config pvlan 4 243 Console config exit Console show pvlan 4 244 Private VLAN status Enabled Up link Port Down link Port Console Console config pvlan up link ethe...

Page 240: ...ciated groups follow these steps 1 Use the Private VLAN Configuration menu page 3 195 to designate one or more community VLANs and the primary VLAN that will channel traffic outside of the VLAN groups 2 Use the Private VLAN Association menu page 3 196 to map the secondary i e community VLAN s to the primary VLAN 3 Use the Private VLAN Port Configuration menu page 3 198 to set the port type to prom...

Page 241: ...nly pass through port 3 Configuring Private VLANs The Private VLAN Configuration page is used to create remove primary or community VLANs Command Attributes VLAN ID ID of configured VLAN 2 4094 Type There are three types of private VLANs Primary VLANs Conveys traffic between promiscuous ports and to community ports within secondary or community VLANs Community VLANs Conveys traffic between communi...

Page 242: ...ociated with a primary VLAN Command Attributes Primary VLAN ID ID of primary VLAN 2 4094 Association Community VLANs associated with the selected primary VLAN Non Association Community VLANs not associated with the selected VLAN Web Click VLAN Private VLAN Association Select the required primary VLAN from the scroll down box highlight one or more community VLANs in the Non Association list box and...

Page 243: ... is an isolated port that can only communicate with the lone promiscuous port within its own isolated VLAN Promiscuous A promiscuous port can communicate with all the interfaces within a private VLAN Primary VLAN Conveys traffic between promiscuous ports and between promiscuous ports and community ports within the associated secondary VLANs Community VLAN A community VLAN conveys traffic between c...

Page 244: ...ot assigned to a private VLAN Host The port is a community port A community port can communicate with other ports in its own community VLAN and with designated promiscuous port s Promiscuous A promiscuous port can communicate with all interfaces within a private VLAN Primary VLAN Conveys traffic between promiscuous ports and between promiscuous ports and community ports within the associated secon...

Page 245: ...ent VLANs in order to encompass all the devices participating in a specific protocol This kind of configuration deprives users of the basic benefits of VLANs including security and easy accessibility To avoid these problems you can configure this switch with protocol based VLANs that divide the physical network into logical VLAN groups for each required protocol When a frame is received at a port ...

Page 246: ...1 2147483647 Frame Type Choose either Ethernet RFC 1042 or LLC Other as the frame type used by this protocol Protocol Type Specifies the protocol type to match The available options are IP ARP RARP and user defined 0801 FFFF hexadecimal If LLC Other is chosen for the Frame Type the only available Protocol Type is IPX Raw Note Traffic which matches IP Protocol Ethernet Frames is mapped to the VLAN ...

Page 247: ... into the associated VLAN When a frame enters a port that has been assigned to a protocol VLAN it is processed in the following manner If the frame is tagged it will be processed according to the standard rules applied to tagged frames If the frame is untagged and the protocol type matches the frame is forwarded to the appropriate VLAN If the frame is untagged but the protocol type does not match ...

Page 248: ... 3 114 Protocol VLAN Port Configuration CLI The following maps the traffic entering Port 1 which matches the protocol type specified in protocol group 2 to VLAN 2 Console config interface ethernet 1 1 4 167 Console config if protocol vlan protocol group 3 vlan 2 4 251 Console config if ...

Page 249: ...y the default port priority for each interface on the switch All untagged packets entering the switch are tagged with the specified default port priority and then sorted into the appropriate priority queue at the output port Command Usage This switch provides four priority queues for each port It uses Weighted Round Robin to prevent head of queue blockage The default priority applies for an untagg...

Page 250: ... interface ethernet 1 3 4 167 Console config if switchport priority default 5 4 283 Console config if end Console show interfaces switchport ethernet 1 3 4 177 Information of Eth 1 3 Broadcast Threshold Enabled 500 packets second Multicast Threshold Disabled Unknown Unicast Threshold Disabled LACP Status Disabled Ingress Rate Limit Disabled 1000 Mbits per second Egress Rate Limit Disabled 1000 Mbi...

Page 251: ...priority levels to the switch s output queues in any way that benefits application traffic for your own network Command Attributes Priority CoS value Range 0 7 where 7 is the highest priority Traffic Class15 Output queue buffer Range 0 3 where 3 is the highest CoS priority queue Note Mapping specific values for CoS priorities is implemented as an interface command but any changes will apply to the...

Page 252: ...to change the CoS assignments Mapping specific values for CoS priorities is implemented as an interface configuration command but any changes will apply to the all interfaces on the switch Console config interface ethernet 1 1 4 167 Console config if queue cos map 0 0 4 285 Console config if queue cos map 1 1 Console config if queue cos map 2 2 Console config if end Console show queue cos map ethe...

Page 253: ...eue weighted 8 will be allowed to transmit up to 8 packets after which the next lower priority queue will be serviced according to it s weighting This prevents the head of line blocking that can occur with strict priority queuing Command Attributes WRR Weighted Round Robin shares bandwidth at the egress ports by using scheduling weights with default values of 1 2 4 8 for queues 0 through 3 respect...

Page 254: ...d for service and subsequently affects the response time for software applications assigned a specific priority value Command Attributes Interface Selects a port or trunk as an interface WRR Setting Table16 Displays a list of weights for each traffic class i e queue Weight Value Set a new weight for the selected traffic class Range 1 15 Web Click Priority Queue Scheduling Select the required inter...

Page 255: ...o the output queues in the following manner The precedence for priority mapping is IP Port Priority IP Precedence or DSCP Priority and then Default Port Priority IP Precedence and DSCP Priority cannot both be enabled Enabling one of these priority types will automatically disable the other Selecting IP Precedence DSCP Priority The switch allows you to choose between using IP Precedence or DSCP pri...

Page 256: ...n types ToS bits are defined in the following table Command Attributes IP Precedence Priority Table Shows the IP Precedence to CoS map Class of Service Value Maps a CoS value to the selected IP Precedence value Note that 0 represents low priority and 7 represent high priority Web Click Priority IP Precedence Priority Select an entry from the IP Precedence Priority Table enter a value in the Class ...

Page 257: ...ces will not conflict with the DSCP mapping Based on network policies different kinds of traffic can be marked for different kinds of forwarding The DSCP default values are defined in the following table Note that all the DSCP values that are not specified are mapped to CoS value 0 Console config map ip precedence 4 289 Console config interface ethernet 1 1 4 167 Console config if map ip precedenc...

Page 258: ...P Priority Values CLI The following example globally enables DSCP Priority service on the switch maps DSCP value 0 to CoS value 1 on port 1 and then displays the DSCP Priority settings Mapping specific values for IP DSCP is implemented as an interface configuration command but any changes will apply to the all interfaces on the switch Console config map ip dscp 4 290 Console config interface ether...

Page 259: ...e IP port to CoS map IP Port Number TCP UDP Set a new IP port number Class of Service Value Sets a CoS value for a new IP port Note that 0 represents low priority and 7 represent high priority Note Up to 8 entries can be specified IP Port Priority settings apply to all interfaces Web Click Priority IP Port Priority Status Set IP Port Priority Status to Enabled Figure 3 122 IP Port Priority Status ...

Page 260: ...nt to packets in the same class Class information can be assigned by end hosts or switches or routers along the path Priority can then be assigned based on a general policy or a detailed examination of the packet However note that detailed examination of packets should take place close to the network edge so that core switches and routers are not overloaded Switches and routers along the path can ...

Page 261: ...the Class Map page and click Add Class When the Class Configuration page opens fill in the Class Name field and click Add When the Match Class Settings page opens specify type of traffic for this class based on an access list a DSCP or IP Precedence value or a VLAN and click the Add button next to the field for the selected traffic criteria You can specify up to 16 items to match when assigning in...

Page 262: ...dd Adds the specified class Back Returns to previous page with making any changes Match Class Settings Class Name List of class maps ACL List Name of an access control list Any type of ACL can be specified including standard or extended IP ACLs and MAC ACLs Range 1 16 characters IP DSCP A DSCP value Range 0 63 IP Precedence An IP Precedence value Range 0 7 VLAN A VLAN Range 1 4094 Add Adds specifi...

Page 263: ...les to change the rules of an existing class Figure 3 124 Configuring Class Maps CLI This example creates a class map call rd class and sets it to match packets marked for DSCP service value 3 Console config class map rd_class match any 4 296 Console config cmap match ip dscp 3 4 297 Console config cmap ...

Page 264: ...L Also note that the maximum number of classes that can be applied to a policy map is 16 Policing is based on a token bucket where bucket depth i e the maximum burst before the bucket overflows is by specified the Burst field and the average rate tokens are removed from the bucket is by specified by the Rate option After using the policy map to define packet classification service tagging and band...

Page 265: ...ass map Action Configures the service provided to ingress traffic by setting a CoS DSCP or IP Precedence value in a matching packet as specified in Match Class Settings on page 3 215 Range CoS 0 7 DSCP 0 63 IP Precedence 0 7 Meter Check this to define the maximum throughput burst rate and the action that results from a policy violation Rate kbps Rate in kilobits per second Range 1 100000 kbps or m...

Page 266: ...h 3 220 3 Web Click QoS DiffServ Policy Map to display the list of existing policy maps To add a new policy map click Add Policy To configure the policy rule settings click Edit Classes Figure 3 125 Configuring Policy Maps ...

Page 267: ... interface The current firmware does not allow you to bind a policy map to an egress queue Command Attributes Ports Specifies a port Ingress Applies the rule to ingress traffic Enabled Check this to enable a policy map on the specified port Policy Map Select the appropriate policy map from the scroll down box Web Click QoS DiffServ Service Policy Settings Check Enabled and choose a Policy Map for ...

Page 268: ...hat want to join a multicast group and set its filters accordingly If there is no multicast router attached to the local subnet multicast traffic and query messages may not be received by the switch In this case Layer 2 IGMP Query can be used to actively ask the attached hosts if they want to receive a specific multicast service IGMP Query thereby identifies the ports containing hosts requesting t...

Page 269: ...In this case traffic is filtered from sources in the Exclude list and forwarded from all other available sources Notes 1 When the switch is configured to use IGMPv3 snooping the snooping version may be downgraded to version 2 or version 1 depending on the version of the IGMP query packets detected on each VLAN 2 IGMP snooping will not function unless a multicast router port is enabled on the switc...

Page 270: ...uter or multicast enabled switch can periodically ask their hosts if they want to receive multicast traffic If there is more than one router switch on the LAN performing IP multicasting one of these devices is elected querier and assumes the role of querying the LAN for group members It then propagates the service requests on to any upstream multicast switch router to ensure that it will continue ...

Page 271: ...he frequency at which the switch sends IGMP host query messages Range 60 125 seconds Default 125 IGMP Report Delay Sets the time between receiving an IGMP Report for an IP multicast address on a port before the switch sends an IGMP Query out of that port and removes the entry from its list Range 5 25 seconds Default 10 IGMP Query Timeout The time the switch waits after the previous querier stops b...

Page 272: ...ected to the interface Therefore immediate leave should only be enabled on an interface if it is connected to only one IGMP enabled device either a service host or a neighbor running IGMP snooping Immediate leave is only effective if IGMP snooping is enabled and IGMPv2 or IGMPv3 snooping is used Immediate leave does not apply to a port if the switch has learned that a multicast router is attached ...

Page 273: ...Immediate Leave CLI This example enables IGMP immediate leave for VLAN 1 and then displays the current IGMP snooping status Console config interface vlan 1 Console config if ip igmp snooping immediate leave 4 308 Console config if end Console show ip igmp snooping 4 307 Service Status Enabled Querier Status Disabled Leave proxy status Enabled Query Count 2 Query Interval 125 sec Query Max Response...

Page 274: ...ched to a neighboring multicast router switch for each VLAN ID Command Attributes VLAN ID ID of configured VLAN 1 4094 Multicast Router List Multicast routers dynamically discovered by this switch or those that are statically assigned to an interface on this switch Web Click IGMP Snooping Multicast Router Port Information Select the required VLAN ID from the scroll down list to display the associa...

Page 275: ...or Trunk scroll down list VLAN ID Selects the VLAN to propagate all multicast traffic coming from the attached multicast router Port or Trunk Specifies the interface attached to a multicast router Web Click IGMP Snooping Static Multicast Router Port Configuration Specify the interfaces attached to a multicast router indicate the VLAN which will forward all the corresponding multicast traffic and t...

Page 276: ...cast service Web Click IGMP Snooping IP Multicast Registration Table Select a VLAN ID and the IP address for a multicast service from the scroll down lists The switch will display all the interfaces that are propagating this multicast service Figure 3 131 IP Multicast Registration Table CLI This example displays all the known multicast services supported on VLAN 1 along with the ports propagating ...

Page 277: ... interface in a specific VLAN the corresponding traffic can only be forwarded to ports within that VLAN Command Attributes Interface Activates the Port or Trunk scroll down list VLAN ID Selects the VLAN to propagate all multicast traffic coming from the attached multicast router switch Range 1 4094 Multicast IP The IP address for a specific multicast service Port or Trunk Specifies the interface a...

Page 278: ...ed as normal If a requested multicast group is denied the IGMP join report is dropped IGMP throttling sets a maximum number of multicast groups that a port can join at the same time When the maximum number of groups is reached on a port the switch can take one of two actions either deny or replace If the action is set to deny any new IGMP join reports will be dropped If the action is set to replac...

Page 279: ...Command Usage Each profile has only one access mode either permit or deny When the access mode is set to permit IGMP join reports are processed when a multicast group falls within the controlled range When the access mode is set to deny IGMP join reports are only processed when a multicast group is not in the controlled range Command Attributes Profile ID Selects an existing profile number to conf...

Page 280: ... start and end of the range Click the Add button to add a range to the current list Current Multicast Address Range List Lists multicast groups currently included in the profile Select an entry and click the Remove button to delete it from the list Web Click IGMP Snooping IGMP Filter Profile Configuration Select the profile number you want to configure then click Query to display the current setti...

Page 281: ...join reports will be dropped If the action is set to replace the switch randomly removes an existing group and replaces it with the new multicast group Command Attributes Profile Selects an existing profile number to assign to an interface Max Multicast Groups Sets the maximum number of multicast groups an interface can join at the same time Range 0 256 Default 256 Current Multicast Groups Display...

Page 282: ...rrent IGMP filtering and throttling settings for the interface are then displayed Console config interface ethernet 1 1 Console config if ip igmp filter 19 4 318 Console config if ip igmp max groups 10 4 319 Console config if ip igmp max groups action replace 4 320 Console config if end Console show ip igmp filter interface ethernet 1 1 4 320 Information of Eth 1 1 IGMP Profile 19 deny range 239 1...

Page 283: ...n though common multicast streams are passed onto different VLAN groups from the MVR VLAN users in different IEEE 802 1Q or private VLANs cannot exchange any information except through upper level routing services General Configuration Guidelines for MVR 1 Enable MVR globally on the switch select the MVR VLAN and add the multicast groups that will stream traffic to attached hosts see Configuring G...

Page 284: ...receive data from that multicast group Default Disabled MVR Running Status Indicates whether or not all necessary conditions in the MVR environment are satisfied Running status is true as long as MVR Status is enabled and the specified MVR VLAN exists MVR VLAN Identifier of the VLAN that serves as the channel for streaming multicast services using MVR MVR source ports should be configured as membe...

Page 285: ...at will stream traffic to attached hosts and then click Apply Figure 3 136 MVR Global Configuration CLI This example first enables IGMP snooping enables MVR globally and then configures a range of MVR group addresses Console config ip igmp snooping 4 306 Console config mvr 4 323 Console config mvr group 228 1 23 1 10 4 323 Console config ...

Page 286: ... if there are subscribers receiving multicast traffic from one of the MVR groups or a multicast group has been statically assigned to an interface Immediate Leave Shows if immediate leave is enabled or disabled Trunk Member17 Shows if port is a trunk member Web Click MVR Port or Trunk Information Figure 3 137 MVR Port Information CLI This example shows information about interfaces attached to the ...

Page 287: ...d through the MVR VLAN Web Click MVR Group IP Information Figure 3 138 MVR Group IP Information CLI This example following shows information about the interfaces associated with multicast groups assigned to the MVR VLAN Console show mvr interface 4 326 MVR Group IP Status Members 225 0 0 1 ACTIVE eth1 1 d eth1 2 s 225 0 0 2 INACTIVE None 225 0 0 3 INACTIVE None 225 0 0 4 INACTIVE None 225 0 0 5 IN...

Page 288: ...ch have been statically assigned see Assigning Static Multicast Groups to Interfaces on page 3 244 Immediate leave applies only to receiver ports When enabled the receiver port is immediately removed from the multicast group identified in the leave message When immediate leave is disabled the switch follows the standard rules by sending a group specific query to the receiver port and waiting for a...

Page 289: ...d as an MVR receiver Trunk18 Shows if port is a trunk member Web Click MVR Port or Trunk Configuration Figure 3 139 MVR Port Configuration CLI This example configures an MVR source port and receiver port and then enables immediate leave on the receiver port 18 Port Information only Console config interface ethernet 1 1 Console config if mvr type source 4 325 Console config if exit Console config i...

Page 290: ... of 224 0 0 x Command Attributes Interface Indicates a port or trunk Member Shows the IP addresses for MVR multicast groups which have been statically assigned to the selected interface Non Member Shows the IP addresses for all MVR multicast groups which have not been statically assigned to the selected interface Web Click MVR Group Member Configuration Select a port or trunk from the Interface fi...

Page 291: ...ential order If there is no domain list the default domain name is used If there is a domain list the default domain name is not used When an incomplete host name is received by the DNS service on this switch and a domain name list has been specified the switch will work through the domain list appending each domain name in the list to the host name and checking with the specified name servers for...

Page 292: ...d a domain list However remember that if a domain list is specified the default domain name is not used Console config ip domain name sample com 4 330 Console config ip domain list sample com uk 4 331 Console config ip domain list sample com jp Console config ip name server 192 168 1 55 10 1 0 55 4 332 Console config ip domain lookup 4 333 Console show dns 4 334 Domain Lookup Status DNS enabled De...

