manualshive.com logo in svg

Digisol DG-GS4826S, Management Manual

The Digisol DG-GS4826S, an advanced network switch, offers seamless connectivity with 24 Gigabit Ethernet ports and 2 additional 10G SFP+ uplink ports. Simplify configuration and optimize network performance with the comprehensive Management Manual, available for free download exclusively at our website.

Share
Download
background image

C

HAPTER

 14

  |  Security Measures

AAA Authorization and Accounting

–  276  –

u

DHCP Snooping

 – Filter IP traffic on insecure ports for which the source 

address cannot be identified via DHCP snooping. 

N

OTE

:

 The priority of execution for the filtering commands is Port Security, 

Port Authentication, Network Access, Web Authentication, Access Control 

Lists, IP Source Guard, and then DHCP Snooping.

AAA A

UTHORIZATION

 

AND

 A

CCOUNTING

The Authentication, authorization, and accounting (AAA) feature provides 

the main framework for configuring access control on the switch. The three 

security functions can be summarized as follows:

u

Authentication — Identifies users that request access to the network.

u

Authorization — Determines if users can access specific services.

u

Accounting — Provides reports, auditing, and billing for services that 

users have accessed on the network.

The AAA functions require the use of configured RADIUS or  

servers in the network. The security servers can be defined as sequential 

groups that are applied as a method for controlling user access to specified 

services. For example, when the switch attempts to authenticate a user, a 

request is sent to the first server in the defined group, if there is no 

response the second server will be tried, and so on. If at any point a pass 

or fail is returned, the process stops.

The switch supports the following AAA features:

u

Accounting for IEEE 802.1X authenticated users that access the 

network through the switch.

u

Accounting for users that access management interfaces on the switch 

through the console and Telnet.

u

Accounting for commands that users enter at specific CLI privilege 

levels.

u

Authorization of users that access management interfaces on the 

switch through the console and Telnet. 

To configure AAA on the switch, you need to follow this general process:

1.

Configure RADIUS and  server access parameters. See 

"Configuring Local/Remote Logon Authentication" on page 277

.

2.

Define RADIUS and server groups to support the accounting 
and authorization of services.

Summary of Contents for DG-GS4826S

Page 1: ...850S Layer 3 Gigabit Ethernet Managed Switch Management Guide V1 1 2011 01 12 MUSTANG 4000 Managed Switch Series As our product undergoes continuous development the specifications are subject to change without prior notice ...

Page 2: ...DG GS4826S DG GS4850S E012011 R01 F1 2 2 0 ...

Page 3: ...gabit Combination Ports RJ 45 SFP 2 10 Gigabit Extender Module Slots and 2 Stacking Transceiver Cable Slots DG GS4850S GIGABIT ETHERNET SWITCH Layer 3 Switch with 44 10 100 1000BASE T RJ 45 Ports and 4 Gigabit Combination Ports RJ 45 SFP 2 10 Gigabit Extender Module Slots and 2 Stacking Transceiver Cable Slots ...

Page 4: ......

Page 5: ...nt information or calls your attention to related features or instructions CAUTION Alerts you to a potential hazard that could cause loss of data or damage the system or equipment WARNING Alerts you to a potential hazard that could cause personal injury RELATED PUBLICATIONS The following publication details the hardware features of the switch including the physical and performance related characte...

Page 6: ...ABOUT THIS GUIDE 6 ...

Page 7: ...ion 65 Access Control Lists 65 DHCP 65 Port Configuration 66 Rate Limiting 66 Port Mirroring 66 Port Trunking 66 Broadcast Storm Control 66 Static Addresses 66 IP Address Filtering 66 IEEE 802 1D Bridge 67 Store and Forward Switching 67 Spanning Tree Algorithm 67 Virtual LANs 68 IEEE 802 1Q Tunneling QinQ 68 Traffic Prioritization 68 Quality of Service 69 IP Routing 69 Equal cost Multipath Load Ba...

Page 8: ... Renumbering the Stack 80 Ensuring Consistent Code is Used Across the Stack 80 Basic Configuration 81 Console Connection 81 Setting Passwords 82 Setting an IP Address 82 Enabling SNMP Management Access 87 Managing System Files 90 Saving or Restoring Configuration Settings 90 SECTION II WEB CONFIGURATION 93 3 USING THE WEB INTERFACE 95 Connecting to the Web Interface 95 Navigating the Web Browser I...

Page 9: ...isplaying Memory Utilization 134 Renumbering the Stack 135 Resetting the System 136 5 INTERFACE CONFIGURATION 141 Port Configuration 141 Configuring by Port List 141 Configuring by Port Range 144 Displaying Connection Status 145 Configuring Port Mirroring 146 Showing Port or Trunk Statistics 148 Performing Cable Diagnostics 152 Trunk Configuration 154 Configuring a Static Trunk 155 Configuring a D...

Page 10: ...98 Mapping Protocol Groups to Interfaces 200 Configuring IP Subnet VLANs 202 Configuring MAC based VLANs 204 7 ADDRESS TABLE SETTINGS 207 Configuring MAC Address Learning 207 Setting Static Addresses 209 Changing the Aging Time 210 Displaying the Dynamic Address Table 211 Clearing the Dynamic Address Table 212 8 SPANNING TREE ALGORITHM 215 Overview 215 Configuring Loopback Detection 218 Configurin...

Page 11: ...ing Telephony OUI 273 Configuring VoIP Traffic Ports 274 14 SECURITY MEASURES 277 AAA Authorization and Accounting 278 Configuring Local Remote Logon Authentication 279 Configuring Remote Logon Authentication Servers 280 Configuring AAA Accounting 285 Configuring AAA Authorization 290 Configuring User Accounts 293 Web Authentication 294 Configuring Global Settings for Web Authentication 295 Config...

Page 12: ...333 Binding a Port to an Access Control List 335 ARP Inspection 336 Configuring Global Settings for ARP Inspection 337 Configuring VLAN Settings for ARP Inspection 339 Configuring Interface Settings for ARP Inspection 341 Displaying ARP Inspection Statistics 342 Displaying the ARP Inspection Log 343 Filtering IP Addresses for Management Access 344 Configuring Port Security 346 Configuring 802 1X P...

Page 13: ...88 Simple Network Management Protocol 390 Configuring Global Settings for SNMP 392 Setting the Local Engine ID 393 Specifying a Remote Engine ID 394 Setting SNMPv3 Views 396 Configuring SNMPv3 Groups 399 Setting Community Access Strings 402 Configuring Local SNMPv3 Users 404 Configuring Remote SNMPv3 Users 406 Specifying Trap Managers 409 Remote Monitoring 413 Configuring RMON Alarms 414 Configuri...

Page 14: ...guring Global MVR Settings 461 Configuring the MVR Group Range 462 Configuring MVR Interface Status 463 Assigning Static Multicast Groups to Interfaces 466 Showing Multicast Groups Assigned to Interfaces 467 17 IP CONFIGURATION 469 Setting the Switch s IP Address IP Version 4 469 Setting the Switch s IP Address IP Version 6 473 Configuring the IPv6 Default Gateway 473 Configuring IPv6 Interface Se...

Page 15: ...iguring General DNS Service Parameters 519 Configuring a List of Domain Names 520 Configuring a List of Name Servers 522 Configuring Static DNS Host to Address Entries 523 Displaying the DNS Cache 524 Dynamic Host Configuration Protocol 525 Specifying A DHCP Client Identifier 526 Configuring DHCP Relay Service 527 Configuring the DHCP Server 528 Forwarding UDP Service Requests 535 Enabling the UDP...

Page 16: ...Stub Areas 576 Configuring Area Ranges Route Summarization for ABRs 577 Redistributing External Routes 579 Configuring Summary Addresses for External AS Routes 581 Configuring OSPF Interfaces 583 Configuring Virtual Links 589 Displaying Link State Database Information 592 Displaying Information on Neighboring Routers 594 22 MULTICAST ROUTING 597 Overview 597 Configuring Global Settings for Multica...

Page 17: ...ering Commands 631 Keywords and Arguments 631 Minimum Abbreviation 631 Command Completion 631 Getting Help on Commands 632 Partial Keyword Lookup 633 Negating the Effect of Commands 633 Using Command History 634 Understanding Command Modes 634 Exec Commands 634 Configuration Commands 635 Command Line Processing 637 CLI Command Groups 638 24 GENERAL COMMANDS 641 prompt 641 reload Global Configurati...

Page 18: ... show running config 652 show startup config 654 show system 655 show tech support 656 show users 656 show version 657 Frame Size 658 jumbo frame 658 Fan Control 659 fan speed force full 659 File Management 659 boot system 660 copy 661 delete 664 dir 665 whichboot 666 Line 666 line 667 databits 668 exec timeout 669 login 669 parity 670 password 671 password thresh 672 silent time 673 speed 673 sto...

Page 19: ...ndmail 684 logging sendmail host 684 logging sendmail level 685 logging sendmail destination email 685 logging sendmail source email 686 show logging sendmail 686 Time 687 sntp client 687 sntp poll 688 sntp server 689 show sntp 689 clock timezone 690 calendar set 691 show calendar 691 Time Range 692 time range 692 absolute 693 periodic 693 show time range 694 26 SNMP COMMANDS 697 snmp server 698 s...

Page 20: ...2 snmp server notify filter 713 show nlm oper status 714 show snmp notify filter 715 27 REMOTE MONITORING COMMANDS 717 rmon alarm 718 rmon event 719 rmon collection history 720 rmon collection rmon1 721 show rmon alarms 721 show rmon events 722 show rmon history 722 show rmon statistics 722 28 FLOW SAMPLING COMMANDS 725 sflow destination 725 sflow max datagram size 726 sflow max header size 727 sf...

Page 21: ...erver retransmit 739 radius server timeout 739 show radius server 740 TACACS Client 740 tacacs server 741 tacacs server host 741 tacacs server key 742 tacacs server port 742 show tacacs server 743 AAA 743 aaa accounting commands 744 aaa accounting dot1x 745 aaa accounting exec 746 aaa accounting update 747 aaa authorization exec 747 aaa group server 748 server 749 accounting dot1x 749 accounting e...

Page 22: ... 763 ip ssh crypto zeroize 764 ip ssh save host key 765 show ip ssh 765 show public key 766 show ssh 767 802 1X Port Authentication 767 dot1x default 768 dot1x eapol pass through 768 dot1x system auth control 769 dot1x intrusion action 769 dot1x max req 770 dot1x operation mode 771 dot1x port control 772 dot1x re authentication 772 dot1x timeout quiet period 773 dot1x timeout re authperiod 773 dot...

Page 23: ...detection link up 791 network access link detection link up down 792 network access max mac count 792 network access mode mac authentication 793 network access port mac filter 794 mac authentication intrusion action 795 mac authentication max mac count 795 show network access 796 show network access mac address table 797 show network access mac filter 798 Web Authentication 798 web auth login atte...

Page 24: ...source guard max binding 816 show ip source guard 817 show ip source guard binding 817 ARP Inspection 818 ip arp inspection 819 ip arp inspection filter 820 ip arp inspection log buffer logs 821 ip arp inspection validate 822 ip arp inspection vlan 822 ip arp inspection limit 823 ip arp inspection trust 824 show ip arp inspection configuration 824 show ip arp inspection interface 825 show ip arp i...

Page 25: ...C ACL 841 mac access group 843 show mac access group 844 show mac access list 844 ARP ACLs 845 access list arp 845 permit deny ARP ACL 846 show arp access list 847 ACL Information 848 show access group 848 show access list 848 32 INTERFACE COMMANDS 849 interface 850 alias 850 capabilities 851 description 852 flowcontrol 853 media type 854 negotiation 854 shutdown 855 speed duplex 856 switchport pa...

Page 26: ...COMMANDS 883 auto traffic control apply timer 885 auto traffic control release timer 886 auto traffic control 887 auto traffic control action 888 auto traffic control alarm clear threshold 889 auto traffic control alarm fire threshold 890 auto traffic control auto control release 891 auto traffic control control release 891 snmp server enable port traps atc broadcast alarm clear 892 snmp server en...

Page 27: ...905 spanning tree hello time 905 spanning tree max age 906 spanning tree mode 907 spanning tree pathcost method 908 spanning tree priority 909 spanning tree mst configuration 909 spanning tree system bpdu flooding 910 spanning tree transmission limit 910 max hops 911 mst priority 912 mst vlan 912 name 913 revision 914 spanning tree bpdu filter 914 spanning tree bpdu guard 915 spanning tree cost 91...

Page 28: ...932 switchport gvrp 932 show bridge ext 933 show garp timer 933 show gvrp configuration 934 Editing VLAN Groups 934 vlan database 935 vlan 935 Configuring VLAN Interfaces 936 interface vlan 937 switchport acceptable frame types 937 switchport allowed vlan 938 switchport ingress filtering 939 switchport mode 940 switchport native vlan 941 vlan trunking 941 Displaying VLAN Information 943 show vlan ...

Page 29: ...tocol group Configuring Interfaces 958 show protocol vlan protocol group 959 show interfaces protocol vlan protocol group 960 Configuring IP Subnet VLANs 961 subnet vlan 961 show subnet vlan 962 Configuring MAC Based VLANs 963 mac vlan 963 show mac vlan 964 Configuring Voice VLANs 964 voice vlan 965 voice vlan aging 966 voice vlan mac address 966 switchport voice vlan 967 switchport voice vlan pri...

Page 30: ...ap ip port 983 show map ip precedence 984 41 QUALITY OF SERVICE COMMANDS 985 class map 986 description 987 match 988 rename 989 policy map 989 class 990 police flow 991 police srtcm color 993 police trtcm color 995 set 997 service policy 998 show class map 999 show policy map 1000 show policy map interface 1000 42 MULTICAST FILTERING COMMANDS 1003 IGMP Snooping 1004 ip igmp snooping 1005 ip igmp s...

Page 31: ...nterval 1017 ip igmp snooping vlan query resp intvl 1018 ip igmp snooping vlan static 1019 show ip igmp snooping 1019 show ip igmp snooping group 1020 show mac address table multicast 1021 Static Multicast Routing 1022 ip igmp snooping vlan mrouter 1022 show ip igmp snooping mrouter 1023 IGMP Filtering and Throttling 1023 ip igmp filter Global Configuration 1024 ip igmp profile 1025 permit deny 10...

Page 32: ... clear ip igmp group 1046 show ip igmp groups 1047 show ip igmp interface 1049 IGMP Proxy Routing 1050 ip igmp proxy 1050 ip igmp proxy unsolicited report interval 1051 MLD Layer 3 1052 ipv6 mld 1052 ipv6 mld last member query response interval 1053 ipv6 mld max resp interval 1054 ipv6 mld query interval 1055 ipv6 mld robustval 1055 ipv6 mld static group 1056 ipv6 mld version 1057 clear ipv6 mld g...

Page 33: ...ystem name 1072 lldp dot1 tlv proto ident 1073 lldp dot1 tlv proto vid 1073 lldp dot1 tlv pvid 1074 lldp dot1 tlv vlan name 1074 lldp dot3 tlv link agg 1075 lldp dot3 tlv mac phy 1075 lldp dot3 tlv max frame 1076 lldp notification 1076 show lldp config 1077 show lldp info local device 1078 show lldp info remote device 1079 show lldp info statistics 1080 44 DOMAIN NAME SERVICE COMMANDS 1083 ip doma...

Page 34: ...1099 service dhcp 1100 bootfile 1100 client identifier 1101 default router 1102 dns server 1102 domain name 1103 hardware address 1103 host 1104 lease 1105 netbios name server 1106 netbios node type 1107 network 1107 next server 1108 clear ip dhcp binding 1109 show ip dhcp binding 1109 show ip dhcp 1110 46 VRRP COMMANDS 1111 vrrp authentication 1112 vrrp ip 1112 vrrp preempt 1113 vrrp priority 111...

Page 35: ...ARP Configuration 1127 arp 1128 arp timeout 1129 ip proxy arp 1129 clear arp cache 1130 show arp 1130 UDP Helper Configuration 1131 ip forward protocol udp 1131 ip helper 1132 ip helper address 1133 show ip helper 1134 IPv6 Interface 1135 ipv6 default gateway 1136 ipv6 address 1137 ipv6 address eui 64 1138 ipv6 address link local 1140 ipv6 enable 1141 ipv6 mtu 1143 show ipv6 interface 1144 show ip...

Page 36: ...l 1166 48 IP ROUTING COMMANDS 1169 Global Routing Configuration 1169 ip route 1170 maximum paths 1171 show ip route 1171 show ip route database 1173 show ip traffic 1173 ipv6 route 1174 show ipv6 route 1176 Routing Information Protocol RIP 1177 router rip 1178 default information originate 1179 default metric 1179 distance 1180 maximum prefix 1181 neighbor 1182 network 1182 passive interface 1183 ...

Page 37: ...9 timers spf 1200 clear ip ospf process 1201 area default cost 1201 area range 1202 auto cost reference bandwidth 1203 default metric 1204 redistribute 1205 summary address 1206 area nssa 1207 area stub 1209 area virtual link 1210 network area 1212 ip ospf authentication 1213 ip ospf authentication key 1215 ip ospf cost 1216 ip ospf dead interval 1217 ip ospf hello interval 1218 ip ospf message di...

Page 38: ...42 area default cost 1242 area range 1243 default metric 1244 redistribute 1245 area stub 1246 area virtual link 1247 ipv6 router ospf area 1249 ipv6 router ospf tag area 1250 ipv6 ospf cost 1251 ipv6 ospf dead interval 1252 ipv6 ospf hello interval 1253 ipv6 ospf priority 1253 ipv6 ospf retransmit interval 1254 ipv6 ospf transmit delay 1255 passive interface 1256 show ipv6 ospf 1257 show ipv6 osp...

Page 39: ...im join prune holdtime 1277 ip pim lan prune delay 1278 ip pim override interval 1279 ip pim propagation delay 1280 ip pim trigger hello delay 1280 show ip pim interface 1281 show ip pim neighbor 1282 ip pim graft retry interval 1282 ip pim max graft retries 1283 ip pim state refresh origination interval 1283 ip pim bsr candidate 1284 ip pim register rate limit 1285 ip pim register source 1286 ip ...

Page 40: ...pv6 pim propagation delay 1302 ipv6 pim state refresh origination interval 1303 ipv6 pim trigger hello delay 1304 show ipv6 pim interface 1305 show ipv6 pim neighbor 1305 SECTION IV APPENDICES 1307 A SOFTWARE SPECIFICATIONS 1309 Software Features 1309 Management Features 1311 Standards 1311 Management Information Bases 1312 B TROUBLESHOOTING 1315 Problems Accessing the Management Interface 1315 Us...

Page 41: ...ime Zone 127 Figure 15 Console Port Settings 129 Figure 16 Telnet Connection Settings 131 Figure 17 Displaying CPU Utilization 132 Figure 18 Displaying Memory Utilization 132 Figure 19 Renumbering the Stack 133 Figure 20 Restarting the Switch Immediately 135 Figure 21 Restarting the Switch In 136 Figure 22 Restarting the Switch At 136 Figure 23 Restarting the Switch Regularly 137 Figure 24 Configu...

Page 42: ...47 Displaying LACP Port Remote Information 164 Figure 48 Sampling Traffic Flows 166 Figure 49 Enabling Traffic Segmentation 167 Figure 50 Configuring Members for Traffic Segmentation 168 Figure 51 Configuring VLAN Trunking 169 Figure 52 Configuring VLAN Trunking 170 Figure 53 VLAN Compliant and VLAN Non compliant Devices 172 Figure 54 Using GVRP 174 Figure 55 Creating Static VLANs 175 Figure 56 Mo...

Page 43: ... Dynamic MAC Address Table 210 Figure 86 Clearing Entries in the Dynamic MAC Address Table 211 Figure 87 STP Root Ports and Designated Ports 214 Figure 88 MSTP Region Internal Spanning Tree Multiple Spanning Tree 215 Figure 89 Common Internal Spanning Tree Common Spanning Tree Internal Spanning Tree 215 Figure 90 Configuring Port Loopback Detection 217 Figure 91 Configuring Global Settings for STA...

Page 44: ... Rules for a Class Map 257 Figure 121 Configuring a Policy Map 264 Figure 122 Showing Policy Maps 265 Figure 123 Adding Rules to a Policy Map 266 Figure 124 Showing the Rules for a Policy Map 266 Figure 125 Attaching a Policy Map to a Port 267 Figure 126 Configuring a Voice VLAN 270 Figure 127 Configuring an OUI Telephony List 272 Figure 128 Showing an OUI Telephony List 272 Figure 129 Configuring...

Page 45: ...ure 154 Configuring a MAC Address Filter for Network Access 302 Figure 155 Showing the MAC Address Filter Table for Network Access 303 Figure 156 Showing Addresses Authenticated for Network Access 304 Figure 157 Configuring HTTPS 306 Figure 158 Downloading the Secure Site Certificate 307 Figure 159 Configuring the SSH Server 311 Figure 160 Generating the SSH Host Key Pair 313 Figure 161 Showing th...

Page 46: ...ic Bindings for IP Source Guard 358 Figure 193 Showing the IP Source Guard Binding Table 360 Figure 194 Configuring Global Settings for DHCP Snooping 364 Figure 195 Configuring DHCP Snooping on a VLAN 365 Figure 196 Configuring the Port Mode for DHCP Snooping 366 Figure 197 Displaying the Binding Table for DHCP Snooping 367 Figure 198 Configuring Settings for System Memory Logs 371 Figure 199 Show...

Page 47: ...9 Showing Trap Managers 411 Figure 230 Configuring an RMON Alarm 414 Figure 231 Showing Configured RMON Alarms 414 Figure 232 Configuring an RMON Event 416 Figure 233 Showing Configured RMON Events 417 Figure 234 Configuring an RMON History Sample 418 Figure 235 Showing Configured RMON History Samples 419 Figure 236 Showing Collected RMON History Samples 419 Figure 237 Configuring an RMON Statisti...

Page 48: ...263 Showing Static IGMP Groups 454 Figure 264 Displaying Multicast Groups Learned from IGMP Information 457 Figure 265 Displaying Multicast Groups Learned from IGMP Detail 457 Figure 266 MVR Concept 458 Figure 267 Configuring Global Settings for MVR 460 Figure 268 Configuring the Group Range for MVR 461 Figure 269 Showing the Configured Group Range for MVR 461 Figure 270 Configuring Interface Sett...

Page 49: ...gure 302 Several Virtual Master Routers Configured for Mutual Backup and Load Sharing 508 Figure 303 Configuring the VRRP Group ID 512 Figure 304 Showing Configured VRRP Groups 512 Figure 305 Setting the Virtual Router Address for a VRRP Group 513 Figure 306 Showing the Virtual Addresses Assigned to VRRP Groups 513 Figure 307 Configuring Detailed Settings for a VRRP Group 514 Figure 308 Showing Co...

Page 50: ... General Settings for RIP 544 Figure 336 Clearing Entries from the Routing Table 545 Figure 337 Adding Network Interfaces to RIP 546 Figure 338 Showing Network Interfaces Using RIP 547 Figure 339 Specifying a Passive RIP Interface 548 Figure 340 Showing Passive RIP Interfaces 548 Figure 341 Specifying a Static RIP Neighbor 549 Figure 342 Showing Static RIP Neighbors 549 Figure 343 Redistributing E...

Page 51: ... External Routes 580 Figure 374 Showing Summary Addresses for External Routes 581 Figure 375 Configuring Settings for All Interfaces Assigned to a VLAN 585 Figure 376 Configuring Settings for a Specific Area Assigned to a VLAN 586 Figure 377 Showing OSPF Interfaces 586 Figure 378 Showing MD5 Authentication Keys 587 Figure 379 OSPF Virtual Link 587 Figure 380 Adding a Virtual Link 588 Figure 381 Sh...

Page 52: ...guring an RP Candidate 615 Figure 398 Showing Settings for an RP Candidate 615 Figure 399 Showing Information About the BSR 617 Figure 400 Showing RP Mapping 618 Figure 401 Enabling PIMv6 Multicast Routing 618 Figure 402 Configuring PIMv6 Interface Settings Dense Mode 622 Figure 403 Showing PIMv6 Neighbors 623 Figure 404 Storm Control by Limiting the Traffic Rate 880 Figure 405 Storm Control by Sh...

Page 53: ...s 250 Table 14 Usage of ToS Bits 251 Table 15 Dynamic QoS Profiles 298 Table 16 HTTPS System Support 307 Table 17 ARP Inspection Statistics 342 Table 18 ARP Inspection Log 343 Table 19 802 1X Statistics 355 Table 20 Logging Levels 372 Table 21 Chassis ID Subtype 382 Table 22 System Capabilities 382 Table 23 Port ID Subtype 385 Table 24 Remote Port Auto Negotiation Advertised Capability 386 Table 2...

Page 54: ...ds 677 Table 48 Logging Levels 678 Table 49 show logging flash ram display description 682 Table 50 show logging trap display description 683 Table 51 Event Logging Commands 683 Table 52 Time Commands 687 Table 53 Time Range Commands 692 Table 54 SNMP Commands 697 Table 55 show snmp engine id display description 709 Table 56 show snmp group display description 711 Table 57 show snmp user display d...

Page 55: ... List Commands 827 Table 84 IPv4 ACL Commands 827 Table 85 IPv4 ACL Commands 834 Table 86 MAC ACL Commands 840 Table 87 ARP ACL Commands 845 Table 88 ACL Information Commands 848 Table 89 Interface Commands 849 Table 90 show interfaces switchport display description 862 Table 91 Link Aggregation Commands 867 Table 92 show lacp counters display description 874 Table 93 show lacp internal display de...

Page 56: ...120 Mapping IP DSCP to CoS Values 980 Table 121 Mapping IP Precedence to CoS Values 982 Table 122 Quality of Service Commands 985 Table 123 Multicast Filtering Commands 1003 Table 124 IGMP Snooping Commands 1004 Table 125 Static Multicast Interface Commands 1022 Table 126 IGMP Filtering and Throttling Commands 1023 Table 127 Multicast VLAN Registration Commands 1033 Table 128 show mvr display desc...

Page 57: ...ipv6 traffic display description 1158 Table 159 IPv6 to IPv4 Tunnelling Commands 1159 Table 160 IP Routing Commands 1169 Table 161 Global Routing Configuration Commands 1169 Table 162 Routing Information Protocol Commands 1177 Table 163 Open Shortest Path First Commands 1195 Table 164 show ip ospf display description 1223 Table 165 show ip ospf database display description 1226 Table 166 show ip o...

Page 58: ...display description 1267 Table 184 show ip mroute display description 1270 Table 185 Static Multicast Routing Commands 1271 Table 186 IPv4 and IPv6 PIM Commands 1273 Table 187 PIM DM and PIM SM Multicast Routing Commands 1273 Table 188 show ip pim neighbor display description 1282 Table 189 show ip pim bsr router display description 1294 Table 190 show ip pim rp mapping display description 1295 Ta...

Page 59: ...iew of the switch and introduces some basic concepts about network switches It also describes the basic settings required to access the management interface This section includes these chapters u Introduction on page 61 u Initial Switch Configuration on page 73 ...

Page 60: ...SECTION I Getting Started 60 ...

Page 61: ...ame password RADIUS TACACS Port IEEE 802 1X MAC address filtering SNMP v1 2c Community strings SNMP version 3 MD5 or SHA password Telnet SSH Web HTTPS General Security Measures AAA ARP inspection DHCP Snooping with Option 82 relay information IP Source Guard Private VLANs Port Authentication IEEE 802 1X Port Security MAC address filtering Access Control Lists Supports up to 256 ACLs 96 MAC rules 9...

Page 62: ...p to 256 using IEEE 802 1Q port based protocol based private VLANs voice VLANs and QinQ tunnel Traffic Prioritization Default port priority traffic class map queue scheduling IP Precedence or Differentiated Services Code Point DSCP and TCP UDP Port Qualify of Service Supports Differentiated Services DiffServ Link Layer Discovery Protocol Used to discover basic information about neighboring devices...

Page 63: ...tion server i e RADIUS or TACACS Port based authentication is also supported via the IEEE 802 1X protocol This protocol uses Extensible Authentication Protocol over LANs EAPOL to request user credentials from the 802 1X client and then uses the EAP between the switch and the authentication server to verify the client s right to access the network via an authentication server i e RADIUS or TACACS s...

Page 64: ... connection integrity PORT TRUNKING Ports can be combined into an aggregate connection Trunks can be manually set up or dynamically configured using Link Aggregation Control Protocol LACP IEEE 802 3 2005 The additional ports dramatically increase the throughput across any connection and provide redundancy by taking over the load if a port in the trunk should fail The switch supports up to 32 trunk...

Page 65: ...tocol provides loop detection When there are multiple physical paths between segments this protocol will choose a single path and disable all others to ensure that only one route exists between any two stations on the network This prevents the creation of network loops However if the chosen path should fail for any reason an alternate path will be activated to maintain the connection u Rapid Spann...

Page 66: ...ocol VLANs to restrict traffic to specified interfaces based on protocol type IEEE 802 1Q TUNNELING QINQ This feature is designed for service providers carrying traffic for multiple customers across their networks QinQ tunneling is used to maintain customer specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs This is accomplished by inserti...

Page 67: ...n any IP interfaces configured on the ECN430 switch Routing to statically configured hosts or subnet addresses is provided based on next hop entries specified in the static routing table RIP This protocol uses a distance vector approach to routing Routes are determined on the basis of minimizing the distance vector or hop count which serves as a rough estimate of transmission cost OSPF This approa...

Page 68: ...tination via the switch which uses its own routing table to reach the destination on the other network MULTICAST FILTERING Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfere with normal network traffic and to guarantee real time delivery by setting the required priority level for the designated VLAN The switch uses IGMP Snooping and Query at Layer 2 and...

Page 69: ...vileged Exec Level Username admin Password admin Normal Exec Level Username guest Password guest Enable Privileged Exec from Normal Exec Level Password super RADIUS Authentication Disabled TACACS Authentication Disabled 802 1X Port Authentication Disabled MAC Authentication Disabled HTTPS Enabled SSH Disabled Port Security Disabled IP Filtering Disabled DHCP Snooping Disabled Web Management HTTP S...

Page 70: ...P standard Edge Ports Enabled LLDP Status Enabled Virtual LANs Default VLAN 1 PVID 1 Acceptable Frame Type All Ingress Filtering Disabled Switchport Mode Egress Mode Hybrid tagged untagged frames GVRP global Disabled GVRP port interface Disabled QinQ Tunneling Disabled Traffic Prioritization Ingress Port Priority 0 Queue Mode WRR Weighted Round Robin Queue 0 1 2 3 4 5 6 7 Weight 1 2 4 6 8 10 12 14...

Page 71: ...d Unicast Routing RIP Disabled OSPFv2 Disabled OSPFv3 Disabled Router Redundancy VRRP Disabled Multicast Filtering IGMP Snooping Layer 2 Snooping Enabled Querier Disabled Multicast VLAN Registration Disabled IGMP Layer 3 IGMP Proxy Layer 3 Disabled Disabled System Log Status Enabled Messages Logged Levels 0 7 all Messages Logged to Flash Levels 0 3 SMTP Email Alerts Event Handler Enabled but no se...

Page 72: ...CHAPTER 1 Introduction System Defaults 72 ...

Page 73: ...rd web browser such as Internet Explorer 5 x or above Netscape 6 2 or above and Mozilla Firefox 2 0 0 0 or above The switch s web management interface can be accessed from any computer attached to the network The CLI program can be accessed by a direct connection to the RJ 45 serial console port on the switch or remotely by a Telnet connection over the network The switch s management agent also su...

Page 74: ...on any port for excessive broadcast traffic u Display system information and statistics u Configure any stack unit through the same IP address REQUIRED CONNECTIONS The switch provides an RJ 45 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch A null modem console cable is provided with the switch NOTE When configuring a stack connect to the console...

Page 75: ...le connection or DHCP protocol An IPv4 address for this switch is obtained via DHCP by default To manually configure this address or enable dynamic address assignment via DHCP see Setting an IP Address on page 80 NOTE This switch supports four Telnet sessions or four SSH sessions NOTE Any VLAN group can be assigned an IP interface address page 80 for managing the switch Also note that the Master u...

Page 76: ...on depressed as the stack Master n If the Master Select push button is not depressed on any unit the system will select the unit with the lowest MAC address as the stack Master u When the stack is initially powered on the Master unit is designated as unit 1 for a ring topology For a line topology the stack is simply numbered from top to bottom with the first unit in the stack designated at unit 1 ...

Page 77: ...re or a new unit added to the stack the original unit IDs are not affected after rebooting and a new unit is assigned the lowest available unit ID BROKEN LINK FOR LINE AND WRAP AROUND TOPOLOGIES All units in the stack must be connected via stacking cable You can connect the units in a simple cascade configuration from the top to the bottom unit Using this kind of line topology if any link or unit ...

Page 78: ...it identification number If the units are no longer numbered sequentially after several topology changes or failures you can reset the unit numbers using the Renumbering command in the web interface or CLI Just remember to save the new configuration settings to a startup configuration file prior to powering off the stack Master ENSURING CONSISTENT CODE IS USED ACROSS THE STACK Consistent Runtime C...

Page 79: ...le at the Normal Exec level are a limited subset of those available at the Privileged Exec level and allow you to only display information and use basic utilities To fully configure the switch parameters you must access the CLI at the Privileged Exec level NOTE You can only access the console interface through the Master unit in the stack Access to both CLI levels are controlled by user names and ...

Page 80: ...password Console config username admin password 0 password Console config This manual covers the DG GS4826S and DG GS4850S switches Other than the difference in the number of ports there are no significant differences Therefore nearly all of the screen display examples are based on the DG GS4826S SETTING AN IP ADDRESS You must establish IP address information for the stack to obtain management acc...

Page 81: ...r 2 Type ip address ip address netmask where ip address is the switch IP address and netmask is the network mask for the network Press Enter 3 Type exit to return to the global configuration mode prompt Press Enter 4 To set the IP address of the default gateway for the network to which the switch belongs type ip default gateway gateway where gateway is the IP address of the default gateway Press E...