Page 293: ...sewhere on the network Servers or other network devices may support one or more connections via multiple IP addresses If more than one IP address is associated with a host name in the static table or via information returned from a name server a DNS client can try each address in succession until it establishes a connection with the target device Field Attributes Host Name Name of a host device th...

Page 294: ...ick Apply Figure 3 142 DNS Static Host Table CLI This example maps two address to a host name and then configures an alias host name for the same addresses Console config ip host rd5 192 168 1 55 10 1 0 55 4 329 Console config ip host rd6 10 1 0 55 Console show hosts 4 334 Hostname rd5 Inet address 10 1 0 55 192 168 1 55 Console ...

Page 295: ... an alias IP The IP address associated with this record TTL The time to live reported by the name server Domain The domain name associated with this record Web Select DNS Cache Figure 3 143 DNS Cache CLI This example displays all the resource records learned from the designated name servers Console show dns cache 4 335 NO FLAG TYPE DOMAIN TTL IP 0 4 Address www times com 198 199 239 136 200 1 4 Ad...

Page 296: ...tor through the management station There can be up to 100 candidates and 16 member switches in one cluster A switch can only be a member of one cluster After the Commander and Members have been configured any switch in the cluster can be managed from the web agent by choosing the desired Member ID from the Cluster drop down menu To connect to the Member switch from the Commander CLI prompt use the...

Page 297: ...rs The current number of Member switches in the cluster Number of Candidates The current number of Candidate switches discovered in the network that are available to become Members Web Click Cluster Configuration Figure 3 145 Cluster Configuration CLI This example first enables clustering on the switch sets the switch as the cluster Commander and then configures the cluster IP pool Console config ...

Page 298: ...e Table or enter a specific MAC address of a known switch Web Click Cluster Member Configuration Figure 3 146 Cluster Member Configuration CLI This example creates a new cluster Member by specifying the Candidate switch MAC address and setting a Member ID Console config cluster member mac address 00 00 00 12 34 56 id 1 4 69 Console config exit Console show cluster candidates 4 71 Cluster Candidate...

Page 299: ... IP Address The internal cluster IP address assigned to the Member switch MAC Address The MAC address of the Member switch Description The system description string of the Member switch Web Click Cluster Member Information Figure 3 147 Cluster Member Information CLI This example shows information about cluster Member switches Console show cluster members 4 71 Cluster Members ID 1 Role Active membe...

Page 300: ...Indicates the current status of Candidate switches in the network MAC Address The MAC address of the Candidate switch Description The system description string of the Candidate switch Web Click Cluster Candidate Information Figure 3 148 Cluster Candidate Information CLI This example shows information about cluster Candidate switches Console show cluster candidates 4 71 Cluster Candidates Role Mac ...

Page 301: ... the console prompt enter the user name and password The default user names are admin and guest with corresponding passwords of admin and guest When the administrator user name and password is entered the CLI displays the Console prompt and enters privileged access mode i e Privileged Exec But when the guest user name and password is entered the CLI displays the Console prompt and enters normal ac...

Page 302: ... isolated network then you can use any IP address that matches the network segment to which you are attached After you configure the switch with an IP address you can open a Telnet session by performing these steps 1 From the remote host enter the Telnet command and the IP address of the device you want to access 2 At the prompt enter the user name and system password The CLI will display the Vty ...

Page 303: ...how startup config To enter commands that require parameters enter the required parameters after the command keyword For example to set a password for the administrator enter Console config username admin password 0 smith Minimum Abbreviation The CLI will accept a minimum number of characters that uniquely identify a command For example the command configure can be entered as con If an entry is am...

Page 304: ...stics line TTY line information lldp LLDP log Login records logging Login setting mac MAC access list mac address table Configuration of the address table management Management IP filter map Maps priority mvr Show mvr interface information network access Shows the entries of the secure port policy map Display policy maps port Port characteristics port channel Port Channel privilege Shows current p...

Page 305: ...the effect of a command or reset the configuration to the default value For example the logging command will log system messages to a host server To disable logging specify the no logging command This guide describes the negation effect for all applicable commands Using Command History The CLI maintains a history of commands that have been entered You can scroll back through the history of command...

Page 306: ...limited number of the commands are available in this mode You can access all commands only from the Privileged Exec command mode or administrator mode To access Privilege Exec mode open a new console session with the user name and password admin The system will now display the Console command prompt You can also enter Privileged Exec mode from within Normal Exec mode by entering the enable command...

Page 307: ...e Interface Configuration These commands modify the port configuration such as speed duplex and negotiation Line Configuration These commands modify the console port and Telnet configuration and include command such as parity and databits Multiple Spanning Tree Configuration These commands configure settings for the selected multiple spanning tree instance Policy Map Configuration Creates a DiffSe...

Page 308: ...ntrol List access list ip standard access list ip extended access list mac Console config std acl Console config ext acl Console config mac acl 4 155 4 158 4 162 Class Map class map Console config cmap 4 296 Interface interface ethernet port port channel id vlan id Console config if 4 167 MSTP spanning tree mst configuration Console config mstp 4 209 Policy Map policy map Console config pmap 4 299...

Page 309: ...ine Ctrl B Shifts cursor to the left one character Ctrl C Terminates the current task and displays the command prompt Ctrl E Shifts cursor to end of command line Ctrl F Shifts cursor to the right one character Ctrl K Deletes all characters from the cursor to the end of the line Ctrl L Repeats current command line on a new line Ctrl N Enters the next command line in the history buffer Ctrl P Enters...

Page 310: ...t type 4 155 Interface Configures the connection parameters for all Ethernet ports aggregated links and VLANs 4 167 Link Aggregation Statically groups multiple ports into a single logical trunk configures Link Aggregation Control Protocol for port trunks 4 180 Mirror Port Mirrors data to another port for analysis without affecting the data passing through or the performance of the monitored port 4...

Page 311: ...unction Mode Page enable Activates privileged mode NE 4 12 disable Returns to normal mode from privileged mode PE 4 12 configure Activates global configuration mode PE 4 13 show history Shows the command history buffer NE PE 4 13 reload Restarts the system PE 4 14 reload Restarts the system at a specified time after a specified delay or at a periodic interval GC 4 14 show reload Displays the curre...

Page 312: ...ormal Exec to Privileged Exec To set this password see the enable password command on page 4 88 The character is appended to the end of the prompt to indicate that the system is in privileged access mode Example Related Commands disable 4 12 enable password 4 88 disable This command returns to Normal Exec mode from privileged mode In normal access mode you can only display basic information on the...

Page 313: ...ing Command Modes on page 4 6 Command Mode Privileged Exec Example Related Commands end 4 16 show history This command shows the contents of the command history buffer Command Mode Normal Exec Privileged Exec Command Usage The history buffer size is fixed at 10 Execution commands and 10 Configuration commands Example In this example the show history command lists the contents of the command histor...

Page 314: ...red in non volatile memory by the copy running config startup config command Example This example shows how to reset the switch reload Global Configuration This command restarts the system at a specified time after a specified delay or at a periodic interval You can reboot the system immediately or you can configure the switch to reset after a specified amount of time Use the cancel option to remo...

Page 315: ...to reload Range 1 31 reload cancel Cancels the specified reload option Default Setting None Command Mode Global Configuration Command Usage This command resets the entire system Any combination of reload options may be specified If the same option is re specified the previous setting will be overwritten When the system is restarted it will always run the Power On Self Test It will also retain all ...

Page 316: ...t Setting Console Command Mode Global Configuration Example end This command returns to Privileged Exec mode Command Mode Global Configuration Interface Configuration Line Configuration VLAN Database Configuration and Multiple Spanning Tree Configuration Example This example shows how to return to the Privileged Exec mode from the Interface Configuration mode Console show reload Reloading switch i...

Page 317: ... then quit the CLI session quit This command exits the configuration program Default Setting None Command Mode Normal Exec Privileged Exec Command Usage The quit and exit commands can both exit the configuration program Example This example shows how to quit a CLI session Console config exit Console exit Press ENTER to start session User Access Verification Username Console quit Press ENTER to sta...

Page 318: ... identification and location 4 19 System Status Displays system configuration active managers and version information 4 28 Frame Size Enables support for jumbo frames 4 34 File Management Manages code image or switch configuration files 4 35 Line Sets communication parameters for the serial port including baud rate and console time out 4 42 Event Logging Controls logging of error messages 4 51 SMT...

Page 319: ...configure dc power info Configures the DC Power information that is displayed by banner GC 4 21 banner configure department Configures the Department information that is displayed by banner GC 4 22 banner configure equipment info Configures the Equipment information that is displayed by banner GC 4 23 banner configure equipment location Configures the Equipment Location information that is display...

Page 320: ...t arrow keys terminate the script The use of the backspace key during script mode is not supported If for example a mistake is made in the company name it can be corrected with the banner configure company command Example Console config banner configure Company Smartlink Network Systems Limited Responsible department R D Dept Name and telephone to Contact the management people Manager1 name Sr Net...

Page 321: ...acters is suggested for situations where white space is necessary for clarity Example banner configure dc power info This command is use to configure DC power information displayed in the banner Use the no form to restore the default setting Syntax banner configure dc power info floor floor id row row id rack rack id electrical circuit ec id no banner configure dc power info floor row rack electri...

Page 322: ...rm to restore the default setting Syntax banner configure department dept name no banner configure company dept name The name of the department Maximum length 32 characters Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces The banner configure department command interprets spaces as data input boundaries The use of underscores _ or other unobt...

Page 323: ...2 characters Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces The banner configure equipment info command interprets spaces as data input boundaries The use of underscores _ or other unobtrusive non letter characters is suggested for situations where white space is necessary for clarity Example banner configure equipment location This command...

Page 324: ...ner Use the no form to restore the default setting Syntax banner configure ip lan ip mask no banner configure ip lan ip mask The IP address and subnet mask of the device Maximum length 32 characters Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces The banner configure ip lan command interprets spaces as data input boundaries The use of unders...

Page 325: ...ce is necessary for clarity Example banner configure manager info This command is used to configure the manager contact information displayed in the banner Use the no form to restore the default setting Syntax banner configure manager info name mgr1 name phone number mgr1 number name2 mgr2 name phone number mgr2 number name3 mgr3 name phone number mgr3 number no banner configure manager info name1...

Page 326: ...ntax banner configure mux muxinfo no banner configure mux muxinfo The circuit and PVC to which the switch is connected Maximum length 32 characters Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces The banner configure mux command interprets spaces as data input boundaries The use of underscores _ or other unobtrusive non letter characters is ...

Page 327: ...ngth 150 characters Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces The banner configure note command interprets spaces as data input boundaries The use of underscores _ or other unobtrusive non letter characters is suggested for situations where white space is necessary for clarity Example show banner This command displays all banner inform...

Page 328: ...k Electrical circuit 3 15 24 48V id_3 15 24 2 Number of LP 4 Position MUX telco 9734212kx_PVC 1 23 IP LAN 216 241 132 3 255 255 255 0 Note ROUTINE_MAINTENANCE_firmware upgrade_0100 0500_GMT 0500_20071022 _20min_network_impact_expected Console Table 4 9 System Status Commands Command Function Mode Page show startup config Displays the contents of the configuration file stored in flash memory that i...

Page 329: ...ion settings for each interface Multiple spanning tree instances name and interfaces Interface settings IP address configured for the switch Any configured settings for the console port and Telnet Example Console show startup config building startup config please wait stackingDB 00 stackingDB stackingMac 01_00 17 7C 12 31 23_01 stackingMac phymap 00 17 7c 12 31 23 SNTP server 0 0 0 0 0 0 0 0 0 0 0...

Page 330: ...ated by symbols and includes the configuration mode command and corresponding commands This command displays the following information Switch s MAC address SNTP server settings Time zone SNMP community strings Users names and access levels VLAN database VLAN ID name and state VLAN configuration settings for each interface Multiple spanning tree instances name and interfaces vlan database VLAN 1 na...

Page 331: ...dinburgh Lisbon London SNMP server community private rw SNMP server community public ro username admin access level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca VLAN database VLAN 1 name DefaultVlan media ethernet state active VLAN 40...

Page 332: ...xec Privileged Exec Command Usage The session used to execute this command is indicated by a symbol next to the Line i e session index number Console show system System Description DG GS1550 System OID String 1 3 6 1 4 1 36293 1 1 1 15 System Information System Up Time 0 days 0 hours 44 minutes and 29 51 seconds System Name NONE System Location NONE System Contact NONE MAC Address Unit1 00 17 7C 0...

Page 333: ...ublic Key admin 15 None guest 0 None steve 15 RSA Online users Line Username Idle time h m s Remote IP addr 0 console admin 0 14 14 1 VTY 0 admin 0 00 00 192 168 1 19 2 SSH 1 steve 0 00 06 192 168 1 19 Web online users Line Remote IP addr Username Idle time h m s 1 HTTP 192 168 1 19 admin 0 00 00 Console Console show version Unit1 Serial Number S123123123 Hardware Version R01A EPLD Version 1 06 Nu...

Page 334: ...bo frames both the source and destination end nodes such as a computer or server must support this feature Also when the connection is operating at full duplex all switches in the network between the two end nodes must be able to accept the extended frame size And for half duplex connections all devices in the collision domain would need to support jumbo frames Enabling jumbo frames will limit the...

Page 335: ...on settings can be uploaded and downloaded to and from an TFTP server The configuration file can be later downloaded to restore switch settings The configuration file can be downloaded under a new file name and then set as the startup file or the current startup configuration file can be specified as the destination file to directly replace it Note that the file Factory_Default_Config cfg can be c...

Page 336: ...tialization tftp Keyword that allows you to copy to from a TFTP server https certificate Copies an HTTPS certificate from an TFTP server to the switch public key Keyword that allows you to copy a SSH key from a TFTP server Secure Shell Commands on page 4 113 Default Setting None Command Mode Privileged Exec Command Usage The system prompts for data required to complete the copy command The destina...

Page 337: ...TP server The following example shows how to upload the configuration settings to a file on the TFTP server The following example shows how to copy the running configuration to a startup file Console copy tftp file TFTP server ip address 10 1 0 19 Choose file type 1 config 2 opcode 1 2 2 Source file name V3 1 16 20 BIX Destination file name V311620 Write to FLASH Programming Write to FLASH finish ...

Page 338: ...up config TFTP server ip address 10 1 0 99 Source configuration file name startup 01 Startup configuration file name startup Write to FLASH Programming Write to FLASH finish Success Console Console copy tftp https certificate TFTP server ip address 10 1 0 19 Source certificate file name SS certificate Source private file name SS private Private password Success Console reload System will be restar...

Page 339: ...guration file from flash memory Related Commands dir 4 39 delete public key 4 117 dir This command displays a list of files in flash memory Syntax dir boot rom config opcode filename The type of file or image to display includes boot rom Boot ROM or diagnostic image file config Switch configuration file opcode Run time operation code image file filename Name of the configuration file or code image...

Page 340: ...e of the file File type File types Boot Rom Operation Code and Config file Startup Shows if this file is used when the system is started Size The length of the file in bytes Console dir File name File type Startup Size byte Unit1 DG GS1550_diag_V1 0 0 5 bix Boot Rom Image Y 1881912 DG GS1550_opcode_V1 4 0 1 bix Operation Code N 3777360 DG GS1550_opcode_V1 4 0 2 bix Operation Code Y 4235464 Factory...

Page 341: ...ig Configuration file opcode Run time operation code filename Name of the configuration file or code image The colon is required Default Setting None Command Mode Global Configuration Command Usage A colon is required after the specified unit number and file type If the file contains an error it cannot be set as the default file Example Related Commands dir 4 39 whichboot 4 40 Console config boot ...

Page 342: ...the command interpreter waits until user input is detected LC 4 45 password thresh Sets the password intrusion threshold which limits the number of failed logon attempts LC 4 46 silent time Sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password thresh command LC 4 47 databits Sets the number of data b...

Page 343: ...thentication is based on the user name specified with the username command Default Setting login local Command Mode Line Configuration Command Usage There are three authentication modes provided by the switch itself at login login selects authentication by a single global password as specified by the password line configuration command When using this method the management interface starts in Norm...

Page 344: ...ode Line Configuration Command Usage When a connection is started on a line with password protection the system prompts for the password If you enter the correct password the system shows a prompt You can use the password thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state The e...

Page 345: ...onnection is terminated for the session This command applies to both the local console and Telnet connections The timeout for Telnet cannot be disabled Using the command without specifying a timeout restores the default setting Example To set the timeout to two minutes enter this command Related Commands silent time 4 47 exec timeout 4 14 exec timeout This command sets the interval that the system...

Page 346: ...mpts Use the no form to remove the threshold value Syntax password thresh threshold no password thresh threshold The number of allowed password attempts Range 1 120 0 no threshold Default Setting The default value is three attempts Command Mode Line Configuration Command Usage When the logon attempt threshold is reached the system interface becomes silent for a specified amount of time before allo...

Page 347: ...onsole response Range 0 65535 0 no silent time Default Setting The default value is no silent time Command Mode Line Configuration Example To set the silent time to 60 seconds enter this command Related Commands password thresh 4 46 databits This command sets the number of data bits per character that are interpreted and generated by the console port Use the no form to restore the default value Sy...

Page 348: ...ds parity 4 48 parity This command defines the generation of a parity bit Use the no form to restore the default setting Syntax parity none even odd no parity none No parity even Even parity odd Odd parity Default Setting No parity Command Mode Line Configuration Command Usage Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting Examp...

Page 349: ...ted to the serial port Some baud rates available on devices connected to the port might not be supported The system indicates if the speed you selected is not supported If you select the auto option the switch will automatically detect the baud rate configured on the attached terminal and adjust the speed accordingly Example To specify 57600 bps enter this command stopbits This command sets the nu...

Page 350: ...fier 0 will disconnect the console connection Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection Example Related Commands show ssh 4 120 show users 4 32 show line This command displays the terminal line s parameters Syntax show line console vty console Console terminal line vty Virtual terminal for remote console access i e Telnet Default Setting Sho...

Page 351: ...Event Logging Commands Command Function Mode Page logging on Controls logging of error messages GC 4 52 logging history Limits syslog messages saved to switch memory based on severity GC 4 53 logging host Adds a syslog server host IP address that will receive logging messages GC 4 54 logging facility Sets the facility type for remote logging of syslog messages GC 4 54 logging trap Limits syslog me...

Page 352: ... Command Usage The logging process controls error messages saved to switch memory or sent to remote syslog servers You can use the logging history command to control the type of error messages that are stored in memory You can use the logging trap command to control the type of error messages that are sent to specified syslog servers Example Related Commands logging history 4 53 logging trap 4 55 ...

Page 353: ...d Mode Global Configuration Command Usage The message level specified for flash memory must be a higher priority i e numerically lower than that specified for RAM Example Table 4 15 Logging Levels Level Severity Name Description 7 debugging Debugging messages 6 informational Informational messages only 5 notifications Normal but significant condition such as cold start 4 warnings Warning condition...

Page 354: ...e facility type for remote logging of syslog messages Use the no form to return the type to the default Syntax no logging facility type type A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service Range 16 23 Default Setting 23 Command Mode Global Configuration Command Usage The command specifies the facility type tag sent in syslog message...

Page 355: ...t Setting Enabled Level 7 0 Command Mode Global Configuration Command Usage Using this command with a specified level enables remote logging and sets the minimum severity level to be saved Using this command without a specified level also enables remote logging but restores the minimum severity level to the default Example clear log This command clears messages from the log buffer Syntax clear log...

Page 356: ...efault Setting None Command Mode Privileged Exec Example The following example shows that system logging is enabled the message level for flash memory is errors i e default level 3 0 the message level for RAM is informational i e default level 7 0 Console show logging flash Syslog logging Enabled History logging in FLASH level errors Console show logging ram Syslog logging Enabled History logging ...

Page 357: ... Enable REMOTELOG Status disable REMOTELOG Facility Type local use 7 REMOTELOG Level Type Debugging messages REMOTELOG Server IP Address 1 2 3 4 REMOTELOG Server IP Address 0 0 0 0 REMOTELOG Server IP Address 0 0 0 0 REMOTELOG Server IP Address 0 0 0 0 REMOTELOG Server IP Address 0 0 0 0 Console Table 4 17 show logging trap display description Field Description Syslog logging Shows if system loggi...

Page 358: ... 01 STA root change notification level 6 module 6 function 1 and event no 1 3 00 00 54 2001 01 01 STA root change notification level 6 module 6 function 1 and event no 1 2 00 00 50 2001 01 01 STA topology change notification level 6 module 6 function 1 and event no 1 1 00 00 48 2001 01 01 VLAN 1 link up notification level 6 module 6 function 1 and event no 1 Console Table 4 18 SMTP Alert Commands ...

Page 359: ...the process at a periodic interval A trap will be triggered if the switch cannot successfully open a connection Example logging sendmail level This command sets the severity threshold used to trigger alert messages Syntax logging sendmail level level level One of the system message levels page 4 53 Messages sent include the selected level down to level 0 Range 0 7 Default 7 Default Setting Level 7...

Page 360: ... the switch Example This example will set the source email john acme com logging sendmail destination email This command specifies the email recipients of alert messages Use the no form to remove a recipient Syntax no logging sendmail destination email email address email address The source email address used in alert messages Range 1 41 characters Default Setting None Command Mode Global Configur...

Page 361: ...onfiguration Example show logging sendmail This command displays the settings for the SMTP event handler Command Mode Normal Exec Privileged Exec Example Console config logging sendmail Console config Console show logging sendmail SMTP servers 1 192 168 1 200 SMTP minimum severity level 4 SMTP destination email addresses 1 geoff acme com SMTP source email address john acme com SMTP status Enabled ...

Page 362: ... to record accurate dates and times for log events Without SNTP the switch only records the time starting from the factory default set at the last bootup i e 00 00 00 Jan 1 2001 This command enables client time requests to time servers specified via the sntp servers command It issues time synchronization requests based on the interval set via the sntp poll command Table 4 19 Time Commands Command ...

Page 363: ...es time servers from which the switch will poll for time updates when set to SNTP client mode The client will poll the time servers in the order specified until a response is received It issues time synchronization requests based on the interval set via the sntp poll command Example Related Commands sntp client 4 62 sntp poll 4 64 show sntp 4 64 Console config sntp server 10 1 0 19 Console config ...

Page 364: ...ntp This command displays the current time and configuration settings for the SNTP client and indicates whether or not the local time has been properly updated Command Mode Normal Exec Privileged Exec Command Usage This command displays the current time the poll interval used for sending time synchronization requests and the current SNTP mode i e unicast Example Console config sntp poll 60 Console...

Page 365: ...he local time zone before east of UTC after utc Sets the local time zone after west of UTC Default Setting None Command Mode Global Configuration Command Usage This command sets the local time zone relative to the Coordinated Universal Time UTC formerly Greenwich Mean Time or GMT based on the earth s prime meridian zero degrees longitude To display a time corresponding to your local time you must ...

Page 366: ... 59 sec Second Range 0 59 day Day of month Range 1 31 month january february march april may june july august september october november december year Year 4 digit Range 2001 2100 Default Setting None Command Mode Privileged Exec Example This example shows how to set the system clock to 15 12 34 April 1st 2004 show calendar This command displays the system clock Default Setting None Command Mode N...

Page 367: ...tically discovers other cluster enabled switches in the network These Candidate switches only become cluster Members when manually selected by the administrator through the management station Note Cluster Member switches can be managed either through a Telnet connection to the Commander or through a web management connection to the Commander When using a console connection from the Commander CLI p...

Page 368: ...switch clusters are maintained across power resets and network changes Example cluster commander This command enables the switch as a cluster Commander Use the no form to disable the switch as cluster Commander Syntax no cluster commander Default Setting Disabled Command Mode Global Configuration Command Usage Once a switch has been configured to be a cluster Commander it automatically discovers o...

Page 369: ...n 1 and 16 Set a Cluster IP Pool that does not conflict with addresses in the network IP subnet Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander You cannot change the cluster IP pool when the switch is currently in Commander mode Commander mode must first be disabled Example cluster member This command c...

Page 370: ...ommander switch Managing cluster Members using the local console CLI on the Commander is not supported There is no need to enter the username and password for access to the Member switch CLI Example show cluster This command shows the switch clustering configuration Command Mode Privileged Exec Example Console config cluster member mac address 00 12 34 56 78 9a id 5 Console config Vty 0 rcommand i...

Page 371: ...he network Command Mode Privileged Exec Example Console show cluster members Cluster Members ID 1 Role Active member IP Address 10 254 254 2 MAC Address 00 17 7c 23 49 c0 Description DIGISOL 10 100 1000 SPORT MANAGE Console Console show cluster candidates Cluster Candidates Role Mac Description ACTIVE MEMBER 00 17 7c 23 49 c0 DIGISOL 10 100 1000 SPORT MANAGE CANDIDATE 00 17 7c 0b 47 a0 DIGISOL 10 ...

Page 372: ...Page General SNMP Commands snmp server Enables the SNMP agent GC 4 73 show snmp Displays the status of SNMP communications NE PE 4 73 snmp server community Sets up the community access string to permit access to SNMP commands GC 4 74 snmp server contact Sets the system contact string GC 4 75 snmp server location Sets the system location string GC 4 75 SNMP Target Host Commands snmp server host Spe...

Page 373: ...onfiguration Example show snmp This command can be used to check the status of SNMP communications Default Setting None Command Mode Normal Exec Privileged Exec Command Usage This command provides information on the community access strings counter information for SNMP input and output protocol data units and whether or not SNMP logging has been enabled with the snmp server enable traps command Co...

Page 374: ...objects Default Setting public Read only access Authorized management stations are only able to retrieve MIB objects private Read write access Authorized management stations are able to both retrieve and modify MIB objects Console show snmp SNMP Agent enabled SNMP traps Authentication enable Link up down enable SNMP communities 1 private and the privilege is read write 2 public and the privilege i...

Page 375: ...ters Default Setting None Command Mode Global Configuration Example Related Commands snmp server location 4 75 snmp server location This command sets the system location string Use the no form to remove the location string Syntax snmp server location text no snmp server location text String that describes the system location Maximum length 255 characters Default Setting None Command Mode Global Co...

Page 376: ... wait for an acknowledgment before resending an inform message Range 0 2147483647 centiseconds Default 1500 centiseconds community string Password like community string sent with the notification operation to SNMP V1 and V2c hosts Although you can set this string using the snmp server host command by itself we recommend that you define this string using the snmp server community command prior to u...

Page 377: ... these effects when deciding whether to issue notifications as traps or informs To send an inform to a SNMPv2c host complete these steps 1 Enable the SNMP agent page 4 73 2 Allow the switch to send SNMP traps i e notifications page 4 78 3 Specify the target host that will receive inform messages with the snmp server host command as described in this section 4 Create a view with the required notifi...

Page 378: ... notifications controlled by this command are sent In order to configure this device to send SNMP notifications you must enter at least one snmp server enable traps command If you enter the command with no keywords both authentication and link up down notifications are enabled If you enter the command with a keyword only the notification type related to that keyword is enabled The snmp server enab...

Page 379: ...play delay and redirection The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets A remote engine ID is required when using SNMPv3 informs See snmp server host on page 4 76 The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host SNMP ...

Page 380: ...the OID string Refer to the examples included Defines an included view excluded Defines an excluded view Default Setting defaultview includes access to the entire MIB tree Command Mode Global Configuration Console show snmp engine id Local SNMP EngineID 8000002a8000000000e8666672 Local SNMP Engine Boots 1 Remote SNMP EngineID IP Address 80000000030004e2b316c54321 192 168 1 19 Console Table 4 22 sh...

Page 381: ...ample Console config snmp server view mib 2 1 3 6 1 2 1 included Console config Console config snmp server view ifEntry 2 1 3 6 1 2 1 2 2 1 2 included Console config Console config snmp server view ifEntry a 1 3 6 1 2 1 2 2 1 1 included Console config Console show snmp view View Name mib 2 Subtree OID 1 2 2 3 6 2 1 View Type included Storage Type permanent Row Status active View Name defaultview S...

Page 382: ...e view for notifications 1 64 characters Default Setting Default groups public20 read only private21 read write readview Every object belonging to the Internet OID space 1 3 6 1 writeview Nothing is defined notifyview Nothing is defined Command Mode Global Configuration Command Usage A group sets the access policy for the assigned users When authentication is selected the MD5 or SHA algorithm is u...

Page 383: ...tive Group Name public Security Model v1 Read View defaultview Write View none Notify View none Storage Type volatile Row Status active Group Name public Security Model v2c Read View defaultview Write View none Notify View none Storage Type volatile Row Status active Group Name private Security Model v1 Read View defaultview Write View defaultview Notify View none Storage Type volatile Row Status ...

Page 384: ... 1 2c or 3 encrypted Accepts the password as encrypted input auth Uses SNMPv3 with authentication md5 sha Uses MD5 or SHA authentication auth password Authentication password Enter as plain text if the encrypted option is not used Otherwise enter an encrypted password A minimum of eight characters is required priv des56 Uses SNMPv3 with privacy with DES56 encryption priv password Privacy password ...

Page 385: ...e user will fail SNMP passwords are localized using the engine ID of the authoritative agent For informs the authoritative SNMP agent is the remote agent You therefore need to configure the remote agent s SNMP engine ID before you can send proxy requests or informs to it Example show snmp user This command shows information on SNMP users Command Mode Privileged Exec Example Console config snmp ser...

Page 386: ...user associated with an SNMP engine on a remote device Table 4 26 Authentication Commands Command Group Function Page User Accounts Configures the basic user names and passwords for management access 4 87 Authentication Sequence Defines logon authentication method and precedence 4 91 RADIUS Client Configures settings for authentication via a RADIUS server 4 93 TACACS Client Configures settings for...

Page 387: ...ivilege levels 0 Normal Exec 15 Privileged Exec nopassword No password is required for this user to log in 0 7 0 means plain password 7 means encrypted password password password The authentication password for the user Maximum length 32 characters plain text 32 encrypted case sensitive Default Setting The default access level is Normal Exec The factory defaults for the user names and passwords ar...

Page 388: ...el from the Normal Exec level Use the no form to reset the default password Syntax enable password level level 0 7 password no enable password level level level level Level 15 for Privileged Exec Levels 0 14 are not used 0 7 0 means plain password 7 means encrypted password password password for this privilege level Maximum length 8 characters plain text 32 encrypted case sensitive Default Setting...

Page 389: ...Manager 15 Privileged Exec Range 0 15 command Specifies any command contained within the specified mode Default Setting Privilege level 0 provides access to a limited number of the commands which display the current status of the switch as well as several database clear and reset functions Level 8 provides access to all display status and configuration commands except for those controlling various...

Page 390: ...ig file Example show privilege This command shows the privilege level for the current user or the privilege level for commands modified by the privilege command see page 4 89 Syntax show privilege command command Displays the privilege level for all commands modified by the privilege command Command Mode Privileged Exec Example This example shows the privilege level for any command modified by the...

Page 391: ... the password in the access request packet from the client to the server while TACACS encrypts the entire body of the packet RADIUS and TACACS logon authentication assigns a specific privilege level for each user name and password pair The user name password and privilege level must be configured on the authentication server You can specify three authentication methods in a single command to indic...

Page 392: ...ts only the password in the access request packet from the client to the server while TACACS encrypts the entire body of the packet RADIUS and TACACS logon authentication assigns a specific privilege level for each user name and password pair The user name password and privilege level must be configured on the authentication server You can specify three authentication methods in a single command t...

Page 393: ...the retransmit period expires host ip address IP address of server auth port RADIUS server UDP port used for authentication messages Range 1 65535 timeout Number of seconds the switch waits for a reply before resending a request Range 1 65535 retransmit Number of times the switch will try to authenticate logon access via the RADIUS server Range 1 30 key Encryption key used to authenticate logon ac...

Page 394: ... key This command sets the RADIUS encryption key Use the no form to restore the default Syntax radius server key key string no radius server key key string Encryption key used to authenticate logon access for client Do not use blank spaces in the string Maximum length 48 characters Default Setting None Command Mode Global Configuration Example Console config radius server 1 host 192 168 1 20 auth ...

Page 395: ...s command sets the interval between transmitting authentication requests to the RADIUS server Use the no form to restore the default Syntax radius server timeout number of seconds no radius server timeout number of seconds Number of seconds the switch waits for a reply before resending a request Range 1 65535 Default Setting 5 Command Mode Global Configuration Example show radius server This comma...

Page 396: ...cation Key with RADIUS Server Auth Port 1812 Retransmit Times 2 Request Timeout 5 Sever 1 Server IP Address 192 168 1 1 Communication Key with RADIUS Server Auth Port 1812 Retransmit Times 2 Request Timeout 5 Radius server group Group Name Member Index radius 1 Console Table 4 31 TACACS Commands Command Function Mode Page tacacs server host Specifies the TACACS server GC 4 97 tacacs server port Sp...

Page 397: ...540 seconds retransmit Number of times the switch will resend an authentication request to the TACACS server Range 1 30 key Encryption key used to authenticate logon access for client Do not use blank spaces in the string Maximum length 48 characters Default Setting port 49 timeout 5 seconds retransmit 2 Command Mode Global Configuration Example tacacs server port This command specifies the TACACS...

Page 398: ...ommand Mode Global Configuration Example tacacs server retransmit This command sets the number of retries Use the no form to restore the default Syntax tacacs server retransmit number_of_retries no tacacs server retransmit number_of_retries Number of times the switch will try to authenticate logon access via the TACACS server Range 1 30 Default Setting 2 Command Mode Global Configuration Example C...

Page 399: ...and Mode Global Configuration Example show tacacs server This command displays the current settings for the TACACS server Default Setting None Command Mode Privileged Exec Example Console config tacacs server timeout 10 Console config Console show tacacs server Remote TACACS server configuration Global Settings Communication Key with TACACS Server Server Port Number 49 Retransmit Times 2 Request T...

Page 400: ...ver Groups security servers in to defined lists GC 4 100 server Configures the IP address of a server in a group list SG 4 101 aaa accounting dot1x Enables accounting of 802 1X services GC 4 102 aaa accounting exec Enables accounting of Exec services GC 4 103 aaa accounting commands Enables accounting of Exec mode commands GC 4 104 aaa accounting update Enables periodoc updates to be sent to the a...

Page 401: ...etting None Command Mode Server Group Configuration Command Usage When specifying the index for a RADIUS server that server index must already be defined by the radius server host command see page 4 93 When specifying the index for a TACACS server that server index must already be defined by the tacacs server host command see page 4 97 Example Console config aaa group server radius tps Console con...

Page 402: ...o use radius Specifies all RADIUS hosts configure with the radius server host command described on page 4 93 tacacs Specifies all TACACS hosts configure with the tacacs server host command described on page 4 97 server group Specifies the name of a server group configured with the aaa group server command described on 4 100 Range 1 255 characters Default Setting Accounting is not enabled No server...

Page 403: ...th the radius server host command described on page 4 93 tacacs Specifies all TACACS hosts configure with the tacacs server host command described on page 4 97 server group Specifies the name of a server group configured with the aaa group server command described on 4 100 Range 1 255 characters Default Setting Accounting is not enabled No servers are specified Command Mode Global Configuration Co...

Page 404: ...g point group Specifies the server group to use tacacs Specifies all TACACS hosts configure with the tacacs server host command described on page 4 97 server group Specifies the name of a server group configured with the aaa group server command described on 4 100 Range 1 255 characters Default Setting Accounting is not enabled No servers are specified Command Mode Global Configuration Command Usa...

Page 405: ...accounting records for all users on the system Using the command without specifying an interim interval enables updates but does not change the current interval setting Example accounting dot1x This command applies an accounting method for 802 1X service requests on an interface Use the no form to disable accounting on the interface Syntax accounting dot1x default list name no accounting dot1x def...

Page 406: ...n accounting method to entered CLI commands Use the no form to disable accounting for entered CLI commands Syntax accounting commands level default list name no accounting commands level level The privilege level for executing commands Range 0 15 default Specifies the default method list created with the aaa accounting commands command page 4 104 list name Specifies a method list created with the ...