Page 82: ...r the ipv6 address similar to that shown in the example followed by the link local command parameter Then press Enter Console config interface vlan 1 Console config if ipv6 address FE80 260 3EFF FE11 6700 link local Console config if end Console show ipv6 interface Vlan 1 is up IPv6 is enable Link local address FE80 260 3EFF FE11 6700 64 Global unicast address es Joined group address es FF01 1 16 ...

Page 83: ... of the IPv6 default gateway for the network to which the switch belongs type ipv6 default gateway gateway where gateway is the IPv6 address of the default gateway Press Enter Console config interface vlan 1 Console config if ipv6 address 2001 DB8 2222 7272 64 Console config if exit Console config ipv6 default gateway 2001 DB8 2222 7272 254 Console config end Console show ipv6 interface Vlan 1 is ...

Page 84: ...n servers on the network complete the following steps 1 From the Global Configuration mode prompt type interface vlan 1 to access the interface configuration mode Press Enter 2 At the interface configuration mode prompt use one of the following commands n To obtain IP settings via DHCP type ip address dhcp and press Enter n To obtain IP settings via BOOTP type ip address bootp and press Enter 3 Ty...

Page 85: ...sole Address for Multi segment Network An IPv6 address for use in a network containing more than one subnet must be manually configured as described in Assigning an IPv6 Address on page 81 The current software does not support DHCP for IPv6 ENABLING SNMP MANAGEMENT ACCESS The switch can be configured to accept management commands from Simple Network Management Protocol SNMP applications You can co...

Page 86: ...hat you change the default community strings To configure a community string complete the following steps 1 From the Privileged Exec level global configuration mode prompt type snmp server community string mode where string is the community access string and mode is rw read write or ro read only Press Enter Note that the default mode is read only 2 To remove an existing string simply type no snmp ...

Page 87: ...des the IEEE 802 1d bridge MIB It assigns these respective read and read write views to a group call r d and specifies group authentication via MD5 or SHA In the last step it assigns a v3 user to this group indicating that MD5 will be used for authentication provides the password greenpeace for authentication and the password einstien for encryption Console config snmp server view mib 2 1 3 6 1 2 ...

Page 88: ...has a total of 32 Mbytes of flash memory for system files In the system flash memory one file of each type must be set as the start up file During a system boot the diagnostic and operation code files set as the start up file are run and then the start up configuration file is loaded Note that configuration files should be downloaded using a file name that reflects the contents or usage of the fil...

Page 89: ...ing config startup config Startup configuration file name startup Write to FLASH Programming Write to FLASH finish Success Console To restore configuration settings from a backup server enter the following command 1 From the Privileged Exec mode prompt type copy tftp startup config and press Enter 2 Enter the address of the TFTP server Press Enter 3 Enter the name of the startup file stored on the...

Page 90: ...CHAPTER 2 Initial Switch Configuration Managing System Files 90 ...

Page 91: ...figuration on page 171 u Address Table Settings on page 205 u Spanning Tree Algorithm on page 213 u Rate Limit Configuration on page 237 u Storm Control Configuration on page 239 u Class of Service on page 241 u Quality of Service on page 253 u VoIP Traffic Configuration on page 269 u Security Measures on page 275 u Basic Administration Protocols on page 369 u Multicast Filtering on page 423 u IP ...

Page 92: ...SECTION II Web Configuration 92 u Unicast Routing on page 539 u Multicast Routing on page 595 ...

Page 93: ...gateway using an out of band serial connection BOOTP or DHCP protocol See Setting an IP Address on page 80 2 Set user names and passwords using an out of band serial connection Access to the web agent is controlled by the same user names and passwords as the onboard configuration program See Setting Passwords on page 80 3 After you enter a user name and password you will have access to the system ...

Page 94: ...our web browser connects with the switch s web agent the home page is displayed as shown below The home page displays the Main Menu on the left side of the screen and System Information on the right side The Main Menu links are used to navigate to other menus and display configuration parameters and statistics Figure 1 Home Page NOTE This manual covers the DG GS4826S and DG GS4850S Gigabit Etherne...

Page 95: ...eck for newer versions of stored pages should be Every visit to the page PANEL DISPLAY The web agent displays an image of the switch s ports The Mode can be set to display different information for the ports including Active i e up or down Duplex i e half or full duplex or Flow Control i e with or without flow control Figure 2 Front Panel Indicators Table 3 Web Page Configuration Buttons Button Ac...

Page 96: ...urrent time 124 SNTP Configures SNTP polling interval 125 Configure Time Server Configures a list of SNTP servers 126 Configure Time Zone Sets the local time zone for the system clock 127 Console Sets console port connection parameters 128 Telnet Sets Telnet connection parameters 130 CPU Utilization Displays information on CPU utilization 131 Memory Status Shows memory utilization parameters 132 R...

Page 97: ...p members on the local side 155 Partner Configures parameters for link aggregation group members on the remote side 155 Show Information Counters Displays statistics for LACP protocol messages 160 Internal Displays configuration settings and operational state for the local side of a link aggregation 162 Neighbors Displays configuration settings and operational state for the remote side of a link a...

Page 98: ...ces assigned to a VLAN through GVRP 181 Private Configure VLAN Add Creates primary or community VLANs 184 Show Display configured primary and community VLANs 184 Add Community VLAN Associates a community VLAN with a primary VLAN 186 Show Community VLAN Shows the community VLANs associated with a primary VLAN 186 Configure Interface Sets the private VLAN interface type and associates the interfaces...

Page 99: ...lobal Configure Configures global bridge settings for STP RSTP and MSTP 217 Show Information Displays STA values used for the bridge 222 Configure Interface Configure Configures interface settings for STA 223 Show Informaton Displays interface settings for STA 227 MSTP Multiple Spanning Tree Algorithm Configure Global Add Configures initial VLAN and priority for an MST instance 230 Show Configures...

Page 100: ...classification rules for a class map 254 Configure Policy Add Creates a policy map to apply to multiple interfaces 257 Show Shows configured policy maps 257 Modify Modifies the name of a policy map 257 Add Rule Sets the boundary parameters used for monitoring inbound traffic and the action to take for conforming and non conforming traffic 257 Show Rule Shows the rules used to enforce bandwidth pol...

Page 101: ... information recorded for user sessions 283 Authorization Enables authorization of requested services 288 Configure Method 288 Add Configures authorization for various service types 288 Show Shows the authorization settings used for various service types 288 Configure Service Sets the authorization method applied used for the console port and for Telnet 288 Show Information Shows the configured au...

Page 102: ...e Generates the host key pair public and private 312 Show Displays RSA and DSA host keys deletes host keys 312 Configure User Key 313 Copy Imports user public keys from TFTP server 313 Show Displays RSA and DSA user keys deletes user keys 313 ACL Access Control Lists 315 Configure Time Range Configures the time to apply an ACL 316 Add Specifies the name of a time range 316 Show Shows the name of c...

Page 103: ...s 349 Show Statistics Displays protocol statistics for the selected port 353 IP Source Guard Filters IP traffic based on static entries in the IP Source Guard table or dynamic entries in the DHCP Snooping table 354 Port Configuration Enables IP source guard and selects filter type per port 354 Static Binding 356 Add Adds a static addresses to the source guard binding table 356 Show Shows static ad...

Page 104: ...onfigure View 394 Add View Adds an SNMP v3 view of the OID MIB 394 Show View Shows configured SNMP v3 views 394 Add OID Subtree Specifies a part of the subtree for the selected view 394 Show OID Subtree Shows the subtrees assigned to each view 394 Configure Group 397 Add Adds a group with access policies for assigned users 397 Show Shows configured groups and access policies 397 Configure User Add...

Page 105: ...p 417 Statistics Shows sampled data for each entry in the history group 419 IP General Routing Interface Add Configures an IP interface for a VLAN 467 Show Shows the IP interfaces assigned to a VLAN 467 Ping Sends ICMP echo request packets to another node on the network 493 Trace Route Shows the route packets take to the specified destination 494 ARP Address Resolution Protocol 495 Configure Gener...

Page 106: ...08 Show Statistics Global Statistics Displays global statistics for VRRP protocol packet errors 514 Group Statistics Displays statistics for VRRP protocol events and errors on the specified VRRP group and interface 515 IPv6 Configuration 471 Configure Global Sets an IPv6 default gateway for traffic with no known next hop 471 Configure Interface Configures IPv6 interface address using auto configur...

Page 107: ...ted name servers 522 DHCP Dynamic Host Configuration Protocol 523 Client Specifies the DHCP client identifier for an interface 524 Relay Specifies DHCP relay servers 525 Snooping 360 Configure Global Enables DHCP snooping globally MAC address verification information option and sets the information policy 363 Configure VLAN Enables DHCP snooping on a VLAN 364 Configure Interface Sets the trust mod...

Page 108: ...attached to a neighboring multicast router either through static or dynamic configuration 431 IGMP Member 433 Add Static Member Statically assigns multicast addresses to the selected VLAN 433 Show Static Member Shows multicast addresses statically configured on the selected VLAN 433 Show Current Member Shows multicast addresses associated with the selected VLAN either through static or dynamic con...

Page 109: ...ral Globally enables multicast routing 598 Information 599 Show Summary Shows each multicast route the switch has learned 599 Show Detail Shows additional information for each multicast route the switch has learned including upstream router and downstream interfaces 599 MVR Multicast VLAN Registration 457 Configure General Globally enables MVR sets the MVR VLAN 459 Configure Group Range Add Config...

Page 110: ...m other routing protocols 551 Show Shows the administrative distances assigned to external routes learned from other routing protocols 551 Interface 552 Add Configures RIP parameters for each interface including send and receive versions authentication and method of loopback prevention 552 Show Shows the RIP parameters set for each interface 552 Modify Modifies RIP parameters for an interface 552 ...

Page 111: ...odifies configuration settings for redistributed routes 577 Summary Address 579 Add Aggregates routes learned from other protocols for advertising into other autonomous systems 579 Show Shows configured summary addresses 579 Interface 581 Show Shows area ID and designated router settings for each interface 581 Configure by VLAN Configures OSPF protocol settings and authentication for specified VLA...

Page 112: ...iated multicast group s 611 Show Shows the static addresses configured for each RP and the associated multicast groups 611 RP Candidate 613 Add Advertises the switch as an RP candidate to the BSR for the specified multicast groups 613 Show Shows the multicast groups for which this switch is advertising itself as an RP candidate to the BSR 613 Show Information Show BSR Router Displays information a...

Page 113: ...g the System Clock Sets the current time manually or through specified SNTP servers u Console Port Settings Sets console port connection parameters u Telnet Settings Sets Telnet connection parameters u Displaying CPU Utilization Displays information on CPU utilization u Displaying Memory Utilization Shows memory utilization parameters u Renumbering the Stack Renumbers the units in the stack u Rese...

Page 114: ...e management agent has been up u System Name Name assigned to the switch system u System Location Specifies the system location u System Contact Administrator responsible for the system WEB INTERFACE To configure general system information 1 Click System General 2 Specify the system name location and contact information for the system administrator 3 Click Apply Figure 3 System Information NOTE Th...

Page 115: ...n board u Internal Power Status Displays the status of the internal power supply Management Software Information u Role Shows that this switch is operating as Master or Slave u EPLD Version Version number of EEPROM Programmable Logic Device u Loader Version Version number of loader code u Diagnostics Code Version Version of Power On Self Test POST and boot code u Operation Code Version Version num...

Page 116: ...cess protocol encapsulation fields CLI REFERENCES u System Management Commands on page 647 USAGE GUIDELINES To use jumbo frames both the source and destination end nodes such as a computer or server must support this feature Also when the connection is operating at full duplex all switches in the network between the two end nodes must be able to accept the extended frame size And for half duplex c...

Page 117: ...ed on GMRP GARP Multicast Registration Protocol u Traffic Classes This switch provides mapping of user priorities to multiple traffic classes Refer to Class of Service on page 241 u Static Entry Individual Port This switch allows static filtering for unicast and multicast addresses Refer to Setting Static Addresses on page 207 u VLAN Version Number Based on IEEE 802 1Q 1 indicates Bridges that sup...

Page 118: ...icast filtering WEB INTERFACE To view Bridge Extension information 1 Click System then Capability Figure 6 Displaying Bridge Extension Configuration MANAGING SYSTEM FILES This section describes how to upgrade the switch operating software or configuration files and set the system start up files COPYING FILES VIA FTP TFTP OR HTTP Use the System File Copy page to upload download firmware or configur...

Page 119: ...ade Copies a file from a TFTP server to the switch n TFTP Download Copies a file from the switch to a TFTP server u FTP TFTP Server IP Address IP address of an FTP or TFTP server u User Name The user name for FTP server access u Password The password for FTP server access u File Type Specify Operation Code to copy firmware u File Name The file name should not contain slashes or the leading letter ...

Page 120: ...s used enter the IP address of the file server 5 If FTP Upgrade is used enter the user name and password for your account on the FTP server 6 Set the file type to Operation Code 7 Enter the name of the file to download 8 Select a file on the switch to overwrite or specify a new file name 9 Then click Apply Figure 7 Copy Firmware If you replaced a file currently used for startup and want to start u...

Page 121: ...on n Running Config Copies the current configuration settings to a local file on the switch u Destination File Name Copy to the currently designated startup file or to a new file The file name should not contain slashes or the leading letter of the file name should not be a period and the maximum length for file names is 31 characters for files on the switch Valid characters A Z a z 0 9 _ NOTE The...

Page 122: ...are or configuration file to use for system initialization CLI REFERENCES u whichboot on page 664 u boot system on page 658 WEB INTERFACE To set a file to use for system initialization 1 Click System then File 2 Select Set Start Up from the Action list 3 Mark the operation code or configuration file to be used at startup 4 Then click Apply Figure 9 Setting Start Up Files To start using the new fir...

Page 123: ... System Files SETTING THE SYSTEM CLOCK Simple Network Time Protocol SNTP allows the switch to set its internal clock based on periodic updates from a time server SNTP or NTP Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries You can also manually set the clock If the clock is not set manually or via SNTP the switch will only rec...

Page 124: ...t on the switch u Hours Sets the hour Range 0 23 Default 0 u Minutes Sets the minute value Range 0 59 Default 0 u Seconds Sets the second value Range 0 59 Default 0 u Month Sets the month Range 1 12 Default 1 u Day Sets the day of the month Range 1 31 Default 1 u Year Sets the year Range 2001 2100 Default 2009 WEB INTERFACE To manually set the system clock 1 Click System then Time 2 Select Configu...

Page 125: ...switch will query the time servers PARAMETERS The following parameters are displayed in the web interface u Current Time Shows the current time set on the switch u SNTP Polling Interval Sets the interval between sending requests for a time update from a time server Range 16 16384 seconds Default 16 seconds WEB INTERFACE To set the polling interval for SNTP 1 Click System then Time 2 Select Configu...

Page 126: ...are displayed in the web interface u SNTP Server IP Address Sets the IPv4 or IPv6 address for up to three time servers The switch attempts to update the time from the first server if this fails it attempts an update from the next server in the sequence WEB INTERFACE To set the SNTP time servers 1 Click System then Time 2 Select Configure Time Server from the Action list 3 Enter the IP address of u...

Page 127: ...redefined time zone definitions or your can manually configure the parameters for your local time zone PARAMETERS The following parameters are displayed in the web interface u Direction Configures the time zone to be before east of or after west of UTC u Name Assigns a name to the time zone Range 1 29 characters u Hours 0 13 The number of hours before after UTC The maximum value before UTC is 12 T...

Page 128: ...fault 600 seconds u Password Threshold Sets the password intrusion threshold which limits the number of failed logon attempts When the logon attempt threshold is reached the system interface becomes silent for a specified amount of time set by the Silent Time parameter before allowing the next logon attempt Range 0 120 Default 3 attempts u Quiet Period Sets the amount of time the management consol...

Page 129: ...be configured through the CLI see password on page 669 NOTE Password checking can be enabled or disabled for logging in to the console connection see login on page 667 You can select authentication by a single global password as configured for the password command or by passwords set up for specific user name accounts The default is for local passwords configured on the switch WEB INTERFACE To con...

Page 130: ... 0 300 seconds Default 300 seconds u Exec Timeout Sets the interval that the system waits until user input is detected If user input is not detected within the timeout interval the current session is terminated Range 0 65535 seconds Default 600 seconds u Password Threshold Sets the password intrusion threshold which limits the number of failed logon attempts When the logon attempt threshold is rea...

Page 131: ...ay information on CPU utilization CLI REFERENCES u show process cpu on page 650 PARAMETERS The following parameters are displayed in the web interface u Time Interval The interval at which to update the displayed utilization rate Options 1 5 10 30 60 seconds Default 1 second u CPU Utilization CPU utilization over specified interval WEB INTERFACE To display CPU utilization 1 Click System then CPU U...

Page 132: ...arameters CLI REFERENCES u show memory on page 650 PARAMETERS The following parameters are displayed in the web interface u Free Size The amount of memory currently free for use u Used Size The amount of memory allocated to active processes u Total The total amount of system memory WEB INTERFACE To display memory utilization 1 Click System then Memory Status Figure 18 Displaying Memory Utilization...

Page 133: ...uration file maps configuration settings to each switch in the stack based on the unit identification number You should therefore remember to save the current configuration after renumbering the stack u For a line topology the stack is numbered from top to bottom with the first unit in the stack designated at unit 1 For a ring topology the Master unit is taken as the top of the stack and is number...

Page 134: ... The following parameters are displayed in the web interface System Reload Configuration u Reset Mode Restarts the switch immediately or at the specified time s n Immediately Restarts the system immediately n In Specifies an interval after which to reload the switch The specified time must be equal to or less than 24 days n hours The number of hours combined with the minutes before the switch rese...

Page 135: ...od n Daily Every day n Weekly Day of the week at which to reload Range Sunday Saturday n Monthly Day of the month at which to reload Range 1 31 WEB INTERFACE To restart the switch 1 Click System then Reset 2 Select the required rest mode 3 For any option other than to reset immediately fill in the required parameters 4 Click Apply 5 When prompted confirm that you want reset the switch Figure 20 Re...

Page 136: ...CHAPTER 4 Basic Management Tasks Resetting the System 136 Figure 21 Restarting the Switch In Figure 22 Restarting the Switch At ...

Page 137: ...CHAPTER 4 Basic Management Tasks Resetting the System 137 Figure 23 Restarting the Switch Regularly ...

Page 138: ...CHAPTER 4 Basic Management Tasks Resetting the System 138 ...

Page 139: ...n Configures the uplinks and down links to a segmented group of ports u VLAN Trunking Configures a tunnel across one or more intermediate switches which pass traffic for VLAN groups to which they do not belong PORT CONFIGURATION This section describes how to configure port connections mirror traffic from one port to another and run cable diagnostics CONFIGURING BY PORT LIST Use the Interface Port ...

Page 140: ...Indicates the port type 1000Base T 1000Base SFP or 10G u Name Allows you to label an interface Range 1 64 characters u Admin Allows you to manually disable an interface You can disable an interface due to abnormal behavior e g excessive collisions and then re enable it after the problem has been resolved You may also disable an interface for security reasons u Media Type Configures the forced pref...

Page 141: ...ing flow control on a port connected to a hub unless it is actually required to solve a problem Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub Default Autonegotiation enabled on Gigabit and 10 Gigabit ports Advertised capabilities for 1000BASE T 10half 10full 100half 100full 1000full 1000Base SX LX LH 1000full 10GBASE SR LR ER 10Gfull 10...

Page 142: ...e or manually fix the speed duplex mode and flow control For more information on command usage and a description of the parameters refer to Configuring by Port List on page 139 CLI REFERENCES u Interface Commands on page 845 WEB INTERFACE To configure port connection parameters 1 Click Interface Port General 2 Select Configure by Port Range from the Action List 3 Enter to range of ports to which y...

Page 143: ...fier u Type Indicates the port type 1000Base T 1000Base SFP or 10G u Name Interface label u Admin Shows if the port is enabled or disabled u Oper Status Indicates if the link is Up or Down u Media Type Media type used Options 1000Base T RJ 45 Copper Forced SFP Copper Forced SFP Forced or SFP Preferred Auto XFP and 10GBase T SFP Preferred Auto Default 1000Base T RJ 45 Copper Forced SFP SFP Preferre...

Page 144: ...o the target port and study the traffic crossing the source port in a completely unobtrusive manner Figure 27 Configuring Local Port Mirroring CLI REFERENCES u Local Port Mirroring Commands on page 873 COMMAND USAGE u Traffic can be mirrored from one or more source ports to one destination port on the same switch u Monitor port speed should match or exceed source port speed otherwise traffic may b...

Page 145: ...e Allows you to select which traffic to mirror to the target port Rx receive Tx transmit or Both Default Rx WEB INTERFACE To configure a local mirror session 1 Click Interface Port Mirror 2 Select Add from the Action List 3 Specify the source port 4 Specify the monitor port 5 Specify the traffic type to be mirrored 6 Click Apply Figure 28 Configuring Local Port Mirroring To display the configured ...

Page 146: ...tics are refreshed every 60 seconds by default NOTE RMON groups 2 3 and 9 can only be accessed using SNMP management software CLI REFERENCES u show interfaces counters on page 855 PARAMETERS These parameters are displayed in the web interface Table 5 Port Statistics Parameter Description Interface Statistics Received Octets The total number of octets received on the interface including framing cha...

Page 147: ... of successfully transmitted frames for which transmission is inhibited by exactly one collision Multiple Collision Frames A count of successfully transmitted frames for which transmission is inhibited by more than one collision Late Collisions The number of times that a collision is detected later than 512 bit times into the transmission of a packet Excessive Collisions A count of frames for whic...

Page 148: ...ber of packets received that were less than 64 octets long excluding framing bits but including FCS octets and were otherwise well formed Oversize Packets The total number of packets received that were longer than 1518 octets excluding framing bits but including FCS octets and were otherwise well formed 64 Bytes Packets The total number of packets including bad packets received and transmitted tha...

Page 149: ...own list 4 Use the Refresh button at the bottom of the page if you need to update the screen Figure 30 Showing Port Statistics Table To show a chart of port statistics 1 Click Interface Port Chart 2 Select the statistics mode to display Interface Etherlike RMON or All 3 If Interface Etherlike RMON statistics mode is chosen select a port from the drop down list If All ports statistics mode is chose...

Page 150: ...LI REFERENCES u Interface Commands on page 685 COMMAND USAGE u Cable diagnostics are performed using Digital Signal Processing DSP test methods DSP analyses the cable by sending a pulsed signal into the cable and then examining the reflection of that pulse u Cable diagnostics can only be performed on twisted pair media u This cable test is only accurate for cables 7 140 meters long u The test take...

Page 151: ...layed in the web interface u Port Switch port identifier Range 1 26 50 u Test Result The results include common cable failures as well as the status and approximate distance to a fault or the approximate cable length if no fault is found u Accuracy The accuracy of the reported length to a fault The accuracy displays 0 when no problem is found u Last Updated Shows the last time this port was tested...

Page 152: ...ill be placed in standby mode Should one link in the trunk fail one of the standby ports will automatically be activated to replace it COMMAND USAGE Besides balancing the load across each port in the trunk the other ports provide redundancy by taking over the load if a port in the trunk fails However before making any physical connections between devices use the web interface or CLI to specify the...

Page 153: ...are Cisco EtherChannel compatible u To avoid creating a loop in the network be sure you add a static trunk via the configuration interface before connecting the ports and also disconnect the ports before removing a static trunk via the configuration interface PARAMETERS These parameters are displayed in the web interface u Trunk ID Trunk identifier Range 1 32 u Member The initial trunk member Use ...

Page 154: ...ct Add Member from the Action list 4 Select a trunk identifier 5 Set the unit and port for an additional trunk member 6 Click Apply Figure 35 Adding Static Trunks Members To configure connection parameters for a static trunk 1 Click Interface Trunk Static 2 Select Configure General from the Step list 3 Select Configure from the Action list 4 Modify the required interface settings Refer to Configur...

Page 155: ... from the Action list Figure 37 Displaying Connection Parameters for Static Trunks CONFIGURING A DYNAMIC TRUNK Use the Interface Trunk Dynamic Configure Aggregator page to set the administrative key for an aggregation group enable LACP on a port and configure protocol parameters for local and partner ports Figure 38 Configuring Dynamic Trunks CLI REFERENCES u Link Aggregation Commands on page 863 ...

Page 156: ...ACP port admin key matches and 3 the LAG admin key matches if configured However if the LAG admin key is set then the port admin key must be set to the same value for a port to be allowed to join that group NOTE If the LACP admin key is not set when a channel group is formed i e it has a null value of 0 the operational value of this key is set to the same value as the port admin key used by the in...

Page 157: ...ng LACP negotiations with other systems u Port Priority If a link goes down LACP port priority is used to select a backup link Range 0 65535 Default 32768 NOTE Configuring LACP settings for a port only applies to its administrative state not its operational state and will only take effect the next time an aggregate link is established with that port NOTE Configuring the port partner sets the remot...

Page 158: ...t Configure from the Action list 4 Click General 5 Enable LACP on the required ports 6 Click Apply Figure 40 Enabling LACP on a Port To configure LACP parameters for group members 1 Click Interface Trunk Dynamic 2 Select Configure Aggregation Port from the Step list 3 Select Configure from the Action list 4 Click Actor or Partner 5 Configure the required settings 6 Click Apply ...

Page 159: ...ep List 3 Select Show Member from the Action List 4 Select a Trunk Figure 42 Showing Members of a Dynamic Trunk To configure connection parameters for a dynamic trunk 1 Click Interface Trunk Dynamic 2 Select Configure Trunk from the Step List 3 Select Configure from the Action List 4 Modify the required interface settings See Configuring by Port List on page 139 for a description of the interface ...

Page 160: ...the Interface Trunk Dynamic Configure Aggregation Port Show Information Counters page to display statistics for LACP protocol messages CLI REFERENCES u show lacp on page 869 PARAMETERS These parameters are displayed in the web interface Table 6 LACP Port Counters Parameter Description LACPDUs Sent Number of valid LACPDUs transmitted from this channel group LACPDUs Received Number of valid LACPDUs ...

Page 161: ...Figure 45 Displaying LACP Port Counters Marker Unknown Pkts Number of frames received that either 1 Carry the Slow Protocols Ethernet Type value but contain an unknown PDU or 2 are addressed to the Slow Protocols group MAC Address but do not carry the Slow Protocols Ethernet Type Marker Illegal Pkts Number of frames that carry the Slow Protocols Ethernet Type value but contain a badly formed PDU o...

Page 162: ...n Admin State Oper State Administrative or operational values of the actor s state parameters u Expired The actor s receive machine is in the expired state u Defaulted The actor s receive machine is using defaulted operational partner information administratively configured for the partner u Distributing If false distribution of outgoing frames on this link is disabled i e distribution is currentl...

Page 163: ...he user Partner Oper System ID LAG partner s system ID assigned by the LACP protocol Partner Admin Port Number Current administrative value of the port number for the protocol Partner Partner Oper Port Number Operational port number assigned to this aggregation port by the port s protocol partner Port Admin Priority Current administrative value of the port priority for the protocol partner Port Op...

Page 164: ...etwork administrators with an accurate detailed and real time overview of the types and levels of traffic present on their network The sFlow Agent samples 1 out of n packets from all data traversing the switch re encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector This sampling occurs at the internal hardware level where all traffic is seen whereas traditional pro...

Page 165: ...Sampling Commands on page 721 PARAMETERS These parameters are displayed in the web interface u Port Choose the port to configure Range 1 26 50 Default 1 u Status Enables sFlow on the selected port u Receiver Owner1 The name of the receiver Range 1 256 characters Default None u Receiver IP Address1 IP address of the sFlow Collector u Receiver Port1 The UDP port on which the sFlow Collector is liste...

Page 166: ...400 bytes u Sample Rate The number of packets out of which one sample will be taken Range 256 16777215 packets or 0 to disable sampling Default Disabled WEB INTERFACE To configure flow sampling 1 Click Interface sFlow 2 Set the parameters for flow collector the reset timeout the payload and the sampling rate 3 Click Apply Figure 48 Sampling Traffic Flows ...

Page 167: ...ts is only forwarded to and from uplink ports ENABLING TRAFFIC SEGMENTATION Use the Interface Traffic Segmentation Configure Global page to enable traffic segmentation CLI REFERENCES u Configuring Port based Traffic Segmentation on page 946 PARAMETERS These parameters are displayed in the web interface u Status Enables port based traffic segmentation Default Disabled WEB INTERFACE To enable traffi...

Page 168: ...based Traffic Segmentation on page 946 PARAMETERS These parameters are displayed in the web interface u Interface Displays a list of ports or trunks u Port Port Identifier Range 1 26 50 u Trunk Trunk Identifier Range 1 32 u Direction Adds an interface to the segmented group by setting the direction to uplink or downlink Default None WEB INTERFACE To configure the members of the traffic segmentatio...

Page 169: ...However by enabling VLAN trunking on the intermediate switch ports along the path connecting VLANs 1 and 2 you only need to create these VLAN groups in switches A and B Switches C D and E automatically allow frames with VLAN group tags 1 and 2 groups that are unknown to those switches to pass through their VLAN trunking ports u To prevent loops from forming in the spanning tree all unknown VLANs w...

Page 170: ...VLAN trunking on the selected interface WEB INTERFACE To enable VLAN trunking on a port or trunk 1 Click Interface VLAN Trunking 2 Click Port or Trunk to specify the interface type 3 Enable VLAN trunking on any of the Gigibit ports or on a trunk containing Gigabit ports 4 Click Apply Figure 52 Configuring VLAN Trunking ...

Page 171: ...o VLAN mapping table IEEE 802 1Q VLANS In large networks routers are used to isolate broadcast traffic for each subnet into separate domains This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains VLANs confine broadcast traffic to the originating group and can eliminate broadcast storms in large networks This also pro...

Page 172: ...d to VLAN 1 as untagged ports Add a port as a tagged port if you want it to carry traffic for one or more VLANs and any intermediate network devices or the host at the other end of the connection supports VLANs Then assign ports on the other VLAN aware network devices along the path that will carry this traffic to the same VLAN s either manually or dynamically using GVRP However if you want a port...

Page 173: ...uld be assigned If an end station or its network adapter supports the IEEE 802 1Q VLAN protocol it can be configured to broadcast a message to your network indicating the VLAN groups it wants to join When this switch receives these messages it will automatically place the receiving port in the specified VLANs and then forward the message to all other ports When the message arrives at another switc...

Page 174: ...nation host the switch must first strip off the VLAN tag before forwarding the frame When the switch receives a tagged frame it will pass this frame onto the VLAN s indicated by the frame tag However when this switch receives an untagged frame from a VLAN unaware device it first decides where to forward the frame and then inserts a VLAN tag reflecting the ingress port s default VID CONFIGURING VLA...

Page 175: ...D of configured VLAN u VLAN Name Name of the VLAN u Status Operational status of configured VLAN WEB INTERFACE To create VLAN groups 1 Click VLAN Static 2 Select Add from the Action list 3 Enter a VLAN ID or range of IDs 4 Mark Enable to configure the VLAN as operational 5 Click Apply Figure 55 Creating Static VLANs ...

Page 176: ...tings for VLAN groups 1 Click VLAN Static 2 Select Show from the Action list Figure 57 Showing Static VLANs ADDING STATIC MEMBERS TO VLANS Use the VLAN Static page to configure port members for the selected VLAN index interface or a range of interfaces Use the menus for editing port members to configure the VLAN behavior for specific interfaces including the mode of operation Hybrid or 1Q Trunk th...

Page 177: ... between two switches so the port transmits tagged frames that identify the source VLAN Note that frames belonging to the port s default VLAN i e associated with the PVID are also transmitted as tagged frames u PVID VLAN ID assigned to untagged frames received on the interface Default 1 If an interface is not a member of VLAN 1 and you assign its PVID to this VLAN the interface will automatically ...

Page 178: ... VLAN All packets transmitted by the port will be untagged that is not carry a tag and therefore not carry VLAN or CoS information Note that an interface must be assigned to at least one group as an untagged port n Forbidden Interface is forbidden from automatically joining the VLAN via GVRP For more information see Automatic VLAN Registration on page 173 n None Interface is not a member of the VL...

Page 179: ...by VLAN from the Step list 3 Set the Interface type to display as Port or Trunk 4 Modify the settings for any interface as required Remember that Membership Type cannot be changed until an interface has been added to another VLAN and the PVID changed to anything other than 1 5 Click Apply Figure 58 Configuring Static Members by VLAN Index To configure static members by interface 1 Click VLAN Stati...

Page 180: ...the Step list 3 Set the Interface type to display as Port or Trunk 4 Enter an interface range 5 Modify the VLAN parameters as required Remember that the PVID acceptable frame type and ingress filtering parameters for each interface within the specified range must be configured on either the Edit Member by VLAN or Edit Member by Interface page 6 Click Apply Figure 60 Configuring Static VLAN Members...

Page 181: ...VRP Status Enables disables GVRP for the interface GVRP must be globally enabled for the switch before this setting can take effect using the Configure General page When disabled any GVRP packets received on this port will be discarded and no GVRP registrations will be propagated from other ports Default Disabled u GVRP Timers Timer settings must follow this rule 2 x join timer leave timer leaveAl...

Page 182: ...itch has joined through GVRP u Interface Displays a list of ports or trunks which have joined the selected VLAN through GVRP WEB INTERFACE To configure GVRP on the switch 1 Click VLAN Dynamic 2 Select Configure General from the Step list 3 Enable or disable GVRP 4 Click Apply Figure 61 Configuring Global Status of GVRP To configure GVRP status and timers on a port or trunk 1 Click VLAN Dynamic 2 S...

Page 183: ...AN Dynamic 2 Select Show Dynamic VLAN from the Step list 3 Select Show VLAN from the Action list Figure 63 Showing Dynamic VLANs Registered on the Switch To show the members of a dynamic VLAN 1 Click VLAN Dynamic 2 Select Show Dynamic VLAN from the Step list 3 Select Show VLAN Members from the Action list Figure 64 Showing the Members of a Dynamic VLAN ...

Page 184: ...rmal VLANs can exist simultaneously within the same switch To configure primary secondary associated groups follow these steps 1 Use the Configure VLAN Add page to designate one or more community VLANs and the primary VLAN that will channel traffic outside of the VLAN groups 2 Use the Configure VLAN Add Community VLAN page to map a community VLAN to the primary VLAN 3 Use the Configure Interface p...

Page 185: ...N from the Step list 3 Select Add from the Action list 4 Enter the VLAN ID to assign to the private VLAN 5 Select Primary or Community from the Type list 6 Click Apply Figure 65 Configuring Private VLANs To display a list of private VLANs 1 Click VLAN Private 2 Select Configure VLAN from the Step list 3 Select Show from the Action list Figure 66 Showing Private VLANs NOTE All member ports must be ...

Page 186: ... a community VLAN with a primary VLAN 1 Click VLAN Private 2 Select Configure VLAN from the Step list 3 Select Add Community VLAN from the Action list 4 Select an entry from the Primary VLAN list 5 Select an entry from the Community VLAN list to associate it with the selected primary VLAN Note that a community VLAN can only be associated with one primary VLAN 6 Click Apply Figure 67 Associating Pr...

Page 187: ...runk Mode Sets the private VLAN port types n Normal The port is not assigned to a private VLAN n Host The port is a community port A community port can communicate with other ports in its own community VLAN and with designated promiscuous port s n Promiscuous A promiscuous port can communicate with all interfaces within a private VLAN u Primary VLAN Conveys traffic between promiscuous ports and be...

Page 188: ...erface from the Step list 3 Set the Interface type to display as Port or Trunk 4 Set the Port Mode to Promiscuous 5 For an interface set the Promiscuous mode select an entry from the Primary VLAN list 6 For an interface set the Host mode select an entry from the Community VLAN list 7 Click Apply Figure 69 Configuring Interfaces for Private VLANs ...

Page 189: ...c VLAN IDs QinQ tunneling expands VLAN space by using a VLAN in VLAN hierarchy preserving the customer s original tagged packets and adding SPVLAN tags to each frame also called double tagging A port configured to support QinQ tunneling must be set to tunnel port mode The Service Provider VLAN SPVLAN ID for the specific customer must be assigned to the QinQ tunnel access port on the edge switch wh...

Page 190: ...er tag if it is a tagged or priority tagged packet 2 After successful source and destination lookup the ingress process sends the packet to the switching process with two tags If the incoming packet is untagged the outer tag is an SPVLAN tag and the inner tag is a dummy tag 8100 0000 If the incoming packet is tagged the outer tag is an SPVLAN tag and the inner tag is a CVLAN tag 3 After packet cla...

Page 191: ...equal to the TPID of the uplink port no new VLAN tag is added If the uplink port is not the member of the outer VLAN of the incoming packets the packet will be dropped when ingress filtering is enabled If ingress filtering is not enabled the packet will still be forwarded If the VLAN is not listed in the VLAN table the packet will be dropped 4 After successful source and destination lookups the pa...

Page 192: ...r 3 information are not supported on tunnel ports n Spanning tree bridge protocol data unit BPDU filtering is automatically disabled on a tunnel port General Configuration Guidelines for QinQ 1 Enable Tunnel Status and set the Tag Protocol Identifier TPID value of the tunnel access port in the Ethernet Type field This step is required if the attached client is using a nonstandard 2 byte ethertype ...

Page 193: ...el port Range hexadecimal 0800 FFFF Default 8100 Use this field to set a custom 802 1Q ethertype value This feature allows the switch to interoperate with third party switches that do not use the standard 0x8100 ethertype to identify 802 1Q tagged frames For example if 0x1234 is set as the custom 802 1Q ethertype on a trunk port incoming frames containing that ethertype are assigned to the VLAN co...

Page 194: ...nt is using a nonstandard 2 byte ethertype to identify 802 1Q tagged frames u Then use the Configure Interface page to set the access interface on the edge switch to Tunnel mode and set the uplink interface on the switch attached to the service provider network to Tunnel Uplink mode PARAMETERS These parameters are displayed in the web interface u Interface Displays a list of ports or trunks u Port...

Page 195: ...e easily grouped into a common VLAN This may require non standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol This kind of configuration deprives users of the basic benefits of VLANs including security and easy accessibility To avoid these problems you can configure this switch with protocol based VLANs that divide the ...

Page 196: ...ol groups CLI REFERENCES u protocol vlan protocol group Configuring Groups on page 954 PARAMETERS These parameters are displayed in the web interface u Frame Type Choose either Ethernet RFC 1042 or LLC Other as the frame type used by this protocol u Protocol Type Specifies the protocol type to match The available options are IP ARP RARP and IPv6 If LLC Other is chosen for the Frame Type the only a...

Page 197: ...from the Action list 4 Select an entry from the Frame Type list 5 Select an entry from the Protocol Type list 6 Enter an identifier for the protocol group 7 Click Apply Figure 73 Configuring Protocol VLANs To configure a protocol group 1 Click VLAN Protocol 2 Select Configure Protocol from the Step list 3 Select Show from the Action list Figure 74 Displaying Protocol VLANs ...

Page 198: ...rame is tagged it will be processed according to the standard rules applied to tagged frames n If the frame is untagged and the protocol type matches the frame is forwarded to the appropriate VLAN n If the frame is untagged but the protocol type does not match the frame is forwarded to the default VLAN for this interface PARAMETERS These parameters are displayed in the web interface u Interface Di...

Page 199: ...raffic will be forwarded 7 Click Apply Figure 75 Assigning Interfaces to Protocol VLANs To show the protocol groups mapped to a port or trunk 1 Click VLAN Protocol 2 Select Configure Interface from the Step list 3 Select Show from the Action list Figure 76 Showing the Interface to Protocol Group Mapping ...

Page 200: ...N ID An IP subnet consists of an IP address and a mask u When an untagged frame is received by a port the source IP address is checked against the IP subnet to VLAN mapping table and if an entry is found the corresponding VLAN ID is assigned to the frame If no mapping is found the PVID of the receiving port is assigned to the frame u The IP subnet cannot be a broadcast or multicast IP address u Wh...

Page 201: ...s field 4 Enter a mask in the Subnet Mask field 5 Enter the identifier in the VLAN field Note that the specified VLAN need not already be configured 6 Enter a value to assign to untagged frames in the Priority field 7 Click Apply Figure 77 Configuring IP Subnet VLANs To show the configured IP subnet VLANs 1 Click VLAN IP Subnet 2 Select Show from the Action list Figure 78 Showing IP Subnet VLANs ...

Page 202: ...ses cannot be broadcast or multicast addresses u When MAC based IP subnet based and protocol based VLANs are supported concurrently priority is applied in this sequence and then port based VLANs last PARAMETERS These parameters are displayed in the web interface u MAC Address A source MAC address which is to be mapped to a specific VLAN The MAC address must be specified in the format xx xx xx xx x...

Page 203: ...ation Configuring MAC based VLANs 203 6 Click Apply Figure 79 Configuring MAC Based VLANs To show the MAC addresses mapped to a VLAN 1 Click VLAN MAC Based 2 Select Show from the Action list Figure 80 Showing MAC Based VLANs ...

Page 204: ...CHAPTER 6 VLAN Configuration Configuring MAC based VLANs 204 ...

Page 205: ...NG MAC ADDRESS LEARNING Use the MAC Address Learning Status page to enable or disable MAC address learning on an interface CLI REFERENCES u mac learning on page 778 COMMAND USAGE u When MAC address learning is disabled the switch immediately stops learning new MAC addresses on the specified interface Only incoming traffic with source addresses stored in the static address table see Setting Static ...

Page 206: ...ee Configuring Port Security on page 344 is enabled on the same interface PARAMETERS These parameters are displayed in the web interface u Interface Displays a list of ports or trunks u Port Port Identifier Range 1 26 50 u Trunk Trunk Identifier Range 1 32 u Status The status of MAC address learning Default Enabled WEB INTERFACE To enable or disable MAC address learning 1 Click MAC Address Learnin...

Page 207: ...another interface the address will be ignored and will not be written to the address table u Static addresses will not be removed from the address table when a given interface link is down u A static address cannot be learned on another port until the address is removed from the table PARAMETERS These parameters are displayed in the web interface u VLAN ID of configured VLAN Range 1 4093 u Interfa...

Page 208: ...NG THE AGING TIME Use the MAC Address Dynamic Configure Aging page to set the aging time for entries in the dynamic address table The aging time is used to age out dynamically learned forwarding information CLI REFERENCES u mac address table aging time on page 893 PARAMETERS These parameters are displayed in the web interface u Aging Status Enables disables the function u Aging Time The time after...

Page 209: ...for traffic entering the switch When the destination address for inbound traffic is found in the database the packets intended for that address are forwarded directly to the associated port Otherwise the traffic is flooded to all ports CLI REFERENCES u show mac address table on page 895 PARAMETERS These parameters are displayed in the web interface u Sort Key You can sort the information displayed...

Page 210: ...ARING THE DYNAMIC ADDRESS TABLE Use the MAC Address Dynamic Clear Dynamic MAC page to remove any learned entries from the forwarding database CLI REFERENCES u clear mac address table dynamic on page 895 PARAMETERS These parameters are displayed in the web interface u Clear by All entries can be cleared or you can clear the entries for a specific MAC address all the entries in a VLAN or all the ent...

Page 211: ...1 3 Select the method by which to clear the entries i e All MAC Address VLAN or Interface 4 Enter information in the additional fields required for clearing entries by MAC Address VLAN or Interface 5 Click Clear Figure 86 Clearing Entries in the Dynamic MAC Address Table ...

Page 212: ...CHAPTER 7 Address Table Settings Clearing the Dynamic Address Table 212 ...

Page 213: ...liant switch bridge or router in your network to ensure that only one route exists between any two stations on the network and provide backup links which automatically take over when a primary link goes down The spanning tree algorithms supported by this switch include these versions u STP Spanning Tree Protocol IEEE 802 1D u RSTP Rapid Spanning Tree Protocol IEEE 802 1w u MSTP Multiple Spanning T...

Page 214: ...3 seconds compared to 30 seconds or more for STP by reducing the number of state changes before active ports start learning predefining an alternate route that can be used when a node or port fails and retaining the forwarding database for ports insensitive to changes in the tree structure when reconfiguration occurs MSTP When using STP or RSTP it may be difficult to maintain a stable path between...

Page 215: ...ridge node for communications with STP or RSTP nodes in the global network Figure 89 Common Internal Spanning Tree Common Spanning Tree Internal Spanning Tree MSTP connects all bridges and LAN segments with a single Common and Internal Spanning Tree CIST The CIST is formed as a result of the running spanning tree algorithm between switches that support the STP RSTP MSTP protocols Once you specify ...

Page 216: ...own BPDUs in a forward delay interval NOTE If loopback detection is not enabled and an interface receives it s own BPDU then the interface will drop the loopback BPDU according to IEEE Standard 802 1w 2001 9 3 4 Note 1 NOTE Loopback detection will not be active if Spanning Tree is disabled on the switch NOTE When configured for manual release mode then a link down up event will not release the por...

Page 217: ...AND USAGE u Spanning Tree Protocol2 Uses RSTP for the internal state machine but sends only 802 1D BPDUs This creates one spanning tree instance for the entire network If multiple VLANs are implemented on a network the path between specific VLAN members may be inadvertently disabled to prevent network loops thus isolating group members When operating multiple VLANs we recommend selecting the MSTP ...

Page 218: ...anning tree instance can exist only on bridges that have compatible VLAN instance assignments n Be careful when switching between spanning tree modes Changing modes stops all spanning tree instances for the previous mode and restarts the system in the new mode temporarily disrupting user traffic PARAMETERS These parameters are displayed in the web interface Basic Configuration of Global Settings u...

Page 219: ...itch uses a backwards compatible subset of RSTP to implement STP and also apply to MSTP which is based on RSTP according to the standard u Path Cost Method The path cost is used to determine the best path between devices The path cost method is used to determine the range of values that can be assigned to each interface n Long Specifies 32 bit based values that range from 1 200 000 000 This is the...

Page 220: ...n Default 15 n Minimum The higher of 4 or Max Message Age 2 1 n Maximum 30 Configuration Settings for MSTP u Max Instance Numbers The maximum number of MSTP instances to which this switch can be assigned u Configuration Digest An MD5 signature key that contains the VLAN ID to MST ID mapping table In other words this key is a mapping of all VLANs to the CIST u Region Revision3 The revision for this...

Page 221: ...CHAPTER 8 Spanning Tree Algorithm Configuring Global Settings for STA 221 5 Click Apply Figure 91 Configuring Global Settings for STA STP Figure 92 Configuring Global Settings for STA RSTP ...

Page 222: ... page 922 u show spanning tree mst configuration on page 924 PARAMETERS The parameters displayed in the web interface are described in the preceding section except for the following items u Bridge ID A unique identifier for this bridge consisting of the bridge priority the MST Instance ID 0 for the Common Spanning Tree when spanning tree type is set to MSTP and MAC address where the address is tak...

Page 223: ...NTERFACE To display global STA settings 1 Click Spanning Tree STA 2 Select Configure Global from the Step list 3 Select Show Information from the Action list Figure 94 Displaying Global Settings for STA CONFIGURING INTERFACE SETTINGS FOR STA Use the Spanning Tree STA Configure Interface Configure page to configure RSTP and MSTP attributes for specific interfaces including port priority path cost l...

Page 224: ... Protocol is detecting network loops Where more than one port is assigned the highest priority the port with lowest numeric identifier will be enabled n Default 128 n Range 0 240 in steps of 16 u Admin Path Cost This parameter is used by the STA to determine the best path between devices Therefore lower values should be assigned to ports attached to faster media and higher values assigned to ports...

Page 225: ...panning tree forwarding state Specifying Edge Ports provides quicker convergence for devices such as workstations or servers retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration events does not cause the spanning tree to initiate reconfiguration when the interface changes state and also overcomes other STA related ...

Page 226: ...nfiguration configured edge ports should not receive BPDUs If an edge port receives a BPDU an invalid configuration exists such as a connection to an unauthorized device The BPDU guard feature provides a secure response to invalid configurations because an administrator must manually enable the port Default Disabled u BPDU Filter5 BPDU filtering allows you to avoid transmitting BPDUs on configured...

Page 227: ...ee Shows if STA has been enabled on this interface u BPDU Flooding Shows if BPDUs will be flooded to other ports when spanning tree is disabled globally on the switch or disabled on a specific port u STA Status Displays current state of this port within the Spanning Tree n Discarding Port receives STA configuration messages but does not forward packets n Learning Port has transmitted configuration...

Page 228: ... on the designated bridging device through which this switch must communicate with the root of the Spanning Tree u Oper Path Cost The contribution of this port to the path cost of paths towards the spanning tree root which include this port u Oper Link Type The operational point to point status of the LAN segment attached to this interface This parameter is determined by manual configuration or by...

Page 229: ... Step list 3 Select Show Information from the Action list Figure 97 Displaying Interface Settings for STA Alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port x R Root Port A Alternate Port D Designated Port B Backup Port R R A D B Backup port receives more useful BPDUs from the same bridge and is therefore not selected as the designate...

Page 230: ...hin the same MSTI Region page 217 with the same set of instances and the same instance on each bridge with the same set of VLANs Also note that RSTP treats each MSTI region as a single node connecting all regions to the Common Spanning Tree To use multiple spanning trees 1 Set the spanning tree type to MSTP page 217 2 Enter the spanning tree priority for the selected MST instance on the Spanning T...

Page 231: ...y the MST instance identifier and the initial VLAN member Additional member can be added using the Spanning Tree MSTP Configure Global Add Member page If the priority is not specified the default value 32768 is used 5 Click Apply Figure 98 Creating an MST Instance To show the MSTP instances 1 Click Spanning Tree MSTP 2 Select Configure Global from the Step list 3 Select Show from the Action list F...

Page 232: ...he priority for an MSTP Instance 5 Click Apply Figure 100 Modifying the Priority for an MST Instance To display global settings for MSTP 1 Click Spanning Tree MSTP 2 Select Configure Global from the Step list 3 Select Show Information from the Action list 4 Select an MST ID The attributes displayed on this page are described under Displaying Global Settings for STA on page 222 Figure 101 Displayin...

Page 233: ...lect an MST instance from the MST ID list 5 Enter the VLAN group to add to the instance in the VLAN ID field Note that the specified member does not have to be a configured VLAN 6 Click Apply Figure 102 Adding a VLAN to an MST Instance To show the VLAN members of an MSTP instance 1 Click Spanning Tree MSTP 2 Select Configure Global from the Step list 3 Select Show Member from the Action list Figur...

Page 234: ...rity used for this port in the Spanning Tree Protocol If the path cost for all ports on a switch are the same the port with the highest priority i e lowest value will be configured as an active link in the Spanning Tree This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops Where more than one port is assigned the highest priority ...

Page 235: ...arameters for a port or trunk 1 Click Spanning Tree MSTP 2 Select Configure Interface from the Step list 3 Select Configure from the Action list 4 Enter the priority and path cost for an interface 5 Click Apply Figure 104 Configuring MSTP Interface Settings To display MSTP parameters for a port or trunk 1 Click Spanning Tree MSTP 2 Select Configure Interface from the Step list 3 Select Show Inform...

Page 236: ...CHAPTER 8 Spanning Tree Algorithm Configuring Interface Settings for MSTP 236 Figure 105 Displaying MSTP Interface Settings ...

Page 237: ...rate will be monitored by the hardware to verify conformity Non conforming traffic is dropped conforming traffic is forwarded without any changes CLI REFERENCES u Rate Limit Commands on page 877 PARAMETERS These parameters are displayed in the web interface u Port Displays the port number u Type Indicates the port type 1000Base T 1000Base SFP or 10G u Status Enables or disables the rate limit Defa...

Page 238: ...CHAPTER 9 Rate Limit Configuration 238 Figure 106 Configuring Rate Limits ...

Page 239: ... unknown unicast traffic packets exceeding the threshold are dropped until the rate falls back down beneath the threshold u The rate limits set by this function are also used by automatic storm control when the control response is set to rate limiting by the auto traffic control action command u Using both rate limiting and storm control on the same interface may lead to unexpected results For exa...

Page 240: ...own unicast storm control u Rate Threshold level as a rate i e packets per second Range 500 262143 packets per second Default 500 pps for broadcast traffic 262143 pps for unknown unicast and multicast traffic WEB INTERFACE To configure broadcast storm control 1 Click Traffic Storm Control 2 Set the Status field to enable or disable storm control 3 Set the required threshold beyond which the switch...

Page 241: ...rity for untagged frames set the queue mode set the weights assigned to each queue and map class of service tags to queues SETTING THE DEFAULT PRIORITY FOR INTERFACES Use the Traffic Priority Default Priority page to specify the default port priority for each interface on the switch All untagged packets entering the switch are tagged with the specified default port priority and then sorted into th...

Page 242: ...t priority for any interface 4 Click Apply Figure 108 Setting the Default Port Priority SELECTING THE QUEUE MODE Use the Traffic Priority Queue page to set the queue mode for the egress queues on any interface The switch can be set to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before the lower priority queues are serviced or Weigh...

Page 243: ...r one of the queuing modes that use a combination of strict and weighted queuing PARAMETERS These parameters are displayed in the web interface u Interface Displays a list of ports or trunks u Queue Mode n Strict Services the egress queues in sequential order transmitting all traffic in the higher priority queues before servicing lower priority queues This ensures that the highest priority packets...

Page 244: ...ueue mode 4 If any of the weighted queue modes is selected the queue weight can be modified if required 5 If any of the queue modes that use a combination of strict and weighted queueing are selected the queues which are serviced first must be specified by enabling strict mode parameter in the table 6 Click Apply Figure 109 Setting the Queue Mode Strict Figure 110 Setting the Queue Mode WRR ...

Page 245: ...trict priority Weighted Round Robin WRR or a combination of strict and weighted queuing Up to eight separate traffic priorities are defined in IEEE 802 1p Default priority levels are assigned according to recommendations in the IEEE 802 1p standard as shown in the following table The priority levels recommended in the IEEE 802 1p standard for various network applications are shown in Table 12 Howe...

Page 246: ...ge 0 7 where 7 is the highest priority u Queue Output queue buffer Range 0 7 where 7 is the highest CoS priority queue WEB INTERFACE To specify which of the output queues to use for CoS priority tagged traffic 1 Click Traffic Priority CoS to Queue 2 Assign priorities to the output queues 3 Click Apply Table 12 CoS Priority Levels Priority Level Traffic Type 1 Background 2 Spare 0 default Best Effo...

Page 247: ...iorities are mapped to a Class of Service value by the switch and the traffic then sent to the corresponding output queue Because different priority information may be contained in the traffic this switch maps priority values to the output queues in the following manner u The precedence for priority mapping is IP Port Priority IP Precedence or DSCP Priority and then Default Port Priority u IP Prec...

Page 248: ...are priority queues The default mapping is defined in the following table Note that all the DSCP values that are not specified are mapped to CoS value 0 NOTE IP DSCP settings apply to all interfaces PARAMETERS These parameters are displayed u DSCP Mapping Status Enables or disables the use of IP DSCP priorities and the mapping of these priority values to CoS values Default Disabled u IP DSCP 8 bit...

Page 249: ... The Type of Service ToS octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic The default IP Precedence values are mapped one to one to Class of Service values i e Precedence value 0 maps to CoS value 0 and so forth Bits 6 and 7 are used for network control a...

Page 250: ... 7 WEB INTERFACE To set the IP Precedence to CoS priority map 1 Click Traffic Priority IP Precedence to CoS 2 Locate an entry from the IP Precedence table and enter a value in the CoS field 3 Click Apply Figure 114 Mapping IP Precedence Priority Values MAPPING IP PORT PRIORITY Use the Traffic Priority IP Port to CoS page to map network applications designated by a TCP UDP destination port number i...

Page 251: ...ese parameters are displayed in the web interface u IP Port Mapping Status Enables or disables the use of TCP UDP destination port numbers priorities and the mapping of these priority values to CoS values Default Disabled u TCP UDP Port 16 bit TCP UDP destination port number Range 0 65535 u CoS Class of Service value Range 0 7 WEB INTERFACE To set the TCP UDP port number to CoS priority map 1 Clic...

Page 252: ... of Service Layer 3 4 Priority Settings 252 To show the TCP UDP port number to CoS priority map 1 Click Traffic Priority IP Port to DSCP 2 Select Show from the Action list Figure 116 Showing IP Port Number Priority Map ...

Page 253: ...nt kinds of traffic can be marked for different kinds of forwarding All switches or routers that access the Internet rely on class information to provide the same forwarding treatment to packets in the same class Class information can be assigned by end hosts or switches or routers along the path Priority can then be assigned based on a general policy or a detailed examination of the packet Howeve...

Page 254: ...r the maximum throughput and burst rate Then specify the action to take for conforming traffic or the action to take for a policy violation 5 Use the Configure Interface page to assign a policy map to a specific interface CONFIGURING A CLASS MAP A class map is used for matching packets to a specified class Use the Traffic DiffServ Configure Class page to configure a class map CLI REFERENCES u Qual...

Page 255: ...me of an access control list Any type of ACL can be specified including standard or extended IP ACLs and MAC ACLs u IP DSCP A DSCP value Range 0 63 u IP Precedence An IP Precedence value Range 0 7 u IPv6 DSCP A DSCP value contained in an IPv6 packet Range 0 63 u VLAN ID A VLAN Range 1 4093 WEB INTERFACE To configure a class map 1 Click Traffic DiffServ 2 Select Configure Class from the Step list 3...

Page 256: ...Maps To edit the rules for a class map 1 Click Traffic DiffServ 2 Select Configure Class from the Step list 3 Select Add Rule from the Action list 4 Select the name of a class map 5 Specify type of traffic for this class based on an access list a DSCP or IP Precedence value or a VLAN You can specify up to 16 items to match when assigning ingress traffic to a class map 6 Click Apply Figure 119 Addi...

Page 257: ...hich indicates how to match the inbound packets according to an access list a DSCP or IP Precedence value or a member of specific VLAN A policy map is then configured which indicates the boundary parameters used for monitoring inbound traffic and the action to take for conforming and non conforming traffic A policy map may contain one or more classes based on previously defined class maps The clas...

Page 258: ... as described below A packet is marked green if it doesn t exceed the committed information rate and committed burst size yellow if it does exceed the committed information rate and committed burst size but not the excess burst size and red otherwise u The meter operates in one of two modes In the color blind mode the meter assumes that the packet stream is uncolored In color aware mode the meter ...

Page 259: ...put peak information rate PIR and their associated burst sizes committed burst size BC or burst rate and peak burst size BP Action may taken for traffic conforming to the maximum throughput exceeding the maximum throughput or exceeding the peak burst size u The PHB label is composed of five bits three bits for per hop behavior and two bits for the color scheme used to control queue congestion In a...

Page 260: ...as red or if Tp t B 0 the packet is red else n if the packet has been precolored as yellow or if Tc t B 0 the packet is yellow and Tp is decremented by B else n the packet is green and both Tp and Tc are decremented by B u The trTCM can be used to mark a IP packet stream in a service where different decreasing levels of assurances either absolute or relative are given to packets which are green ye...

Page 261: ...ts from a policy violation u Meter Mode Selects one of the following policing methods n Flow Police Flow Defines the committed information rate CIR or maximum throughput committed burst size BC or burst rate and the action to take for conforming and non conforming traffic Policing is based on a token bucket where bucket depth that is the maximum burst before the bucket overflows is specified by th...

Page 262: ...ch assumes that the packet stream is uncolored and Color Aware which assumes that the incoming packets are pre colored The functional differences between these modes is described at the beginning of this section under srTCM Police Meter n Committed Information Rate CIR Rate in kilobits per second Range 1 1000000 kbps or maximum port speed whichever is lower The rate cannot exceed the configured in...

Page 263: ...n to the actions defined by this command to transmit remark the DSCP service value or drop a packet the switch will also mark the two color bits used to prioritize service to packets of different colors The color modes include Color Blind which assumes that the packet stream is uncolored and Color Aware which assumes that the incoming packets are pre colored The functional differences between thes...

Page 264: ...d or the DSCP service level will be reduced n Set IP DSCP Decreases DSCP priority for out of conformance traffic Range 0 63 n Drop Drops out of conformance traffic n Violate Specifies whether the traffic that exceeds the peak information rate PIR will be dropped or the DSCP service level will be reduced n Set IP DSCP Decreases DSCP priority for out of conformance traffic Range 0 63 n Drop Drops ou...

Page 265: ...ep list 3 Select Add Rule from the Action list 4 Select the name of a policy map 5 Set the CoS or per hop behavior for matching packets to specify the quality of service to be assigned to the matching traffic class Use one of the metering options to define parameters such as the maximum throughput and burst rate Then specify the action to take for conforming traffic the action to tack for traffic ...

Page 266: ... Policies 266 Figure 123 Adding Rules to a Policy Map To show the rules for a policy map 1 Click Traffic DiffServ 2 Select Configure Policy from the Step list 3 Select Show Rule from the Action list Figure 124 Showing the Rules for a Policy Map ...

Page 267: ...one policy map can be bound to an interface u The switch does not allow a policy map to be bound to an interface for egress traffic PARAMETERS These parameters are displayed in the web interface u Port Specifies a port u Ingress Applies the selected rule to ingress traffic WEB INTERFACE To bind a policy map to a port 1 Click Traffic DiffServ 2 Select Configure Interface from the Step list 3 Check ...

Page 268: ...CHAPTER 12 Quality of Service Attaching a Policy Map to a Port 268 ...

Page 269: ...y by isolating the VoIP traffic from other data traffic End to end QoS policies and high priority can be applied to VoIP VLAN traffic across the network guaranteeing the bandwidth it needs VLAN isolation also protects against disruptive broadcast and multicast traffic that can seriously affect voice quality The switch allows you to specify a Voice VLAN for the network and set a CoS priority for th...

Page 270: ...lready be created on the switch Range 1 4093 u Voice VLAN Aging Time The time after which a port is removed from the Voice VLAN when VoIP traffic is no longer received on the port Range 5 43200 minutes Default 1440 minutes NOTE The Voice VLAN ID cannot be modified when the global Auto Detection Status is enabled WEB INTERFACE To configure global settings for a Voice VLAN 1 Click Traffic VoIP 2 Sel...

Page 271: ...ayed in the web interface u Telephony OUI Specifies a MAC address range to add to the list Enter the MAC address in format 01 23 45 67 89 AB u Mask Identifies a range of MAC addresses Selecting a mask of FF FF FF 00 00 00 identifies all devices with the same OUI the first three octets Other masks restrict the MAC address range Selecting FF FF FF FF FF FF specifies a single MAC address Default FF F...

Page 272: ... to configure ports for VoIP traffic you need to set the mode Auto or Manual specify the discovery method to use and set the traffic priority You can also enable security filtering to ensure that only VoIP traffic is forwarded on the Voice VLAN CLI REFERENCES u Configuring Voice VLANs on page 960 PARAMETERS These parameters are displayed in the web interface u Mode Specifies if the port will be ad...

Page 273: ...n the port Default OUI n OUI Traffic from VoIP devices is detected by the Organizationally Unique Identifier OUI of the source MAC address OUI numbers are assigned to manufacturers and form the first three octets of a device MAC address MAC address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device n LLDP Uses LLDP IEEE 80...

Page 274: ...CHAPTER 13 VoIP Traffic Configuration Configuring VoIP Traffic Ports 274 Figure 129 Configuring Port Settings for a Voice VLAN ...

Page 275: ...tication methods are infeasible or impractical u Network Access Configure MAC authentication and dynamic VLAN assignment u HTTPS Provide a secure web connection u SSH Provide a secure shell for secure Telnet access u ACL Access Control Lists provide packet filtering for IP frames based on address protocol Layer 4 protocol port number or TCP control code u ARP Inspection Security feature that valid...

Page 276: ...vers in the network The security servers can be defined as sequential groups that are applied as a method for controlling user access to specified services For example when the switch attempts to authenticate a user a request is sent to the first server in the defined group if there is no response the second server will be tried and so on If at any point a pass or fail is returned the process stop...

Page 277: ...OMMAND USAGE u By default management access is always checked against the authentication database stored on the local switch If a remote authentication server is used you must specify the authentication sequence Then specify the corresponding parameters for the remote authentication protocol using the Security AAA Server page Local and remote logon authentication control management access via the ...

Page 278: ...are logon authentication protocols that use software running on a central server to control access to RADIUS aware or TACACS aware devices on the network An authentication server contains a database of multiple user name password pairs with associated privilege levels for each user that requires management access to the switch Figure 131 Authentication Server Operation RADIUS uses UDP while TACACS...

Page 279: ...ransport Layer Security or TTLS Tunneled Transport Layer Security PARAMETERS These parameters are displayed in the web interface Configure Server u RADIUS n Global Provides globally applicable RADIUS settings n Server Index Specifies one of five RADIUS servers that may be configured The switch attempts authentication using the listed sequence of servers The process ends when a server either approv...

Page 280: ...ACACS server used for authentication messages Range 1 65535 Default 49 n Set Key Mark this box to set or modify the encryption key n Authentication Key Encryption key used to authenticate logon access for client Do not use blank spaces in the string Maximum length 48 characters n Confirm Authentication Key Re type the string entered in the previous field to ensure no errors were made The switch wi...

Page 281: ... the parameters that apply to a specific server 5 To set or modify the authentication key mark the Set Key box enter the key and then confirm it 6 Click Apply Figure 132 Configuring Remote Authentication Server RADIUS Figure 133 Configuring Remote Authentication Server TACACS To configure the RADIUS or TACACS server groups to use for accounting and authorization 1 Click Security AAA Server 2 Selec...

Page 282: ...up name followed by the index of the server to use for each priority level 6 Click Apply Figure 134 Configuring AAA Server Groups To show the RADIUS or TACACS server groups used for accounting and authorization 1 Click Security AAA Server 2 Select Configure Group from the Step list 3 Select Show from the Action list Figure 135 Showing AAA Server Groups ...

Page 283: ...tes where 0 means disabled Configure Method u Accounting Type Specifies the service as n 802 1X Accounting for end users n Exec Administrative accounting for local console Telnet or SSH connections u Method Name Specifies an accounting method for service requests The default methods are used for a requested service if no other methods have been defined Range 1 255 characters Note that the method n...

Page 284: ...ounting service u Method Name Displays the user defined or default accounting method u Server Group Name Displays the accounting server group u Interface Displays the port console or Telnet interface to which these rules apply This field is null if the accounting method and associated server group has not been assigned to an interface Show Information Statistics u User Name Displays a registered u...

Page 285: ...ng method applied to various service types and the assigned server group 1 Click Security AAA Accounting 2 Select Configure Method from the Step list 3 Select Add from the Action list 4 Select the accounting type 802 1X Exec 5 Specify the name of the accounting method and server group name 6 Click Apply Figure 137 Configuring AAA Accounting Methods ...

Page 286: ...he Action list Figure 138 Showing AAA Accounting Methods To configure the accounting method applied to specific interfaces console commands entered at specific privilege levels and local console Telnet or SSH connections 1 Click Security AAA Accounting 2 Select Configure Service from the Step list 3 Select the accounting type 802 1X Exec 4 Enter the required accounting method 5 Click Apply Figure ...

Page 287: ...pecified service types 1 Click Security AAA Accounting 2 Select Show Information from the Step list 3 Click Summary Figure 141 Displaying a Summary of Applied AAA Accounting Methods To display basic accounting information and statistics recorded for user sessions 1 Click Security AAA Accounting 2 Select Show Information from the Step list 3 Click Statistics Figure 142 Displaying Statistics for AAA...