Page 407: ...e 4 97 server group Specifies the name of a server group configured with the aaa group server command described on 4 100 Range 1 255 characters Default Setting Authorization is not enabled No servers are specified Command Mode Global Configuration Command Usage This command performs authorization to determine if a user is allowed to run an Exec shell AAA authentication must be enabled before autho...

Page 408: ...settings per function and per port Syntax show accounting commands level dot1x statistics username user name interface interface exec statistics statistics commands Displays command accounting information level Displays command accounting information for a specifiable command level dot1x Displays dot1x accounting information exec Displays Exec accounting records statistics Displays accounting reco...

Page 409: ...lt Setting 80 Command Mode Global Configuration Console show accounting Accounting type dot1x Method list default Group list radius Interface Method list tps Group list radius Interface eth 1 2 Accounting type Exec Method list default Group list radius Interface vty Console Table 4 33 Web Server Commands Command Function Mode Page ip http port Specifies the port to be used by the web browser inter...

Page 410: ...HTTPS over the Secure Socket Layer SSL providing secure access i e an encrypted connection to the switch s web interface Use the no form to disable this function Syntax no ip http secure server Default Setting Enabled Command Mode Global Configuration Command Usage Both HTTP and HTTPS service can be enabled independently on the switch However you cannot configure the HTTP and HTTPS servers to use ...

Page 411: ...ure site Certificate on page 3 73 Also refer to the copy command on page 4 36 Example Related Commands ip http secure port 4 111 copy tftp https certificate 4 36 ip http secure port This command specifies the UDP port number used for HTTPS connection to the switch s web interface Use the no form to restore the default port Syntax ip http secure port port_number no ip http secure port port_number T...

Page 412: ...by the Telnet interface Use the no form without the port keyword to disable this function Use the no from with the port keyword to use the default port Syntax ip telnet server port port number no telnet server port port The TCP port used by the Telnet interface port number The TCP port number to be used by the browser interface Range 1 65535 Default Setting Server Enabled Server Port 23 Command Mo...

Page 413: ... to create a host public private key pair 2 Provide Host Public Key to Clients Many SSH client programs automatically import the host public key during the initial connection setup with the switch Table 4 36 SSH Commands Command Function Mode Page ip ssh server Enables the SSH server on the switch GC 4 115 ip ssh timeout Specifies the authentication timeout for the SSH server GC 4 116 ip ssh authe...

Page 414: ...1781943722884025331159521348610229029789827213532671 31629432532818915045306393916643 steve 192 168 1 19 4 Set the Optional Parameters Set other optional parameters including the authentication timeout the number of retries and the server key size 5 Enable SSH Service Use the ip ssh server command to enable the SSH server on the switch 6 Authentication One of the following authentication methods i...

Page 415: ...ther the supplied key is acceptable for authentication and if so it then checks whether the signature is correct If both checks succeed the client is authenticated Note The SSH server supports up to four client sessions The maximum number of client sessions includes both current Telnet sessions and SSH sessions ip ssh server This command enables the Secure Shell SSH server on this switch Use the n...

Page 416: ... wait for a response from the client during the SSH negotiation phase Once an SSH session has been established the timeout for user input is controlled by the exec timeout command for vty sessions Example Related Commands exec timeout 4 45 show ip ssh 4 119 ip ssh authentication retries This command configures the number of times the SSH server attempts to reauthenticate a user Use the no form to ...

Page 417: ...Configuration Command Usage The server key is a private key that is never shared outside the switch The host key is shared with the SSH client and is fixed at 1024 bits Example delete public key This command deletes the specified user s public key Syntax delete public key username dsa rsa username Name of an SSH user Range 1 8 characters dsa DSA public key type rsa RSA public key type Default Sett...

Page 418: ... key command to save the host key pair to flash memory Some SSH client programs automatically add the public key to the known hosts file as part of the configuration process Otherwise you must manually create a known hosts file and place the host public key in it The SSH server uses this host key to negotiate a session key and encryption method with the client trying to connect to it Example Relat...

Page 419: ...y generate 4 118 ip ssh save host key 4 119 no ip ssh server 4 115 ip ssh save host key This command saves host key from RAM to flash memory Syntax ip ssh save host key dsa rsa dsa DSA key type rsa RSA key type Default Setting Saves both the DSA and RSA key Command Mode Privileged Exec Example Related Commands ip ssh crypto host key generate 4 118 show ip ssh This command displays the connection s...

Page 420: ...hentication Started Session Started Username The user name of the client Encryption The encryption method is automatically negotiated between the client and server Options for SSHv1 5 include DES 3DES Options for SSHv2 0 can include different algorithms for the client to server ctos and server to client stoc aes128 cbc hmac sha1 aes192 cbc hmac sha1 aes256 cbc hmac sha1 3des cbc hmac sha1 blowfish...

Page 421: ...ing is the encoded modulus Example Console show public key host Host RSA 1024 35 1568499540186766925933394677505461732531367489083654725415020245593199868 5443583616519999233297817660658309586108259132128902337654680172627257141 3428762941301196195566782595664104869574278881462065194174677298486546861 5717739390164779355942303577413098022737087794545240839717526463580581767 16709574804776117 DSA s...

Page 422: ...x max req Sets the maximum number of times that the switch retransmits an EAP request identity packet to the client before it times out the authentication session IC 4 124 dot1x port control Sets dot1x mode for a port interface IC 4 124 dot1x operation mode Allows single or multiple hosts on an dot1x port IC 4 125 dot1x re authenticate Forces re authentication on specific ports PE 4 125 dot1x re a...

Page 423: ...er switches on to the authentication servers thereby allowing the authentication process to still be carried out by switches located on the edge of the network When this device is functioning as an edge switch but does not require any attached clients to be authenticated the no dot1x eapol pass through command can be used to discard unnecessary EAPOL traffic Example This example instructs the swit...

Page 424: ...estore the default Syntax dot1x port control auto force authorized force unauthorized no dot1x port control auto Requires a dot1x aware connected client to be authorized by the RADIUS server Clients that are not dot1x aware will be denied access force authorized Configures the port to grant access to all clients either dot1x aware or otherwise force unauthorized Configures the port to deny access ...

Page 425: ...rt Range 1 1024 Default 5 Default Single host Command Mode Interface Configuration Command Usage The max count parameter specified by this command is only effective if the dot1x mode is set to auto by the dot1x port control command page 4 124 In multi host mode only one host connected to a port needs to pass authentication for all other hosts to be granted network access Similarly a port can becom...

Page 426: ...ion Syntax no dot1x re authentication Command Mode Interface Configuration Command Usage The re authentication process verifies the connected client s user ID and password on the RADIUS server During re authentication the client remains connected the network and the process is handled transparently by the dot1x client software Only if re authentication fails is the port blocked The connected clien...

Page 427: ...t 60 seconds Command Mode Interface Configuration Example dot1x timeout re authperiod This command sets the time period after which a connected client must be re authenticated Syntax dot1x timeout re authperiod seconds no dot1x timeout re authperiod seconds The number of seconds Range 1 65535 Default 3600 seconds Command Mode Interface Configuration Example Console config interface eth 1 2 Console...

Page 428: ... no form to reset to the default value Syntax dot1x timeout supp timeout seconds no dot1x timeout supp timeout seconds The number of seconds Range 1 65535 Default 30 seconds Command Mode Interface Configuration Command Usage This command sets the timeout for EAP request frames other than EAP request identity frames If dot1x authentication is enabled on a port the switch will initiate authenticatio...

Page 429: ...gured and set as active vlan database on page 4 230 and assigned as the guest VLAN for the port network access guest vlan on page 4 140 Example show dot1x This command shows general port authentication related settings on the switch or a specific interface Syntax show dot1x statistics interface interface statistics Displays dot1x status for each port interface ethernet unit port unit Stack unit Ra...

Page 430: ...7 tx period Time a port waits during authentication session before re transmitting EAP packet page 4 128 supplicant timeout Supplicant timeout server timeout Server timeout reauth max Maximum number of reauthentication attempts max req Maximum number of times a port will retransmit an EAP request identity packet to the client before it times out the authentication session page 4 124 Status Authori...

Page 431: ...ntrol enable 802 1X Port Summary Port Name Status Operation Mode Mode Authorized 1 1 disabled Single Host ForceAuthorized n a 1 2 enabled Single Host auto yes 1 26 disabled Single Host ForceAuthorized n a 802 1X Port Details 802 1X is disabled on port 1 1 802 1X is enabled on port 1 2 reauth enabled Enable reauth period 1800 quiet period 30 tx period 40 supplicant timeout 30 server timeout 10 reau...

Page 432: ...gement interface on the switch from an invalid address the switch will reject the connection enter an event message in the system log and send a trap message to the trap manager IP address can be configured for SNMP web and Telnet access respectively Each of these groups can include up to five different sets of addresses either individual addresses or address ranges When entering addresses for the...

Page 433: ...nmp client Adds IP address es to the SNMP group telnet client Adds IP address es to the Telnet group Command Mode Privileged Exec Example Console config management all client 192 168 1 19 Console config management all client 192 168 1 25 192 168 1 30 Console config Console show management all client Management IP Filter HTTP Client Start IP address End IP address 1 192 168 1 19 192 168 1 19 2 192 ...

Page 434: ...ivate VLANs Configures private VLANs including uplink and downlink ports 4 243 Port Security The priority of execution for these filtering commands is Port Security Port Authentication Network Access Access Control Lists DHCP Snooping and then IP Source Guard Configures secure addresses for a port 4 135 Port Authentication Configures host authentication on specific ports using 802 1X 4 122 Network...

Page 435: ...se the no form without any keywords to disable port security Use the no form with the appropriate keyword to restore the default settings for a response to security violation or for the maximum number of allowed addresses Syntax port security action shutdown trap trap and shutdown max mac count address count no port security action max mac count action Response to take when port security is violat...

Page 436: ...ommand to set the maximum number of addresses allowed on a port You can also manually add secure addresses with the mac address table static command A secure port has the following restrictions Cannot be connected to a network interconnection device Cannot be a trunk port If a port is disabled due to a security violation it must be manually re enabled using the no shutdown command Example The foll...

Page 437: ...count The maximum number of authenticated MAC addresses allowed Range 1 to 2048 0 for unlimited Default Setting 2048 Command Mode Interface Configuration Table 4 42 Network Access Command Function Mode Page network access max mac count Sets a maximum number for authenticated MAC addresses on an interface IC 4 137 network access mode Enables MAC authentication on an interface IC 4 138 network acces...

Page 438: ...format XX XX XX XX XX XX all in upper case Authenticated MAC addresses are stored as dynamic entries in the switch s secure MAC address table and are removed when the aging time expires The maximum number of secure MAC addresses supported for the switch system is 1024 Configured static MAC addresses are added to the secure address table when seen on a switch port Static addresses are treated as au...

Page 439: ...uration for the port When a user attempts to log into the network with a returned dynamic QoS profile that is different from users already logged on to the same port the user is denied access While a port has an assigned dynamic QoS profile any manual QoS configuration changes only take effect after all users have logged off of the port Note Any configuration changes for dynamic QoS are not saved ...

Page 440: ...t be defined and set as active vlan database on page 4 230 When used with 802 1X authentication the intrusion action must be set for guest vlan to be effective see dot1x intrusion action on page 4 129 Example mac authentication reauth time Use this command to set the time period after which a connected MAC address must be re authenticated Use the no form of this command to restore the default valu...

Page 441: ...the default Syntax mac authentication intrusion action block traffic pass traffic no mac authentication intrusion action Default Setting Block Traffic Command Mode Interface Configuration Example mac authentication max mac count Use this command to set the maximum number of MAC addresses that can be authenticated on a port via MAC authentication Use the no form of this command to restore the defau...

Page 442: ...rt number Range 1 26 50 Default Setting Displays the settings for all interfaces Command Mode Privileged Exec Example Console config if mac authentication max mac count 32 Console config if Console show network access interface ethernet 1 1 Global secure port information Reauthentication Time 1800 Port 1 1 MAC Authentication Disabled MAC Authentication Intrusion action Block traffic MAC Authentica...

Page 443: ...ge 1 26 50 sort Sorts displayed entries by either MAC address or interface Default Setting Displays all entries Command Mode Privileged Exec Command Usage When using a bit mask to filter displayed MAC addresses a 1 means care and a 0 means don t care For example a MAC of 00 00 01 02 03 04 and mask FF FF FF 00 00 00 would result in all MACs in the range 00 00 01 00 00 00 to 00 00 01 FF FF FF to be ...

Page 444: ...fied by the no ip dhcp snooping trust command page 4 147 from a device not listed in the DHCP snooping table will be dropped When enabled DHCP messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCP snooping Table entries are only learned for untrusted interfaces Each entry includes a Table 4 44 DHCP Snooping Commands Command Function Mode Page ip dhcp sno...

Page 445: ... forwarded if MAC address verification is disabled as specified by the ip dhcp snooping verify mac address command page 4 148 However if MAC address verification is enabled then the packet will only be forwarded if the client s hardware address stored in the DHCP packet is the same as the source MAC address in the Ethernet header If the DHCP packet is not a recognizable type it is dropped If a DHC...

Page 446: ...packet filtering will be performed on any untrusted ports within the VLAN as specified by the ip dhcp snooping trust command page 4 147 When the DHCP snooping is globally disabled DHCP snooping can still be configured for specific VLANs but the changes will not take effect until DHCP snooping is globally re enabled When DHCP snooping is globally enabled configuration changes for specific VLANs hav...

Page 447: ...ll to untrusted When DHCP snooping ia enabled globally using the ip dhcp snooping command page 4 144 and enabled on a VLAN with ip dhcp snooping vlan command page 4 146 DHCP packet filtering will be performed on any untrusted ports within the VLAN according to the default status or as specifically configured for an interface with the no ip dhcp snooping trust command When an untrusted port is chan...

Page 448: ...ple This example enables MAC address verification Related Commands ip dhcp snooping 4 144 ip dhcp snooping vlan 4 146 ip dhcp snooping trust 4 147 ip dhcp snooping information option This command enables the DHCP Option 82 information relay for the switch Use the no form to disable this function Syntax no ip dhcp snooping information option Default Setting Disabled Command Mode Global Configuratio...

Page 449: ...ng information policy This command sets the DHCP snooping information option policy for DHCP client packets that include Option 82 information Syntax ip dhcp snooping information policy drop keep replace drop Drops the client s request packet instead of relaying it keep Retains the Option 82 information in the client request and forwards the packets to trusted ports replace Replaces the Option 82 ...

Page 450: ...Example Console show ip dhcp snooping Global DHCP Snooping status disable DHCP Snooping Information Option Status disable DHCP Snooping Information Policy replace DHCP Snooping is configured on the following VLANs 1 Verify Source Mac Address enable Interface Trusted Eth 1 1 No Eth 1 2 No Eth 1 3 No Eth 1 4 No Eth 1 5 Yes Console show ip dhcp snooping binding MacAddress IpAddress Lease sec Type VLA...

Page 451: ... Setting Disabled Command Mode Interface Configuration Ethernet Command Usage Source guard is used to filter traffic on an insecure port which receives messages from outside the network or fire wall and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor Setting source guard mode to sip or sip mac enables this function on the selected port Use th...

Page 452: ... snooping is disabled see page 4 144 IP source guard will check the VLAN ID source IP address port number and source MAC address for the sip mac option If a matching entry is found in the binding table and the entry type is static IP source guard binding the packet will be forwarded If the DHCP snooping is enabled IP source guard will check the VLAN ID source IP address port number and source MAC ...

Page 453: ...ich is indicated with a value of zero by the show ip source guard command page 4 154 When source guard is enabled traffic is filtered based upon dynamic entries learned via DHCP snooping or static addresses configured in the source guard binding table with this command Static bindings are processed as follows If there is no entry with same VLAN ID and MAC address a new entry is added to binding ta...

Page 454: ...ource guard binding dhcp snooping static dhcp snooping Shows dynamic entries configured with DHCP Snooping commands see page 4 144 static Shows static entries configured with the ip source guard binding command see page 4 153 Command Mode Privileged Exec Example Console show ip source guard Interface Filter type Eth 1 1 DISABLED Eth 1 2 DISABLED Eth 1 3 DISABLED Eth 1 4 DISABLED Eth 1 5 SIP Eth 1 ...

Page 455: ...le 4 46 Access Control Lists Command Groups Function Page IP ACLs Configures ACLs based on IPv4 addresses TCP UDP port number protocol type and TCP control code 4 155 MAC ACLs Configures ACLs based on hardware addresses packet format and Ethernet type 4 161 ACL Information Displays ACLs and associated rules shows ACLs assigned to each port 4 166 Table 4 47 IP ACLs Command Function Mode Page access...

Page 456: ...acl name Name of the ACL Maximum length 16 characters no spaces Default Setting None Command Mode Global Configuration Command Usage When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list To create an ACL you must add at least one rule to the list To remove a rule use the no permit or no deny command follo...

Page 457: ...les are appended to the end of the list Address bitmasks are similar to a subnet mask containing four integers from 0 to 255 each separated by a period The binary mask uses 1 bits to indicate match and 0 bits to indicate ignore The bitmask is bitwise ANDed with the specified source IP address and then compared with the address for each IP packet entering the port s to which this ACL has been assig...

Page 458: ...rt sport bitmask destination port dport port bitmask control flag control flags flag bitmask protocol number A specific protocol number Range 0 255 source Source IP address destination Destination IP address address bitmask Decimal number representing the address bits to match host Keyword followed by a specific IP address precedence IP precedence level Range 0 7 tos Type of Service level Range 0 ...

Page 459: ... syn Synchronize 4 rst Reset 8 psh Push 16 ack Acknowledgement 32 urg Urgent pointer For example use the code value and mask below to catch packets with the following flags set SYN flag valid use control code 2 2 Both SYN and ACK valid use control code 18 18 SYN valid and ACK invalid use control code 2 18 Example This example accepts any incoming packets if the source address is within subnet 10 7...

Page 460: ...4 160 ip access group This command binds a port to an IP ACL Use the no form to remove the port Syntax no ip access group acl name in acl name Name of the ACL Maximum length 16 characters no spaces in Indicates that this list applies to ingress packets Default Setting None Command Mode Interface Configuration Ethernet Command Usage A port can only be bound to one ACL If a port is already bound to ...

Page 461: ... the access list to one or more ports Console config int eth 1 25 Console config if ip access group david in Console config if Console show ip access group Interface ethernet 1 25 IP access list david in Console Table 4 48 MAC ACL Commands Command Function Mode Page access list mac Creates a MAC ACL and enters configuration mode GC 4 162 permit deny Filters packets matching a specified source and ...

Page 462: ...previously configured rule An ACL can contain up to 32 rules Example Related Commands permit deny 4 162 mac access group 4 164 show mac access list 4 164 permit deny MAC ACL This command adds a rule to a MAC ACL The rule filters packets matching a specified MAC source or destination address i e physical layer address or Ethernet protocol type Use the no form to remove a rule Syntax no permit deny ...

Page 463: ...Ethernet 802 3 packets any Any MAC source or destination address host A specific MAC address source Source MAC address destination Destination MAC address range with bitmask address bitmask23 Bitmask for MAC address in hexidecimal format vid VLAN ID Range 1 4094 vid bitmask VLAN bitmask Range 1 4094 protocol A specific Ethernet protocol number Range 600 fff hex protocol bitmask Protocol bitmask Ra...

Page 464: ... access group This command binds a port to a MAC ACL Use the no form to remove the port Syntax mac access group acl name in acl name Name of the ACL Maximum length 16 characters in Indicates that this list applies to ingress packets Default Setting None Command Mode Interface Configuration Ethernet Command Usage A port can only be bound to one ACL If a port is already bound to an ACL and you bind ...

Page 465: ...p This command shows the ports assigned to MAC ACLs Command Mode Privileged Exec Example Related Commands mac access group 4 164 Console config interface ethernet 1 2 Console config if mac access group jerry in Console config if Console show mac access group Interface ethernet 1 5 MAC access list M5 in Console ...

Page 466: ...gned to each port PE 4 166 Console show access list IP standard access list david permit host 10 1 1 21 permit 168 92 16 0 255 255 240 0 IP extended access list bob permit 10 7 1 1 255 255 255 0 any permit 192 168 1 0 255 255 255 0 any destination port 80 80 permit 192 168 1 0 255 255 255 0 any protocol tcp control code 2 2 IP access list jerry permit any host 00 17 7c 94 34 de ethertype 800 800 I...

Page 467: ...ion of a given interface when autonegotiation is disabled IC 4 169 negotiation Enables autonegotiation of a given interface IC 4 170 capabilities Advertises the capabilities of a given interface for use in autonegotiation IC 4 170 flowcontrol Enables flow control on a given interface IC 4 171 media type Forces port type selected for combination ports IC 4 172 shutdown Disables an interface IC 4 17...

Page 468: ... Syntax description string no description string Comment or a description to help you remember what is attached to this interface Range 1 64 characters Default Setting None Command Mode Interface Configuration Ethernet Port Channel Example The following example adds a description to port 24 Console config interface ethernet 1 24 Console config if Console config interface ethernet 1 24 Console conf...

Page 469: ... The 1000BASE T standard does not support forced mode Auto negotiation should always be used to establish a connection over any 1000BASE T port or trunk If not used the success of the link process cannot be guaranteed when connecting to other types of switches To force operation to the speed and duplex mode specified in a speed duplex command use the no negotiation command to disable auto negotiat...

Page 470: ...RJ 45 ports Example The following example configures port 11 to use autonegotiation Related Commands capabilities 4 170 speed duplex 4 169 capabilities This command advertises the port capabilities of a given interface during autonegotiation Use the no form with parameters to remove an advertised capability or the no form without parameters to restore the default values Syntax no capabilities 1000...

Page 471: ...ver any 1000BASE T port or trunk When auto negotiation is enabled with the negotiation command the switch will negotiate the best settings for a link based on the capabilites command When auto negotiation is disabled you must manually specify the link attributes with the speed duplex and flowcontrol commands Example The following example configures Ethernet port 5 capabilities to 100half 100full a...

Page 472: ...ities command To enable flow control under auto negotiation flowcontrol must be included in the capabilities list for any port Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub Example The following example enables flow control on port 5 ...

Page 473: ...le it after the problem has been resolved You may also want to disable a port for security reasons Example The following example disables port 5 switchport packet rate This command configures broadcast multicast and unknown unicast storm control Use the no form to restore the default setting Syntax switchport broadcast multicast unicast packet rate rate no switchport broadcast multicast unicast br...

Page 474: ...re broadcast storm control at 500 packets per second clear counters This command clears statistics on an interface Syntax clear counters interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 26 50 port channel channel id Range 1 32 Default Setting None Command Mode Privileged Exec Command Usage Statistics are only initialized for a power reset This command sets th...

Page 475: ...ethernet unit port unit Stack unit Range 1 port Port number Range 1 26 50 port channel channel id Range 1 32 vlan vlan id Range 1 4094 Default Setting Shows the status for all interfaces Command Mode Normal Exec Privileged Exec Console clear counters ethernet 1 5 Console Console show interfaces brief Interface Name Status PVID Pri Speed Duplex Type Trunk Eth 1 1 Up 1 0 Auto 100full 100TX None Eth ...

Page 476: ...tus ethernet 1 5 Information of Eth 1 5 Basic information Port Type 1000T Mac Address 00 17 7C 12 31 28 Configuration Port Admin Up Speed duplex Auto Capabilities 10half 10full 100half 100full 1000full Broadcast Storm Enabled Broadcast Storm Limit 500 packets second Multicast Storm Disabled Multicast Storm Limit 262143 packets second Unknown Unicast Storm Disabled Unknown Unicast Storm Limit 26214...

Page 477: ...5 Discard input 0 Discard output 0 Error input 0 Error output 0 Unknown protos input 0 QLen output 0 Extended iftable stats Multi cast input 0 Multi cast output 3064 Broadcast input 262 Broadcast output 1 Ether like stats Alignment errors 0 FCS errors 0 Single Collision frames 0 Multiple collision frames 0 SQE Test errors 0 Deferred transmissions 0 Late collisions 0 Excessive collisions 0 Internal...

Page 478: ... Disable 802 1Q tunnel Mode NORMAL 802 1Q tunnel TPID 8100 Hex Console Table 4 51 Interfaces Switchport Statistics Field Description Broadcast Threshold Shows if broadcast storm suppression is enabled or disabled if enabled it also shows the threshold level page 4 173 Multicast Threshold Shows if multicast storm suppression is enabled or disabled if enabled it also shows the threshold level page 4...

Page 479: ...AN Shows the VLANs this interface can not dynamically join via GVRP page 4 237 Private VLAN Mode Shows the private VLAN mode as host promiscuous or none 4 248 Private VLAN host association Shows the secondary or community VLAN with which this port is associated 4 248 Private VLAN mapping Shows the primary VLAN mapping for a promiscuous port 4 249 802 1Q tunnel Status Shows if 802 1Q tunnel is enab...

Page 480: ...e configured in an identical manner including communication mode i e speed duplex mode and flow control VLAN assignments and CoS settings All the ports in a trunk have to be treated as a whole when moved from to added or deleted from a VLAN via the specified port channel STP VLAN and IGMP settings can only be made for the entire trunk via the specified port channel Table 4 52 Link Aggregation Comm...

Page 481: ...ed to join a channel group If a link goes down LACP port priority is used to select the backup link channel group This command adds a port to a trunk Use the no form to remove a port from a trunk Syntax channel group channel id no channel group channel id Trunk index Range 1 32 Default Setting The current port will be added to this trunk Command Mode Interface Configuration Ethernet Command Usage ...

Page 482: ...s of an LACP trunk must be configured for full duplex and auto negotiation A trunk formed with another switch using LACP will automatically be assigned the next available port channel ID If the target switch has also enabled LACP on the connected ports the trunk will be activated automatically If more than eight ports attached to the same target switch have LACP enabled the additional ports will b...

Page 483: ...ip and to identify this device to other switches during LAG negotiations Range 0 65535 Default Setting 32768 Console config interface ethernet 1 11 Console config if lacp Console config if exit Console config interface ethernet 1 12 Console config if lacp Console config if exit Console config interface ethernet 1 13 Console config if lacp Console config if exit Console config exit Console show int...

Page 484: ...key Use the no form to restore the default setting Syntax lacp actor partner admin key key no lacp actor partner admin key actor The local side an aggregate link partner The remote side of an aggregate link key The port admin key must be set to the same value for ports that belong to the same link aggregation group LAG Range 0 65535 Default Setting 0 Command Mode Interface Configuration Ethernet C...

Page 485: ... during local LACP setup on this switch Range 0 65535 Default Setting 0 Command Mode Interface Configuration Port Channel Command Usage Ports are only allowed to join the same LAG if 1 the LACP system priority matches 2 the LACP port admin key matches and 3 the LACP port channel key matches if configured If the port channel admin key lacp admin key Port Channel is not set when a channel group is f...

Page 486: ...cates a higher effective priority If an active port link goes down the backup port with the highest priority is selected to replace the downed link However if two or more ports have the same LACP port priority the port with the lowest physical port number will be selected as the backup port Once the remote side of a link has been established LACP operational settings are already in use on that sid...

Page 487: ...ker Sent 0 Marker Received 0 LACPDUs Unknown Pkts 0 LACPDUs Illegal Pkts 0 Table 4 53 show lacp counters display description Field Description LACPDUs Sent Number of valid LACPDUs transmitted from this channel group LACPDUs Received Number of valid LACPDUs received on this channel group Marker Sent Number of valid Marker PDUs transmitted from this channel group Marker Received Number of valid Mark...

Page 488: ...tate Defaulted The actor s receive machine is using defaulted operational partner information administratively configured for the partner Distributing If false distribution of outgoing frames on this link is disabled i e distribution is currently disabled and is not expected to be enabled in the absence of administrative changes or changes in received protocol information Collecting Collection of ...

Page 489: ...ssigned by the user Partner Oper System ID LAG partner s system ID assigned by the LACP protocol Partner Admin Port Number Current administrative value of the port number for the protocol Partner Partner Oper Port Number Operational port number assigned to this aggregation port by the port s protocol partner Port Admin Priority Current administrative value of the port priority for the protocol par...

Page 490: ...17 7C 8F 2C A7 4 32768 00 17 7C 8F 2C A7 Console Table 4 56 show lacp sysid display description Field Description Channel group A link aggregation group configured on this switch System Priority LACP system priority for this channel group System MAC Address System MAC address The LACP system priority and system MAC address are concatenated to form the LAG system ID ...

Page 491: ...raffic from any source port to a destination port for real time analysis You can then attach a logic analyzer or RMON probe to the destination port and study the traffic crossing the source port in a completely unobtrusive manner Set the destination port by specifying an Ethernet interface with the interface configuration command and then use the port monitor command to specify the source of the t...

Page 492: ...ommand Mode Privileged Exec Command Usage This command displays the currently configured source port destination port and mirror mode i e RX TX Example The following shows mirroring configured from port 6 to port 11 Console config interface ethernet 1 11 Console config if port monitor ethernet 1 6 rx Console config if Console config interface ethernet 1 11 Console config if port monitor ethernet 1...

Page 493: ... port can only be configured as one type of RSPAN interface source destination or uplink Also note that the source port and destination port cannot be configured on the same switch Local Remote Mirror The destination of a local mirror session created with the port monitor command cannot be used as the destination for RSPAN traffic Only two mirror sessions are allowed Both sessions can be allocated...

Page 494: ...ype to be mirrored remotely Use the no form to disable RSPAN on the specified port or with a traffic type keyword to disable mirroring for the specified type Syntax no rspan session session id source interface interface list rx tx both session id A number identifying this RSPAN session Range 1 2 Only two mirror sessions are allowed including both local and remote mirroring If local mirroring is en...

Page 495: ...ailable for RSPAN interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 26 50 tagged Traffic exiting the destination port carries the RSPAN VLAN tag untagged Traffic exiting the destination port is untagged Default Setting Traffic exiting the destination port is untagged Command Mode Global Configuration Command Usage Only one destination port can be configured on the same ...

Page 496: ...otely mirrored traffic intermediate Specifies this device as an intermediate switch transparently passing mirrored traffic from one or more sources to one or more destinations destination Specifies this device as a switch configured with a destination port which is to receive mirrored traffic for this session uplink A port configured to receive or transmit remotely mirrored traffic interface ether...

Page 497: ...mirroring If local mirroring is enabled with the port monitor command page 4 191 then there is only one session available for RSPAN Command Mode Global Configuration Command Usage The no rspan session command must be used to disable an RSPAN VLAN before it can be deleted from the VLAN database see the vlan command page 4 231 Example show rspan Use this command to displays the configuration setting...

Page 498: ...s forwarded without any changes rate limit Use this command to define the rate limit level for a specific interface Use this command without specifying a rate to restore the default rate limit level Use the no form to restore the default status of disabled Syntax rate limit input output rate no rate limit input output input Input rate limit output Output rate limit rate Maximum value in Mbps Range...

Page 499: ...rt unit Stack unit Range 1 port Port number Range 1 26 50 port channel channel id Range 1 32 vlan id VLAN ID Range 1 4094 action delete on reset Assignment lasts until the switch is reset permanent Assignment is permanent Console config interface ethernet 1 1 Console config if rate limit input 1000 Console config if Table 4 60 Address Table Commands Command Function Mode Page mac address table sta...

Page 500: ... assigned interface and will not be moved When a static address is seen on another interface the address will be ignored and will not be written to the address table A static address cannot be learned on another port until the address is removed with the no form of this command Example clear mac address table dynamic This command removes any learned entries from the forwarding database and clears ...

Page 501: ... MAC addresses associated with each interface Note that the Type field may include the following types Learned Dynamic address entries Permanent Static entry Delete on reset Static entry to be deleted when system is reset The mask should be hexadecimal numbers representing an equivalent bit mask in the form xx xx xx xx xx xx that is applied to the specified MAC address Enter hexadecimal numbers wh...

Page 502: ...0000 seconds 0 to disable aging Default Setting 300 seconds Command Mode Global Configuration Command Usage The aging time is used to age out dynamically learned forwarding information Example show mac address table aging time This command shows the aging time for entries in the address table Default Setting None Command Mode Privileged Exec Example Console config mac address table aging time 100 ...

Page 503: ...onfigures the priority of a spanning tree instance MST 4 211 name Configures the name for the multiple spanning tree MST 4 211 revision Configures the revision number for the multiple spanning tree MST 4 212 max hops Configures the maximum number of hops allowed in the region before a BPDU is discarded MST 4 212 spanning tree spanning disabled Disables spanning tree for an interface IC 4 213 spann...

Page 504: ...le This example shows how to enable the Spanning Tree Algorithm for the switch spanning tree mode This command selects the spanning tree mode for this switch Use the no form to restore the default Note MSTP is not supported in the current software Syntax spanning tree mode stp rstp mstp no spanning tree mode stp Spanning Tree Protocol IEEE 802 1D rstp Rapid Spanning Tree Protocol IEEE 802 1w mstp ...

Page 505: ...igration delay timer expires the switch assumes it is connected to an 802 1D bridge and starts using only 802 1D BPDUs RSTP Mode If RSTP is using 802 1D BPDUs on a port and receives an RSTP BPDU after the migration delay expires RSTP restarts the migration delay timer and begins using RSTP BPDUs on that port Multiple Spanning Tree Protocol To allow multiple spanning trees to operate over the netwo...

Page 506: ...ce must receive information about topology changes before it starts to forward frames In addition each port needs time to listen for conflicting information that would make it return to the discarding state otherwise temporary data loops might result Example spanning tree hello time This command configures the spanning tree bridge hello time globally for this switch Use the no form to restore the ...

Page 507: ...nd Mode Global Configuration Command Usage This command sets the maximum time in seconds a device can wait without receiving a configuration message before attempting to reconfigure All device ports except for designated ports should receive configuration messages at regular intervals Any port that ages out STA information provided in the last configuration message becomes the designated port for ...

Page 508: ...e lower numeric value becomes the STA root device However if all devices have the same priority the device with the lowest MAC address will then become the root device Example spanning tree pathcost method This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree Use the no form to restore the default Syntax spanning tree pathcost method long short no spa...

Page 509: ...etween the transmission of consecutive RSTP MSTP BPDUs Use the no form to restore the default Syntax spanning tree transmission limit count no spanning tree transmission limit count The transmission limit in seconds Range 1 10 Default Setting 3 Command Mode Global Configuration Command Usage This command limits the maximum transmission rate for BPDUs Example spanning tree mst configuration This co...

Page 510: ...s multiple pathways across the network thereby balancing the traffic load preventing wide scale disruption when a bridge node in a single instance fails and allowing for faster convergence of a new topology for the failed instance By default all VLANs are assigned to the Internal Spanning Tree MSTI 0 that connects all bridges and LANs within the MST region This switch supports up to 58 instances Y...

Page 511: ...ecting the root bridge and alternate bridge of the specified instance The device with the highest priority i e lowest numerical value becomes the MSTI root device However if all devices have the same priority the device with the lowest MAC address will then become the root device You can set this switch to act as the MSTI root device by specifying a priority of 0 or as the MSTI alternate device by...

Page 512: ...n number of the spanning tree Range 0 65535 Default Setting 0 Command Mode MST Configuration Command Usage The MST region name page 4 211 and revision number are used to designate a unique MST region A bridge i e spanning tree compliant device such as this switch can only belong to one MST region And all bridges in the same region must be configured with the same MST instances Example Related Comm...

Page 513: ...ments the hop count by one before passing on the BPDU When the hop count reaches zero the message is dropped Example spanning tree spanning disabled This command disables the spanning tree algorithm for the specified interface Use the no form to reenable the spanning tree algorithm for the specified interface Syntax no spanning tree spanning disabled Default Setting Enabled Command Mode Interface ...

Page 514: ...24 Use the spanning tree pathcost method command on page 4 208 to set the path cost method Table 4 62 Recommended STA Path Cost Range Port Type IEEE 802 1D 1998 IEEE 802 1w 2001 Ethernet 50 600 200 000 20 000 000 Fast Ethernet 10 60 20 000 2 000 000 Gigabit Ethernet 3 10 2 000 200 000 Table 4 63 Recommended STA Path Cost Port Type Link Type IEEE 802 1D 1998 IEEE 802 1w 2001 Ethernet Half Duplex Fu...