Page 288: ...nections u Method Name Specifies an authorization method for service requests The default method is used for a requested service if no other methods have been defined Range 1 255 characters u Server Group Name Specifies the authorization server group Range 1 255 characters The group name tacacs specifies all configured TACACS hosts see Configuring Local Remote Logon Authentication on page 277 Any ...

Page 289: ...o the Exec service type and the assigned server group 1 Click Security AAA Authorization 2 Select Configure Method from the Step list 3 Specify the name of the authorization method and server group name 4 Click Apply Figure 143 Configuring AAA Authorization Methods To show the authorization method applied to the EXEC service type and the assigned server group 1 Click Security AAA Authorization 2 S...

Page 290: ... Configure Service from the Step list 3 Enter the required authorization method 4 Click Apply Figure 145 Configuring AAA Authorization Methods for Exec Service To display a the configured authorization method and assigned server groups for The Exec service type 1 Click Security AAA Authorization 2 Select Show Information from the Step list Figure 146 Displaying the Applied AAA Authorization Method...

Page 291: ...are displayed in the web interface u User Name The name of the user Maximum length 8 characters maximum number of users 16 u Access Level Specifies the user level Options 0 Normal 15 Privileged Normal privilege level provides access to a limited number of the commands which display the current status of the switch as well as several database clear and reset functions Privileged level provides full...

Page 292: ...ion are infeasible or impractical The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries All other traffic except for HTTP protocol traffic is blocked The switch intercepts HTTP protocol traffic and redirects it to a switch generated web page that facilitates user name and password authentication via RADIUS Once authent...

Page 293: ...ust also be enabled for any port where required under the Configure Interface menu u Session Timeout Configures how long an authenticated session stays active before it must re authenticate itself Range 300 3600 seconds Default 3600 seconds u Quiet Period Configures how long a host must wait to attempt authentication again after it has exceeded the maximum allowable failed login attempts Range 1 1...

Page 294: ...u Host IP Address Indicates the IP address of each connected host u Remaining Session Time Indicates the remaining time until the current authorization session for the host expires u Apply Enables web authentication if the Status box is checked Also ends all authenticated web sessions for selected host IP addresses in the Authenticated Host List and forces the users to re authenticate u Revert Res...

Page 295: ...NOTE MAC authentication cannot be configured on trunk ports CLI REFERENCES u Network Access MAC Address Authentication on page 781 COMMAND USAGE u MAC address authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is ...

Page 296: ... identifier list is carried in the RADIUS Tunnel Private Group ID attribute The VLAN list can contain multiple VLAN identifiers in the format 1u 2t 3u where u indicates an untagged VLAN and t a tagged VLAN u The RADIUS server may optionally return dynamic QoS assignments to be applied to a switch port for an authenticated user The Filter ID attribute attribute 11 can be configured on the RADIUS se...

Page 297: ...s occur n Illegal characters found in a profile value for example a non digital character in an 802 1p profile value n Failure to configure the received profiles on the authenticated port u When the last user logs off on a port with a dynamic QoS assignment the switch restores the original QoS configuration for the port u When a user attempts to log into the network with a returned dynamic QoS pro...

Page 298: ...the reauthentication time expires for a secure MAC address it is reauthenticated with the RADIUS server During the reauthentication process traffic through the port remains unaffected Default 1800 seconds Range 120 1000000 seconds WEB INTERFACE To configure aging status and reauthentication time for MAC address authentication 1 Click Security Network Access 2 Select Configure Global from the Step ...

Page 299: ...figuring Port Settings for 802 1X on page 349 u Dynamic VLAN Enables dynamic VLAN assignment for an authenticated port When enabled any VLAN identifiers returned by the RADIUS server are applied to the port providing the VLANs have already been created on the switch GVRP is not used to create the VLANs Default Enabled The VLAN settings specified by the first authenticated MAC address are implement...

Page 300: ...uest VLAN to use when MAC Authentication or 802 1X Authentication fails and the dynamic VLAN and QoS assignments 5 Click Apply Figure 152 Configuring Interface Settings for Network Access CONFIGURING PORT LINK DETECTION Use the Security Network Access Configure Interface Link Detection page to send an SNMP trap and or shut down a port when a link event occurs CLI REFERENCES u Network Access MAC Ad...

Page 301: ...nk detection on switch ports 1 Click Security Network Access 2 Select Configure Interface from the Step list 3 Click the Link Detection button 4 Modify the link detection status trigger condition and the response for any port 5 Click Apply Figure 153 Configuring Link Detection for Network Access CONFIGURING A MAC ADDRESS FILTER Use the Security MAC Authentication Configure MAC Filter page to desig...

Page 302: ...Mask u MAC Address Mask The filter rule will check for the range of MAC addresses defined by the MAC bit mask If you omit the mask the system will assign the default mask of an exact match Range 000000000000 FFFFFFFFFFFF Default FFFFFFFFFFFF WEB INTERFACE To add a MAC address filter for MAC authentication 1 Click Security Network Access 2 Select Configure MAC Filter from the Step list 3 Select Add...

Page 303: ... u Query By Specifies parameters to use in the MAC address query n Sort Key Sorts the information displayed based on MAC address port interface or attribute n MAC Address Specifies a specific MAC address n Interface Specifies a port interface n Attribute Displays static or dynamic addresses u Authenticated MAC Address List n MAC Address The authenticated MAC address n Interface The port interface ...

Page 304: ...URING HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol HTTPS over the Secure Socket Layer SSL providing secure access i e an encrypted connection to the switch s web interface CONFIGURING GLOBAL SETTINGS FOR HTTPS Use the Security HTTPS Configure Global page to enable or disable HTTPS and specify the UDP port used for this service CLI REFERENCES u Web Server on p...

Page 305: ...rating systems currently support HTTPS u To specify a secure site certificate see Replacing the Default Secure site Certificate on page 306 PARAMETERS These parameters are displayed in the web interface u HTTPS Status Allows you to enable disable the HTTPS server feature on the switch Default Enabled u HTTPS Port Specifies the UDP port number used for HTTPS connection to the switch s web interface...

Page 306: ...certificate and a private key and password from a recognized certification authority CAUTION For maximum security we recommend you obtain a unique Secure Sockets Layer certificate at the earliest opportunity This is because the default certificate for the switch is not unique to the hardware you have purchased When you have obtained these place them on your TFTP server and transfer them to the swi...

Page 307: ...ing the certificate to the switch u Confirm Password Re type the string entered in the previous field to ensure no errors were made The switch will not download the certificate if these two fields do not match WEB INTERFACE To replace the default secure site certificate 1 Click Security HTTPS 2 Select Copy Certificate from the Step list 3 Fill in the TFTP server certificate and private key file na...

Page 308: ...rts both password and public key authentication If password authentication is specified by the SSH client then the password can be authenticated either locally or via a RADIUS or TACACS remote authentication server as specified on the System Authentication page page 277 If public key authentication is specified by the client then you must configure authentication keys on both the client and the sw...

Page 309: ...e Optional Parameters On the SSH Settings page configure the optional parameters including the authentication timeout the number of retries and the server key size 5 Enable SSH Service On the SSH Settings page enable the SSH server on the switch 6 Authentication One of the following authentication methods is employed Password Authentication for SSH v1 5 or V2 Clients a The client sends its passwor...

Page 310: ... authentication process Otherwise it rejects the request c The client sends a signature generated using the private key to the switch d When the server receives this message it checks whether the supplied key is acceptable for authentication and if so it then checks whether the signature is correct If both checks succeed the client is authenticated NOTE The SSH server supports up to four client se...

Page 311: ...es the number of authentication attempts that a client is allowed before authentication fails and the client has to restart the authentication process Range 1 5 times Default 3 u Server Key Size Specifies the SSH server key size Range 512 896 bits Default 768 n The server key is a private key that is never shared outside the switch n The host key is shared with the SSH client and is fixed at 1024 ...

Page 312: ...e the host key pair i e public and private keys Range RSA Version 1 DSA Version 2 Both Default Both The SSH server uses RSA or DSA for key exchange when the client first establishes a connection with the switch and then negotiates with the client to select either DES 56 bit or 3DES 168 bit for data encryption NOTE The switch uses only RSA Version 1 for SSHv1 5 clients and DSA Version 2 for SSHv2 c...

Page 313: ... Click Show Figure 161 Showing the SSH Host Key Pair IMPORTING USER PUBLIC KEYS Use the Security SSH Configure User Key Copy page to upload a user s public key to the switch This public key must be stored on the switch for the user to be able to log in using the public key authentication mechanism If the user s public key does not exist on the switch SSH will revert to the interactive password aut...

Page 314: ...st establishes a connection with the switch and then negotiates with the client to select either DES 56 bit or 3DES 168 bit for data encryption The switch uses only RSA Version 1 for SSHv1 5 clients and DSA Version 2 for SSHv2 clients u TFTP Server IP Address The IP address of the TFTP server that contains the public key file you wish to import u Source File Name The public key file to upload WEB ...

Page 315: ...protocol port number or TCP control code IPv6 frames based on address next header type or flow label or any frames based on MAC address or Ethernet type To filter incoming packets first create an access list add the required rules and then bind the list to a specific port Configuring Access Control Lists An ACL is a sequential list of permit or deny conditions that apply to IP addresses MAC addres...

Page 316: ...s ports are checked in parallel 2 Rules within an ACL are checked in the configured order from top to bottom 3 If the result of checking an IP ACL is to permit a packet but the result of a MAC ACL on the same packet is to deny it the packet will be denied because the decision to deny a packet has a higher priority for security reasons A packet will also be denied if the IP ACL denies it and the MA...

Page 317: ...t Configure Time Range from the Step list 3 Select Add from the Action list 4 Enter the name of a time range 5 Click Apply Figure 164 Setting the Name of a Time Range To show a list of time ranges 1 Click Security ACL 2 Select Configure Time Range from the Step list 3 Select Show from the Action list Figure 165 Showing a List of Time Ranges To configure a rule for a time range 1 Click Security ACL...

Page 318: ... a mode option of Absolute or Periodic 6 Fill in the required parameters for the selected mode 7 Click Apply Figure 166 Add a Rule to a Time Range To show the rules configured for a time range 1 Click Security ACL 2 Select Configure Time Range from the Step list 3 Select Show Rule from the Action list Figure 167 Showing the Rules Configured for a Time Range ...

Page 319: ...to a port each rule in an ACL will use two PCEs and when setting an IP Source Guard filter rule for a port the system will also use two PCEs PARAMETERS These parameters are displayed in the web interface u Total Policy Control Entries The number policy control entries in use u Free Policy Control Entries The number of policy control entries available for use u Entries Used by System The number of ...

Page 320: ... TCP protocol is specified then you can also filter packets based on the TCP control code n IPv6 Standard IPv6 ACL mode filters packets based on the source IPv6 address n IPv6 Extended IPv6 ACL mode filters packets based on the source or destination IP address as well as the type of the next header and the flow label i e a request for special handling by IPv6 routers n MAC MAC ACL mode filters pac...

Page 321: ...Standard IP ACL on page 825 u show ip access list on page 829 u Time Range on page 689 PARAMETERS These parameters are displayed in the web interface u Type Selects the type of ACLs to show in the Name list u Name Shows the names of ACLs matching the selected type u Action An ACL can contain any combination of permit or deny rules u Address Type Specifies the source IP address Use Any to include a...

Page 322: ...ing the port s to which this ACL has been assigned u Time Range Name of a time range WEB INTERFACE To add rules to a Standard IPv4 ACL 1 Click Security ACL 2 Select Configure ACL from the Step list 3 Select Add Rule from the Action list 4 Select IP Standard from the Type list 5 Select the name of an ACL from the Name list 6 Specify the action i e Permit or Deny 7 Select the address type Any Host o...

Page 323: ... Address Source or destination IP address u Source Destination Subnet Mask Subnet mask for source or destination address See the description for Subnet Mask on page 321 u Source Destination Port Source destination port number for the specified protocol type Range 0 65535 u Source Destination Port Bit Mask Decimal number representing the port bits to match Range 0 65535 u Protocol Specifies the pro...

Page 324: ...code 18 control bit mask 18 n SYN valid and ACK invalid use control code 2 control bit mask 18 u Time Range Name of a time range WEB INTERFACE To add rules to an Extended IPv4 ACL 1 Click Security ACL 2 Select Configure ACL from the Step list 3 Select Add Rule from the Action list 4 Select IP Extended from the Type list 5 Select the name of an ACL from the Name list 6 Specify the action i e Permit...

Page 325: ...bination of permit or deny rules u Source Address Type Specifies the source IP address Use Any to include all possible addresses Host to specify a specific host address in the Address field or IPv6 prefix to specify a range of addresses Options Any Host IPv6 prefix Default Any u Source IPv6 Address An IPv6 source address or network class The address must be formatted according to RFC 2373 IPv6 Add...

Page 326: ...t 3 Select Add Rule from the Action list 4 Select IPv6 Standard from the Type list 5 Select the name of an ACL from the Name list 6 Specify the action i e Permit or Deny 7 Select the source address type Any Host or IPv6 prefix 8 If you select Host enter a specific address If you select IPv6 prefix enter a subnet address and the prefix length 9 Click Apply Figure 173 Configuring a Standard IPv6 ACL...

Page 327: ...al values One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields The switch only checks the first 64 bits of the destination address u Destination Prefix Length A decimal value indicating how many contiguous bits from the left of the address comprise the prefix i e the network portion of the address Range 0 64 bits u DSCP DSCP ...

Page 328: ...the routers by a control protocol such as a resource reservation protocol or by information within the flow s packets themselves e g in a hop by hop option A flow is uniquely identified by the combination of a source address and a non zero flow label Packets that do not belong to a flow carry a flow label of zero Hosts or routers that do not support the functions specified by the flow label must s...

Page 329: ...s are displayed in the web interface u Type Selects the type of ACLs to show in the Name list u Name Shows the names of ACLs matching the selected type u Action An ACL can contain any combination of permit or deny rules u Source Destination Address Type Use Any to include all possible addresses Host to indicate a specific MAC address or MAC to specify an address range with the Address and Bit Mask...

Page 330: ...ol types can be found in RFC 1060 A few of the more common types include 0800 IP 0806 ARP 8137 IPX u Ethernet Type Bit Mask Protocol bit mask Range 600 ffff hex u Time Range Name of a time range WEB INTERFACE To add rules to a MAC ACL 1 Click Security ACL 2 Select Configure ACL from the Step list 3 Select Add Rule from the Action list 4 Select MAC from the Type list 5 Select the name of an ACL fro...

Page 331: ...e displayed in the web interface u Type Selects the type of ACLs to show in the Name list u Name Shows the names of ACLs matching the selected type u Action An ACL can contain any combination of permit or deny rules u Packet Type Indicates an ARP request ARP response or either type Range Request Response All Default Request u Source Destination IP Address Type Specifies the source or destination I...

Page 332: ...tination MAC Bit Mask Hexadecimal mask for source or destination MAC address u Log Logs a packet when it matches the access control entry WEB INTERFACE To add rules to an ARP ACL 1 Click Security ACL 2 Select Configure ACL from the Step list 3 Select Add Rule from the Action list 4 Select ARP from the Type list 5 Select the name of an ACL from the Name list 6 Specify the action i e Permit or Deny ...

Page 333: ...ip access group on page 828 u ipv6 access group on page 835 u show ip access group on page 829 u show ipv6 access group on page 835 u mac access group on page 839 u show mac access group on page 840 u Time Range on page 689 COMMAND USAGE u This switch supports ACLs for ingress filtering only u You only bind one ACL to any port for ingress filtering PARAMETERS These parameters are displayed in the ...

Page 334: ...he middle attacks This is accomplished by intercepting all ARP requests and responses and verifying each of these packets before the local ARP cache is updated or the packet is forwarded to the appropriate destination Invalid ARP packets are dropped ARP Inspection determines the validity of an ARP packet based on valid IP to MAC address bindings stored in a trusted database the DHCP snooping bindi...

Page 335: ...l not affect the ARP Inspection configuration of any VLANs n When ARP Inspection is disabled globally it is still possible to configure ARP Inspection for individual VLANs These configuration changes will only become active after ARP Inspection is enabled globally again u The ARP Inspection engine in the current firmware version does not support ARP Inspection on trunk ports CONFIGURING GLOBAL SET...

Page 336: ... basis After the system message is generated the entry is cleared from the log buffer u Each log entry contains flow information such as the receiving VLAN the port number the source and destination IP addresses and the source and destination MAC addresses u If multiple identical invalid ARP packets are received consecutively on the same VLAN then the logging facility will only generate one entry ...

Page 337: ...y ARP Inspection 2 Select Configure General from the Step list 3 Enable ARP inspection globally enable any of the address validation options and adjust any of the logging parameters if required 4 Click Apply Figure 178 Configuring Global Settings for ARP Inspection CONFIGURING VLAN SETTINGS FOR ARP INSPECTION Use the Security ARP Inspection Configure VLAN page to enable ARP inspection for any VLAN...

Page 338: ...rameters are displayed in the web interface u ARP Inspection VLAN ID Selects any configured VLAN Default 1 u ARP Inspection VLAN Status Enables ARP Inspection for the selected VLAN Default Disabled u ARP Inspection ACL Name n ARP ACL Allows selection of any configured ARP ACLs Default None n Static When an ARP ACL is selected and static mode also selected the switch only performs ARP Inspection an...

Page 339: ...s are exempt from ARP packet rate limiting Packets arriving on trusted interfaces bypass all ARP Inspection and ARP Inspection Validation checks and will always be forwarded while those arriving on untrusted interfaces are subject to all configured ARP inspection tests u Packet Rate Limit Sets the maximum number of ARP packets that can be processed by CPU per second on untrusted ports Range 0 2048...

Page 340: ... Count of ARP packets received but not exceeding the ARP Inspection rate limit Dropped ARP packets in the process of ARP inspection rate limit Count of ARP packets exceeding and dropped by ARP rate limiting ARP packets dropped by additional validation IP Count of ARP packets that failed the IP address test ARP packets dropped by additional validation Dst MAC Count of packets that failed the destin...

Page 341: ...o show information about entries stored in the log including the associated VLAN port and address components CLI REFERENCES u show ip arp inspection log on page 821 PARAMETERS These parameters are displayed in the web interface Table 18 ARP Inspection Log Parameter Description VLAN ID The VLAN where this packet was seen Port The port where this packet was seen Src IP Address The source IP address ...

Page 342: ...t Once you add an entry to a filter list access to that interface is restricted to the specified addresses u If anyone tries to access a management interface on the switch from an invalid address the switch will reject the connection enter an event message in the system log and send a trap message to the trap manager u IP address can be configured for SNMP web and Telnet access respectively Each o...

Page 343: ...he SNMP group n Telnet Configures IP address es for the Telnet group u Start IP Address A single IP address or the starting address of a range u End IP Address The end address of a range WEB INTERFACE To create a list of IP addresses authorized for management access 1 Click Security IP Filter 2 Select Add from the Action list 3 Select the management interface to filter Web SNMP Telnet 4 Enter the ...

Page 344: ...ess table will be authorized to access the network through that port If a device with an unauthorized MAC address attempts to use the switch port the intrusion will be detected and the switch can automatically take action by disabling the port and sending a trap message To use port security specify a maximum number of addresses to allow on the port and then let the switch dynamically learn the sou...

Page 345: ... be taken when a port security violation is detected n None No action should be taken This is the default n Trap Send an SNMP trap message n Shutdown Disable the port n Trap and Shutdown Send an SNMP trap message and disable the port u Security Status Enables or disables port security on the port Default Disabled u Max MAC Count The maximum number of MAC addresses that can be learned on a port Ran...

Page 346: ...henticator responds with an EAPOL identity request The client provides its identity such as a user name in an EAPOL response to the switch which it forwards to the RADIUS server The RADIUS server verifies the client identity and sends an access challenge back to the client The EAP packet from the RADIUS server contains not only the challenge but the authentication method to be used The client can ...

Page 347: ...erver and client also have to support the same EAP authentication type MD5 PEAP TLS or TTLS Native support for these encryption methods is provided in Windows XP and in Windows 2000 with Service Pack 4 To support these encryption methods in Windows 95 and 98 you can use the AEGIS dot1x client or other comparable client software CONFIGURING 802 1X GLOBAL SETTINGS Use the Security Port Authenticatio...

Page 348: ...witches on to the authentication servers thereby allowing the authentication process to still be carried out by switches located on the edge of the network When this device is functioning as an edge switch but does not require any attached clients to be authenticated EAPOL Pass Through can be disabled to discard unnecessary EAPOL traffic WEB INTERFACE To configure global settings for 802 1X 1 Clic...

Page 349: ...rface u Port Port number u Status Indicates if authentication is enabled or disabled on the port The status is disabled if the control mode is set to Force Authorized u Authorized Displays the 802 1X authorization status of connected clients n Yes Connected client is authorized n No Connected client is not authorized u Supplicant Indicates the MAC address of a connected client u Control Mode Sets ...

Page 350: ...Tx Period Sets the time period during an authentication session that the switch waits before re transmitting an EAP packet Range 1 65535 Default 30 seconds u Supplicant Timeout Sets the time that a switch port waits for a response to an EAP request from a client before re transmitting an EAP packet Range 1 65535 Default 30 seconds This command attribute sets the timeout for EAP request frames othe...

Page 351: ...ount Number of times connecting state is re entered u Current Identifier Identifier sent in each EAP Success Failure or Request packet by the Authentication Server Backend State Machine u State Current state including request response success fail timeout idle initialize u Request Count Number of EAP Request packets sent to the Supplicant without receiving a response u Identifier Server Identifier...

Page 352: ...CHAPTER 14 Security Measures Configuring 802 1X Port Authentication 352 Figure 188 Configuring Interface Settings for 802 1X Port Authenticator ...

Page 353: ...type that have been received by this Authenticator Rx Last EAPOLVer The protocol version number carried in the most recent EAPOL frame received by this Authenticator Rx Last EAPOLSrc The source MAC address carried in the most recent EAPOL frame received by this Authenticator Rx EAP Resp Id The number of EAP Resp Id frames that have been received by this Authenticator Rx EAP Resp Oth The number of ...

Page 354: ...d see DHCP Snooping on page 360 IP source guard can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighbor to access the network This section describes commands used to configure IP Source Guard CONFIGURING PORTS FOR IP SOURCE GUARD Use the Security IP Source Guard Port Configuration page to set the filtering type based on source IP address or source IP add...

Page 355: ...63 IP source guard will check the VLAN ID source IP address port number and source MAC address for the SIP MAC option If a matching entry is found in the binding table and the entry type is static IP source guard binding the packet will be forwarded n If DHCP snooping is enabled IP source guard will check the VLAN ID source IP address port number and source MAC address for the SIP MAC option If a ...

Page 356: ...ee Configuring Static Bindings for IP Source Guard on page 356 WEB INTERFACE To set the IP Source Guard filter for ports 1 Click Security IP Source Guard Port Configuration 2 Set the required filtering type for each port 3 Click Apply Figure 190 Setting the Filter Type for IP Source Guard CONFIGURING STATIC BINDINGS FOR IP SOURCE GUARD Use the Security IP Source Guard Static Configuration page to ...

Page 357: ...ame VLAN ID and MAC address and the type of entry is static IP source guard binding then the new entry will replace the old one n If there is an entry with the same VLAN ID and MAC address and the type of the entry is dynamic DHCP snooping binding then the new entry will replace the old one and the entry type will be changed to static IP source guard binding n Only unicast addresses are accepted f...

Page 358: ...nfiguration 2 Select Add from the Action list 3 Enter the required bindings for each port 4 Click Apply Figure 191 Configuring Static Bindings for IP Source Guard To display static bindings for IP Source Guard 1 Click Security IP Source Guard Static Configuration 2 Select Show from the Action list Figure 192 Displaying Static Bindings for IP Source Guard ...

Page 359: ...he web interface Query by u Port A port on this switch u VLAN ID of a configured VLAN Range 1 4093 u MAC Address A valid unicast MAC address u IP Address A valid unicast IP address including classful types A B or C Dynamic Binding List u VLAN VLAN to which this entry is bound u MAC Address Physical address associated with the entry u Interface Port to which this entry is bound u IP Address IP addr...

Page 360: ...on to a DHCP server This information can be useful in tracking an IP address back to a physical port COMMAND USAGE DHCP Snooping Process u Network traffic may be disrupted when malicious DHCP messages are received from an outside source DHCP snooping is used to filter DHCP messages received on a non secure interface from outside the network or fire wall When DHCP snooping is enabled globally and e...

Page 361: ...et only if the corresponding entry is found in the binding table n If the DHCP packet is from a client such as a DISCOVER REQUEST INFORM DECLINE or RELEASE message the packet is forwarded if MAC address verification is disabled However if MAC address verification is enabled then the packet will only be forwarded if the client s hardware address stored in the DHCP packet is the same as the source M...

Page 362: ...d by the switch and in reply packets sent back from the DHCP server This information may specify the MAC address or IP address of the requesting device that is the switch in this context By default the switch also fills in the Option 82 circuit id field with information indicating the local interface over which the switch received the DHCP client request including the port and VLAN ID This allows ...

Page 363: ... Option 82 information relay Default Disabled u DHCP Snooping Information Option Policy Specifies how to handle DHCP client request packets which already contain Option 82 information n Drop Drops the client s request packet instead of relaying it n Keep Retains the Option 82 information in the client request and forwards the packets to trusted ports n Replace Replaces the Option 82 information ci...

Page 364: ...ic VLANs but the changes will not take effect until DHCP snooping is globally re enabled u When DHCP snooping is globally enabled and DHCP snooping is then disabled on a VLAN all dynamic bindings learned for this VLAN are removed from the binding table PARAMETERS These parameters are displayed in the web interface u VLAN ID of a configured VLAN Range 1 4093 u DHCP Snooping Status Enables or disabl...

Page 365: ... the network or fire wall u When DHCP snooping is enabled both globally and on a VLAN DHCP packet filtering will be performed on any untrusted ports within the VLAN u When an untrusted port is changed to a trusted port all the dynamic DHCP snooping bindings associated with this port are removed u Set all ports connected to DHCP servers within the local network or fire wall to trusted state Set all...

Page 366: ... the client u Lease Time seconds The time for which this IP address is leased to the client u Type Entry types include n DHCP Snooping Dynamically snooped n Static DHCPSNP Statically configured u VLAN VLAN to which this entry is bound u Interface Port or trunk to which this entry is bound u Store Writes all dynamically learned snooping entries to flash memory This function can be used to store the...

Page 367: ...INTERFACE To display the binding table for DHCP Snooping 1 Click Security IP Source Guard DHCP Snooping 2 Select Show Information from the Step list 3 Use the Store or Clear function if required Figure 197 Displaying the Binding Table for DHCP Snooping ...

Page 368: ...CHAPTER 14 Security Measures DHCP Snooping 368 ...

Page 369: ...MP CONFIGURING EVENT LOGGING The switch allows you to control the logging of error messages including the type of events that are recorded in switch memory logging to a remote System Log syslog server and displays a list of recent event messages SYSTEM LOG CONFIGURATION Use the Administration Log System Configure Global page to enable or disable event logging and specify which levels are logged to...

Page 370: ...M Range 0 7 Default 7 NOTE The Flash Level must be equal to or less than the RAM Level WEB INTERFACE To configure the logging of error messages to system memory 1 Click Administration Log System 2 Select Configure Global from the Step list 3 Enable or disable system logging set the level of event messages to be logged to flash memory and RAM 4 Click Apply Table 20 Logging Levels Level Severity Nam...

Page 371: ...dministration Log System 2 Select Show System Logs from the Step list 3 Click RAM or Flash This page allows you to scroll through the logged system and event messages The switch can store up to 2048 log entries in temporary random access memory RAM i e memory flushed on power reset and up to 4096 entries in permanent flash memory Figure 199 Showing Error Messages Logged to System Memory ...

Page 372: ... an appropriate service The attribute specifies the facility type tag sent in syslog messages see RFC 3164 This type has no effect on the kind of messages reported by the switch However it may be used by the syslog server to process messages such as sorting or storing messages in the corresponding database Range 16 23 Default 23 u Logging Trap Level Limits log messages that are sent to the remote ...

Page 373: ... Enables disables the SMTP function Default Enabled u Severity Sets the syslog severity threshold level see table on page 370 used to trigger alert messages All events at this level or higher will be sent to the configured email recipients For example using Level 7 will report all events from level 7 to level 0 Default Level 7 u Email Source Address Sets the email address used for the From field i...

Page 374: ...K LAYER DISCOVERY PROTOCOL Link Layer Discovery Protocol LLDP is used to discover basic information about neighboring devices on the local broadcast domain LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device Advertised information is represented in Type Length Value TLV format according to the IEEE 802 1ab standard and can include details such...

Page 375: ...w long to retain all information pertaining to the sending LLDP agent if it does not transmit updates in a timely manner TTL in seconds is based on the following rule Transmission Interval Holdtime Multiplier 65536 Therefore the default TTL is 4 30 120 seconds u Delay Interval Configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables...

Page 376: ...s that exist at the time of a notification are included in the transmission An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification events missed due to throttling or transmission loss WEB INTERFACE To configure LLDP timing attributes 1 Click Administration LLDP 2 Select Configure Global from the Step list 3 Enab...

Page 377: ...ighbors that occur between SNMP notifications is not transmitted Only state changes that exist at the time of a trap notification are included in the transmission An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification events missed due to throttling or transmission loss u Basic Optional TLVs Configures basic inf...

Page 378: ...Information on page 113 u 802 1 Organizationally Specific TLVs Configures IEEE 802 1 information included in the TLV field of advertised messages n Protocol Identity The protocols that are accessible through this interface see Protocol VLANs on page 195 n VLAN ID The port s default VLAN identifier PVID indicates the VLAN with which untagged or priority tagged frames are associated see IEEE 802 1Q ...

Page 379: ...and select the information to advertise in LLDP messages 4 Click Apply Figure 203 Configuring LLDP Interface Attributes DISPLAYING LLDP LOCAL DEVICE INFORMATION Use the Administration LLDP Show Local Device Information page to display information about the switch such as its MAC address chassis ID management IP address and port information CLI REFERENCES u show lldp info local device on page 1074 ...

Page 380: ...imary function s of the system which are currently enabled Refer to the preceding table u Management Address The management address associated with the local system Table 21 Chassis ID Subtype ID Basis Reference Chassis component EntPhysicalAlias when entPhysClass has a value of chassis 3 IETF RFC 2737 Interface alias IfAlias IETF RFC 2863 Port component EntPhysicalAlias when entPhysicalClass has ...

Page 381: ...escription If RFC 2863 is implemented the ifDescr object should be used for this field u Port Trunk ID A string that contains the specific identifier for the port or trunk from which this LLDPDU was transmitted WEB INTERFACE To display LLDP information for the local device 1 Click Administration LLDP 2 Select Show Local Device Information from the Step list 3 Select General Port or Trunk Figure 20...

Page 382: ... transmitted u System Name A string that indicates the system s administratively assigned name Port Details u Local Port The local port to which a remote LLDP capable device is attached u Chassis Type Identifies the chassis containing the IEEE 802 LAN entity associated with the transmitting LLDP agent There are several ways in which a chassis may be identified and a chassis ID subtype is used to i...

Page 383: ...ault VLAN identifier PVID indicates the VLAN with which untagged or priority tagged frames are associated u Remote VLAN Name List VLAN names associated with a port u Remote Protocol Identity List Information about particular protocols that are accessible through a port This object represents an arbitrary local integer value used by this agent to identify a particular protocol identity and an octet...

Page 384: ...stem PSE Power Sourcing Equipment or PD Powered Device u Remote Power MDI Status Shows whether MDI power is enabled on the given port associated with the remote system u Remote Power Pairs Signal means that the signal pairs only are in use and Spare means that the spare pairs only are in use u Remote Power MDI Supported Shows whether MDI power is supported on the given port associated with the rem...

Page 385: ...u Remote Link Aggregation Status The current aggregation status of the link u Remote Link Aggregation Port ID This object contains the IEEE 802 3 aggregated port identifier aAggPortID IEEE 802 3 2002 30 7 2 1 1 derived from the ifNumber of the ifIndex for the port component associated with the remote system If the remote port is not in link aggregation state and or it does not support link aggrega...

Page 386: ...pable devices attached to the switch and for LLDP protocol messages transmitted or received on all local interfaces CLI REFERENCES u show lldp info statistics on page 1076 PARAMETERS These parameters are displayed in the web interface General Statistics on Remote Devices u Neighbor Entries List Last Updated The time the LLDP neighbor entry list was last updated u New Neighbor Entries Count The num...

Page 387: ...s as well as any specific usage rules defined for the particular TLV u Frames Invalid A count of all LLDPDUs received with one or more detectable errors u Frames Received Number of LLDP PDUs received u Frames Sent Number of LLDP PDUs transmitted u TLVs Unrecognized A count of all TLVs not recognized by the receiving LLDP local agent u TLVs Discarded A count of all LLDPDUs received and then discard...

Page 388: ...ed to configure these devices for proper operation in a network environment as well as to monitor them to evaluate performance or detect potential problems Managed devices supporting SNMP contain software which runs locally on the device and is referred to as an agent A defined set of variables known as managed objects is maintained by the SNMP agent and used to manage the device These objects are...

Page 389: ...wn as views The switch has a default view all MIB objects and default groups defined for security models v1 and v2c The following table shows the security models and levels available and the system default settings NOTE The predefined default groups and view can be deleted from the system You can then define customized groups and views for the SNMP clients that require access Table 25 SNMPv3 Secur...

Page 390: ... page to specify trap managers so that key events are reported by this switch to your management station 3 Use the Administration SNMP Configure Engine page to change the local engine ID If you want to change the default engine ID it must be changed before configuring other parameters 4 Use the Administration SNMP Configure View page to specify read and write access views for the switch MIB tree 5...

Page 391: ...he required trap types 4 Click Apply Figure 210 Configuring Global Settings for SNMP SETTING THE LOCAL ENGINE ID Use the Administration SNMP Configure Engine Set Engine ID page to change the local engine ID An SNMPv3 engine is an independent SNMP agent that resides on the switch This engine protects against message replay delay and redirection The engine ID is also used in combination with user pa...

Page 392: ...decimal characters 5 Click Apply Figure 211 Configuring the Local Engine ID for SNMP SPECIFYING A REMOTE ENGINE ID Use the Administration SNMP Configure Engine Add Remote Engine page to configure a engine ID for a remote management station To allow management access from an SNMPv3 user on a remote device you must first specify the engine identifier for the SNMP agent on the remote device where the...

Page 393: ...89 is equivalent to 1234567890 u Remote IP Host The IP address of a remote management station which is using the specified engine ID WEB INTERFACE To configure a remote SNMP engine ID 1 Click Administration SNMP 2 Select Configure Engine from the Step list 3 Select Add Remote Engine from the Action list 4 Enter an ID of a least 9 hexadecimal characters and the IP address of the remote host 5 Click...

Page 394: ...er of a branch within the MIB tree Wild cards can be used to mask a specific portion of the OID string Use the Add OID Subtree page to configure additional object identifiers u Type Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view Add OID Subtree u View Name Lists the SNMP views configured in the Add View page u OID Subtree Adds an addit...

Page 395: ... an SNMP View To show the SNMP views of the switch s MIB database 1 Click Administration SNMP 2 Select Configure View from the Step list 3 Select Show View from the Action list Figure 215 Showing SNMP Views To add an object identifier to an existing SNMP view of the switch s MIB database 1 Click Administration SNMP 2 Select Configure View from the Step list 3 Select Add OID Subtree from the Action...

Page 396: ...o an SNMP View To show the OID branches configured for the SNMP views of the switch s MIB database 1 Click Administration SNMP 2 Select Configure View from the Step list 3 Select Show OID Subtree from the Action list 4 Select a view name from the list of existing views Figure 217 Showing the OID Subtree Configured for SNMP Views ...

Page 397: ...cations This is the default security level n AuthNoPriv SNMP communications use authentication but the data is not encrypted n AuthPriv SNMP communications use both authentication and encryption u Read View The configured view for read access Range 1 64 characters u Write View The configured view for write access Range 1 64 characters u Notify View The configured view for notifications Range 1 64 ...

Page 398: ...ne of its communication links left the down state and transitioned into some other state but not into the notPresent state This other state is indicated by the included value of ifOperStatus authenticationFailure 1 3 6 1 6 3 1 1 5 5 An authenticationFailure trap signifies that the SNMPv2 entity acting in an agent role has received a protocol message that is not properly authenticated While all imp...

Page 399: ...rotocol 399 WEB INTERFACE To configure an SNMP group 1 Click Administration SNMP 2 Select Configure Group from the Step list 3 Select Add from the Action list 4 Enter a group name assign a security model and level and then select read write and notify views 5 Click Apply ...

Page 400: ...Step list 3 Select Show from the Action list Figure 219 Showing SNMP Groups SETTING COMMUNITY ACCESS STRINGS Use the Administration SNMP Configure User Add Community page to configure up to five community strings authorized for management access by clients using SNMP v1 and v2c For security reasons you should consider removing the default strings CLI REFERENCES u snmp server community on page 695 ...

Page 401: ...nagement stations are only able to retrieve MIB objects n Read Write Authorized management stations are able to both retrieve and modify MIB objects WEB INTERFACE To set a community access string 1 Click Administration SNMP 2 Select Configure User from the Step list 3 Select Add Community from the Action list 4 Add new community strings as required and select the corresponding access rights from t...

Page 402: ...rs are displayed in the web interface u User Name The name of user connecting to the SNMP agent Range 1 32 characters u Group Name The name of the SNMP group to which the user is assigned Range 1 32 characters u Security Model The user security model SNMP v1 v2c or v3 u Security Level The following security levels are only used for the groups assigned to the SNMP security model n noAuthNoPriv Ther...

Page 403: ...e User from the Step list 3 Select Add SNMPv3 Local User from the Action list 4 Enter a name and assign it to a group If the security model is set to SNMPv3 and the security level is authNoPriv or authPriv then an authentication protocol and password must be specified If the security level is authPriv a privacy password must also be specified 5 Click Apply Figure 222 Configuring Local SNMPv3 Users...

Page 404: ...The remote engine ID is used to compute the security digest for authentication and encryption of packets passed between the switch and the remote user See Specifying Trap Managers on page 407 and Specifying a Remote Engine ID on page 392 PARAMETERS These parameters are displayed in the web interface u User Name The name of user connecting to the SNMP agent Range 1 32 characters u Group Name The na...

Page 405: ...ble u Privacy Password A minimum of eight plain text characters is required WEB INTERFACE To configure a remote SNMPv3 user 1 Click Administration SNMP 2 Select Configure User from the Step list 3 Select Add SNMPv3 Remote User from the Action list 4 Enter a name and assign it to a group Enter the IP address to identify the source of SNMPv3 inform messages sent from the local switch If the security...

Page 406: ...Management Protocol 406 Figure 224 Configuring Remote SNMPv3 Users To show remote SNMPv3 users 1 Click Administration SNMP 2 Select Configure User from the Step list 3 Select Show SNMPv3 Remote User from the Action list Figure 225 Showing Remote SNMPv3 Users ...

Page 407: ...n is received by the host However note that informs consume more system resources because they must be kept in memory until a response is received Informs also add to network traffic You should consider these effects when deciding whether to issue notifications as traps or informs To send an inform to a SNMPv2c host complete these steps 1 Enable the SNMP agent page 390 2 Create a view with the req...

Page 408: ...ceive notification message i e the targeted recipient u Version Specifies whether to send notifications as SNMP v1 v2c or v3 traps u Notification Type n Traps Notifications are sent as trap messages n Inform Notifications are sent as inform messages Note that this option is only available for version 2c and 3 hosts Default traps are used n Timeout The number of seconds to wait for an acknowledgmen...

Page 409: ... 0 255 Default 3 u Local User Name The name of a local user which is used to identify the source of SNMPv3 trap messages sent from the local switch Range 1 32 characters If an account for the specified user has not been created page 402 one will be automatically generated u Remote User Name The name of a remote user which is used to identify the source of SNMPv3 inform messages sent from the local...

Page 410: ...configure trap managers 1 Click Administration SNMP 2 Select Configure Trap from the Step list 3 Select Add from the Action list 4 Fill in the required parameters based on the selected SNMP version 5 Click Apply Figure 226 Configuring Trap Managers SNMPv1 Figure 227 Configuring Trap Managers SNMPv2c ...

Page 411: ...to specified events on an independent basis This switch is an RMON capable device which can independently perform a wide range of tasks significantly reducing network management traffic It can continuously run diagnostics and log information on network performance If an event is triggered it can automatically notify the network administrator of a failure and provide historical information about th...

Page 412: ...iggered it will not be triggered again until the statistical value crosses the opposite bounding threshold and then back across the trigger threshold CLI REFERENCES u Remote Monitoring Commands on page 713 COMMAND USAGE u If an alarm is already defined for an index the entry must be deleted before any changes can be made PARAMETERS These parameters are displayed in the web interface u Index Index ...

Page 413: ... falling threshold and the last sample value was greater than this threshold then an alarm will be generated After a falling event has been generated another such event will not be generated until the sampled value has risen above the falling threshold reaches the rising threshold and again moves back down to the failing threshold Range 1 65535 u Falling Event Index The index of the event to use i...

Page 414: ...e Monitoring 414 Figure 230 Configuring an RMON Alarm To show configured RMON alarms 1 Click Administration RMON 2 Select Configure Global from the Step list 3 Select Show from the Action list 4 Click Alarm Figure 231 Showing Configured RMON Alarms ...

Page 415: ...eb interface u Index Index to this entry Range 1 65535 u Type Specifies the type of event to initiate n None No event is generated n Log Generates an RMON log entry when the event is triggered Log messages are processed based on the current configuration settings for event logging see System Log Configuration on page 369 n Trap Sends a trap message to all configured trap managers see Specifying Tr...

Page 416: ... list 4 Click Event 5 Enter an index number the type of event to initiate the community string to send with trap messages the name of the person who created this event and a brief description of the event 6 Click Apply Figure 232 Configuring an RMON Event To show configured RMON events 1 Click Administration RMON 2 Select Configure Global from the Step list 3 Select Show from the Action list 4 Cli...

Page 417: ...n page 713 COMMAND USAGE u Each index number equates to a port on the switch u If history collection is already enabled on an interface the entry must be deleted before any changes can be made u The information collected for each sample includes input octets packets broadcast packets multicast packets undersize packets oversize packets fragments jabbers CRC alignment errors collisions drop events ...

Page 418: ... 3 Select Add from the Action list 4 Click History 5 Select a port from the list as the data source 6 Enter an index number the sampling interval the number of buckets to use and the name of the owner for this entry 7 Click Apply Figure 234 Configuring an RMON History Sample To show configured RMON history samples 1 Click Administration RMON 2 Select Configure Interface from the Step list 3 Select...

Page 419: ...he list 5 Click History Figure 236 Showing Collected RMON History Samples CONFIGURING RMON STATISTICAL SAMPLES Use the Administration RMON Configure Interface Add Statistics page to collect statistics on a port which can subsequently be used to monitor the network for common errors and overall traffic rates CLI REFERENCES u Remote Monitoring Commands on page 713 COMMAND USAGE u If statistics colle...

Page 420: ... entry Range 1 65535 u Owner Name of the person who created this entry Range 1 127 characters WEB INTERFACE To enable regular sampling of statistics on a port 1 Click Administration RMON 2 Select Configure Interface from the Step list 3 Select Add from the Action list 4 Click Statistics 5 Select a port from the list as the data source 6 Enter an index number and the name of the owner for this entr...

Page 421: ...gure 238 Showing Configured RMON Statistical Samples To show collected RMON statistical samples 1 Click Administration RMON 2 Select Configure Interface from the Step list 3 Select Show Details from the Action list 4 Select a port from the list 5 Click Statistics Figure 239 Showing Collected RMON Statistical Samples ...

Page 422: ...CHAPTER 15 Basic Administration Protocols Remote Monitoring 422 ...

Page 423: ...rving security and data isolation OVERVIEW Multicasting is used to support real time applications such as video conferencing or streaming audio A multicast server does not have to establish a separate connection with each client It merely broadcasts its service to the network and any hosts that want to receive the multicast register with their local multicast switch router Although this approach r...

Page 424: ...members but also supports the Protocol Independent Multicasting PIM routing protocol required to forward multicast traffic to other subnets page 1269 You can also configure a single network wide multicast VLAN shared by hosts residing in other standard or private VLAN groups preserving security and data isolation Multicast VLAN Registration on page 457 IGMP PROTOCOL The Internet Group Management P...

Page 425: ...ided by IGMPv3 snooping is in keeping track of information about the specific multicast sources which downstream IGMPv3 hosts have requested or refused The switch maintains information about both multicast groups and channels where a group indicates a multicast flow for which the hosts have not requested a specific source the only option for IGMPv1 and v2 hosts unless statically configured on the ...

Page 426: ...ched VLAN or flooded throughout the VLAN if unregistered flooding is enabled see Configuring IGMP Snooping and Query Parameters on page 427 Static IGMP Router Interface If IGMP snooping cannot locate the IGMP querier you can manually designate a known IGMP querier i e a multicast router switch connected over the network to an interface on your switch page 431 This interface will then join all the ...

Page 427: ...out the VLAN if unregistered flooding is enabled see Unregistered Data Flood in the Command Attributes section u IGMP Querier A router or multicast enabled switch can periodically ask their hosts if they want to receive multicast traffic If there is more than one router switch on the LAN performing IP multicasting one of these devices is elected querier and assumes the role of querying the LAN for...

Page 428: ... and all the uplink ports are subsequently deleted a time out mechanism is used to delete all of the currently learned multicast channels When a new uplink port starts up the switch sends unsolicited reports for all currently learned channels out the new uplink port By default the switch immediately enters into multicast flooding mode when a spanning tree topology change occurs In this mode multic...

Page 429: ...eries that do not contain the Router Alert option u Unregistered Data Flooding Floods unregistered multicast traffic into the attached VLAN Default Disabled Once the table used to store multicast entries for IGMP snooping and multicast routing is filled no new entries are learned If no router port is configured in the attached VLAN and unregistered flooding is disabled any subsequent multicast tra...

Page 430: ...less of the snooping version employed u Querier Status When enabled the switch can serve as the Querier which is responsible for asking hosts if they want to receive multicast traffic This feature is not supported for IGMPv3 snooping Default Disabled WEB INTERFACE To configure general settings for IGMP Snooping and Query 1 Click Multicast IGMP Snooping General 2 Adjust the IGMP settings as require...

Page 431: ...interfaces within the switch CLI REFERENCES u Static Multicast Routing on page 1018 PARAMETERS These parameters are displayed in the web interface u VLAN Selects the VLAN which is to propagate all multicast traffic coming from the attached multicast router Range 1 4093 u Interface Activates the Port or Trunk scroll down list u Port or Trunk Specifies the interface attached to a multicast router WE...

Page 432: ...ting protocol such as PIM to support IP multicasting across the Internet These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch To show all the interfaces attached to a multicast router 1 Click Multicast IGMP Snooping Multicast Router 2 Select Current Multicast Router from the Action list 3 Select the VLAN for which to display this informatio...

Page 433: ...COMMAND USAGE u Static multicast addresses are never aged out u When a multicast address is assigned to an interface in a specific VLAN the corresponding traffic can only be forwarded to ports within that VLAN PARAMETERS These parameters are displayed in the web interface u VLAN Specifies the VLAN which is to propagate the multicast service Range 1 4093 u Interface Activates the Port or Trunk scro...

Page 434: ... Select the VLAN for which to display this information Figure 247 Showing Static Interfaces Assigned to a Multicast Service To display information about all multicast groups IGMP Snooping or multicast routing must first be enabled on the switch To show all of the interfaces statically or dynamically assigned to a multicast service 1 Click Multicast IGMP Snooping IGMP Member 2 Select Show Current M...

Page 435: ...icast routing devices MRD is used to discover which interfaces are attached to multicast routers allowing IGMP enabled devices to determine where to send multicast source and group membership messages MRD is specified in draft ietf magma mrdisc 07 Multicast source data and group membership reports must be received by all multicast routers on a segment Using the group membership protocol query mess...

Page 436: ...er is gracefully shut down Advertisement and Termination messages are sent to the All Snoopers multicast address Solicitation messages are sent to the All Routers multicast address NOTE MRD messages are flooded to all ports in a VLAN where IGMP snooping or routing has been enabled To ensure that older switches which do not support MRD can also learn the multicast router port the switch floods IGMP...

Page 437: ...able fixed at 2 as defined in RFC 2236 If immediate leave is enabled the switch assumes that only one host is connected to the interface Therefore immediate leave should only be enabled on an interface if it is connected to only one IGMP enabled device either a service host or a neighbor running IGMP snooping This attribute is only effective if IGMP snooping is enabled and IGMPv2 snooping is used ...

Page 438: ... to proxy general queries Range 10 31744 tenths of a second Default 10 seconds This attribute applies when the switch is serving as the querier page 427 or as a proxy host when IGMP snooping proxy reporting is enabled page 427 u Last Member Query Interval The interval to wait for a response to a group specific or group and source specific query message Range 1 31744 tenths of a second in multiples...

Page 439: ...ress in IGMP reports sent to upstream ports Many hosts do not implement RFC 4541 and therefore do not understand query messages with the source address of 0 0 0 0 These hosts will therefore not reply to the queries causing the multicast router to stop sending traffic to them To resolve this problem the source address in proxied IGMP query messages can be replaced with any valid unicast address oth...

Page 440: ...a drop on page 1025 PARAMETERS These parameters are displayed in the web interface u IGMP Query Drop Configures an interface to drop any IGMP query packets received on the specified interface If this switch is acting as a Querier this prevents it from being affected by messages received from another Querier u Multicast Data Drop Configures an interface to stop multicast services from being forward...

Page 441: ...AN An interface on the switch that is forwarding traffic to downstream ports for the specified multicast group address u Group Address IP multicast group address with subscribers directly attached or downstream from the switch or a static multicast group assigned to this interface u Source Address The address of one of the multicast servers transmitting traffic to the specified group u Interface A...

Page 442: ...r a range of multicast addresses but only one profile can be assigned to a port When enabled IGMP join reports received on the port are checked against the filter profile If a requested multicast group is permitted the IGMP join report is forwarded as normal If a requested multicast group is denied the IGMP join report is dropped IGMP throttling sets a maximum number of multicast groups that a por...

Page 443: ...oping Filter Add page to create an IGMP profile and set its access mode Then use the Add Multicast Group Range page to configure the multicast groups to filter CLI REFERENCES u IGMP Filtering and Throttling on page 1019 COMMAND USAGE Specify a range of multicast groups by entering a start and end IP address or specify a single multicast group by entering the same IP address for the start and end o...

Page 444: ... range of multicast groups u End Multicast IP Address Specifies the ending address of a range of multicast groups WEB INTERFACE To create an IGMP filter profile and set its access mode 1 Click Multicast IGMP Snooping Filtering 2 Select Add from the Action list 3 Enter the number for a profile and set its access mode 4 Click Apply Figure 254 Creating an IGMP Filtering Profile To show the IGMP filte...

Page 445: ...rofile to configure and add a multicast group address or range of addresses 4 Click Apply Figure 256 Adding Multicast Groups to an IGMP Filtering Profile To show the multicast groups configured for an IGMP filter profile 1 Click Multicast IGMP Snooping Filtering 2 Select Show Multicast Group Range from the Action list 3 Select the profile for which to display this information Figure 257 Showing th...

Page 446: ... displayed in the web interface u Interface Port or trunk identifier An IGMP profile or throttling setting can be applied to a port or trunk When ports are configured as trunk members the trunk uses the settings applied to the first port member in the trunk u Profile ID Selects an existing profile to assign to an interface u Max Multicast Groups Sets the maximum number of multicast groups an inter...

Page 447: ...which need to forward multicast traffic Layer 3 IGMP Query as described below is used in conjunction with both Layer 2 IGMP Snooping and multicast routing IGMP This protocol includes a form of multicast query specifically designed to work with multicast routing A router periodically asks its hosts if they want to receive multicast traffic It then propagates service requests on to any upstream mult...

Page 448: ... on edge switches greatly reduces the processing load on those devices by not having to run more complicated multicast routing protocols such as PIM It also makes the proxy devices independent of the multicast routing protocols used by core routers IGMP proxy routing uses a tree topology where the root of the tree is connected to a complete multicast infrastructure with the upstream interface conn...

Page 449: ... settings described in this section 4 Optional Indicate how often the system will send unsolicited reports to the upstream router using the Multicast IGMP Proxy page as described later in this section COMMAND USAGE u When IGMP proxy is enabled on an interface that interface is known as the upstream or host interface This interface performs only the host portion of IGMP by sending IGMP membership r...

Page 450: ...face should transmit unsolicited IGMP reports Range 1 65535 seconds Default 400 seconds WEB INTERFACE To configure IGMP Proxy Routing 1 Click Multicast IGMP Proxy 2 Select the upstream interface enable the IGMP Proxy Status and modify the interval for unsolicited IGMP reports if required 3 Click Apply Figure 260 Configuring IGMP Proxy Routing CONFIGURING IGMP INTERFACE PARAMETERS Use the Multicast...

Page 451: ...b interface u VLAN VLAN interface bound to a primary IP address Range 1 4093 u IGMP Protocol Status Enables IGMP including IGMP query functions on a VLAN interface Default Disabled When a multicast routing protocol such as PIM is enabled IGMP is also enabled u IGMP Version Configures the IGMP version used on an interface Options Version 1 3 Default Version 2 u Robustness Variable Specifies the rob...

Page 452: ... bursty as host responses are spread out over a larger interval The number of seconds represented by the maximum response interval must be less than the Query Interval u Last Member Query Interval The frequency at which to send IGMP group specific or IGMPv3 group source specific query messages in response to receiving a group specific or group source specific leave message Range 0 255 tenths of a ...

Page 453: ...atically mapped this group to a specific source address Also if an address outside of the SSM address range is specified and a specific source address is included in the command the request to join the multicast group will also fail if the next node up the reverse path tree has enabled the PIM SSM protocol u If a static group is configured for an any source multicast G a source address cannot subs...

Page 454: ...ps 1 Click Multicast IGMP Static Group 2 Select Add from the Action list 3 Select a VLAN interface to be assigned as a static multicast group member and then specify the multicast group If source specific multicasting is supported by the next hop router in the reverse path tree for the specified multicast group then the source address should also be specified 4 Click Apply Figure 262 Configuring S...

Page 455: ...dentifier The selected entry must be a configured IP interface Range 1 4093 u Group Address IP multicast group address with subscribers directly attached or downstream from the switch u Last Reporter The IP address of the source of the last membership report received for this multicast group address on this interface u Up Time The time elapsed since this entry was created Depending on the elapsed ...

Page 456: ...lticast address is requested from all IP source addresses except for those listed in the source list parameter and for any other sources where the source timer status has expired u Group Source List A list of zero or more IP unicast addresses from which multicast reception is desired or not desired depending on the filter mode n Source Address The address of one of the multicast servers transmitti...

Page 457: ... for transmitting multicast traffic such as television channels or video on demand across a service provider s network Any multicast traffic entering an MVR VLAN is sent to all attached subscribers This protocol can significantly reduce to processing overhead required to dynamically monitor and establish the distribution tree for a normal multicast VLAN This makes it possible to support common mul...

Page 458: ... with a stable set of hosts you can statically bind the multicast group to the participating interfaces see Assigning Static Multicast Groups to Interfaces on page 464 u Although MVR operates on the underlying mechanism of IGMP snooping the two features operate independently of each other One can be enabled or disabled without affecting the behavior of the other However if IGMP snooping and MVR ar...

Page 459: ... page 176 but MVR receiver ports should not be manually configured as members of this VLAN Default 1 u MVR Running Status Indicates whether or not all necessary conditions in the MVR environment are satisfied Running status is Active as long as MVR is enabled the specified MVR VLAN exists and a source port with a valid link has been configured see Configuring MVR Interface Status on page 461 u MVR...

Page 460: ...ayed in the web interface u MVR Group IP IP address for an MVR multicast group Range 224 0 1 0 239 255 255 255 Default no groups are assigned to the MVR VLAN Any multicast data sent to this address is sent to all source ports on the switch and all receiver ports that have elected to receive data on that multicast address The IP address range of 224 0 0 0 to 239 255 255 255 is used for multicast st...

Page 461: ...ulticast groups assigned to the MVR VLAN 1 Click Multicast MVR 2 Select Configure Group Range from the Step list 3 Select Show from the Action list Figure 269 Showing the Configured Group Range for MVR CONFIGURING MVR INTERFACE STATUS Use the Multicast MVR Configure Interface page to configure each interface that participates in the MVR protocol as a source port or receiver port If you are sure th...

Page 462: ...orts u Immediate leave applies only to receiver ports When enabled the receiver port is immediately removed from the multicast group identified in the leave message When immediate leave is disabled the switch follows the standard rules by sending a query message to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before remov...

Page 463: ...the switch MVR status for receiver ports is Active only if there are subscribers receiving multicast traffic from one of the MVR groups or a multicast group has been statically assigned to an interface u Immediate Leave Configures the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group This option only applies to an interface conf...

Page 464: ...P Address Defines a multicast service sent to the selected port Multicast groups must be assigned from the MVR group range configured on the Configure General page WEB INTERFACE To assign a static MVR group to a port 1 Click Multicast MVR 2 Select Configure Static Group Member from the Step list 3 Select Add from the Action list 4 Select a VLAN and port member to receive the multicast stream and t...

Page 465: ...web interface Group IP Address Multicast groups assigned to the MVR VLAN Source IP Address Indicates the source address of the multicast service or displays an asterisk if the group address has been statically assigned VLAN Indicates the MVR VLAN receiving the multicast service Forwarding Port Shows the interfaces with subscribers for multicast services provided through the MVR VLAN Also shows the...

Page 466: ...CHAPTER 16 Multicast Filtering Multicast VLAN Registration 466 Figure 273 Showing All MVR Groups Assigned to a Port ...

Page 467: ...to configure an IPv4 address for the switch An IPv4 address is obtained via DHCP by default for VLAN 1 To configure a static address you need to change the switch s default settings to values that are compatible with your network You may also need to a establish a default gateway between the switch and management stations that exist on another network segment if no routing protocols are enabled Yo...

Page 468: ...y by the switch for an IP address DHCP BOOTP responses can include the IP address subnet mask and default gateway Default DHCP u IP Address Type Specifies a primary or secondary IP address An interface can have only one primary IP address but can have many secondary IP addresses In other words secondary addresses need to be specified if more than one IP subnet can be accessed through this interfac...

Page 469: ... enter the IP address and subnet mask 4 Click Apply Figure 274 Configuring a Static IPv4 Address To obtain an dynamic address through DHCP BOOTP for the switch 1 Click IP General Routing Interface 2 Select Add from the Action list 3 Select any configured VLAN and set IP Address Mode to BOOTP or DHCP 4 Click Apply to save your changes IP will be enabled but will not function until a BOOTP or DHCP r...

Page 470: ...r for a specific period of time If the address expires or the switch is moved to another network segment you will lose management access to the switch In this case you can reboot the switch or submit a client request to restart DHCP service via the CLI If the address assigned by DHCP is no longer functioning you will not be able to renew the IP settings via the web interface You can only restart D...

Page 471: ... cannot be passed by any router outside of the subnet A link local address is easy to set up and may be useful for simple networks or basic troubleshooting tasks However to connect to a larger network with multiple segments the switch must be configured with a global unicast address u An IPv6 global unicast or link local address can be manually configured using the Add IPv6 Address page or a link ...

Page 472: ...plicit configuration of a link local interface address the MTU size and neighbor discovery protocol settings for duplicate address detection and the neighbor solicitation interval CLI REFERENCES u IPv6 Interface on page 1131 u DHCP Client on page 1089 COMMAND USAGE u The switch must be configured with a link local address The option to explicitly enable IPv6 creates a link local address but will n...

Page 473: ... 65535 bytes Default 1500 bytes n The maximum value set by this command cannot exceed the MTU of the physical interface which is currently fixed at 1500 bytes n If a non default value is configured an MTU option is included in the router advertisements sent from this device This option is provided to ensure that all nodes on a link use the same MTU value in cases where the link MTU is not otherwis...

Page 474: ...but not for any of the IPv6 global unicast addresses already associated with the interface u ND NS Interval The interval between transmitting IPv6 neighbor solicitation messages on an interface Range 1000 3600000 milliseconds Default 1000 milliseconds is used for neighbor discovery operations 0 milliseconds is advertised in router advertisements This attribute specifies the interval between transm...

Page 475: ... of zeros required to fill the undefined fields u The switch must always be configured with a link local address Therefore explicitly enabling IPv6 see Configuring IPv6 Interface Settings on page 472 or manually assigning a global unicast address will also automatically generate a link local unicast address The prefix length for a link local address is fixed at 64 bits and the host portion of the ...

Page 476: ...ddress Range 1 4093 u Address Type Defines the address type configured for this interface n Global Configures an IPv6 global unicast address with a full IPv6 address including the network prefix and host address bits followed by a forward slash and a decimal value indicating how many contiguous bits from the left of the address comprise the prefix i e the network portion of the address n EUI 64 Ex...

Page 477: ... rest of the address resulting in a modified EUI 64 interface identifier of 2A 9F 18 FF FE 1C 82 35 n This host addressing method allows the same interface identifier to be used on multiple IP interfaces of a single device as long as those interfaces are attached to different subnets n Link Local Configures an IPv6 link local address n The address prefix must be FE80 n You can configure only one l...

Page 478: ...r all attached IPv6 nodes The interface local multicast address is only used for loopback transmission of multicast traffic Link local multicast addresses cover the same types as used by link local unicast addresses including all nodes FF02 1 all routers FF02 2 and solicited nodes FF02 1 FFXX XXXX as described below A node is also required to compute and join the associated solicited node multicas...

Page 479: ... CACHE Use the IP IPv6 Configuration Show IPv6 Neighbor Cache page to display the IPv6 addresses detected for neighbor devices CLI REFERENCES u show ipv6 neighbors on page 1154 PARAMETERS These parameters are displayed in the web interface Table 27 ShowIPv6 Neighbors display description Field Description IPv6 Address IPv6 address of neighbor Age The time since the address was verified as reachable...

Page 480: ...he last positive confirmation was received that the forward path was functioning While in Stale state the device takes no action until a packet is sent u Delay More than the ReachableTime interval has elapsed since the last positive confirmation was received that the forward path was functioning A packet was sent within the last DELAY_FIRST_PROBE_TIME interval If no reachability confirmation is re...

Page 481: ...ing capacity to forward a datagram and when the gateway can direct the host to send traffic on a shorter route ICMP is also used by routers to feed back information about more suitable routes that is the next hop router to use for a specific destination u UDP User Datagram Protocol provides a datagram mode of packet switched communications It uses IP as the underlying transport mechanism providing...

Page 482: ...or some of the fragments Reassembled Succeeded The number of IPv6 datagrams successfully reassembled Note that this counter is incremented at the interface to which these datagrams were addressed which might not be necessarily the input interface for some of the fragments Reassembled Failed The number of failures detected by the IPv6 re assembly algorithm for whatever reason timed out errors etc N...

Page 483: ...roblem Messages The number of ICMP Parameter Problem messages received by the interface Echo Request Messages The number of ICMP Echo request messages received by the interface Echo Reply Messages The number of ICMP Echo Reply messages received by the interface Router Solicit Messages The number of ICMP Router Solicit messages received by the interface Router Advertisement Messages The number of I...

Page 484: ...nt by the interface Neighbor Advertisement Messages The number of ICMP Router Advertisement messages sent by the interface Redirect Messages The number of Redirect messages sent For a host this object will always be zero since hosts do not send redirects Group Membership Query Messages The number of ICMPv6 Group Membership Query messages sent by the interface Group Membership Response Messages The...

Page 485: ...CHAPTER 17 IP Configuration Setting the Switch s IP Address IP Version 6 485 Figure 282 Showing IPv6 Statistics IPv6 Figure 283 Showing IPv6 Statistics ICMPv6 ...

Page 486: ...ENCES u show ipv6 mtu on page 1142 PARAMETERS These parameters are displayed in the web interface WEB INTERFACE To show the MTU reported from other devices 1 Click IP IPv6 Configuration 2 Select Show MTU from the Action list Table 29 Show MTU display description Field Description MTU Adjusted MTU contained in the ICMP packet too big message returned from this destination and now used for all traff...

Page 487: ...CHAPTER 17 IP Configuration Setting the Switch s IP Address IP Version 6 487 Figure 285 Showing Reported MTU Values ...

Page 488: ...CHAPTER 17 IP Configuration Setting the Switch s IP Address IP Version 6 488 ...

Page 489: ...ssing traffic between VLANs with different IP interfaces and routing traffic to external IP networks However when the switch is first booted default routing can only forward traffic between local IP interfaces As with all traditional routers static and dynamic routing functions must first be configured to work INITIAL CONFIGURATION By default all ports belong to the same VLAN and the switch provid...

Page 490: ...Replacing destination source MAC addresses for each hop n Incrementing the hop count n Decrementing the time to live n Verifying and recalculating the Layer 3 checksum If the destination node is on the same subnetwork as the source network then the packet can be transmitted directly without the help of a router However if the MAC address is not yet known to the switch an Address Resolution Protoco...

Page 491: ...ady there the switch broadcasts an ARP packet to all the ports on the destination VLAN to find out the destination MAC address After the MAC address is discovered the packet is reformatted and sent out to the destination The reformat process includes decreasing the Time To Live TTL field of the IP header recalculating the IP header checksum and replacing the destination MAC address with either the...

Page 492: ...he router s host number on that network In other words a router interface address defines the network segment that is connected to that interface and allows you to send IP packets to or from the router You can specify the IP subnets connected directly to this router by manually assigning an IP address to each VLAN or using BOOTP or DHCP to dynamically assign an address To specify IP subnets not di...

Page 493: ...ters are displayed in the web interface u IP Address IP address of the host u Probe Count Number of packets to send Range 1 16 u Packet Size Number of bytes in a packet Range 32 512 bytes The actual packet size will be eight bytes larger than the size specified because the switch adds header information COMMAND USAGE u Use the ping command to see if another site on the network can be reached u The...

Page 494: ...onds when the maximum timeout TTL is exceeded or the maximum number of hops is exceeded u The trace route function first sends probe datagrams with the TTL value set at one This causes the first router to discard the datagram and return an error message The trace function then sends several probe messages at each subsequent TTL level and displays the round trip time for each message Not all device...

Page 495: ... hop to the next ARP is used to map an IP address to a physical layer i e MAC address When an IP frame is received by this router or any standards based router it first looks up the MAC address corresponding to the destination IP address in the ARP cache If the address is found the router writes the MAC address into the appropriate field in the frame header and forwards the frame on to the next ho...

Page 496: ...t for its own IP address it will send back a response and also cache the MAC of the source device s IP address BASIC ARP CONFIGURATION Use the IP ARP Configure General page to specify the timeout for ARP cache entries or to enable Proxy ARP for specific VLAN interfaces CLI REFERENCES u arp timeout on page 1125 u ip proxy arp on page 1125 COMMAND USAGE Proxy ARP When a node in the attached subnetwo...

Page 497: ...for specified VLAN interfaces allowing a non routing device to determine the MAC address of a host on another subnet or network Default Disabled End stations that require Proxy ARP must view the entire network as a single network These nodes must therefore use a smaller subnet mask than that used by the router or other relevant network devices Extensive use of Proxy ARP can degrade router performa...

Page 498: ...e used if there is no response to an ARP broadcast message For example some applications may not respond to ARP requests or the response arrives too late causing network operations to time out u Static entries will not be aged out or deleted when power is reset You can only remove a static entry via the configuration interface PARAMETERS These parameters are displayed in the web interface u IP Add...