Page 515: ...a and higher values assigned to ports with slower media Path cost takes precedence over port priority When the spanning tree pathcost method page 4 208 is set to short the maximum value for path cost is 65 535 Example spanning tree port priority This command configures the priority for the specified interface Use the no form to restore the default Syntax spanning tree port priority priority no spa...

Page 516: ...el Command Usage You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node Since end nodes cannot cause forwarding loops they can pass directly through to the spanning tree forwarding state Specifying Edge Ports provides quicker convergence for devices such as workstations or servers retains the current forwarding database to redu...

Page 517: ...ceive any BPDUs after the edge delay timer expires its role changes to designated port and it immediately enters forwarding state see Displaying Interface Settings for STA on page 3 158 The edge delay time equals the protocol migration time when the port link type is point to point which is 3 seconds as defined in IEEE 802 3D 2004 17 20 4 otherwise it equals the maximum age for configuration messa...

Page 518: ...and Multiple Spanning Tree Use the no form to restore the default Syntax spanning tree link type auto point to point shared no spanning tree link type auto Automatically derived from the duplex mode setting point to point Point to point link shared Shared medium Default Setting auto Command Mode Interface Configuration Ethernet Port Channel Command Usage Specify a point to point link if the interf...

Page 519: ...abled on the switch Example spanning tree loopback detection release mode This command configures the release mode for a port that was placed in the discarding state because a loopback BPDU was received Use the no form to restore the default Syntax spanning tree loopback detection release mode auto manual no spanning tree loopback detection release mode auto Allows a port to automatically be relea...

Page 520: ...ote 1 Port Loopback Detection will not be active if Spanning Tree is disabled on the switch When configured for manual release mode then a link down up event will not release the port from the discarding state Example spanning tree loopback detection trap This command enables SNMP trap notification for Spanning Tree loopback BPDU detections Use the no form to restore the default Syntax spanning tr...

Page 521: ...thod is selected and the default path cost recommended by the IEEE 8021w standard exceeds 65 535 the default is set to 65 535 Ethernet half duplex 2 000 000 full duplex 1 000 000 trunk 500 000 Fast Ethernet half duplex 200 000 full duplex 100 000 trunk 50 000 Gigabit Ethernet full duplex 10 000 trunk 5 000 10 Gigabit Ethernet full duplex 1000 trunk 500 Command Mode Interface Configuration Ethernet...

Page 522: ...nge 0 240 in steps of 16 Default Setting 128 Command Mode Interface Configuration Ethernet Port Channel Command Usage This command defines the priority for the use of an interface in the multiple spanning tree If the path cost for all interfaces on a switch are the same the interface with the highest priority that is lowest value will be configured as an active link in the spanning tree Where more...

Page 523: ...ompatible mode However you can also use the spanning tree protocol migration command at any time to manually re check the appropriate BPDU format to send on the selected interfaces i e RSTP or STP compatible Example show spanning tree This command shows the configuration for the common spanning tree CST or for an instance within the multiple spanning tree MST Syntax show spanning tree interface ms...

Page 524: ...played under Spanning tree information see Configuring Global Settings for STA on page 3 154 For a description of the items displayed for specific interfaces see Displaying Interface Settings for STA on page 3 158 Example Console show spanning tree Spanning tree information Spanning Tree Mode MSTP Spanning Tree Enabled Disabled Enabled Instance 0 VLANs Configuration 1 4094 Priority 32768 Bridge He...

Page 525: ... 100000 Priority 128 Designated Cost 0 Designated Port 128 13 Designated Root 32768 0 00177CF8D8C6 Designated Bridge 32768 0 00177CF8D8C6 Fast Forwarding Disabled Forward Transitions 1 Admin Edge Port Disabled Oper Edge Port Disabled Admin Link Type Auto Oper Link Type Point to point Spanning Tree Status enable Loopback Detection Status Enabled Loopback Detection Release Mode Auto Loopback Detecti...

Page 526: ...eters including ingress and egress tagging mode ingress filtering PVID and GVRP 4 232 Displaying VLAN Information Displays VLAN groups status port members and MAC addresses 4 238 Configuring 802 1Q Tunneling Configures 802 1Q Tunneling QinQ Tunneling 4 239 Configuring Port based Traffic Segmentation Configures traffic segmentation for different client sessions based on specified downlink and uplin...

Page 527: ...e local switch Example show bridge ext This command shows the configuration for bridge extension commands Default Setting None Command Mode Privileged Exec Command Usage See Displaying Basic VLAN Information on page 3 175 and Displaying Bridge Extension Capabilities on page 3 15 for a description of the displayed items Example Console config bridge ext gvrp Console config Console show bridge ext M...

Page 528: ...if GVRP is enabled Syntax show gvrp configuration interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 26 50 port channel channel id Range 1 32 Default Setting Shows both global and interface specific configuration Command Mode Normal Exec Privileged Exec Example Console config interface ethernet 1 6 Console config if switchport gvrp Console config if Console sho...

Page 529: ...Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN The default values for the GARP timers are independent of the media access method or data rate These values should not be changed unless you are experiencing difficulties with GMRP or GVRP registration deregistration Timer values are applied to GVRP for all the ports ...

Page 530: ...nds garp timer 4 229 Editing VLAN Groups vlan database This command enters VLAN database mode All commands in this mode will take effect immediately Default Setting None Command Mode Global Configuration Console show garp timer ethernet 1 1 Eth 1 1 GARP timer status Join timer 100 centiseconds Leave timer 60 centiseconds Leaveall timer 1000 centiseconds Console Table 4 67 Editing VLAN Groups Comma...

Page 531: ...media ethernet state active suspend rspan no vlan vlan id name state vlan id ID of configured VLAN Range 1 4094 no leading zeroes name Keyword to be followed by the VLAN name vlan name ASCII string from 1 to 32 characters media ethernet Ethernet media type state Keyword to be followed by the VLAN state active VLAN is operational suspend VLAN is suspended Suspended VLANs do not pass packets rspan K...

Page 532: ...g zeroes Default Setting None Console config vlan database Console config vlan vlan 105 name RD5 media ethernet Console config vlan Table 4 68 Configuring VLAN Interfaces Command Function Mode Page interface vlan Enters interface configuration mode for a specified VLAN GC 4 232 switchport mode Configures VLAN membership mode for an interface IC 4 233 switchport acceptable frame types Configures fr...

Page 533: ... port transmits tagged frames that identify the source VLAN Note that frames belonging to the port s default VLAN i e associated with the PVID are also transmitted as tagged frames hybrid Specifies a hybrid VLAN interface The port may transmit tagged or untagged frames private vlan For an explanation of this command see switchport mode private vlan on page 4 248 Default Setting All ports are in hy...

Page 534: ...types Command Mode Interface Configuration Ethernet Port Channel Command Usage When set to receive all frame types any received frames that are untagged are assigned to the default VLAN Example The following example shows how to restrict the traffic received on port 1 to tagged frames Related Commands switchport mode 4 233 switchport ingress filtering This command enables ingress filtering for an ...

Page 535: ... port 1 and then enable ingress filtering switchport native vlan This command configures the PVID i e default VLAN ID for a port Use the no form to restore the default Syntax switchport native vlan vlan id no switchport native vlan vlan id Default VLAN ID for a port Range 1 4094 no leading zeroes Default Setting VLAN 1 Command Mode Interface Configuration Ethernet Port Channel Command Usage When u...

Page 536: ...rt or a trunk with switchport mode set to hybrid must be assigned to a VLAN as untagged If a trunk has switchport mode set to trunk i e 1Q Trunk then you can only assign an interface to VLAN groups as a tagged member Frames are always tagged within the switch The tagged untagged parameter used when adding a VLAN to an interface tells the switch whether to keep or remove the tag from a frame on egr...

Page 537: ...gnate a range of IDs Do not enter leading zeros Range 1 4094 Default Setting No VLANs are included in the forbidden list Command Mode Interface Configuration Ethernet Port Channel Command Usage This command prevents a VLAN from being automatically added to the specified interface via GVRP If a VLAN has been added to the set of allowed VLANs for an interface then you cannot add it to the set of for...

Page 538: ...Command Mode Normal Exec Privileged Exec Example The following example shows how to display information for VLAN 1 Table 4 69 Show VLAN Commands Command Function Mode Page show vlan Shows VLAN information NE PE 4 238 show interfaces status vlan Displays status for the specified VLAN interface NE PE 4 175 show interfaces switchport Displays the administrative and operational status of an interface ...

Page 539: ...nfigure the QinQ tunnel access port to join the SPVLAN as an untagged member switchport allowed vlan page 4 236 6 Configure the SPVLAN ID as the native VID on the QinQ tunnel access port switchport native vlan page 4 235 7 Configure the QinQ tunnel uplink port to dot1Q tunnel uplink mode switchport dot1q tunnel mode page 4 240 8 Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged ...

Page 540: ...how dot1q tunnel 4 242 show interfaces switchport 4 177 switchport dot1q tunnel mode This command configures an interface as a QinQ tunnel port Use the no form to disable QinQ on the interface Syntax switchport dot1q tunnel mode access uplink no switchport dot1q tunnel mode access Sets the port as an 802 1Q tunnel access port uplink Sets the port as an 802 1Q tunnel uplink port Default Setting Dis...

Page 541: ...tion This identifier is used to select a nonstandard 2 byte ethertype to identify 802 1Q tagged frames The standard ethertype value is 0x8100 Range 0800 FFFF hexadecimal Default Setting 0x8100 Command Mode Interface Configuration Ethernet Port Channel Command Usage Use the switchport dot1q tunnel tpid command to set a custom 802 1Q ethertype value on the selected interface This feature allows the ...

Page 542: ...sole config dot1q tunnel system tunnel control Console config interface ethernet 1 1 Console config if switchport dot1q tunnel mode access Console config if interface ethernet 1 2 Console config if switchport dot1q tunnel mode uplink Console config if end Console show dot1q tunnel Current double tagged status of the system is Enabled The dot1q tunnel mode of the set interface 1 1 is Access mode TP...

Page 543: ...feature Syntax no pvlan Default Setting Disabled Command Mode Global Configuration Command Usage When traffic segmentation is enabled the forwarding state for the uplink and downlink ports is shown below When traffic segmentation is disabled all ports operate in normal forwarding mode based on the settings specified by other functions such as VLANs and spanning tree protocol Table 4 71 Traffic Seg...

Page 544: ...consecutive list of interfaces or a comma between non consecutive interfaces ethernet unit port unit Stack unit Range 1 port Port number Range 1 26 50 port channel channel id Range 1 32 Default Setting None Command Mode Global Configuration Command Usage A port cannot be configured in both an uplink and downlink list If a downlink port is not configured the assigned uplink ports will operate as no...

Page 545: ...and multiple community VLANs can be associated with each primary VLAN Note that private VLANs and normal VLANs can exist simultaneously within the same switch This section describes commands used to configure private VLANs Console show pvlan Private VLAN status Enabled Up link port Ethernet 1 12 Down link port Ethernet 1 5 Ethernet 1 6 Ethernet 1 7 Ethernet 1 8 Console Table 4 73 Private VLAN Comm...

Page 546: ...private VLAN Use the no form to remove the specified private VLAN Syntax private vlan vlan id community primary no private vlan vlan id vlan id ID of private VLAN Range 1 4094 no leading zeroes community A VLAN in which traffic is restricted to host members in the same VLAN and to promiscuous ports in the associate primary VLAN primary A VLAN which can contain one or more community VLANs and serve...

Page 547: ...econdary vlan id ID of secondary i e community VLAN Range 1 4094 no leading zeroes Default Setting None Command Mode VLAN Configuration Command Usage Secondary VLANs provide security for group members The associated primary VLAN provides a common interface for access to other network resources within the primary VLAN e g servers configured with promiscuous ports and to resources outside of the pri...

Page 548: ...ort to a primary VLAN use the switchport private vlan mapping command To assign a host port to a community VLAN use the private vlan host association command Example switchport private vlan host association Use this command to associate an interface with a secondary VLAN Use the no form to remove this association Syntax switchport private vlan host association secondary vlan id no switchport priva...

Page 549: ... Ethernet Port Channel Command Usage Promiscuous ports assigned to a primary VLAN can communicate with any other promiscuous ports in the same VLAN and with the group members within any associated secondary VLANs Example show vlan private vlan Use this command to show the private VLAN configuration settings on this switch Syntax show vlan private vlan community primary community Displays all commu...

Page 550: ...ry we suggest configuring a separate VLAN for each major protocol running on your network Do not add port members at this time 2 Create a protocol group for each of the protocols you want to assign to a VLAN using the protocol vlan protocol group command General Configuration mode 3 Then map the protocol for each interface to the appropriate VLAN using the protocol vlan protocol group command Inte...

Page 551: ...tion for the llc_other frame type is ipx_raw The options for all other frames types include ip arp rarp and user defined 0801 FFFF hexadecimal Default Setting No protocol groups are configured Command Mode Global Configuration Example The following creates protocol group 1 and specifies Ethernet frames with IP and ARP protocol types protocol vlan protocol group Configuring Interfaces This command ...

Page 552: ...ccording to the standard rules applied to tagged frames If the frame is untagged and the protocol type matches the frame is forwarded to the appropriate VLAN If the frame is untagged but the protocol type does not match the frame is forwarded to the default VLAN for this interface Example The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol g...

Page 553: ...it Stack unit Range 1 port Port number Range 1 26 50 port channel channel id Range 1 32 Default Setting The mapping for all interfaces is displayed Command Mode Privileged Exec Example This shows that traffic entering Port 1 that matches the specifications for protocol group 1 will be mapped to VLAN 2 Console show protocol vlan protocol group ProtocolGroup ID Frame Type Protocol Type 1 ethernet 08...

Page 554: ...it is recommended to isolate the Voice over IP VoIP network traffic from other data traffic Traffic isolation helps prevent excessive packet delays packet loss and jitter which results in higher voice quality This is best achieved by assigning all VoIP traffic to a single VLAN VoIP traffic can be detected on switch ports by using the source MAC address of packets or by using LLDP IEEE 802 1AB to d...

Page 555: ...detection and specifies the Voice VLAN ID as 1234 voice vlan aging This command sets the Voice VLAN ID time out Use the no form to restore the default Syntax voice vlan aging minutes no voice vlan minutes Specifies the port Voice VLAN membership time out Range 5 43200 minutes Default Setting 1440 minutes Command Mode Global Configuration Command Usage The Voice VLAN aging time is the time after wh...

Page 556: ...ne Command Mode Global Configuration Command Usage VoIP devices attached to the switch can be identified by the manufacturer s Organizational Unique Identifier OUI in the source MAC address of received packets OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses The MAC OUI numbers for VoIP equipment can be configured on the switch so that traffic from ...

Page 557: ...r OUI or 802 1ab LLDP using the switchport voice vlan rule command page 4 257 When OUI is selected be sure to configure the MAC address ranges in the Telephony OUI list using the voice vlan mac address command page 4 256 Example The following example sets port 1 to Voice VLAN auto mode switchport voice vlan rule This command selects a method for detecting VoIP traffic on a port Use the no form to ...

Page 558: ... Use the no form to disable filtering on a port Syntax no switchport voice vlan security Default Setting Disabled Command Mode Interface Configuration Command Usage Security filtering discards any non VoIP packets received on the port that are tagged with the voice VLAN ID VoIP traffic is identified by source MAC addresses configured in the Telephony OUI list or through LLDP that discovers VoIP de...

Page 559: ...he port VoIP traffic on the Voice VLAN The priority of any received VoIP packet is overwritten with the new priority when the Voice VLAN feature is active for the port Example The following example sets the CoS priority to 5 on port 1 show voice vlan This command displays the Voice VLAN settings on the switch and the OUI Telephony list Syntax show voice vlan oui status oui Displays the OUI Telepho...

Page 560: ...n be used by SNMP applications to simplify troubleshooting enhance network management and maintain an accurate network topology Console show voice vlan status Global Voice VLAN Status Voice VLAN Status Enabled Voice VLAN ID 1234 Voice VLAN aging time 1440 minutes Voice VLAN Port Summary Port Mode Security Rule Priority Eth 1 1 Auto Enabled OUI 6 Eth 1 2 Disabled Disabled OUI 6 Eth 1 3 Manual Enabl...

Page 561: ...nfigures an LLDP enabled port to advertise its system capabilities IC 4 269 lldp basic tlv system description Configures an LLDP enabled port to advertise the system description IC 4 270 lldp basic tlv system name Configures an LLDP enabled port to advertise its system name IC 4 270 lldp dot1 tlv proto ident Configures an LLDP enabled port to advertise the supported protocols IC 4 271 lldp dot1 tl...

Page 562: ...ault Setting Holdtime multiplier 4 TTL 4 30 120 seconds lldp med tlv med cap Configures an LLDP MED enabled port to advertise its Media Endpoint Device capabilities IC 4 275 lldp med tlv network policy Configures an LLDP MED enabled port to advertise its network policy configuration IC 4 276 show lldp config Shows LLDP configuration settings for all ports PE 4 276 show lldp info local device Shows...

Page 563: ... Configuration Command Usage The MED Fast Start Count parameter is part of the timer which ensures that the LLDP MED Fast Start mechanism is active for the port LLDP MED Fast Start is critical to the timely startup of LLDP and therefore integral to the rapid availability of Emergency Call Service Example lldp notification interval This command configures the allowed interval for sending SNMP notif...

Page 564: ...geTime to detect any lldpRemTablesChange notification events missed due to throttling or transmission loss Example lldp refresh interval This command configures the periodic transmit interval for LLDP advertisements Use the no form to restore the default setting Syntax lldp refresh interval seconds no lldp refresh delay seconds Specifies the periodic interval at which LLDP advertisements are sent ...

Page 565: ...ated with this port is deleted Example lldp tx delay This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables Use the no form to restore the default setting Syntax lldp tx delay seconds no lldp tx delay seconds Specifies the transmit delay Range 1 8192 seconds Default Setting 2 seconds Command Mode Global Configuration ...

Page 566: ...Mode Interface Configuration Ethernet Port Channel Example lldp notification This command enables the transmission of SNMP trap notifications about LLDP changes Use the no form to disable LLDP notifications Syntax no lldp notification Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This option sends out SNMP trap notifications to designated target s...

Page 567: ...t Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This option sends out SNMP trap notifications to designated target stations at the interval specified by the lldp notification interval command page 4 263 Trap notifications include information about state changes in the LLDP MIB IEEE 802 1AB the LLDP MED MIB ANSI TIA 1057 or organization specific LLDP EXT D...

Page 568: ...rdware component or protocol entity associated with this address The interface number and OID are included to assist SNMP applications to perform network discovery by indicating enterprise specific or other starting points for the search such as the Interface or Entity MIB Since there are typically a number of different addresses associated with a Layer 3 device an individual LLDP PDU may contain ...

Page 569: ...basic tlv system capabilities This command configures an LLDP enabled port to advertise its system capabilities Use the no form to disable this feature Syntax no lldp basic tlv system capabilities Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage The system capabilities identifies the primary function s of the system and whether or not these primary f...

Page 570: ...ystem and networking software Example lldp basic tlv system name This command configures an LLDP enabled port to advertise the system name Use the no form to disable this feature Syntax no lldp basic tlv system name Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage The system name is taken from the sysName object in RFC 3418 which contains the system ...

Page 571: ...es an LLDP enabled port to advertise port related VLAN information Use the no form to disable this feature Syntax no lldp dot1 tlv proto vid Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This option advertises the port based and protocol based VLANs configured on this interface see Configuring VLAN Interfaces on page 4 232 and Configuring Protocol...

Page 572: ...p dot1 tlv vlan name This command configures an LLDP enabled port to advertise its VLAN name Use the no form to disable this feature Syntax no lldp dot1 tlv vlan name Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This option advertises the name of all VLANs to which this interface has been assigned See switchport allowed vlan on page 4 236 and pro...

Page 573: ... member Example lldp dot3 tlv mac phy This command configures an LLDP enabled port to advertise its MAC and physical layer capabilities Use the no form to disable this feature Syntax no lldp dot3 tlv mac phy Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This option advertises MAC PHY configuration status which includes information about auto negot...

Page 574: ...d tlv inventory This command configures an LLDP MED enabled port to advertise its inventory identification details Use the no form to disable this feature Syntax no lldp med tlv inventory Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This option advertises device details useful for inventory management such as manufacturer model software version a...

Page 575: ...an LLDP MED enabled port to advertise its Media Endpoint Device capabilities Use the no form to disable this feature Syntax no lldp med tlv med cap Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This option advertises LLDP MED TLV capabilities allowing Media Endpoint and Connectivity Devices to efficiently discover which LLDP MED related TLVs are s...

Page 576: ...in the discovery and diagnosis of VLAN configuration mismatches on a port Improper network policy configurations frequently result in voice quality degradation or complete service disruption Example show lldp config This command shows LLDP configuration settings for all ports Syntax show lldp config detail interface detail Shows configuration summary interface ethernet unit port unit Stack unit Ra...

Page 577: ...x True Eth 1 2 Tx Rx True Eth 1 3 Tx Rx True Eth 1 4 Tx Rx True Eth 1 5 Tx Rx True Console show lldp config detail ethernet 1 1 LLDP Port Configuration Detail Port Eth 1 1 Admin Status Tx Rx Notification Enabled True Basic TLVs Advertised port description system name system description system capabilities management ip address 802 1 specific TLVs Advertised port vid vlan name proto vlan proto iden...

Page 578: ...Name System Description DG GS1550 System Capabilities Support Bridge System Capabilities Enabled Bridge Management Address 192 168 226 232 IPv4 LLDP Port Information Interface PortID Type PortID PortDesc Eth 1 1 MAC Address 00 01 02 03 04 06 Ethernet Port on unit 1 port 1 Eth 1 2 MAC Address 00 01 02 03 04 07 Ethernet Port on unit 1 port 2 Eth 1 3 MAC Address 00 01 02 03 04 08 Ethernet Port on uni...

Page 579: ...onfiguration settings for remote devices attached to an LLDP enabled port Syntax show lldp info remote device detail interface detail Shows detailed information interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 52 port channel channel id Range 1 8 Command Mode Privileged Exec ...

Page 580: ... Bridge Remote Management Address 192 168 0 4 IPv4 Remote Port VID 1 Remote VLAN Name VLAN 1 DefaultVlan Remote Protocol Identity Hex 88 CC Remote MAC PHY configuration status Remote port auto neg supported Yes Remote port auto neg enabled Yes Remote port auto neg advertised cap Hex 6C00 Remote port MAU type 16 Remote Power Via Mdi Remote power class PSE Remote power mdi supported Yes Remote power...

Page 581: ...itch show lldp info statistics LLDP Device Statistics Neighbor Entries List Last Updated 2450279 seconds New Neighbor Entries Count 1 Neighbor Entries Deleted Count 0 Neighbor Entries Dropped Count 0 Neighbor Entries Ageout Count 0 Interface NumFramesRecvd NumFramesSent NumFramesDiscarded Eth 1 1 10 11 0 Eth 1 2 0 0 0 Eth 1 3 0 0 0 Eth 1 4 0 0 0 Eth 1 5 0 0 0 switch show lldp info statistics detai...

Page 582: ... for untagged frames sets queue weights and maps class of service tags to hardware queues 4 282 Priority Layer 3 and 4 Sets the default priority processing method CoS IP Precedence or DSCP and maps TCP ports IP precedence tags or IP DSCP tags to class of service values 4 288 Table 4 78 Priority Commands Layer 2 Command Function Mode Page queue mode Sets the queue mode to strict priority or Weighte...

Page 583: ...ority queues are serviced WRR uses a relative weight for each queue which determines the number of packets the switch transmits every time it services a queue before moving on to the next queue Thus a queue weighted 8 will be allowed to transmit up to 8 packets after which the next lower priority queue will be serviced according to it s weighting This prevents the head of line blocking that can oc...

Page 584: ...mes that do not have VLAN tags are tagged with the input port s default ingress user priority and then placed in the appropriate priority queue at the output port The default priority for all ingress ports is zero Therefore any inbound frames that do not have priority tags will be placed in queue 0 of the output port Note that if the output port is an untagged member of the associated VLAN these f...

Page 585: ...is prevents the head of line blocking that can occur with strict priority queuing Example This example shows how to assign WRR weights to priority queues 0 2 Related Commands show queue bandwidth 4 287 queue cos map This command assigns class of service CoS values to the priority queues i e hardware output queues 0 3 Use the no form set the CoS map to the default values Syntax queue cos map queue ...

Page 586: ...ress port Example The following example shows how to change the CoS assignments Related Commands show queue cos map 4 287 show queue mode This command shows the current queue mode Default Setting None Command Mode Privileged Exec Example Table 4 79 Default CoS Values to Egress Queues Queue 0 1 2 3 Priority 1 2 0 3 4 5 6 7 Console config interface ethernet 1 1 Console config if queue cos map 0 0 Co...

Page 587: ...ws the class of service priority map Syntax show queue cos map interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 26 50 port channel channel id Range 1 32 Default Setting None Command Mode Privileged Exec Example Console show queue bandwidth Queue ID Weight 0 1 1 2 2 4 3 8 Console Console show queue cos map ethernet 1 1 Information of Eth 1 1 Traffic Class 0 1 ...

Page 588: ...ort mapping globally Table 4 80 Priority Commands Layer 3 and 4 Command Function Mode Page map ip port Enables TCP UDP class of service mapping GC 4 288 map ip port Maps TCP UDP socket to a class of service IC 4 289 map ip precedence Enables IP precedence class of service mapping GC 4 289 map ip precedence Maps IP precedence value to a class of service IC 4 290 map ip dscp Enables IP DSCP class of...

Page 589: ...tchport priority This command sets the IP port priority for all interfaces Example The following example shows how to map HTTP traffic to CoS value 0 map ip precedence Global Configuration This command enables IP precedence mapping i e IP Type of Service Use the no form to disable IP precedence mapping Syntax no map ip precedence Default Setting Disabled Command Mode Global Configuration Command U...

Page 590: ...edence or IP DSCP and default switchport priority IP Precedence values are mapped to default Class of Service values on a one to one basis according to recommendations in the IEEE 802 1p standard and then subsequently mapped to the eight hardware priority queues This command sets the IP Precedence for all interfaces Example The following example shows how to map IP precedence value 1 to CoS value ...

Page 591: ...ty Use the no form to restore the default table Syntax map ip dscp dscp value cos cos value no map ip dscp dscp value 8 bit DSCP value Range 0 63 cos value Class of Service value Range 0 7 Default Setting The DSCP default values are defined in the following table Note that all the DSCP values that are not specified are mapped to CoS value 0 Command Mode Interface Configuration Ethernet Port Channe...

Page 592: ...alue 1 to CoS value 0 show map ip port This command shows the IP port priority map Syntax show map ip port interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 26 50 port channel channel id Range 1 32 Command Mode Privileged Exec Example The following shows that HTTP traffic has been mapped to CoS value 0 Related Commands map ip port Global Configuration 4 288 ma...

Page 593: ...ip precedence Global Configuration 4 289 map ip precedence Interface Configuration 4 290 show map ip dscp This command shows the IP DSCP priority map Syntax show map ip dscp interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 26 50 port channel channel id Range 1 32 Default Setting None Console show map ip precedence ethernet 1 5 Precedence mapping status disabl...

Page 594: ...lated Commands map ip dscp Global Configuration 4 290 map ip dscp Interface Configuration 4 291 Console show map ip dscp ethernet 1 1 DSCP mapping status disabled Port DSCP COS Eth 1 1 0 0 Eth 1 1 1 0 Eth 1 1 2 0 Eth 1 1 3 0 Eth 1 1 61 0 Eth 1 1 62 0 Eth 1 1 63 0 Console ...

Page 595: ...ass configuration mode A policy map can contain multiple class statements Table 4 83 Quality of Service Commands Command Function Mode Page class map Creates a class map for a type of traffic GC 4 296 match Defines the criteria used to classify traffic CM 4 297 rename Redefines the name of a class map CM 4 298 description Specifies the description of a class map CM 4 298 policy map Creates a polic...

Page 596: ...figuration mode Use the no form to delete a class map and return to Global configuration mode Syntax no class map class map name match any match any Match any condition within a class map class map name Name of the class map Range 1 16 characters Default Setting None Command Mode Global Configuration Command Usage First enter this command to designate a class map and enter the Class Map configurat...

Page 597: ... Map configuration mode Then use the match command to specify the fields within ingress packets that must match to qualify for this class map Only one match command can be entered per class map Example This example creates a class map called rd_class 1 and sets it to match packets marked for DSCP service value 3 This example creates a class map call rd_class 2 and sets it to match packets marked f...

Page 598: ...ion This command specifies the description of a class map or policy map Syntax description string string Description of the class map or policy map Range 1 64 characters Command Mode Class Map Configuration Policy Map Configuration Example Console config class map rd class 1 Console config cmap rename rd class 9 Console config cmap Console config class map rd_class 1 Console config cmap descriptio...

Page 599: ...te a Class Map page 4 299 before assigning it to a Policy Map Example This example creates a policy called rd_policy uses the class command to specify the previously defined rd_class uses the set command to classify the service that incoming packets will receive and then uses the police command to limit the average bandwidth to 100 000 Kbps the burst rate to 1522 bytes and configure the response t...

Page 600: ...e set command to classify the service that incoming packets will receive and then uses the police command to limit the average bandwidth to 100 000 Kbps the burst rate to 1522 bytes and configure the response to drop any violating packets set This command services IP traffic by setting a CoS DSCP or IP Precedence value in a matching packet as specified by the match command on page 4 297 Use the no...

Page 601: ...s lower burst byte Burst in bytes Range 64 1522 bytes drop Drop packet when specified rate or burst are exceeded set Set DSCP service to the specified value Range 0 63 Default Setting Drop out of profile packets Command Mode Policy Map Class Configuration Command Usage You can configure up to 64 policers i e meters or class maps for each of the following access list types MAC ACL IP ACL including ...

Page 602: ...licy map name input Apply to the input traffic policy map name Name of the policy map for this interface Range 1 16 characters Default Setting No policy map is attached to an interface Command Mode Interface Configuration Ethernet Port Channel Command Usage You can only assign one policy map to an interface You must first define a class map then define a policy map and finally use the service poli...

Page 603: ...e QoS policy maps which define classification criteria for incoming traffic and may include policers for bandwidth limitations Syntax show policy map policy map name class class map name policy map name Name of the policy map Range 1 16 characters class map name Name of the class map Range 1 16 characters Default Setting Displays all policy maps and all classes Command Mode Privileged Exec Console...

Page 604: ...net unit port unit Stack unit Range 1 port Port number Range 1 26 50 port channel channel id Range 1 32 Command Mode Privileged Exec Example Console show policy map Policy Map rd_policy class rd_class set ip dscp 3 Console show policy map rd_policy class rd_class Policy Map rd_policy class rd_class set ip dscp 3 Console Console show policy map interface ethernet 1 5 Service policy rd_policy input ...

Page 605: ...Query Configures IGMP query parameters for multicast filtering at Layer 2 4 310 Static Multicast Routing Configures static multicast router ports 4 314 IGMP Filtering and Throttling Configures IGMP filtering and throttling 4 316 Multicast VLAN Registration Configures a single network wide multicast VLAN shared by hosts residing in other standard or private VLAN groups preserving security and data ...

Page 606: ...form to remove the port Syntax no ip igmp snooping vlan vlan id static ip address interface vlan id VLAN ID Range 1 4094 ip address IP address for multicast group interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 26 50 port channel channel id Range 1 32 Default Setting None Command Mode Global Configuration Example The following shows how to statically configure a multi...

Page 607: ...ions 2 and 3 are backward compatible so the switch can operate with other devices regardless of the snooping version employed Some commands are only enabled for IGMPv2 and or v3 including ip igmp snooping querier ip igmp snooping query max response time ip igmp snooping query interval and ip igmp snooping immediate leave Example The following configures the switch to use IGMP Version 1 ip igmp sno...

Page 608: ...ember query timer for that port Example ip igmp snooping immediate leave This command immediately deletes a member port of a multicast service if a leave packet is received at that port and immediate leave is enabled for the parent VLAN Use the no form to restore the default Syntax no ip igmp snooping immediate leave Default Setting Disabled Command Mode Interface Configuration VLAN Command Usage ...

Page 609: ...w mac address table multicast This command shows known multicast addresses Syntax show mac address table multicast vlan vlan id user igmp snooping vlan id VLAN ID 1 to 4094 user Display only the user configured multicast entries igmp snooping Display only entries learned through IGMP snooping Default Setting None Console config interface vlan 1 Console config if ip igmp snooping immediate leave Co...

Page 610: ...ip igmp snooping querier Default Setting Enabled Command Mode Global Configuration Console show mac address table multicast vlan 1 igmp snooping VLAN M cast IP addr Member ports Type 1 224 1 2 3 Eth1 11 IGMP Console Table 4 86 IGMP Query Commands Layer 2 Command Function Mode Page ip igmp snooping querier Allows this device to act as the querier for IGMP snooping GC 4 310 ip igmp snooping query co...

Page 611: ...p a client from the multicast group Range 2 10 Default Setting 2 times Command Mode Global Configuration Command Usage The query count defines how long the querier waits for a response from a multicast client before taking action If a querier has sent a number of queries defined by this command but a client has not responded a countdown timer is started using the time defined by ip igmp snooping q...

Page 612: ... igmp snooping query max response time seconds no ip igmp snooping query max response time seconds The report delay advertised in IGMP queries Range 5 25 Default Setting 10 seconds Command Mode Global Configuration Command Usage The switch must be using IGMPv2 v3 snooping for this command to take effect This command defines the time after a query during which a response is expected from a multicas...

Page 613: ...g router port expire time seconds The time the switch waits after the previous querier stops before it considers it to have expired Range 300 500 Default Setting 300 seconds Command Mode Global Configuration Command Usage The switch must use IGMPv2 v3 snooping for this command to take effect Example The following shows how to configure the default timeout to 300 seconds Related Commands ip igmp sn...

Page 614: ...ports are configured Command Mode Global Configuration Command Usage Depending on your network connections IGMP snooping may not always be able to locate the IGMP querier Therefore if the IGMP querier is a known multicast router switch connected over the network to an interface port or trunk on your router you can manually configure that interface to join all the current multicast groups Example T...

Page 615: ...lan vlan id vlan id VLAN ID Range 1 4094 Default Setting Displays multicast router ports for all configured VLANs Command Mode Privileged Exec Command Usage Multicast router port types displayed include Static Example The following shows that port 11 in VLAN 1 is attached to a multicast router Console show ip igmp snooping mrouter vlan 1 VLAN M cast Router Ports Type 1 Eth 1 11 Static 2 Eth 1 12 S...

Page 616: ...orts received on the port are checked against the filter profile If a requested multicast group is permitted the IGMP join report is forwarded as normal If a requested multicast group is denied the IGMP join report is dropped IGMP filtering and throttling only applies to dynamically learned multicast groups it does not apply to statically configured groups Table 4 88 IGMP Filtering and Throttling ...

Page 617: ...ration Command Usage A profile defines the multicast groups that a subscriber is permitted or denied to join The same profile can be applied to many interfaces but only one profile can be assigned to one interface Each profile has only one access mode either permit or deny Example permit deny This command sets the access mode for an IGMP filter profile Use the no form to delete a profile number Sy...

Page 618: ... the end of a multicast group range Default Setting None Command Mode IGMP Profile Configuration Command Usage Enter this command multiple times to specify more than one multicast address or address range for a profile Example ip igmp filter Interface Configuration This command assigns an IGMP filtering profile to an interface on the switch Use the no form to remove a profile from an interface Syn...

Page 619: ...groups number The maximum number of multicast groups an interface can join at the same time Range 0 64 Default Setting 64 Command Mode Interface Configuration Command Usage IGMP throttling sets a maximum number of multicast groups that a port can join at the same time When the maximum number of groups is reached on a port the switch can take one of two actions either deny or replace If the action ...

Page 620: ...e If the action is set to deny any new IGMP join reports will be dropped If the action is set to replace the switch randomly removes an existing group and replaces it with the new multicast group Example show ip igmp filter This command displays the global and interface settings for IGMP filtering Syntax show ip igmp filter interface interface interface ethernet unit port unit Stack unit Range 1 p...