Page 499: ...NAMIC OR LOCAL ARP ENTRIES The ARP cache contains static entries and entries for local interfaces including subnet host and broadcast addresses However most entries will be dynamically learned through replies to broadcast messages Use the IP ARP Show Information page to display dynamic or local entries in the ARP cache CLI REFERENCES u show arp on page 1126 WEB INTERFACE To display all dynamic ent...

Page 500: ...P Show Information page to display statistics for ARP messages crossing all interfaces on this router CLI REFERENCES u show ip traffic on page 1169 PARAMETERS These parameters are displayed in the web interface Table 31 ARP Statistics Parameter Description Received Request Number of ARP Request packets received by the router Received Reply Number of ARP Reply packets received by the router Sent Re...

Page 501: ... subnet rather than using dynamic routing Static routes do not automatically change in response to changes in network topology so you should only configure a small number of stable routes to ensure network accessibility CLI REFERENCES u ip route on page 1166 COMMAND USAGE u Up to 512 static routes can be configured u Up to eight equal cost multipaths ECMP can be configured for static routing see E...

Page 502: ...op IP address of the next router hop used for this route u Distance An administrative distance indicating that this route can be overridden by dynamic routing information if the distance of the dynamic route is less than that configured for the static route Note that the default administrative distances used by the dynamic unicast routing protocols is 110 for OSPF and 120 for RIP Range 1 255 Defau...

Page 503: ...the interface identifier and next hop information for each reachable destination network prefix based on the IP routing table When routing or topology changes occur in the network the routing table is updated and those changes are immediately reflected in the FIB The FIB is distinct from the routing table or Routing Information Base RIB which holds all routing information received from routing pee...

Page 504: ...CE To display the routing table 1 Click IP Routing Routing Table 2 Select Show Information from the Action List Figure 298 Displaying the Routing Table EQUAL COST MULTIPATH ROUTING Use the IP Routing Routing Table Configure ECMP Number page to configure the maximum number of equal cost paths that can transmit traffic to the same destination The Equal cost Multipath routing algorithm is a technique...

Page 505: ...paths have the same lowest cost the static paths have precedence over dynamic paths u Each path toward the same destination with equal cost takes up one entry in the routing table to record routing information In other words a route with 8 paths will take up 8 entries u The routing table can only have up to 8 equal cost multipaths for static routing and 8 for dynamic routing for a common destinati...

Page 506: ...the maximum ECMP number 1 Click IP Routing Routing Table 2 Select Configure ECMP Number from the Action List 3 Enter the maximum number of equal cost paths used to route traffic to the same destination that are permitted on the switch 4 Click Apply Figure 299 Setting the Maximum ECMP Number ...

Page 507: ...al router priority Router redundancy can be set up in any of the following configurations These examples use the address of one of the participating routers as the master router When the virtual router IP address is not a real address the master router is selected based on priority When the priority is the same on several competing routers then the router with the highest IP address is selected as...

Page 508: ...as a higher priority than the currently active master router CLI REFERENCES u VRRP Commands on page 1107 COMMAND USAGE Address Assignment u To designate a specific router as the VRRP master the IP address assigned to the virtual router must already be configured on the router that will become the Owner of the group address In other words the IP address for the virtual router exists on one and only...

Page 509: ...he virtual IP address Owner is the highest the original master router will always become the active master router when it recovers u If two or more routers are configured with the same VRRP priority the router with the higher IP address is elected as the new master router if the current master fails Preempting the Acting Master u The virtual IP Owner has the highest priority so no other router can...

Page 510: ...nformation about its priority and current state as the master VRRP advertisements are sent to the multicast address 224 0 0 8 Using a multicast address reduces the amount of traffic that has to be processed by network devices that are not part of the designated VRRP group If the master router stops sending advertisements backup routers will bid to become the master router based on priority The dea...

Page 511: ...he group its authentication string is compared to the string configured on this router If the strings match the message is accepted Otherwise the packet is discarded u State VRRP router role Values Master Backup u Virtual MAC Address Virtual MAC address for this group u Master Router The primary router servicing this group u Master Priority The priority of the master router u Master Advertisement ...

Page 512: ...gure Group ID from the Step List 3 Select Show from the Action List Figure 304 Showing Configured VRRP Groups To configure the virtual router address for a VRRP group 1 Click IP VRRP 2 Select Configure Group ID from the Step List 3 Select Add IP Address from the Action List 4 Select a VLAN a VRRP group identifier and enter the IP address for the virtual router 5 Click Apply ...

Page 513: ...rom the Step List 3 Select Show IP Addresses from the Action List 4 Select a VLAN and a VRRP group identifier Figure 306 Showing the Virtual Addresses Assigned to VRRP Groups To configure detailed settings for a VRRP group 1 Click IP VRRP 2 Select Configure Group ID from the Step List 3 Select Configure Detail from the Action List 4 Select a VRRP group identifier and set any of the VRRP protocol p...

Page 514: ... parameters are displayed in the web interface u VRRP Packets with Invalid Checksum The total number of VRRP packets received with an invalid VRRP checksum value u VRRP Packets with Unknown Error The total number of VRRP packets received with an unknown or unsupported version number u VRRP Packets with Invalid VRID The total number of VRRP packets received with an invalid VRID for this virtual rou...

Page 515: ...o master Received Advertisement Packets Number of VRRP advertisements received by this router Received Error Advertisement Interval Packets Number of VRRP advertisements received for which the advertisement interval is different from the one configured for the local virtual router Received Authentication Failure Packets Number of VRRP packets received that do not pass the authentication check Rece...

Page 516: ...alue in the type field Received Error Address List VRRP Packets Number of packets received for which the address list does not match the locally configured list for the virtual router Received Invalid Authentication Type VRRP Packets Number of packets received with an unknown authentication type Received Mismatch Authentication Type VRRP Packets Number of packets received with Auth Type not equal ...

Page 517: ... static table entries or by redirection to other name servers on the network When a client device designates this switch as a DNS server the client will attempt to resolve host names into IP addresses by forwarding DNS queries to the switch and waiting for a response You can manually configure entries in the DNS table used for mapping domain names to IP addresses configure default domain names or ...

Page 518: ...he default domain name 4 Click Apply Figure 310 Configuring General Settings for DNS CONFIGURING A LIST OF DOMAIN NAMES Use the IP Service DNS General Add Domain Name page to configure a list of domain names to be tried in sequential order CLI REFERENCES u ip domain list on page 1079 u show dns on page 1085 COMMAND USAGE u Use this page to define a list of domain names that can be appended to inco...

Page 519: ...ge 520 PARAMETERS These parameters are displayed in the web interface Domain Name Name of the host Do not include the initial dot that separates the host name from the domain name Range 1 68 characters WEB INTERFACE To create a list domain names 1 Click IP Service DNS 2 Select Add Domain Name from the Action list 3 Enter one domain name at a time 4 Click Apply Figure 311 Configuring a List of Doma...

Page 520: ... until a response is received or the end of the list is reached with no response u If all name servers are deleted DNS will automatically be disabled This is done by disabling the domain lookup status PARAMETERS These parameters are displayed in the web interface Name Server IP Address Specifies the address of a domain name server to use for name to address resolution Up to six IP addresses can be...

Page 521: ...E u Static entries may be used for local devices connected directly to the attached network or for commonly used resources located elsewhere on the network PARAMETERS These parameters are displayed in the web interface u Host Name Name of a host device that is mapped to one or more IP addresses Range 1 127 characters u IP Address Internet address es associated with a host name WEB INTERFACE To con...

Page 522: ...CHE Use the IP Service DNS Cache page to display entries in the DNS cache that have been learned via the designated name servers CLI REFERENCES u show dns cache on page 1086 COMMAND USAGE u Servers or other network devices may support one or more connections via multiple IP addresses If more than one IP address is associated with a host name via information returned from a name server a DNS client...

Page 523: ...GURATION PROTOCOL Dynamic Host Configuration Protocol DHCP can dynamically allocate an IP address and other configuration information to network clients when they boot up If a subnet does not already include a BOOTP or DHCP server you can relay DHCP client requests to a DHCP server on another subnet or configure the DHCP server on this switch to support that subnet When configuring the DHCP server...

Page 524: ... identification information about a client but the specific string to use should be supplied by your service provider or network administrator PARAMETERS These parameters are displayed in the web interface u VLAN ID of configured VLAN u Vendor Class ID The following options are supported when the check box is marked to enable this feature n Default Depending the unit the default strings are either...

Page 525: ...to the client Figure 319 Layer 3 DHCP Relay Service CLI REFERENCES u ip dhcp relay server on page 1092 u ip dhcp restart relay on page 1093 COMMAND USAGE u You must specify the IP address for at least one DHCP server Otherwise the switch s DHCP relay agent will not forward client requests to a DHCP server u DHCP relay configuration will be disabled if an active DHCP server is detected on the same ...

Page 526: ... code or MAC address Figure 321 DHCP Server COMMAND USAGE u First configure any excluded addresses including the address for this switch u Then configure address pools for the network interfaces You can configure up to 8 network address pools You can also manually bind an address to a specific client if required However any fixed addresses must fall within the range of an existing network address ...

Page 527: ...ling the DHCP Server SETTING EXCLUDED ADDRESSES Use the IP Service DHCP Server Configure Excluded Addresses Add page to specify the IP addresses that should not be assigned to clients CLI REFERENCES u ip dhcp excluded address on page 1095 PARAMETERS These parameters are displayed in the web interface u Start IP Address Specifies a single IP address or the first address in a range that the DHCP ser...

Page 528: ... Configuring Excluded Addresses on the DHCP Server To show the IP addresses excluded for DHCP clients 1 Click IP Service DHCP Server 2 Select Configure Excluded Addresses from the Step list 3 Select Show from the Action list Figure 324 Showing Excluded Addresses on the DHCP Server CONFIGURING ADDRESS POOLS Use the IP Service DHCP Server Configure Pool Add page configure IP address pools for each I...

Page 529: ...s pool However if no matching address pool is found the request is ignored u When searching for a manual binding the switch compares the client identifier and then the hardware address for DHCP clients Since BOOTP clients cannot transmit a client identifier you must configure a hardware address for this host type If no manual binding has been specified for a host entry with a hardware address or c...

Page 530: ... WINS name server used for Microsoft DHCP clients u Netbios Type NetBIOS node type for Microsoft DHCP clients Options Broadcast Hybrid Mixed Peer to Peer Default Hybrid u Domain Name The domain name of the client Range 1 128 characters u Bootfile The default boot image for a DHCP client This file should placed on the Trivial File Transfer Protocol TFTP server specified as the Next Server u Next Se...

Page 531: ...rotocol 531 6 Click Apply Figure 325 Configuring DHCP Server Address Pools Network Figure 326 Configuring DHCP Server Address Pools Host To show the configured DHCP address pools 1 Click IP Service DHCP Server 2 Select Configure Pool from the Step list ...

Page 532: ...HCP server CLI REFERENCES u show ip dhcp binding on page 1105 PARAMETERS These parameters are displayed in the web interface u IP Address IP address assigned to host u MAC Address MAC address of host u Lease Time Duration that this IP address can be used by the host u Start Time Time this address was assigned by the switch WEB INTERFACE To show the addresses assigned to DHCP clients 1 Click IP Ser...

Page 533: ... forward broadcast packets for specified UDP application ports to remote servers located in another network segment u To configure UDP helper enable it globally see Configuring General DNS Service Parameters on page 517 specify the UDP destination ports for which broadcast traffic will be forwarded see Specifying UDP Destination Ports on page 534 and specify the remote application servers or the s...

Page 534: ...face u Destination UDP Port UDP application port for which UDP service requests are forwarded Range 1 65535 The following UDP ports are included in the forwarding list when the UDP helper is enabled and a remote server address is configured BOOTP client port 67 BOOTP server port 68 Domain Name Service port 53 IEN 116 Name Service port 42 NetBIOS Datagram Server port 138 NetBIOS Name Server port 13...

Page 535: ...roadcast packets are forwarded CLI REFERENCES u ip helper address on page 1129 COMMAND USAGE u Up to 20 helper addresses can be specified u To forward UDP packets with the UDP helper the clients must be connected to the selected interface and the interface configured with an IP address u The UDP packets to be forwarded must be specified in the IP Service UDP Helper Forwarding page and the packets ...

Page 536: ...ed by default as described on page 534 PARAMETERS These parameters are displayed in the web interface u VLAN ID VLAN identifier Range 1 4093 u IP Address Host address or directed broadcast address to which UDP broadcast packets are forwarded Range 1 65535 WEB INTERFACE To specify the target server or subnet for forwarding UDP request packets 1 Click IP Service UDP Helper Address 2 Select Add from ...

Page 537: ...CHAPTER 20 IP Services Forwarding UDP Service Requests 537 Figure 333 Showing the Target Server or Subnet for UDP Requests ...

Page 538: ...CHAPTER 20 IP Services Forwarding UDP Service Requests 538 ...

Page 539: ...mate of transmission cost Each router broadcasts its advertisement every 30 seconds together with any updates to its routing table This allows all routers on the network to learn consistent tables of next hop links which lead to relevant subnets NOTE RIPng which supports IPv6 will be supported in a future release OSPFv2 Dynamic Routing Protocols OSPF overcomes all the problems of RIP It uses a lin...

Page 540: ...st as Layer 2 switches use the Spanning Tree Algorithm to prevent loops routers also use methods for preventing loops that would cause endless retransmission of data traffic RIP utilizes the following three methods to prevent loops from occurring n Split horizon Never propagate routes back to an interface port from which they have been acquired n Poison reverse Propagate routes back to an interfac...

Page 541: ...ion Protocol RIP on page 1173 COMMAND USAGE u RIP is used to specify how routers exchange routing information When RIP is enabled on this router it sends RIP messages to all devices in the network every 30 seconds by default and updates its own routing table when RIP messages are received from other routers To communicate properly with other routers using RIP you need to specify the RIP version us...

Page 542: ... and the router learns about the same external network with a better metric from a redistribution point other than that derived from the original source The default metric does not override the metric value set in the Redistribute screen see Configuring Route Redistribution on page 549 When a metric value has not been configured in the Redistribute screen the default metric sets the metric value t...

Page 543: ... routing protocol less sensitive to changes in the network configuration u Timeout Sets the time after which there have been no update messages that a route is declared dead The route is marked inaccessible i e the metric set to infinite and advertised as unreachable However packets are still forwarded on this route Range 90 360 seconds Default 180 seconds u Garbage Collection After the timeout in...

Page 544: ...re RIP network redistribute connected routes using the Routing Protocol RIP Redistribute screen page 549 to make the RIP network a connected route To delete the RIP routes learned from neighbors but keep the RIP network intact clear RIP types from the routing table PARAMETERS These parameters are displayed in the web interface u Clear Route By Type Clears entries from the RIP routing table based o...

Page 545: ...al 2 Select Clear Route from the Action list 3 When clearing routes by type select the required type from the drop down list When clearing routes by network enter a valid network address and prefix length 4 Click Apply Figure 336 Clearing Entries from the Routing Table SPECIFYING NETWORK INTERFACES Use the Routing Protocol RIP Network Add page to specify the network interfaces that will be include...

Page 546: ...ise the network portion of the address This mask identifies the network address bits used for the associated routing entries u By VLAN Adds a Layer 3 VLAN to the RIP routing process The VLAN must be configured with an IP address Range 1 4093 WEB INTERFACE To add a network interface to RIP 1 Click Routing Protocol RIP Network 2 Select Add from the Action list 3 Add an interface that will participat...

Page 547: ...an interface the attached subnet will still continue to be advertised to other interfaces and updates from other routers on the specified interface will continue to be received and processed u This feature can be used in conjunction with the static neighbor feature described in the next section to control the routing updates sent to specific neighbors PARAMETERS These parameters are displayed in t...

Page 548: ... a static neighbor specifically for point to point links rather than relying on broadcast or multicast messages generated by the RIP protocol This feature can be used in conjunction with the passive interface feature described in the preceding section to control the routing updates sent to specific neighbors CLI REFERENCES u neighbor on page 1178 PARAMETERS These parameters are displayed in the we...

Page 549: ...Protocol RIP Redistribute Add page to import external routing information from other routing domains that is directly connected routes protocols or static routes into this autonomous system CLI REFERENCES u redistribute on page 1180 PARAMETERS These parameters are displayed in the web interface u Protocol The type of routes that can be imported include n Connected Imports routes that are establish...

Page 550: ...ised to routers up to 5 hops away at which point the metric exceeds the maximum hop count of 15 By defining a low metric of 1 traffic can follow an imported route the maximum number of hops allowed within a RIP domain However using a low metric can increase the possibility of routing loops For example this can occur if there are multiple redistribution points and the router learns about the same e...

Page 551: ...ding to the IP address of the router supplying the routing information For example to filter out unreliable routing information from routers not under your administrative control u The administrative distance is applied to all routes learned for the specified network PARAMETERS These parameters are displayed in the web interface u Distance Administrative distance for external routes External route...

Page 552: ...on 4 Click Apply Figure 345 Setting the Distance Assigned to External Routes To show the distance assigned to external routes learned from other routing protocols 1 Click Routing Protocol RIP Distance 2 Select Show from the Action list Figure 346 Showing the Distance Assigned to External Routes CONFIGURING NETWORK INTERFACES FOR RIP Use the Routing Protocol RIP Distance Add page to configure the s...

Page 553: ...vided by RIPv2 including subnet mask next hop and authentication information This is the default setting n Use Do Not Send to passively monitor route information advertised by other routers attached to the network u The Receive Version can be specified based on these options n Use RIPv1 or RIPv2 if all routers in the local network are based on RIPv1 or RIPv2 respectively n Use RIPv1 and RIPv2 if s...

Page 554: ...ers are displayed in the web interface u VLAN ID Layer 3 VLAN interface This interface must be configured with an IP address and have an active link Range 1 4093 u Send Version The RIP version to send on an interface n RIPv1 Sends only RIPv1 packets n RIPv2 Sends only RIPv2 packets n RIPv1 Compatible Route information is broadcast to other routers with RIPv2 n Do Not Send Does not transmit RIP upd...

Page 555: ... same password Range 1 16 characters case sensitive u Instability Prevention Specifies the method used to reduce the convergence time when the network topology changes and to prevent RIP protocol messages from looping back to the source router n Split Horizon This method never propagate routes back to an interface from which they have been acquired n Poison Reverse This method propagates routes ba...

Page 556: ... the Routing Protocol RIP Statistics Show Interface Information page to display information about RIP interface configuration settings CLI REFERENCES u show ip rip on page 1190 PARAMETERS These parameters are displayed in the web interface u Interface Source IP address of RIP router interface u Auth Type The type of authentication used for exchanging RIPv2 protocol messages u Send Version The RIP ...

Page 557: ...tion page to display information on neighboring RIP routers CLI REFERENCES u show ip protocols rip on page 1189 PARAMETERS These parameters are displayed in the web interface u Peer Address IP address of a neighboring RIP router u Update Time Last time a route update was received from this peer u Version Shows whether RIPv1 or RIPv2 packets were received from this peer u Rcv Bad Packets Number of ...

Page 558: ...t OSPF is more suited for large area networks which experience frequent changes in the links It also handles subnets much better than RIP OSPF protocol actively tests the status of each link to its neighbors to generate a shortest path tree and builds a routing table based on this information OSPF then utilizes IP multicast to propagate routing information A separate routing area scheme is also us...

Page 559: ... protocol message authentication and the addition of a point to multipoint interface which allows OSPF to run over non broadcast networks as well as support for overlapping area ranges u When using OSPF you must organize your network i e autonomous system into normal stub or not so stubby areas configure the ranges of subnet addresses that can be aggregated by link state advertisements and configu...

Page 560: ...cted areas and external links to other areas Use the Routing Protocol OSPF Network Area Add page to define an OSPF area and the interfaces that operate within this area An autonomous system must be configured with a backbone area designated by the area identifier 0 0 0 0 By default all other areas are created as normal transit areas Routers in a normal area may import or export routing information...

Page 561: ...orresponding address range forms a routing interface and can be configured to aggregate LSAs from all of its subnetwork addresses and exchange this information with other routers in the network as described under Configuring Area Ranges Route Summarization for ABRs on page 575 u If an address range overlaps other network areas the router will use the network area with the address range that most c...

Page 562: ...hat is contiguous with all the other areas in the network and configure an area for all of the other OSPF interfaces 4 Click Apply Figure 354 Defining OSPF Network Areas Based on Addresses To to show the OSPF areas and the assigned interfaces 1 Click Routing Protocol OSPF Network Area 2 Select Show from the Action list Figure 355 Showing OSPF Network Areas To to show the OSPF process identifiers 1...

Page 563: ...uters are using the same RFC for calculating summary route costs Enable this field to force the router to calculate summary route costs using RFC 1583 Default Disabled When RFC 1583 compatibility is enabled only cost is used when choosing among multiple AS external LSAs advertising the same destination When disabled preference is based on type of path using cost only to break ties see RFC 2328 If ...

Page 564: ...s imported from other protocols Range 0 16777214 Default 20 A default metric must be used to resolve the problem of redistributing external routes from other protocols that use incompatible metrics This default metric does not override the metric value set on the Redistribute configuration screen see page 577 When a metric value has not been configured on the Redistribute page the default metric c...

Page 565: ...ute advertisements add the internal cost to the external route metric Type 2 routes do not add the internal cost metric When comparing Type 2 routes the internal cost is only used as a tie breaker if several Type 2 routes have the same cost Default Type 2 u Default External Metric8 Metric assigned to the default route Range 0 16777215 Default 20 The metric for the default external route is used to...

Page 566: ...rameter Description Router ID Type Indicates if the router ID was manually configured or automatically generated by the system Rx LSAs The number of link state advertisements that have been received Originate LSAs The number of new link state advertisements that have been originated AS LSA Count The number of autonomous system LSAs in the link state database External LSA Count The number of extern...

Page 567: ... a separate routing database for each area ASBR Status Autonomous System Boundary Router Indicates if this router exchanges routing information with boundary routers in other autonomous systems to which it may be attached If a router is enabled as an ASBR then every other router in the autonomous system can learn about external routes from this device Restart Status Indicates if the OSPF process i...

Page 568: ...otocol OSPF Network Area Add page Range 1 65535 u Area ID Identifier for a not so stubby area NSSA or stub The area ID can be in the form of an IPv4 address or as a four octet unsigned integer ranging from 0 4294967295 Set the area ID to the same value for all routers on a network segment using the network mask to add one or more interfaces to an area u Area Type Specifies an NSSA or stub WEB INTE...

Page 569: ...ABR An NSSA is similar to a stub It blocks most external routing information and can be configured to advertise a single default route for traffic passing between the NSSA and other areas within the autonomous system AS when the router is an ABR An NSSA can also import external routes from one or more small routing domains that are not part of the AS such as a RIP domain or locally configured stat...

Page 570: ... own area and then leaked to adjacent areas u Routes that can be advertised with NSSA external LSAs include network destinations outside the AS learned through OSPF the default route static routes routes derived from other routing protocols such as RIP or directly connected networks that are not running OSPF u An NSSA can be used to simplify administration when connecting a central site using OSPF...

Page 571: ...t can import a default external AS route for routing protocol domains adjacent to the NSSA but not within the OSPF AS into the NSSA using this option u Metric Type Type 1 or Type 2 external routes When using Type 2 routers do not add internal cost to the external route metric Default Type 2 u Metric Metric assigned to Type 7 default LSAs Range 1 16777214 Default 1 u Default Cost Cost for the defau...

Page 572: ...ntly reduce the amount of topology data that has to be exchanged over the network Figure 364 OSPF Stub Area By default a stub can only pass traffic to other areas in the autonomous system through the default external route However an area border router can also be configured to send Type 3 summary link advertisements into the stub about subnetworks located elsewhere in the autonomous system CLI RE...

Page 573: ...ached stub u Summary Controls the use of summary routes n Summary Allows an Area Border Router ABR to send a summary link advertisement into the stub area n No Summary Stops an ABR from sending a summary link advertisement into a stub area Routing table space is saved in a stub by blocking Type 4 AS summary LSAs and Type 5 external LSAs This option can be used to completely isolate the stub by als...

Page 574: ...see page 560 u Area ID Identifier for a not so stubby area NSSA or stub u SPF Runs The number of times the Shortest Path First algorithm has been run for this area u ABR Count The number of Area Border Routers attached to this area u ASBR Count The number of Autonomous System Boundary Routers attached to this area u LSA Count The number of new link state advertisements that have been originated u ...

Page 575: ...te Summarization for ABRs CLI REFERENCES u router ospf on page 1192 u area range on page 1198 COMMAND USAGE u Use the Area Range configuration page to summarize intra area routes and advertise this information to other areas through Area Border Routers ABRs The summary route for an area is defined by an IP address and network mask You therefore need to structure each area with a contiguous set of ...

Page 576: ...ndicates whether or not to advertise the summary route If the routes are set to be advertised the router will issue a Type 3 summary LSA for each specified address range If the summary is not advertised the specified routes remain hidden from the rest of the network Default Advertise WEB INTERFACE To configure a route summary for an area range 1 Click Routing Protocol OSPF Area Range 2 Select Add ...

Page 577: ...ports redistribution for all currently connected routes entries learned through RIP and static routes u When you redistribute external routes into an OSPF autonomous system AS the router automatically becomes an autonomous system boundary router ASBR u However if the router has been configured as an ASBR via the General Configuration screen but redistribution is not enabled the router will only ge...

Page 578: ... assigned to all external routes for the specified protocol Range 1 65535 Default 10 The metric value specified for redistributed routes supersedes the Default External Metric specified in the Routing Protocol OSPF System screen page 563 u Tag A tag placed in the AS external LSA to identify a specific external routing domain or to pass additional information between routers Range 0 4294967295 A ta...

Page 579: ...oute individually in an external LSA as described in the preceding section The reduce the number of protocol messages required to redistribute these external routes an Autonomous System Boundary Router ASBR can instead be configured to redistribute routes learned from other protocols into all attached autonomous systems To reduce the amount of external LSAs sent to other autonomous systems you can...

Page 580: ...tising into the local domain u To summarize routes sent between OSPF areas use the Area Range Configuration screen page 575 u This router supports up 20 Type 5 summary routes PARAMETERS These parameters are displayed in the web interface u Process ID Process ID as configured in the Network Area configuration screen see page 560 u IP Address Summary address covering a range of addresses u Netmask N...

Page 581: ...ign an interface address range to an OSPF area After assigning a routing interface to an OSPF area use the Routing Protocol OSPF Interface Configure by VLAN or Configure by Address page to configure the interface specific parameters used by OSPF to set the cost used to select preferred paths select the designated router control the timing of link state advertisements and specify the method used to...

Page 582: ... to prevent a router from being elected as a DR or BDR If set to any value other than zero the router with the highest priority becomes the DR and the router with the next highest priority becomes the BDR If two or more routers are set to the same highest priority the router with the higher ID will be elected If a DR already exists for an area when this interface comes up the new router will accep...

Page 583: ...nd trip delay between any two routers on the attached network to avoid unnecessary retransmissions u Authentication Type Specifies the authentication type used for an interface Options None Simple MD5 Default None Use authentication to prevent routers from inadvertently joining an unauthorized area Configure routers in the same area with the same password or key All neighboring routers on the same...

Page 584: ...ate incoming packets Neighbor routers must use the same key identifier and key value When changing to a new key the router will send multiple copies of all protocol messages one with the old key and another with the new key Once all the neighboring routers start sending protocol messages back to this router with the new key the router will stop using the old key This rollover process gives the net...

Page 585: ...gs for All Interfaces Assigned to a VLAN To configure interface settings for a specific area assigned to a VLAN 1 Click Routing Protocol OSPF Interface 2 Select Configure by Address from the Action list 3 Specify the VLAN ID enter the address assigned to an area and configure the required interface settings 4 Click Apply ...

Page 586: ...VLAN To show the configuration settings for OSPF interfaces 1 Click Routing Protocol OSPF Interface 2 Select Show from the Action list 3 Select the VLAN ID Figure 377 Showing OSPF Interfaces To show the MD5 authentication keys configured for an interface 1 Click Routing Protocol OSPF Interface 2 Select Show MD5 Key from the Action list 3 Select the VLAN ID ...

Page 587: ...ckbone area i e transit area to reach the backbone To define this path you must configure an ABR that serves as an endpoint connecting the isolated area to the common transit area and specify a neighboring ABR at the other endpoint connecting the common transit area to the backbone itself Note that you cannot configure a virtual link that runs through a stub or NSSA Figure 379 OSPF Virtual Link Vi...

Page 588: ...n see page 560 u Area ID Identifies the transit area for the virtual link The area ID must be in the form of an IPv4 address or also as a four octet unsigned integer ranging from 0 4294967295 u Neighbor Router ID of the virtual link neighbor This specifies the Area Border Router ABR at the other end of the virtual link To create a virtual link it must be configured for an ABR at both ends of the l...

Page 589: ... settings for a virtual link 1 Click Routing Protocol OSPF Virtual Link 2 Select Configure Detailed Settings from the Action list 3 Specify the process ID then modify the protocol timers and authentication settings as required 4 Click Apply Figure 382 Configuring Detailed Settings for a Virtual Link To show the MD5 authentication keys configured for a virtual link 1 Click Routing Protocol OSPF Int...

Page 590: ...tables are synchronized with neighboring routers through a process called reliable flooding You can show information about different LSAs stored in this router s database which may include any of the following types u Router Type 1 All routers in an OSPF area originate Router LSAs that describe the state and cost of its active interfaces and neighbors u Network Type 2 The designated router for eac...

Page 591: ...for which LSA information is to be displayed u Link ID Network portion described by an LSA The Link ID is either n An IP network number for Type 3 Summary and Type 5 AS External LSAs When an Type 5 AS External LSA is describing a default route its Link ID is set to the default destination 0 0 0 0 n A Router ID for Router Network and Type 4 AS Summary LSAs u Adv Router IP address of the advertising...

Page 592: ...tion Neighbor page to display information about neighboring routers on each interface CLI REFERENCES u show ip ospf neighbor on page 1229 PARAMETERS These parameters are displayed in the web interface u Process ID Process ID as configured in the Network Area configuration screen see page 560 u ID Neighbor s router ID u Priority Neighbor s router priority u State OSPF state and identification flag ...

Page 593: ...changed n Loading LSA databases being exchanged n Full Neighboring routers now fully adjacent Identification flags include n D Dynamic neighbor n S Static neighbor n DR Designated router n BDR Backup designated router u Address IP address of this interface u Interface A Layer 3 interface on which OSPF has been enabled WEB INTERFACE To display information about neighboring routers stored in the lin...

Page 594: ...CHAPTER 21 Unicast Routing Configuring the Open Shortest Path First Protocol Version 2 594 ...

Page 595: ...DM is designed for networks where the probability of multicast group members is high such as a local network PIM SM is designed for networks where the probability of multicast group members is low such as the Internet Also note that if PIM is not enabled on this router or another multicast routing protocol is used on the network the switch ports attached to a multicast router can be manually confi...

Page 596: ... a Reverse Path Tree RPT that channels the multicast traffic from each source through a single Rendezvous Point RP within the local PIM SM domain and then forwards this traffic to the Designated Router DR in the local network segment to which the host is attached However when the multicast load from a particular source is heavy enough to justify it PIM SM can be configured to construct a Shortest ...

Page 597: ...uters along the RP Tree are replicated wherever the RP Tree branches and eventually reach all the receivers for that multicast group Because all routers along the shared tree are using PIM SM the multicast flow is confined to the shared tree Also note that more than one flow can be carried over the same shared tree but only one RP is responsible for each flow Shortest Path Tree SPT When using the ...

Page 598: ...ge 602 or PIM DM for IPv6 on page 618 Note that only one IPv4 multicast routing protocol PIM DM or PIM SM can be enabled on any given interface but both PIMv4 and PIMv6 can be enabled on the same interface ENABLING MULTICAST ROUTING GLOBALLY Use the Multicast Multicast Routing General page to enable IP multicast routing globally on the switch CLI REFERENCES u ip multicast routing on page 1261 PARA...

Page 599: ...dress Subnetwork containing the IP multicast source u Source Mask Network mask for the IP multicast source Note that the switch cannot detect the source mask and therefore displays 255 255 255 255 in this field u Interface Upstream interface leading to the upstream neighbor PIM creates a multicast routing tree based on the unicast routing table If the related unicast routing table does not exist P...

Page 600: ... Register flag This device is registering for a multicast source n RPT bit set The S G entry is pointing to the Rendezvous Point RP which normally indicates a pruned state along the shared tree for a particular source n SPT bit set Multicast packets have been received from a source on shortest path tree n Join SPT The rate of traffic arriving over the shared tree has exceeded the SPT threshold for...

Page 601: ...ng table 1 Click Multicast Multicast Routing Information 2 Select Show Summary from the Action List Figure 387 Displaying the Multicast Routing Table To display detailed information on a specific flow in multicast routing table 1 Click Multicast Multicast Routing Information 2 Select Show Details from the Action List 3 Select a Group Address 4 Select a Source Address Figure 388 Displaying Detailed...

Page 602: ...ary to the multicast protocol parameters u To use PIM multicast routing must be enabled on the switch see Enabling Multicast Routing Globally on page 598 WEB INTERFACE To enable PIM multicast routing 1 Click Routing Protocol PIM General 2 Enable PIM Routing Protocol 3 Click Apply Figure 389 Enabling PIM Multicast Routing CONFIGURING PIM INTERFACE SETTINGS Use the Routing Protocol PIM Interface pag...

Page 603: ... received from a downstream router or if group members are directly connected to the interface When routers want to receive a multicast flow they periodically send join messages to the RP and are subsequently added to the shared path for the specified flow back up to the RP If routers want to join the source path up through the SPT they periodically send join messages toward the source They also s...

Page 604: ...prune state is maintained until the join prune holdtime timer expires or a graft message is received for the forwarding entry n PIM SM The multicast interface that first receives a multicast stream from a particular source forwards this traffic only to those interfaces on the router that have requests to join this group When there are no longer any requesting groups on that interface the leaf node...

Page 605: ... or PIM is enabled on an interface the hello delay is set to random value between 0 and the trigger hello delay This prevents synchronization of Hello messages on multi access links if multiple routers are powered on simultaneously Also if a Hello message is received from a new neighbor the receiving router will send its own Hello message after a random delay between 0 and the trigger hello delay ...

Page 606: ...e DR If a router does not advertise a priority in its hello messages it is assumed to have the highest priority and is elected as the DR If more than one router is not advertising its priority then the router with the highest IP address is elected to serve as the DR u Join Prune Interval Sets the interval at which join prune messages are sent Range 1 65535 seconds Default 60 seconds By default the...

Page 607: ...CHAPTER 22 Multicast Routing Configuring PIM for IPv4 607 Figure 390 Configuring PIM Interface Settings Dense Mode Figure 391 Configuring PIM Interface Settings Sparse Mode ...

Page 608: ...ING GLOBAL PIM SM SETTINGS Use the Routing Protocol PIM SM Configure Global page to configure the rate at which register messages are sent the source of register messages and switchover to the Shortest Path Tree SPT CLI REFERENCES u IPv4 PIM Commands on page 1269 PARAMETERS These parameters are displayed in the web interface u Register Rate Limit Configures the rate at which register messages are ...

Page 609: ...ugh the RP is not always the shortest path Therefore the router uses the RP to forward only the first packet from a new multicast group to its receivers Afterwards it calculates the shortest path tree SPT directly between the receiver and source and then uses the SPT to send all subsequent packets from the source to the receiver instead of using the shared tree Note that when the SPT threshold is ...

Page 610: ... u This router will continue to be the BSR until it receives a bootstrap message from another candidate with a higher priority or a higher IP address if the priorities are the same u To improve failover recovery it is advisable to select at least two core routers in diverse locations each to serve as both a candidate BSR and candidate RP It is also preferable to set up one of these routers as both...

Page 611: ...ge 0 255 Default 0 WEB INTERFACE To configure the switch as a BSR candidate 1 Click Multicast Multicast Routing SM 2 Select BSR Candidate from the Step list 3 Specify the VLAN interface for which this router is bidding to become the BSR the hash mask length that will subsequently be used for RP selection if this router is selected as the BSR and the priority for BSR selection 4 Click Apply Figure ...

Page 612: ...over the one statically configured u All routers within the same PIM SM domain must be configured with the same RP s Selecting an RP through the dynamic election process is therefore preferable for most situations Using the dynamic RP election process also allows a backup RP to automatically take over if the active RP router becomes unavailable PARAMETERS These parameters are displayed in the web ...

Page 613: ...ENCES u ip pim rp candidate on page 1284 COMMAND USAGE u When this router is configured as an RP candidate it periodically sends PIMv2 messages to the BSR advertising itself as a candidate RP for the specified group addresses The IP address of the designated VLAN is sent as the candidate s RP address The BSR places information about all of the candidate RPs in subsequent bootstrap messages The BSR...

Page 614: ... up one of these routers as both the primary BSR and RP PARAMETERS These parameters are displayed in the web interface u VLAN Identifier of configured VLAN interface Range 1 4093 u Interval The interval at which this device advertises itself as an RP candidate Range 60 16383 seconds Default 60 seconds u Priority Priority used by the candidate RP in the election process The RP candidate with the la...

Page 615: ...elect an interface from the VLAN list Figure 398 Showing Settings for an RP Candidate DISPLAYING THE BSR ROUTER Use the Routing Protocol PIM SM Show Information Show BSR Router page to display Information about the bootstrap router BSR CLI REFERENCES u show ip pim bsr router on page 1289 PARAMETERS These parameters are displayed in the web interface u IP Address IP address of interface configured ...

Page 616: ...ing the new BSR s identity and the RP set n Accept Preferred The router knows the identity of the current BSR and is using the RP set provided by that BSR Only bootstrap messages from that BSR or from a C BSR with higher weight than the current BSR will be accepted n Candidate BSR Bidding in election process n Pending BSR The router is a candidate to be the BSR for the RP set Currently no other ro...

Page 617: ... in the web interface u Groups A multicast group address u RP Address IP address of the RP for the listed multicast group u Information Source RP that advertised the mapping how the RP was selected Static or Bootstrap and the priority used in the bidding process u Uptime The time this RP has been up and running u Expire The time before this entry will be removed WEB INTERFACE To display the RPs ma...

Page 618: ...y on the router You also need to enable PIM DM for each interface that will support multicast routing see page 619 and make any changes necessary to the multicast protocol parameters u To use PIMv6 multicast routing must be enabled on the switch see Enabling Multicast Routing Globally on page 598 u To use multicast routing MLD proxy can not enabled on any interface of the device see MLD Proxy Rout...

Page 619: ...D proxy is enabled on an interface PIMv6 cannot be enabled on any interface PARAMETERS These parameters are displayed in the web interface u VLAN Layer 3 VLAN interface Range 1 4093 u Mode PIMv6 routing mode Options Dense None u IPv6 Address IPv6 link local address assigned to the selected VLAN u Hello Holdtime Sets the interval to wait for hello messages from a neighboring PIM router before decla...

Page 620: ...ream The protocol maintains both the current join state and the pending RPT prune state for this source group pair until the join prune interval timer expires u LAN Prune Delay Causes this device to inform downstream routers of how long it will wait before pruning a flow after receiving a prune request Default Disabled When other downstream routers on the same VLAN are notified that this upstream ...

Page 621: ...een 0 and the trigger hello delay u Graft Retry Interval The time to wait for a Graft acknowledgement before resending a Graft message Range 1 10 seconds Default 3 seconds A graft message is sent by a router to cancel a prune state When a router receives a graft message it must respond with an graft acknowledgement message If this acknowledgement message is lost the router that sent the graft mess...

Page 622: ...nterface Settings Dense Mode DISPLAYING NEIGHBOR INFORMATION Use the Routing Protocol PIM6 Neighbor page to display all neighboring PIMv6 routers CLI REFERENCES u show ip pim neighbor on page 1278 PARAMETERS These parameters are displayed in the web interface u Address IP address of the next hop router u VLAN VLAN that is attached to this neighbor u Uptime The duration this entry has been active u...

Page 623: ...CHAPTER 22 Multicast Routing Configuring PIMv6 for IPv6 623 WEB INTERFACE To display neighboring PIMv6 routers 1 Click Routing Protocol PIM6 Neighbor Figure 403 Showing PIMv6 Neighbors ...

Page 624: ...CHAPTER 22 Multicast Routing Configuring PIMv6 for IPv6 624 ...

Page 625: ... 713 u sFlow Sampling Commands on page 721 u Authentication Commands on page 727 u General Security Measures on page 777 u Access Control Lists on page 823 u Interface Commands on page 845 u Link Aggregation Commands on page 863 u Port Mirroring Commands on page 873 u Rate Limit Commands on page 877 u Automatic Traffic Control Commands on page 879 u Address Table Commands on page 893 u Spanning Tr...

Page 626: ...ommands on page 999 u LLDP Commands on page 1061 u Domain Name Service Commands on page 1079 u DHCP Commands on page 1089 u VRRP Commands on page 1107 u IP Interface Commands on page 1117 u IP Routing Commands on page 1165 u Multicast Routing Commands on page 1261 ...

Page 627: ...e port perform these steps 1 At the console prompt enter the user name and password The default user names are admin and guest with corresponding passwords of admin and guest When the administrator user name and password is entered the CLI displays the Console prompt and enters privileged access mode i e Privileged Exec But when the guest user name and password is entered the CLI displays the Cons...

Page 628: ...onsole config If your corporate network is connected to another network outside your office or to the Internet you need to apply for a registered IP address However if you are attached to an isolated network then you can use any IP address that matches the network segment to which you are attached After you configure the switch with an IP address you can open a Telnet session by performing these s...

Page 629: ...er each command in the required order For example to enable Privileged Exec command mode and display the startup configuration enter Console enable Console show startup config u To enter commands that require parameters enter the required parameters after the command keyword For example to set a password for the administrator enter Console config username admin password 0 smith MINIMUM ABBREVIATIO...

Page 630: ... 802 1X content garp GARP properties gvrp GVRP interface information history Shows history information hosts Host information interfaces Shows interface information ip IP information ipv6 IPv6 information lacp LACP statistics line TTY line information lldp LLDP log Log records logging Logging setting loop Shows the information of loopback mac MAC access list mac address table Configuration of the ...

Page 631: ...nterface of transceiver information Console Show commands which display more than one page of information e g show running config pause and require you to press the Space bar to continue displaying one more page the Enter key to display one more line or the a key to display the rest of the information without stopping You can press any other key to terminate the display PARTIAL KEYWORD LOOKUP If y...

Page 632: ... mode The command classes and associated modes are displayed in the following table EXEC COMMANDS When you open a new console session on the switch with the user name and password guest the system enters the Normal Exec command mode or guest mode displaying the Console command prompt Only a limited number of the commands are available in this mode You can access all commands only from the Privileg...

Page 633: ... To store the running configuration in non volatile storage use the copy running config startup config command The configuration commands are organized into different modes u Global Configuration These commands modify the system level configuration and include commands such as hostname and snmp server community u Access Control List Configuration These commands are used for packet filtering u Clas...

Page 634: ...iguration prompt type one of the following commands Use the exit or end command to return to the Privileged Exec mode Table 35 Configuration Command Modes Mode Command Prompt Page Access Control List access list arp access list ip standard access list ip extended access list mac access list ipv6 standard access list ipv6 extended Console config arp acl Console config std acl Console config ext acl...

Page 635: ... for command line processing Table 36 Keystroke Commands Keystroke Function Ctrl A Shifts cursor to start of command line Ctrl B Shifts cursor to the left one character Ctrl C Terminates the current task and displays the command prompt Ctrl E Shifts cursor to end of command line Ctrl F Shifts cursor to the right one character Ctrl K Deletes all characters from the cursor to the end of the line Ctr...

Page 636: ...iguring valid static or dynamic addresses web authentication MAC address authentication filtering DHCP requests and replies and discarding invalid ARP responses 777 Access Control List Provides filtering for IPv4 frames based on address protocol TCP UDP port number or TCP control code IPv6 frames based on address DSCP traffic class next header or flow label or non IP frames based on MAC address or...

Page 637: ...lity of Service Configures Differentiated Services 981 Multicast Filtering Configures IGMP multicast filtering query profile and proxy parameters specifies ports attached to a multicast router also configures multicast VLAN registration 999 Link Layer Discovery Protocol Configures LLDP settings to enable information discovery about neighbor devices 1061 Domain Name Service Configures DNS services ...

Page 638: ...CHAPTER 23 Using the Command Line Interface CLI Command Groups 638 ...

Page 639: ...tarts the system at a specified time after a specified delay or at a periodic interval GC enable Activates privileged mode NE quit Exits a CLI session NE PE show history Shows the command history buffer NE PE configure Activates global configuration mode PE disable Returns to normal mode from privileged mode PE reload Restarts the system immediately PE show reload Displays the current reload setti...

Page 640: ...which to reload Range 0 23 minute The minute at which to reload Range 0 59 month The month at which to reload january december day The day of the month at which to reload Range 1 31 year The year at which to reload Range 2001 2050 reload in An interval after which to reload the switch hours The number of hours combined with the minutes before the switch resets Range 0 576 minutes The number of min...

Page 641: ...Are you sure to reboot the system at the specified time y n enable This command activates Privileged Exec mode In privileged mode additional commands are available and certain commands display additional information See Understanding Command Modes on page 632 SYNTAX enable level level Privilege level to log into the device The device has two predefined privilege levels 0 Normal Exec 15 Privileged ...

Page 642: ... Exec COMMAND USAGE The quit and exit commands can both exit the configuration program EXAMPLE This example shows how to quit a CLI session Console quit Press ENTER to start session User Access Verification Username show history This command shows the contents of the command history buffer DEFAULT SETTING None COMMAND MODE Normal Exec Privileged Exec COMMAND USAGE The history buffer size is fixed ...

Page 643: ...story buffer when you are in any of the configuration modes In this example the 2 command repeats the second command in the Execution history buffer config Console 2 Console config Console config configure This command activates Global Configuration mode You must enter this mode to modify any settings on the switch You must also enter Global Configuration mode prior to enabling some of the other c...

Page 644: ...ded to the end of the prompt to indicate that the system is in normal access mode EXAMPLE Console disable Console RELATED COMMANDS enable 641 reload Privileged Exec This command restarts the system NOTE When the system is restarted it will always run the Power On Self Test It will also retain all configuration information stored in non volatile memory by the copy running config startup config comm...

Page 645: ...days 0 hours 29 minutes 52 seconds Console end This command returns to Privileged Exec mode DEFAULT SETTING None COMMAND MODE Global Configuration Interface Configuration Line Configuration VLAN Database Configuration and Multiple Spanning Tree Configuration EXAMPLE This example shows how to return to the Privileged Exec mode from the Interface Configuration mode Console config if end Console exit...

Page 646: ...6 EXAMPLE This example shows how to return to the Privileged Exec mode from the Global Configuration mode and then quit the CLI session Console config exit Console exit Press ENTER to start session User Access Verification Username ...

Page 647: ...ns to full speed Frame Size Enables support for jumbo frames File Management Manages code image or switch configuration files Line Sets communication parameters for the serial port including baud rate and console time out Event Logging Controls logging of error messages SMTP Alerts Configures SMTP email alerts Time System Clock Sets the system clock automatically via NTP SNTP server or manually Ti...

Page 648: ...nsole config switch all renumber This command resets the switch unit identification numbers in the stack All stack members are numbered sequentially starting from the top unit for a non loop stack or starting from the Master unit for a looped stack SYNTAX switch all renumber DEFAULT SETTING u For non loop stacking the top unit is unit 1 u For loop stacking the master unit is unit 1 COMMAND MODE Pr...

Page 649: ...also use two PCEs EXAMPLE Console show access list tcam utilization Total Policy Control Entries 512 Free Policy Control Entries 508 TCAM Utilization 0 78 Console Table 41 System Status Commands Command Function Mode show access list tcam utilization Shows utilization parameters for TCAM PE show memory Shows memory utilization parameters NE PE show process cpu Shows CPU utilization parameters NE P...

Page 650: ...ytes Free 134946816 Used 133488640 Total 268435456 Console show process cpu This command shows the CPU utilization parameters COMMAND MODE Normal Exec Privileged Exec EXAMPLE Console show process cpu CPU Utilization in the past 5 seconds 3 98 Console show running config This command displays the configuration information currently in use SYNTAX show running config interface interface interface eth...

Page 651: ...e settings n Interface settings n Any configured settings for the console port and Telnet EXAMPLE Console show running config Building running configuration Please wait stackingDB 0000000000000000 stackingDB stackingMac 01_00 17 7C 93 82 a0_01 stackingMac stackingMac 00_00 00 00 00 00 00_00 stackingMac stackingMac 00_00 00 00 00 00 00_00 stackingMac stackingMac 00_00 00 00 00 00 00_00 stackingMac ...

Page 652: ...how running config command to compare the information in running memory to the information stored in non volatile memory u This command displays settings for key command modes Each mode group is separated by symbols and includes the configuration mode command and corresponding commands This command displays the following information n MAC address for each switch in the stack n SNMP community strin...

Page 653: ...the air flow intake vents on both models The second detector is near the switch ASIC on the DG GS4826S and near the physical layer ASIC on the DG GS4850S u No information will be displayed under POST Result unless there is a problem with the unit If any POST test indicates FAIL contact your distributor for assistance EXAMPLE Console show system System Description DG GS4850S DG GS4826S System OID S...

Page 654: ...rogram EXAMPLE Console show tech support Vty 0 show system System Description DG GS4850S DG GS4826S System OID String 1 3 6 1 4 1 36293 1 1 2 3 System Information System Up Time 0 days 0 hours 8 minutes and 40 72 seconds System Name test System Location System Contact MAC Address Unit 1 00 17 7C 0C 8F EE Web Server Enabled Web Server Port 80 Web Secure Server Enabled Web Secure Server Port 443 Tel...

Page 655: ...4 192 168 0 61 Console show version This command displays hardware and software version information for the system COMMAND MODE Normal Exec Privileged Exec COMMAND USAGE See Displaying Switch Hardware Software Versions on page 115 for detailed information on the items displayed by this command EXAMPLE Console show version Unit 1 Serial Number 007000031 Hardware Version R02 EPLD Version 1 06 Number...

Page 656: ... to 1 5 KB using jumbo frames significantly reduces the per packet overhead required to process protocol encapsulation fields u To use jumbo frames both the source and destination end nodes such as a computer or server must support this feature Also when the connection is operating at full duplex all switches in the network between the two end nodes must be able to accept the extended frame size A...

Page 657: ...ded and downloaded to or from an FTP TFTP server By saving runtime code to a file on an FTP TFTP server that file can later be downloaded to the switch to restore operation The switch can also be set to use new firmware without overwriting the previous version When downloading runtime code the destination file name can be specified to replace the current image or the file can be first downloaded u...

Page 658: ...sed to start up the system SYNTAX boot system unit boot rom config opcode filename unit Stack unit Range 1 8 boot rom Boot ROM config Configuration file opcode Run time operation code filename Name of configuration file or code image DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE u A colon is required after the specified unit number and file type u If the file contains an err...

Page 659: ...rd that allows you to copy to from a file ftp Keyword that allows you to copy to from an FTP server https certificate Keyword that allows you to copy the HTTPS secure site certificate public key Keyword that allows you to copy a SSH key from a TFTP server See Secure Shell on page 753 running config Keyword that allows you to copy to from the current running configuration startup config The configu...

Page 660: ...g the Default Secure site Certificate on page 306 For information on configuring the switch to use HTTPS for a secure connection see the ip http secure server command u When logging into an FTP server the interface prompts for a user name and password configured on the remote server Note that anonymous is set as the default user name EXAMPLE The following example shows how to download new firmware...

Page 661: ...is example shows how to copy a secure site certificate from an TFTP server It then reboots the switch to activate the certificate Console copy tftp https certificate TFTP server ip address 10 1 0 19 Source certificate file name SS certificate Source private file name SS private Private password Success Console reload System will be restarted continue y n y This example shows how to copy a public k...

Page 662: ... file or image SYNTAX delete unit filename unit Stack unit Range 1 8 filename Name of configuration file or code image DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE u If the file type is used for system startup then this file cannot be deleted u Factory_Default_Config cfg cannot be deleted u A colon is required after the specified unit number EXAMPLE This example shows how to del...

Page 663: ... the specified unit number and file type File information is shown below EXAMPLE The following example shows how to display all file information Console dir File Name Type Startup Modify Time Size bytes Unit 1 DG GS4826S_50S_V1 2 1 0 BIX OpCode N 2010 03 12 07 15 13 15052008 DG GS4826S_50S_V1 2 1 2 BIX OpCode Y 2010 04 23 11 50 11 15110656 Factory_Default_Config cfg Config N 2009 10 12 12 02 08 45...

Page 664: ...on program by attaching a VT100 compatible device to the server s serial port These commands are used to set communication parameters for the serial port or Telnet i e a virtual terminal Table 46 Line Commands Command Function Mode line Identifies a specific line for configuration and starts the line configuration mode GC accounting exec Applies an accounting method to local console Telnet or SSH ...

Page 665: ...mode enter the following command Console config line console Console config line RELATED COMMANDS show line 673 show users 654 password thresh Sets the password intrusion threshold which limits the number of failed logon attempts LC silent time Sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password th...

Page 666: ... input from devices that generate 7 data bits with parity If parity is being generated specify 7 data bits per character If no parity is required specify 8 data bits per character EXAMPLE To specify 7 data bits enter this command Console config line databits 7 Console config line RELATED COMMANDS parity 668 exec timeout This command sets the interval that the system waits until user input is detec...

Page 667: ... local Selects local password checking Authentication is based on the user name specified with the username command DEFAULT SETTING login local COMMAND MODE Line Configuration COMMAND USAGE u There are three authentication modes provided by the switch itself at login n login selects authentication by a single global password as specified by the password line configuration command When using this m...

Page 668: ...LATED COMMANDS username 729 password 669 parity This command defines the generation of a parity bit Use the no form to restore the default setting SYNTAX parity none even odd no parity none No parity even Even parity odd Odd parity DEFAULT SETTING No parity COMMAND MODE Line Configuration COMMAND USAGE Communication protocols provided by devices such as terminals and modems often require a specifi...

Page 669: ...ion the system prompts for the password If you enter the correct password the system shows a prompt You can use the password thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state u The encrypted password is required for compatibility with legacy password settings i e plain text or...

Page 670: ...re allowing the next logon attempt Use the silent time command to set this interval When this threshold is reached for Telnet the Telnet logon interface shuts down EXAMPLE To set the password threshold to five attempts enter this command Console config line password thresh 5 Console config line RELATED COMMANDS silent time 670 silent time This command sets the amount of time the management console...

Page 671: ...om terminal speeds Use the no form to restore the default setting SYNTAX speed bps no speed bps Baud rate in bits per second Options 9600 19200 38400 57600 115200 bps DEFAULT SETTING 115200 bps COMMAND MODE Line Configuration COMMAND USAGE Set the speed to match the baud rate of the device connected to the serial port Some baud rates available on devices connected to the port might not be supporte...

Page 672: ...onse This command sets the interval that the system waits for a user to log into the CLI Use the no form to restore the default setting SYNTAX timeout login response seconds no timeout login response seconds Integer that specifies the timeout interval Range 0 300 seconds 0 disabled DEFAULT SETTING CLI Disabled 0 seconds Telnet 300 seconds COMMAND MODE Line Configuration COMMAND USAGE u If a login ...

Page 673: ...an SSH Telnet or console connection Range 0 4 COMMAND MODE Privileged Exec COMMAND USAGE Specifying session identifier 0 will disconnect the console connection Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection EXAMPLE Console disconnect 1 Console RELATED COMMANDS show ssh 762 show users 654 show line This command displays the terminal line s paramet...

Page 674: ...on describes commands used to configure event logging on the switch Table 47 Event Logging Commands Command Function Mode logging facility Sets the facility type for remote logging of syslog messages GC logging history Limits syslog messages saved to switch memory based on severity GC logging host Adds a syslog server host IP address that will receive logging messages GC logging on Controls loggin...

Page 675: ...y the syslog server to sort messages or to store messages in the corresponding database EXAMPLE Console config logging facility 19 Console config logging history This command limits syslog messages saved to switch memory based on severity The no form returns the logging of syslog messages to the default level SYNTAX logging history flash ram level no logging history flash ram flash Event history s...

Page 676: ...move a syslog server host SYNTAX no logging host host ip address host ip address The IPv4 or IPv6 address of a syslog server DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE u Use this command more than once to build up a list of host IP addresses u The maximum number of host IP addresses allowed is five 4 warnings Warning conditions e g return false unexpected return 3 errors ...

Page 677: ...error messages that are stored in memory You can use the logging trap command to control the type of error messages that are sent to specified syslog servers EXAMPLE Console config logging on Console config RELATED COMMANDS logging history 675 logging trap 677 clear log 678 logging trap This command enables the logging of system messages to a remote server or limits the syslog messages saved to a ...

Page 678: ...d level also enables remote logging but restores the minimum severity level to the default EXAMPLE Console config logging trap 4 Console config clear log This command clears messages from the log buffer SYNTAX clear log flash ram flash Event history stored in flash memory i e permanent memory ram Event history stored in temporary RAM i e memory flushed on power reset DEFAULT SETTING Flash and RAM ...

Page 679: ...module 5 function 1 and event no 1 0 00 01 30 2001 01 01 Unit 1 Port 1 link up notification level 6 module 5 function 1 and event no 1 Console show logging This command displays the configuration settings for logging messages to local switch memory to an SMTP event handler or to a remote syslog server SYNTAX show logging flash ram sendmail trap flash Displays settings for storing event messages in...

Page 680: ...ver IP Address 0 0 0 0 Console RELATED COMMANDS show logging sendmail 684 Table 49 show logging flash ram display description Field Description Syslog logging Shows if system logging has been enabled via the logging on command History logging in FLASH The message level s reported based on the logging history command History logging in RAM The message level s reported based on the logging history c...

Page 681: ...that will be sent alert messages Use the no form to remove an SMTP server SYNTAX no logging sendmail host ip address ip address IP address of an SMTP server that will be sent alert messages for event handling DEFAULT SETTING None Table 51 Event Logging Commands Command Function Mode logging sendmail Enables SMTP event handling GC logging sendmail host SMTP servers to receive alert messages GC logg...

Page 682: ...again If it still fails the system will repeat the process at a periodic interval A trap will be triggered if the switch cannot successfully open a connection EXAMPLE Console config logging sendmail host 192 168 1 19 Console config logging sendmail level This command sets the severity threshold used to trigger alert messages Use the no form to restore the default setting SYNTAX logging sendmail le...

Page 683: ...ters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE You can specify up to five recipients for alert messages However you must enter a separate command to specify each recipient EXAMPLE Console config logging sendmail destination email ted this company com Console config logging sendmail source email This command sets the email address used for the From field in alert messages...

Page 684: ...dresses 1 ted this company com SMTP Source E mail Address bill this company com SMTP Status Enabled Console TIME The system clock can be dynamically set by polling a set of specified time servers NTP or SNTP Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries If the clock is not set the switch will only record the time from the f...

Page 685: ... time requests to time servers specified via the sntp server command It issues time synchronization requests based on the interval set via the sntp poll command EXAMPLE Console config sntp server 10 1 0 19 Console config sntp poll 60 Console config sntp client Console config end Console show sntp Current Time Dec 23 02 52 44 2002 Poll Interval 60 Current Mode unicast SNTP Status Enabled SNTP Serve...

Page 686: ...h SNTP time requests are issued Use the this command with no arguments to clear all time servers from the current list Use the no form to clear all time servers from the current list or to clear a specific server SYNTAX sntp server ip1 ip2 ip3 no sntp server ip1 ip2 ip3 ip IPv4 or IPv6 address of an time server NTP or SNTP Range 1 3 addresses DEFAULT SETTING None COMMAND MODE Global Configuration ...

Page 687: ...s and the current SNTP mode i e unicast EXAMPLE Console show sntp Current Time Nov 5 18 51 22 2006 Poll Interval 16 seconds Current Mode Unicast SNTP Status Enabled SNTP Server 137 92 140 80 137 92 140 81 Console clock timezone This command sets the time zone for the switch s internal clock SYNTAX clock timezone name hour hours minute minutes before utc after utc name Name of timezone usually an a...

Page 688: ...rs 5 minute 30 after UTC Console config RELATED COMMANDS show sntp 687 calendar set This command sets the system clock It may be used if there is no time server on your network or if you have not configured the switch to receive signals from a time server SYNTAX calendar set hour min sec day month year month day year hour Hour in 24 hour format Range 0 23 min Minute Range 0 59 sec Second Range 0 5...

Page 689: ...s a time range for use by other functions such as Access Control Lists time range This command specifies the name of a time range and enters time range configuration mode Use the no form to remove a previously specified time range SYNTAX no time range name name Name of the time range Range 1 30 characters Table 53 Time Range Commands Command Function Mode time range Specifies the name of a time ra...

Page 690: ...o remove a previously specified time SYNTAX absolute start hour minute day month year end hour minutes day month year absolute end hour minutes day month year no absolute hour Hour in 24 hour format Range 0 23 minute Minute Range 0 59 day Day of month Range 1 31 month january february march april may june july august september october november december year Year 4 digit Range 2009 2109 DEFAULT SET...

Page 691: ...y saturday sunday thursday tuesday wednesday weekdays weekend hour minute to daily friday monday saturday sunday thursday tuesday wednesday weekdays weekend hour minute daily Daily friday Friday monday Monday saturday Saturday sunday Sunday thursday Thursday tuesday Tuesday wednesday Wednesday weekdays Weekdays weekend Weekends hour Hour in 24 hour format Range 0 23 minute Minute Range 0 59 DEFAUL...

Page 692: ...me ranges SYNTAX show time range name name Name of the time range Range 1 30 characters DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console show time range r d Time range r d absolute start 01 01 01 April 2009 periodic Daily 01 01 to Daily 02 01 periodic Daily 02 01 to Daily 03 01 Console ...

Page 693: ...s Command Function Mode General SNMP Commands snmp server Enables the SNMP agent GC snmp server community Sets up the community access string to permit access to SNMP commands GC snmp server contact Sets the system contact string GC snmp server location Sets the system location string GC show snmp Displays the status of SNMP communications NE PE SNMP Target Host Commands snmp server enable traps E...

Page 694: ...able port traps atc broadcast control apply Sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires IC Port snmp server enable port traps atc broadcast control release Sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires IC Port snmp serve...

Page 695: ...s rw Specifies read write access Authorized management stations are able to both retrieve and modify MIB objects DEFAULT SETTING u public Read only access Authorized management stations are only able to retrieve MIB objects u private Read write access Authorized management stations are able to both retrieve and modify MIB objects COMMAND MODE Global Configuration EXAMPLE Console config snmp server...

Page 696: ...th 255 characters DEFAULT SETTING None COMMAND MODE Global Configuration EXAMPLE Console config snmp server location WC 19 Console config RELATED COMMANDS snmp server contact 695 show snmp This command can be used to check the status of SNMP communications DEFAULT SETTING None COMMAND MODE Normal Exec Privileged Exec COMMAND USAGE This command provides information on the community access strings c...

Page 697: ...0 Trap PDUs SNMP Logging Disabled Console snmp server enable traps This command enables this device to send Simple Network Management Protocol traps or informs i e SNMP notifications Use the no form to disable SNMP notifications SYNTAX no snmp server enable traps authentication link up down authentication Keyword to issue authentication failure notifications link up down Keyword to issue link up o...

Page 698: ...s the recipient of a Simple Network Management Protocol notification operation Use the no form to remove the specified host SYNTAX snmp server host host addr inform retry retries timeout seconds community string version 1 2c 3 auth noauth priv udp port port no snmp server host host addr host addr Internet address of the host the targeted recipient Maximum host addresses 5 trap destination IP addre...

Page 699: ...ost u The snmp server host command is used in conjunction with the snmp server enable traps command Use the snmp server enable traps command to enable the sending of traps or informs and to specify which SNMP notifications are sent globally For a host to receive notifications at least one snmp server enable traps command and the snmp server host command for that host must be enabled u Some notific...

Page 700: ... Allow the switch to send SNMP traps i e notifications page 697 6 Specify the target host that will receive inform messages with the snmp server host command as described in this section u The switch can send SNMP Version 1 2c or 3 notifications to a host IP address depending on the SNMP version that the management station supports If the snmp server host command does not specify the SNMP version ...

Page 701: ...authenticating and encrypting SNMPv3 packets u A remote engine ID is required when using SNMPv3 informs See the snmp server host command The remote engine ID is used to compute the security digest for authentication and encryption of packets passed between the switch and a user on the remote host SNMP passwords are localized using the engine ID of the authoritative agent For informs the authoritat...

Page 702: ...iew for write access 1 32 characters notifyview Defines the view for notifications 1 32 characters DEFAULT SETTING Default groups public10 read only private11 read write readview Every object belonging to the Internet OID space 1 writeview Nothing is defined notifyview Nothing is defined COMMAND MODE Global Configuration COMMAND USAGE u A group sets the access policy for the assigned users u When ...

Page 703: ...device ip address The Internet address of the remote device v1 v2c v3 Use SNMP version 1 2c or 3 encrypted Accepts the password as encrypted input auth Uses SNMPv3 with authentication md5 sha Uses MD5 or SHA authentication auth password Authentication password Enter as plain text if the encrypted option is not used Otherwise enter an encrypted password A minimum of eight characters is required pri...

Page 704: ...emote user will fail u SNMP passwords are localized using the engine ID of the authoritative agent For informs the authoritative SNMP agent is the remote agent You therefore need to configure the remote agent s SNMP engine ID before you can send proxy requests or informs to it EXAMPLE Console config snmp server user steve group r d v3 auth md5 green priv des56 einstien Console config snmp server u...

Page 705: ... config This view includes the MIB 2 interfaces table and the mask selects all index entries Console config snmp server view ifEntry a 1 3 6 1 2 1 2 2 1 1 included Console config show snmp engine id This command shows the SNMP engine ID COMMAND MODE Privileged Exec EXAMPLE This example shows the default engine ID Console show snmp engine id Local SNMP EngineID 8000002a80000000177c666672 Local SNMP...

Page 706: ...s active Group Name public Security Model v2c Read View defaultview Write View No writeview specified Notify View No notifyview specified Storage Type volatile Row Status active Group Name private Security Model v1 Read View defaultview Write View defaultview Notify View No notifyview specified Storage Type volatile Row Status active Group Name private Security Model v2c Read View defaultview Writ...

Page 707: ...ld Description Group Name Name of an SNMP group Security Model The SNMP version Read View The associated read view Write View The associated write view Notify View The associated notify view Storage Type The storage type for this entry Row Status The row status of this entry Table 57 show snmp user display description Field Description EngineId String identifying the engine ID User Name Name of us...

Page 708: ...on log SYNTAX no nlm filter name filter name Notification log name Range 1 32 characters DEFAULT SETTING Enabled COMMAND MODE Global Configuration COMMAND USAGE u Notification logging is enabled by default but will not start recording information until a logging profile specified by the snmp server notify filter command is enabled by the nlm command Table 58 show snmp view display description Fiel...

Page 709: ...ameter is only required to complete mandatory fields in the SNMP Notification MIB DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE u Systems that support SNMP often need a mechanism for recording Notification information as a hedge against lost notifications whether those are Traps or Informs that exceed retransmission limits The Notification Log MIB NLM RFC 3014 provides an in...

Page 710: ...contain up to 256 entries and the entry aging time is 1440 minutes Information recorded in a notification log and the entry aging time can only be configured using SNMP from a network management station u When a trap host is created with the snmp server host command a default notify filter will be created as shown in the example under the show snmp notify filter command EXAMPLE This example first ...