Page 621: ... Range 1 4294967295 Default Setting None Command Mode Privileged Exec Example Console show ip igmp filter IGMP filter enabled Console show ip igmp filter interface ethernet 1 1 Ethernet 1 1 information IGMP Profile 19 Deny range 239 1 1 1 239 1 1 1 range 239 2 3 1 239 2 3 100 Console Console show ip igmp profile IGMP Profile 19 IGMP Profile 50 Console show ip igmp profile 19 IGMP Profile 19 Deny r...

Page 622: ...it port unit Stack unit Range 1 port Port number Range 1 26 50 port channel channel id Range 1 32 Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays all interfaces Example Console show ip igmp throttle interface ethernet 1 1 Eth 1 1 Information Status TRUE Action Deny Max Multicast Groups 32 Current Multicast Groups 0 Console...

Page 623: ...m with the group keyword to remove a specific address or range of addresses Or use the no form with the vlan keyword restore the default MVR VLAN Syntax no mvr group ip address count vlan vlan id group Defines a multicast service sent to all attached subscribers ip address IP address for an MVR multicast group Range 224 0 1 0 239 255 255 255 count The number of contiguous MVR group addresses Range...

Page 624: ...s members of the MVR VLAN using the switchport allowed vlan command page 4 236 and switchport native vlan command page 4 235 but MVR receiver ports should not be statically configured as members of this VLAN IGMP snooping must be enabled to a allow a subscriber to dynamically join or leave an MVR group see ip igmp snooping on page 4 306 Note that only IGMP version 2 or 3 hosts can issue multicast ...

Page 625: ...led No receiver port is a member of any configured multicast group Command Mode Interface Configuration Ethernet Port Channel Command Usage A port which is not configured as an MVR receiver or source port can use IGMP snooping to join or leave multicast groups using the standard rules for multicast filtering Receiver ports can belong to different VLANs but should not be configured as a member of t...

Page 626: ...r 3 hosts can issue multicast join or leave messages Example The following configures one source port and several receiver ports on the switch enables immediate leave on one of the receiver ports and statically assigns a multicast group to another receiver port show mvr This command shows information about the global MVR configuration settings when entered without any keywords the interfaces attac...

Page 627: ...ps 10 Console Table 4 90 show mvr display description Field Description MVR Status Shows if MVR is globally enabled on the switch MVR running status Indicates whether or not all necessary conditions in the MVR environment are satisfied MVR multicast vlan Shows the VLAN used to transport all MVR multicast traffic MVR Max Multicast Groups Shows the maximum number of multicast groups which can assign...

Page 628: ...0 0 2 INACTIVE None 225 0 0 3 INACTIVE None 225 0 0 4 INACTIVE None 225 0 0 5 INACTIVE None 225 0 0 6 INACTIVE None 225 0 0 7 INACTIVE None 225 0 0 8 INACTIVE None 225 0 0 9 INACTIVE None 225 0 0 10 INACTIVE None Console Table 4 92 show mvr members display description Field Description MVR Group IP Multicast groups assigned to the MVR VLAN Status Shows whether or not the there are active subscribe...

Page 629: ...ress1 Corresponding IP address address2 address8 Additional corresponding IP addresses Default Setting No static entries Command Mode Global Configuration Table 4 93 DNS Commands Command Function Mode Page ip host Creates a static host name to address mapping GC 4 329 clear host Deletes entries from the host name to address table PE 4 330 ip domain name Defines a default domain name for incomplete...

Page 630: ...ll entries Default Setting None Command Mode Privileged Exec Example This example clears all static entries from the DNS table ip domain name This command defines the default domain name appended to incomplete host names i e host names passed from a client that are not formatted with dotted notation Use the no form to remove the current domain name Syntax ip domain name name no ip domain name name...

Page 631: ...m the domain name Range 1 64 characters Default Setting None Command Mode Global Configuration Command Usage Domain names are added to the end of the list one at a time When an incomplete host name is received by the DNS service on this switch it will work through the domain list appending each domain name in the list to the host name and checking with the specified name servers for a match If the...

Page 632: ...ddress6 server address1 IP address of domain name server server address2 server address6 IP address of additional domain name servers Default Setting None Command Mode Global Configuration Command Usage The listed name servers are queried in the specified sequence until a response is received or the end of the list is reached with no response Console config ip domain list sample com jp Console con...

Page 633: ...fied before you can enable DNS If all name servers are deleted DNS will automatically be disabled Example This example enables DNS and then displays the configuration Console config ip domain server 192 168 1 55 10 1 0 55 Console config end Console show dns Domain Lookup Status DNS disabled Default Domain Name sample com Domain Name List sample com jp sample com uk Name Server List 192 168 1 55 10...

Page 634: ...s an alias if it is mapped to the same address es as a previously configured entry show dns This command displays the configuration of the DNS service Command Mode Privileged Exec Example Console show hosts Hostname rd5 Inet address 10 1 0 55 192 168 1 55 Alias 1 rd6 Console Console show dns Domain Lookup Status DNS enabled Default Domain Name sample com Domain Name List sample com jp sample com u...

Page 635: ...CNAME graphics8 nytimes com 19 POINTER TO 2 4 4 CNAME graphics478 nytimes com edgesui 19 POINTER TO 2 Console Table 4 94 show dns cache display description Field Description NO The entry number for each resource record FLAG The flag is always 4 indicating a cache entry and therefore unreliable TYPE This field includes ADDRESS which specifies the host address for the owner and CNAME which specifies...

Page 636: ...ssociated IP subnet This mask identifies the host address bits used for routing to specific subnets bootp Obtains IP address from BOOTP dhcp Obtains IP address from DHCP Default Setting DHCP Command Mode Interface Configuration VLAN Table 4 95 IP Interface Commands Command Function Mode Page IP Configuration Commands ip address Sets the IP address for the current interface IC 4 336 ip default gate...

Page 637: ...s the default is VLAN 1 This defines the management VLAN the only VLAN through which you can gain management access to the switch If you assign an IP address to any other VLAN the new IP address overrides the original IP address and this becomes the new management VLAN Example In the following example the device is assigned an address in VLAN 1 Related Commands ip dhcp restart 4 338 ip default gat...

Page 638: ...lable If the BOOTP or DHCP server has been moved to a different domain the network portion of the address provided to the client will be based on this new domain Example In the following example the device is reassigned the same address Related Commands ip address 4 336 show ip interface This command displays the settings of an IP interface Default Setting All interfaces Command Mode Privileged Ex...

Page 639: ...e actual packet size will be eight bytes larger than the size specified because the switch adds header information count Number of packets to send Range 1 16 default 5 Default Setting This command has no default for the host Command Mode Normal Exec Privileged Exec Command Usage Use the ping command to see if another site on the network can be reached Following are some results of the ping command...

Page 640: ...uding the corresponding IP address MAC address type dynamic other and VLAN interface Note that entry type other indicates local addresses for this switch Example This example displays all entries in the ARP cache Console ping 10 1 0 9 Type ESC to abort PING to 10 1 0 9 by 5 32 byte payload ICMP packets timeout is 5 seconds response time 10 ms response time 10 ms response time 10 ms response time 1...

Page 641: ...es from the Address Resolution Protocol ARP cache Command Mode Privileged Exec Example This example clears all dynamic entries in the ARP cache Console clear arp cache This operation will delete all the dynamic entries in ARP Cache Are you sure to continue this operation y n y Console ...

Page 642: ...Command Line Interface 4 342 4 ...

Page 643: ... 1000 Mbps at full duplex SFP Flow Control Full Duplex IEEE 802 3 2002 Half Duplex Back pressure Storm Control Broadcast multicast or unknown unicast traffic throttled above a critical threshold Port Mirroring Multiple source ports one destination port Rate Limits Input output limits Range configured per port Port Trunking Static trunks Cisco EtherChannel compliant Dynamic trunks Link Aggregation ...

Page 644: ...MP Simple Network Management Protocol SNTP Simple Network Time Protocol Switch Clustering Management Features In Band Management Telnet Web based HTTP or HTTPS SNMP manager or Secure Shell Out of Band Management RS 232 console port Software Loading TFTP in band or XModem out of band SNMP Management access via MIB database Trap management to specified hosts RMON Groups 1 2 3 9 Statistics History Al...

Page 645: ...FC DRAFT 2273 2576 3410 3411 3414 3415 SNTP RFC 2030 SSH Version 2 0 TELNET RFC 854 855 856 TFTP RFC 1350 Management Information Bases Bridge MIB RFC 1493 Differentiated Services MIB RFC 3289 DNS Resolver MIB RFC 1612 Entity MIB RFC 2737 Ether like MIB RFC 3635 Extended Bridge MIB RFC 2674 Extensible SNMP Agents MIB RFC 2742 Forwarding Table MIB RFC 2096 IGMP MIB RFC 2933 Interface Group MIB RFC 2...

Page 646: ...onfiguration Group RFC 2021 partial implementation SNMP Community MIB RFC 3584 SNMP Framework MIB RFC 3411 SNMP MPD MIB RFC 3412 SNMP Target MIB SNMP Notification MIB RFC 3413 SNMP User Based SM MIB RFC 3414 SNMP View Based ACM MIB RFC 3415 SNMPv2 IP MIB RFC 2011 TACACS Authentication Client MIB TCP MIB RFC 2012 Trap RFC 1215 UDP MIB RFC 2013 ...

Page 647: ...t Telnet SSH sessions permitted Try connecting again at a later time Cannot connect using Secure Shell If you cannot connect using SSH you may have exceeded the maximum number of concurrent Telnet SSH sessions permitted Try connecting again at a later time Be sure the control parameters for the SSH server are properly configured on the switch and that the SSH client software is properly configured...

Page 648: ...r messages reported to include all categories 3 Designate the SNMP host that is to receive the error messages 4 Repeat the sequence of commands or other actions that lead up to the error 5 Make a list of the commands or circumstances that led to the fault Also make a list of any error messages displayed 6 Contact your distributor s service engineer For example Console config logging on Console con...

Page 649: ...to enforce priority service and prevent blockage of lower level queues Priority may be set according to the port default the packet s priority bit in the VLAN tag TCP UDP port number or DSCP priority bit Differentiated Services DiffServ DiffServ provides quality of service on large networks by employing a well defined set of building blocks from which a variety of aggregate forwarding behaviors ma...

Page 650: ...y the network access rights for any device that is plugged into the switch A user name and password is requested by the switch and then passed to an authentication server e g RADIUS for verification EAPOL is implemented as part of the IEEE 802 1X Port Authentication standard GARP VLAN Registration Protocol GVRP Defines a way for switches to exchange VLAN information in order to register necessary ...

Page 651: ...nning Tree Protocol RSTP which reduces the convergence time for network topology changes to about 10 of that required by the older IEEE 802 1D STP standard Now incorporated in IEEE 802 1D 2004 IEEE 802 1X Port Authentication controls access to the switch ports by requiring users to first enter a user ID and password for authentication IEEE 802 3ac Defines frame extensions for VLAN tagging IEEE 802...

Page 652: ...edence The Type of Service ToS octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic The eight values are mapped one to one to the Class of Service categories by default but may be configured differently to suit the requirements for specific network applicatio...

Page 653: ... MVR simplifies the configuration of multicast services by using a common VLAN for distribution while still preserving security and data isolation for subscribers residing in both the MVR VLAN and other standard or private VLAN groups Multiple Spanning Tree Protocol MSTP MSTP can provide an independent spanning tree for different VLANs It simplifies network management provides for even faster conv...

Page 654: ...e features effectively provide preferential treatment to specific flows either by raising the priority of one flow or limiting the priority of another flow Remote Authentication Dial in User Service RADIUS RADIUS is a logon authentication protocol that uses software running on a central server to control access to RADIUS compliant devices on the network Remote Monitoring RMON RMON provides compreh...

Page 655: ...g to a terminal device over TCP IP Terminal Access Controller Access Control System Plus TACACS TACACS is a logon authentication protocol that uses software running on a central server to control access to TACACS compliant devices on the network Transmission Control Protocol Internet Protocol TCP IP Protocol suite that includes TCP as the primary transport protocol and IP as the network layer prot...

Page 656: ...dless of their physical location or connection point in the network A VLAN serves as a logical workgroup with no physical barriers and allows users to share information and resources as though located on the same LAN XModem A protocol used to transfer files between devices Data is grouped in 128 byte blocks and error corrected ...

Page 657: ...pe 3 183 4 234 Access Control List See ACL ACL 3 96 4 155 binding to a port 3 103 4 160 IP Extended 3 96 3 99 4 155 4 158 IP Standard 3 96 3 98 4 155 4 157 MAC 3 101 4 161 4 162 4 164 address table 3 146 4 199 aging time 3 148 4 202 authentication MAC 3 95 4 138 MAC address authentication 3 90 4 138 MAC configuring ports 3 95 4 141 network access 3 90 4 138 public key 3 75 4 114 B BOOTP 3 18 4 336...

Page 658: ...aying the cache 3 249 4 334 domain name list 3 245 4 329 enabling lookup 3 245 4 333 name server list 3 245 4 332 static entries 3 247 4 329 Domain Name Service See DNS downloading software 3 20 4 36 DSA encryption 3 76 4 118 DSCP enabling 3 209 4 290 mapping priorities 3 211 4 291 dynamic addresses displaying 3 147 4 201 dynamic QoS assignment 4 139 E edge port STA 3 160 3 163 4 216 encryption DS...

Page 659: ... 153 setting filter criteria 3 111 4 151 J jumbo frame 3 19 4 34 K key private 3 74 4 113 public 3 74 4 113 user public importing 4 36 key pair host 3 74 4 113 host generating 3 76 4 118 L LACP group attributes configuring 3 123 4 185 group members configuring 3 123 local parameters 3 127 4 187 partner parameters 3 127 4 187 protocol message statistics 3 127 4 187 Link Layer Discovery Protocol See...

Page 660: ...ing 3 222 4 305 multicast groups 3 230 4 309 displaying 3 230 4 309 static 3 230 4 306 4 307 4 309 multicast services configuring 3 231 4 306 4 307 displaying 3 230 4 309 multicast storm threshold 3 132 4 173 multicast filtering and throttling 3 232 4 316 multicast static router port 3 229 4 191 4 314 MVR configuring 3 238 4 323 description 3 237 interface status configuring 3 242 4 325 interface ...

Page 661: ... 3 201 4 248 primary VLAN 3 194 4 246 promiscuous ports 3 194 4 245 Q QinQ Tunneling See 802 1Q tunnel QoS 3 214 4 295 configuring 3 215 4 295 dynamic assignment 4 139 Quality of Service See QoS queue weights 3 208 4 284 4 287 R RADIUS logon authentication 3 56 4 91 4 93 settings 3 56 4 93 rate limits setting 3 140 4 198 remote logging 3 29 4 55 restarting the system 3 33 4 14 4 16 at scheduled ti...

Page 662: ...g 3 20 4 28 setting 3 20 4 41 static addresses setting 3 146 4 199 statistics port 3 141 4 176 STP 3 154 4 204 STP Also see STA summary accounting 3 67 4 108 switch clustering for management 3 250 4 67 switch settings restoring 3 22 4 35 saving 4 35 system clock setting 3 34 4 62 setting manually 3 34 4 66 setting the time zone 3 35 4 65 setting with SNTP 3 34 4 62 4 64 system logs 3 28 4 52 syste...

Page 663: ...interface configuration 3 201 4 251 protocol system configuration 3 201 4 251 PVID 3 183 4 235 system mode QinQ 3 188 4 240 voice 4 254 voice VLANs 4 254 detecting VoIP devices 4 254 enabling for ports 4 257 4 259 identifying client devices 4 256 VoIP traffic 4 254 ports configuring 4 257 4 259 telephony OUI configuring 4 256 voice VLAN configuring 4 254 W Web interface access requirements 3 1 web...

Page 664: ...Index 8 Index ...

Page 665: ......

Reviews:

No comments

Related manuals for DG-GS1550

D-Link DGS-1224TP - Web Smart Switch User Manual preview
DGS-1224TP - Web Smart Switch
Brand: D-Link Pages: 52
D-Link DGS-1008P Quick Install Manual preview
DGS-1008P
Brand: D-Link Pages: 8
D-Link DES-3225G Series Technical Bulletin preview
DES-3225G Series
Brand: D-Link Pages: 3
D-Link DES-1228 - Web Smart Switch Manual preview
DES-1228 - Web Smart Switch
Brand: D-Link Pages: 69
D-Link DGS-1210-10P Reference Manual preview
DGS-1210-10P
Brand: D-Link Pages: 109
Barco DCS-100 Specifications preview
DCS-100
Brand: Barco Pages: 2
Delta EXPERT-POE-54G User Manual preview
EXPERT-POE-54G
Brand: Delta Pages: 4
3onedata TNS5800-8GP16GT-P24VDC Quick Installation Manual preview
TNS5800-8GP16GT-P24VDC
Brand: 3onedata Pages: 3
LIVOLO VL-C302S-61 Manual preview
VL-C302S-61
Brand: LIVOLO Pages: 14
WAGO 852-1102 Manual preview
852-1102
Brand: WAGO Pages: 36
Black Box KV1044A-R2 Specifications preview
KV1044A-R2
Brand: Black Box Pages: 4
Minicom DX DX 432 Operating Manual preview
DX 432
Brand: Minicom DX Pages: 36
Phonic MIDI HUB User Manual preview
MIDI HUB
Brand: Phonic Pages: 16
Zektor HD800-V2 User Manual preview
HD800-V2
Brand: Zektor Pages: 41
Lantech TGS-L6216XT User Manual preview
TGS-L6216XT
Brand: Lantech Pages: 24
BERNSTEIN CSMS-M-R-H-KA Installation And Operating Instructions Manual preview
CSMS-M-R-H-KA
Brand: BERNSTEIN Pages: 38
serverLink SL-271-H Quick Installation Manual preview
SL-271-H
Brand: serverLink Pages: 2
Madison M8000-C Installation And Maintenance preview
M8000-C
Brand: Madison Pages: 2

Brands by name

Popular brands

Load more brands