Page 711: ...is command displays the configured notification logs COMMAND MODE Privileged Exec EXAMPLE This example displays the configured notification logs and associated target hosts Console show snmp notify filter Filter profile name IP address A1 10 1 19 23 Console ...

Page 712: ...CHAPTER 26 SNMP Commands 712 ...

Page 713: ...Event and Alarm groups When RMON is enabled the system gradually builds up information about its physical interfaces storing this information in the relevant RMON database group A management agent then periodically communicates with the switch using the SNMP protocol However if the switch encounters a critical event it can automatically send a trap message to the management agent which can then re...

Page 714: ...e and the difference is then compared to the thresholds threshold An alarm threshold for the sampled variable Range 0 2147483647 event index The index of the event to use if an alarm is triggered If there is no corresponding entry in the event control table then no event will be generated Range 1 65535 name Name of the person who created this entry Range 1 127 characters DEFAULT SETTING 1 3 6 1 2 ...

Page 715: ...index index Index to this entry Range 1 65535 log Generates an RMON log entry when the event is triggered Log messages are processed based on the current configuration settings for event logging see Event Logging on page 674 trap Sends a trap message to all configured trap managers see snmp server host on page 698 community A password like community string sent with the trap operation to SNMP v1 a...

Page 716: ...e number of buckets requested for this entry Range 1 65536 seconds The polling interval Range 1 3600 seconds name Name of the person who created this entry Range 1 127 characters DEFAULT SETTING 1 3 6 1 2 1 16 1 1 1 6 1 1 3 6 1 2 1 16 1 1 1 6 26 50 Buckets 8 Interval 30 seconds for even numbered entries 1800 seconds for odd numbered entries COMMAND MODE Interface Configuration Ethernet COMMAND USA...

Page 717: ...e 1 127 characters DEFAULT SETTING Enabled COMMAND MODE Interface Configuration Ethernet COMMAND USAGE u By default each index number equates to a port on the switch but can be changed to any number not currently in use u If statistics collection is already enabled on an interface the entry must be deleted before any changes can be made with this command u The information collected for each entry ...

Page 718: ...lid owned by mike Description is urgent Event firing causes log and trap to community last fired 00 00 00 Console show rmon history This command shows the sampling parameters configured for each entry in the history group COMMAND MODE Privileged Exec EXAMPLE Console show rmon history Entry 1 is valid and owned by Monitors 1 3 6 1 2 1 2 2 1 1 1 every 1800 seconds Requested of time intervals ie buck...

Page 719: ...atistics Interface 1 is valid and owned by Monitors 1 3 6 1 2 1 2 2 1 1 1 which has Received 164289 octets 2372 packets 120 broadcast and 2211 multicast packets 0 undersized and 0 oversized packets 0 fragments and 0 jabbers 0 CRC alignment errors and 0 collisions of dropped packet events due to lack of resources 0 of packets received of length in octets 64 2245 65 127 87 128 255 31 256 511 5 512 1...

Page 720: ...CHAPTER 27 Remote Monitoring Commands 720 ...

Page 721: ...address ipv6 ipv6 address destination udp port no sflow destination ipv4 address IPv4 address of the sFlow Collector Valid IPv4 addresses consist of four decimal numbers 0 to 255 separated by periods ipv6 address IPv6 address of the sFlow Collector A full IPv6 address including the network prefix and host address bits An IPv6 address consists of 8 colon separated 16 bit hexadecimal values Table 60...

Page 722: ... the default UDP port Console config interface ethernet 1 9 Console config if sflow destination ipv4 192 168 0 4 Console config if sflow max datagram size This command configures the maximum size of the sFlow datagram payload Use the no form to restore the default setting SYNTAX sflow max datagram size max datagram size no max datagram size max datagram size The maximum size of the sFlow datagram ...

Page 723: ...E Interface Configuration Ethernet EXAMPLE Console config interface ethernet 1 9 Console config if sflow max header size 256 Console config if sflow owner This command configures the name of the receiver i e sFlow Collector Use the no form to remove this name SYNTAX sflow owner name no sflow owner name The name of the receiver Range 1 256 characters DEFAULT SETTING None COMMAND MODE Interface Conf...

Page 724: ...figuration Ethernet EXAMPLE This example sets the sample rate to 1 out of every 100 packets Console config interface ethernet 1 9 Console config if sflow sample 100 Console config if sflow source This command enables sFlow on the source ports to be monitored Use the no form to disable sFlow on the specified ports SYNTAX no sflow source DEFAULT SETTING Disabled COMMAND MODE Interface Configuration ...

Page 725: ...cates no time out DEFAULT SETTING Disabled COMMAND MODE Interface Configuration Ethernet COMMAND USAGE The sFlow parameters affected by this command include the sampling interval the receiver s name address and UDP port the time out maximum header size and maximum datagram size EXAMPLE This example sets the time out to 1000 seconds Console config interface ethernet 1 9 Console config if sflow time...

Page 726: ...xec EXAMPLE Console show sflow interface ethernet 1 9 Interface of Ethernet 1 9 Interface status Enabled Owner name Lamar Owner destination 192 168 0 4 Owner socket port 6343 Time out 9994 Maximum header size 256 Maximum datagram size 1500 Sample rate 1 256 Console ...

Page 727: ...Authentication Commands Command Group Function User Accounts Configures the basic user names and passwords for management access Authentication Sequence Defines logon authentication method and precedence RADIUS Client Configures settings for authentication via a RADIUS server TACACS Client Configures settings for authentication via a TACACS server AAA Configures authentication authorization and ac...

Page 728: ...l Maximum length 8 characters plain text 32 encrypted case sensitive DEFAULT SETTING The default is level 15 The default password is super COMMAND MODE Global Configuration COMMAND USAGE u You cannot set a null password You will have to enter a password to change the command mode from Normal Exec to Privileged Exec with the enable command u The encrypted password is required for compatibility with...

Page 729: ...encrypted password password password The authentication password for the user Maximum length 8 characters plain text 32 encrypted case sensitive DEFAULT SETTING The default access level is Normal Exec The factory defaults for the user names and passwords are COMMAND MODE Global Configuration COMMAND USAGE The encrypted password is required for compatibility with legacy password settings i e plain ...

Page 730: ...fers a connection oriented transport Also note that RADIUS encrypts only the password in the access request packet from the client to the server while TACACS encrypts the entire body of the packet u RADIUS and TACACS logon authentication assigns a specific privilege level for each user name and password pair The user name password and privilege level must be configured on the authentication server...

Page 731: ...connection oriented transport Also note that RADIUS encrypts only the password in the access request packet from the client to the server while TACACS encrypts the entire body of the packet u RADIUS and TACACS logon authentication assigns a specific privilege level for each user name and password pair The user name password and privilege level must be configured on the authentication server u You ...

Page 732: ...nting messages Use the no form to restore the default SYNTAX radius server acct port port number no radius server acct port port number RADIUS server UDP port used for accounting messages Range 1 65535 DEFAULT SETTING 1813 COMMAND MODE Global Configuration EXAMPLE Console config radius server acct port 181 Console config Table 65 RADIUS Client Commands Command Function Mode radius server acct port...

Page 733: ...o restore the default values SYNTAX no radius server index host host ip address auth port auth port acct port acct_port key key retransmit retransmit timeout timeout index Allows you to specify up to five servers These servers are queried in sequence until a server responds or the retransmit period expires host ip address IP address of server auth port RADIUS server UDP port used for authenticatio...

Page 734: ...server key key string no radius server key key string Encryption key used to authenticate logon access for client Do not use blank spaces in the string Maximum length 48 characters DEFAULT SETTING None COMMAND MODE Global Configuration EXAMPLE Console config radius server key green Console config radius server retransmit This command sets the number of retries Use the no form to restore the defaul...

Page 735: ...timeout number of seconds no radius server timeout number of seconds Number of seconds the switch waits for a reply before resending a request Range 1 65535 DEFAULT SETTING 5 COMMAND MODE Global Configuration EXAMPLE Console config radius server timeout 10 Console config show radius server This command displays the current settings for the RADIUS server DEFAULT SETTING None COMMAND MODE Privileged...

Page 736: ... privilege levels for each user or group that require management access to a switch tacacs server This command specifies the TACACS server and other optional parameters Use the no form to remove the server or to restore the default values SYNTAX tacacs server index host host ip address key key port port number no tacacs server index index The index for this server Range 1 host ip address IP addres...

Page 737: ... This command specifies the TACACS server Use the no form to restore the default SYNTAX tacacs server host host ip address no tacacs server host host ip address IP address of a TACACS server DEFAULT SETTING 10 11 12 13 COMMAND MODE Global Configuration EXAMPLE Console config tacacs server host 192 168 1 25 Console config tacacs server key This command sets the TACACS encryption key Use the no form...

Page 738: ...tacacs server port port number no tacacs server port port number TACACS server TCP port used for authentication messages Range 1 65535 DEFAULT SETTING 49 COMMAND MODE Global Configuration EXAMPLE Console config tacacs server port 181 Console config show tacacs server This command displays the current settings for the TACACS server DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console s...

Page 739: ...0 15 default Specifies the default accounting method for service requests Table 67 AAA Commands Command Function Mode aaa accounting commands Enables accounting of Exec mode commands GC aaa accounting dot1x Enables accounting of 802 1X services GC aaa accounting exec Enables accounting of Exec services GC aaa accounting update Enables periodoc updates to be sent to the accounting server GC aaa aut...

Page 740: ... Note that the default and method name fields are only used to describe the accounting method s configured on the specified TACACS server and do not actually send any information to the server about the methods to use EXAMPLE Console config aaa accounting commands 15 default start stop group tacacs Console config aaa accounting dot1x This command enables the accounting of requested 802 1X services...

Page 741: ...ccounting method s configured on the specified RADIUS or TACACS servers and do not actually send any information to the servers about the methods to use EXAMPLE Console config aaa accounting dot1x default start stop group radius Console config aaa accounting exec This command enables the accounting of requested Exec services for network access Use the no form to disable the accounting service SYNT...

Page 742: ... method name fields are only used to describe the accounting method s configured on the specified RADIUS or TACACS servers and do not actually send any information to the servers about the methods to use EXAMPLE Console config aaa accounting exec default start stop group tacacs Console config aaa accounting update This command enables the sending of periodic updates to the accounting server Use th...

Page 743: ... 255 characters group Specifies the server group to use tacacs Specifies all TACACS hosts configured with the tacacs server command server group Specifies the name of a server group configured with the aaa group server command Range 1 255 characters DEFAULT SETTING Authorization is not enabled No servers are specified COMMAND MODE Global Configuration COMMAND USAGE u This command performs authoriz...

Page 744: ...AMPLE Console config aaa group server radius tps Console config sg radius server This command adds a security server to an AAA server group Use the no form to remove the associated server from the group SYNTAX no server index ip address index Specifies the server index Range RADIUS 1 5 TACACS 1 ip address Specifies the host IP address of a server DEFAULT SETTING None COMMAND MODE Server Group Conf...

Page 745: ... list name Specifies a method list created with the aaa accounting dot1x command DEFAULT SETTING None COMMAND MODE Interface Configuration EXAMPLE Console config interface ethernet 1 2 Console config if accounting dot1x tps Console config if accounting exec This command applies an accounting method to local console Telnet or SSH connections Use the no form to disable accounting on the line SYNTAX ...

Page 746: ...t name Specifies a method list created with the aaa authorization exec command DEFAULT SETTING None COMMAND MODE Line Configuration EXAMPLE Console config line console Console config line authorization exec tps Console config line exit Console config line vty Console config line authorization exec default Console config line show accounting This command displays the current accounting settings per...

Page 747: ...nterface Eth 1 1 Method List tps Group List radius Interface Eth 1 2 Accounting Type EXEC Method List default Group List tacacs Interface vty Console WEB SERVER This section describes commands used to configure web browser management access to the switch Table 68 Web Server Commands Command Function Mode ip http port Specifies the port to be used by the web browser interface GC ip http server Allo...

Page 748: ...ange 1 65535 DEFAULT SETTING 80 COMMAND MODE Global Configuration EXAMPLE Console config ip http port 769 Console config RELATED COMMANDS ip http server 748 show system 653 ip http server This command allows this device to be monitored or configured from a browser Use the no form to disable this function SYNTAX no ip http server DEFAULT SETTING Enabled COMMAND MODE Global Configuration EXAMPLE Con...

Page 749: ...n is established in this way n The client authenticates the server using the server s digital certificate n The client and server negotiate a set of security protocols to use for the connection n The client and server generate session keys for encrypting and decrypting data u The client and server establish a secure encrypted connection A padlock icon should appear in the status bar for Internet E...

Page 750: ...S connection to the switch s web interface Use the no form to restore the default port SYNTAX ip http secure port port_number no ip http secure port port_number The UDP port used for HTTPS Range 1 65535 DEFAULT SETTING 443 COMMAND MODE Global Configuration COMMAND USAGE u You cannot configure the HTTP and HTTPS servers to use the same port u If you change the HTTPS port number clients attempting t...

Page 751: ...no ip telnet max sessions session count The maximum number of allowed Telnet session Range 0 4 DEFAULT SETTING 4 sessions COMMAND MODE Global Configuration COMMAND USAGE A maximum of four sessions can be concurrently opened for Telnet and Secure Shell i e both Telnet and SSH share a maximum number or four sessions EXAMPLE Console config ip telnet max sessions 1 Console config Table 70 Telnet Serve...

Page 752: ...TCP port number to be used by the browser interface Range 1 65535 DEFAULT SETTING 23 COMMAND MODE Global Configuration EXAMPLE Console config ip telnet port 123 Console config ip telnet server This command allows this device to be monitored or configured from Telnet Use the no form to disable this function SYNTAX no ip telnet server DEFAULT SETTING Enabled COMMAND MODE Global Configuration EXAMPLE...

Page 753: ...h authentication retries Specifies the number of retries allowed by a client GC ip ssh server Enables the SSH server on the switch GC ip ssh server key size Sets the SSH server key size GC ip ssh timeout Specifies the authentication timeout for the SSH server GC copy tftp public key Copies the user s public key from a TFTP server to the switch PE delete public key Deletes the public key for the sp...

Page 754: ...sts file would appear similar to the following example 10 1 0 54 1024 35 15684995401867669259333946775054617325313674890836547254 15020245593199868544358361651999923329781766065830956 10825913212890233765468017262725714134287629413011961955667825 95664104869574278881462065194174677298486546861571773939016477 93559423035774130980227370877945452408397175264635805817671670 9574804776117 3 Import Clie...

Page 755: ...ients that have a private key corresponding to the public keys stored on the switch can access it The following exchanges take place during this process Authenticating SSH v1 5 Clients a The client sends its RSA public key to the switch b The switch compares the client s public key to those stored in memory c If a match is found the switch uses its secret key to generate a random 256 bit string as...

Page 756: ...using any configured IPv4 or IPv6 interface address on the switch ip ssh authentication retries This command configures the number of times the SSH server attempts to reauthenticate a user Use the no form to restore the default setting SYNTAX ip ssh authentication retries count no ip ssh authentication retries count The number of authentication attempts permitted after which the interface is reset...

Page 757: ...enabling the SSH server EXAMPLE Console ip ssh crypto host key generate dsa Console configure Console config ip ssh server Console config RELATED COMMANDS ip ssh crypto host key generate 759 show ssh 762 ip ssh server key size This command sets the SSH server key size Use the no form to restore the default setting SYNTAX ip ssh server key size key size no ip ssh server key size key size The size o...

Page 758: ...he switch will wait for a response from the client during the SSH negotiation phase Once an SSH session has been established the timeout for user input is controlled by the exec timeout command for vty sessions EXAMPLE Console config ip ssh timeout 60 Console config RELATED COMMANDS exec timeout 666 show ip ssh 761 delete public key This command deletes the specified user s public key SYNTAX delet...

Page 759: ...1 5 clients and DSA Version 2 for SSHv2 clients u This command stores the host key pair in memory i e RAM Use the ip ssh save host key command to save the host key pair to flash memory u Some SSH client programs automatically add the public key to the known hosts file as part of the configuration process Otherwise you must manually create a known hosts file and place the host public key in it u Th...

Page 760: ...memory RAM Use the no ip ssh save host key command to clear the host key from flash memory u The SSH server must be disabled before you can execute this command EXAMPLE Console ip ssh crypto zeroize dsa Console RELATED COMMANDS ip ssh crypto host key generate 759 ip ssh save host key 760 no ip ssh server 756 ip ssh save host key This command saves the host key from RAM to flash memory SYNTAX ip ss...

Page 761: ...eged Exec COMMAND USAGE u If no parameters are entered all keys are displayed If the user keyword is entered but no user name is specified then the public keys for all users are displayed u When an RSA key is displayed the first field indicates the size of the host key e g 1024 the second field is the encoded public exponent e g 35 and the last string is the encoded modulus When a DSA key is displ...

Page 762: ...c27s6TLdtny1wRq ow2eTCD5nekAAACBAJ8rMccXTxHLFAczWS7EjOy DbsloBfPuSAb4oAsyjKXKVYNLQkTLZfcFRu41bS2KV5LAwecsigF DjKGWtPNIQqabKgYCw2 o dVzX4Gg yqdTlYmGA7fHGm8ARGeiG4ssFKy4Z6DmYPXFum1Yg0fhLwuHpOSKdxT3kk475S7 w0W Console show ssh This command displays the current SSH server connections COMMAND MODE Privileged Exec EXAMPLE Console show ssh Connection Version State Username Encryption 0 2 0 Session Starte...

Page 763: ...t1x intrusion action Sets the port response to intrusion when authentication fails IC dot1x max req Sets the maximum number of times that the switch retransmits an EAP request identity packet to the client before it times out the authentication session IC dot1x operation mode Allows single or multiple hosts on an dot1x port IC dot1x port control Sets dot1x mode for a port interface IC dot1x re aut...

Page 764: ... through command can be used to forward EAPOL frames from other switches on to the authentication servers thereby allowing the authentication process to still be carried out by switches located on the edge of the network u When this device is functioning as an edge switch but does not require any attached clients to be authenticated the no dot1x eapol pass through command can be used to discard un...

Page 765: ... to the Guest VLAN DEFAULT block traffic COMMAND MODE Interface Configuration COMMAND USAGE For guest VLAN assignment to be successful the VLAN must be configured and set as active see the vlan database command and assigned as the guest VLAN for the port see the network access guest vlan command EXAMPLE Console config interface eth 1 2 Console config if dot1x intrusion action guest vlan Console co...

Page 766: ...r the maximum number of hosts count The maximum number of hosts that can connect to a port Range 1 1024 Default 5 mac based Allows multiple hosts to connect to this port with each host needing to be authenticated DEFAULT Single host COMMAND MODE Interface Configuration COMMAND USAGE u The max count parameter specified by this command is only effective if the dot1x mode is set to auto by the dot1x ...

Page 767: ...he port to grant access to all clients either dot1x aware or otherwise force unauthorized Configures the port to deny access to all clients either dot1x aware or otherwise DEFAULT force authorized COMMAND MODE Interface Configuration EXAMPLE Console config interface eth 1 2 Console config if dot1x port control auto Console config if dot1x re authentication This command enables periodic re authenti...

Page 768: ... port waits after the maximum request count see page 765 has been exceeded before attempting to acquire a new client Use the no form to reset the default SYNTAX dot1x timeout quiet period seconds no dot1x timeout quiet period seconds The number of seconds Range 1 65535 DEFAULT 60 seconds COMMAND MODE Interface Configuration EXAMPLE Console config interface eth 1 2 Console config if dot1x timeout q...

Page 769: ...out supp timeout seconds The number of seconds Range 1 65535 DEFAULT 30 seconds COMMAND MODE Interface Configuration COMMAND USAGE This command sets the timeout for EAP request frames other than EAP request identity frames If dot1x authentication is enabled on a port the switch will initiate authentication when the port link state comes up It will send an EAP request identity frame to the client t...

Page 770: ...onsole config if dot1x timeout tx period 300 Console config if dot1x re authenticate This command forces re authentication on all ports or a specific interface SYNTAX dot1x re authenticate interface interface ethernet unit port unit Stack unit Range 1 8 port Port number EC S4626F 1 26 EC S4650F 1 50 COMMAND MODE Privileged Exec COMMAND USAGE The re authentication process verifies the connected cli...

Page 771: ...ministrative state for port access control Enabled Authenticator or Supplicant n Operation Mode Allows single or multiple hosts page 766 n Control Mode Dot1x port control mode page 767 n Authorized Authorization status yes or n a not authorized u 802 1X Port Details Displays the port access control parameters for each interface including the following items n Reauthentication Periodic re authentic...

Page 772: ...n u Backend State Machine n State Current state including request response success fail timeout idle initialize n Request Count Number of EAP Request packets sent to the Supplicant without receiving a response n Identifier Server Identifier carried in the most recent EAP Success Failure or Request packet received from the Authentication Server u Reauthentication State Machine State Current state i...

Page 773: ...tifier 0 Authenticator PAE State Machine State Authenticated Reauth Count 0 Current Identifier 3 Backend State Machine State Idle Request Count 0 Identifier Server 2 Reauthentication State Machine State Initialize Console MANAGEMENT IP FILTER This section describes commands used to configure IP management access to the switch Table 74 Management IP Filter Commands Command Function Mode management ...

Page 774: ...alid address the switch will reject the connection enter an event message in the system log and send a trap message to the trap manager u IP address can be configured for SNMP web and Telnet access respectively Each of these groups can include up to five different sets of addresses either individual addresses or address ranges u When entering addresses for the same group i e SNMP web or Telnet the...

Page 775: ...resses for all groups http client Displays IP addresses for the web group snmp client Displays IP addresses for the SNMP group telnet client Displays IP addresses for the Telnet group COMMAND MODE Privileged Exec EXAMPLE Console show management all client Management IP Filter HTTP Client Start IP Address End IP Address 192 168 1 19 192 168 1 19 SNMP Client Start IP Address End IP Address 192 168 1...

Page 776: ...CHAPTER 29 Authentication Commands Management IP Filter 776 ...

Page 777: ...ty of execution for these filtering commands is Port Security Port Authentication Network Access Web Authentication Access Control Lists DHCP Snooping and then IP Source Guard Configures secure addresses for a port 802 1X Port Authentication Configures host authentication on specific ports using 802 1X Network Access Configures MAC authentication and dynamic VLAN assignment Web Authentication Conf...

Page 778: ...ally take action by disabling the port and sending a trap message mac learning This command enables MAC address learning on the selected interface Use the no form to disable MAC address learning SYNTAX no mac learning DEFAULT SETTING Enabled COMMAND MODE Interface Configuration Ethernet or Port Channel COMMAND USAGE u The no mac learning command immediately stops the switch from learning new MAC a...

Page 779: ...to restore the default settings for a response to security violation or for the maximum number of allowed addresses SYNTAX port security action shutdown trap trap and shutdown max mac count address count no port security action max mac count action Response to take when port security is violated shutdown Disable port only trap Issue SNMP trap message only trap and shutdown Issue SNMP trap message ...

Page 780: ...nd to disable port security and reset the maximum number of addresses to the default u You can also manually add secure addresses with the mac address table static command u A secure port has the following restrictions n Cannot be connected to a network interconnection device n Cannot be a trunk port u If a port is disabled due to a security violation it must be manually re enabled using the no sh...

Page 781: ...ss guest vlan Specifies the guest VLAN IC network access link detection Enables the link detection feature IC network access link detection link down Configures the link detection feature to detect and act upon link down events IC network access link detection link up Configures the link detection feature to detect and act upon link up events IC network access link detection link up down Configure...

Page 782: ...igured by the MAC Address Authentication process described in this section as well as to any secure MAC addresses authenticated by 802 1X regardless of the 802 1X Operation Mode Single Host Multi Host or MAC Based authentication as described on page 766 u The maximum number of secure MAC addresses supported for the switch system is 1024 EXAMPLE Console config if network access aging Console config...

Page 783: ...nfig network access mac filter 1 mac address 11 22 33 44 55 66 Console config mac authentication reauth time Use this command to set the time period after which a connected MAC address must be re authenticated Use the no form of this command to restore the default value SYNTAX mac authentication reauth time seconds no mac authentication reauth time seconds The reauthentication time period Range 12...

Page 784: ...ion for the port u When a user attempts to log into the network with a returned dynamic QoS profile that is different from users already logged on to the same port the user is denied access u While a port has an assigned dynamic QoS profile any manual QoS configuration changes only take effect after all users have logged off of the port NOTE Any configuration changes for dynamic QoS are not saved ...

Page 785: ...ng the VLANs have already been created on the switch GVRP is not used to create the VLANs u The VLAN settings specified by the first authenticated MAC address are implemented for a port Other authenticated MAC addresses on the port must have same VLAN configuration or they are treated as an authentication failure u If dynamic VLAN assignment is enabled on a port and the RADIUS server returns no VL...

Page 786: ...st VLAN must be defined and set as active See the vlan database command u When used with 802 1X authentication the intrusion action must be set for guest vlan to be effective see the dot1x intrusion action command EXAMPLE Console config interface ethernet 1 1 Console config if network access guest vlan 25 Console config if network access link detection Use this command to enable link detection for...

Page 787: ...disable the port DEFAULT SETTING Disabled COMMAND MODE Interface Configuration EXAMPLE Console config interface ethernet 1 1 Console config if network access link detection link down action trap Console config if network access link detection link up Use this command to detect link up events When detected the switch can shut down the port send an SNMP trap or both Use the no form of this command t...

Page 788: ...ponse to take when port security is violated shutdown Disable port only trap Issue SNMP trap message only trap and shutdown Issue SNMP trap message and disable the port DEFAULT SETTING Disabled COMMAND MODE Interface Configuration EXAMPLE Console config interface ethernet 1 1 Console config if network access link detection link up down action trap Console config if network access max mac count Use...

Page 789: ...enabled on a port the authentication process sends a Password Authentication Protocol PAP request to a configured RADIUS server The user name and password are both equal to the MAC address being authenticated u On the RADIUS server PAP user name and passwords must be configured in the MAC address format XX XX XX XX XX XX all in upper case u Authenticated MAC addresses are stored as dynamic entries...

Page 790: ...Type attribute set to 802 EXAMPLE Console config if network access mode mac authentication Console config if network access port mac filter Use this command to enable the specified MAC address filter Use the no form of this command to disable the specified MAC address filter SYNTAX network access port mac filter filter id no network access port mac filter filter id Specifies a MAC address filter t...

Page 791: ...ce Con figuration EXAMPLE Console config if mac authentication intrusion action block traffic Console config if mac authentication max mac count Use this command to set the maximum number of MAC addresses that can be authenticated on a port via MAC authentication Use the no form of this command to restore the default SYNTAX mac authentication max mac count count no mac authentication max mac count...

Page 792: ...t port unit Stack unit Range 1 8 port Port number Range 1 26 50 DEFAULT SETTING Displays the settings for all interfaces COMMAND MODE Privileged Exec EXAMPLE Console show network access interface ethernet 1 1 Global secure port information Reauthentication Time 1800 Port 1 1 MAC Authentication Disabled MAC Authentication Intrusion action Block traffic MAC Authentication Maximum MAC Counts 1024 Max...

Page 793: ... 1 8 port Port number Range 1 26 50 sort Sorts displayed entries by either MAC address or interface DEFAULT SETTING Displays all filters COMMAND MODE Privileged Exec COMMAND USAGE When using a bit mask to filter displayed MAC addresses a 1 means care and a 0 means don t care For example a MAC of 00 00 01 02 03 04 and mask FF FF FF 00 00 00 would result in all MACs in the range 00 00 01 00 00 00 to...

Page 794: ... perform DNS queries All other traffic except for HTTP protocol traffic is blocked The switch intercepts HTTP protocol traffic and redirects it to a switch generated web page that facilitates user name and password authentication via RADIUS Once authentication is successful the web browser is forwarded on to the originally requested web page Successful authentication is valid for all hosts connect...

Page 795: ...sole config web auth system auth control Enables web authentication globally for the switch GC web auth Enables web authentication for an interface IC web auth re authenticate Port Ends all web authentication sessions on the port and forces the users to re authenticate PE web auth re authenticate IP Ends the web authentication session associated with the designated IP address and forces the user t...

Page 796: ...D MODE Global Configuration EXAMPLE Console config web auth quiet period 120 Console config web auth session timeout This command defines the amount of time a web authentication session remains valid When the session timeout has been reached the host is logged off and must re authenticate itself the next time data transmission takes place Use the no form to restore the default SYNTAX web auth sess...

Page 797: ...h and web auth for an interface must be enabled for the web authentication feature to be active EXAMPLE Console config web auth system auth control Console config web auth This command enables web authentication for an interface Use the no form to restore the default SYNTAX no web auth DEFAULT SETTING Disabled COMMAND MODE Interface Configuration COMMAND USAGE Both web auth system auth control for...

Page 798: ...eged Exec EXAMPLE Console web auth re authenticate interface ethernet 1 2 Failed to reauth Console web auth re authenticate IP This command ends the web authentication session associated with the designated IP address and forces the user to re authenticate SYNTAX web auth re authenticate interface interface ip interface Specifies a port interface ethernet unit port unit This is unit 1 port Port nu...

Page 799: ...mpts 3 Console show web auth interface This command displays interface specific web authentication parameters and statistics SYNTAX show web auth interface interface interface Specifies a port interface ethernet unit port unit This is unit 1 port Port number Range 1 26 50 COMMAND MODE Privileged Exec EXAMPLE Console show web auth interface ethernet 1 2 Web Auth Status Enabled Host Summary IP addre...

Page 800: ...ction Mode ip dhcp snooping Enables DHCP snooping globally GC ip dhcp snooping database flash Writes all dynamically learned snooping entries to flash memory GC ip dhcp snooping information option Enables or disables DHCP Option 82 information relay GC ip dhcp snooping information policy Sets the information option policy for DHCP client packets that include Option 82 information GC ip dhcp snoopi...

Page 801: ...d based upon dynamic entries learned via DHCP snooping u Table entries are only learned for trusted interfaces Each entry includes a MAC address IP address lease time VLAN identifier and port identifier u When DHCP snooping is enabled the rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second Any DHCP packets in excess of this limit are dropped u F...

Page 802: ...to trusted ports in the same VLAN n If a DHCP packet is from server is received on a trusted port it will be forwarded to both trusted and untrusted ports in the same VLAN u If the DHCP snooping is globally disabled all dynamic bindings are removed from the binding table u Additional considerations when the switch itself is a DHCP client The port s through which the switch submits a client request...

Page 803: ...option DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE u DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server Known as DHCP Option 82 it allows compatible DHCP servers to use the information when assigning IP addresses or to set other services or policies for clients u When the DHCP Snooping Information Option is ...

Page 804: ...laying it keep Retains the Option 82 information in the client request and forwards the packets to trusted ports replace Replaces the Option 82 information circuit id and remote id fields in the client s request with information about the relay agent itself inserts the relay agent s address when DHCP snooping is enabled and forwards the packets to trusted ports DEFAULT SETTING replace COMMAND MODE...

Page 805: ...acket is dropped EXAMPLE This example enables MAC address verification Console config ip dhcp snooping verify mac address Console config RELATED COMMANDS ip dhcp snooping 801 ip dhcp snooping vlan 805 ip dhcp snooping trust 806 ip dhcp snooping vlan This command enables DHCP snooping on the specified VLAN Use the no form to restore the default setting SYNTAX no ip dhcp snooping vlan vlan id vlan i...

Page 806: ...ed Use the no form to restore the default setting SYNTAX no ip dhcp snooping trust DEFAULT SETTING All interfaces are untrusted COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE u A trusted interface is an interface that is configured to receive only messages from within the network An untrusted interface is an interface that is configured to receive messages from outside th...

Page 807: ...a client request to the DHCP server must be configured as trusted EXAMPLE This example sets port 5 to untrusted Console config interface ethernet 1 5 Console config if no ip dhcp snooping trust Console config if RELATED COMMANDS ip dhcp snooping 801 ip dhcp snooping vlan 805 clear ip dhcp snooping database flash This command removes all dynamically learned snooping entries from flash memory COMMAN...

Page 808: ...ble DHCP Snooping Information Policy replace DHCP Snooping is configured on the following VLANs 1 Verify Source Mac Address enable Interface Trusted Eth 1 1 No Eth 1 2 No Eth 1 3 No Eth 1 4 No Eth 1 5 Yes show ip dhcp snooping binding This command shows the DHCP snooping binding table entries COMMAND MODE Privileged Exec EXAMPLE Console show ip dhcp snooping binding MacAddress IpAddress Lease sec ...

Page 809: ...ress interface no ip source guard binding mac address vlan vlan id mac address A valid unicast MAC address vlan id ID of a configured VLAN Range 1 4093 ip address A valid unicast IP address including classful types A B or C interface Specifies a port interface ethernet unit port unit This is unit 1 port Port number Range 1 26 50 DEFAULT SETTING No configured entries Table 81 IP Source Guard Comman...

Page 810: ...ssed as follows n If there is no entry with same VLAN ID and MAC address a new entry is added to binding table using the type of static IP source guard binding n If there is an entry with same VLAN ID and MAC address and the type of entry is static IP source guard binding then the new entry will replace the old one n If there is an entry with same VLAN ID and MAC address and the type of the entry ...

Page 811: ... port Use the sip option to check the VLAN ID source IP address and port number against all entries in the binding table Use the sip mac option to check these same parameters plus the source MAC address Use the no ip source guard command to disable this function on the selected port u When enabled traffic is filtered based upon dynamic entries learned via DHCP snooping or static addresses configur...

Page 812: ...e guard if enabled on an interface for which IP source bindings dynamically learned via DHCP snooping or manually configured are not yet configured the switch will drop all IP traffic on that port except for DHCP packets n Only unicast addresses are accepted for static bindings EXAMPLE This example enables IP source guard on port 5 Console config interface ethernet 1 5 Console config if ip source ...

Page 813: ...binding 1 Console config if show ip source guard This command shows whether source guard is enabled or disabled on each interface COMMAND MODE Privileged Exec EXAMPLE Console show ip source guard Interface Filter type Max binding Eth 1 1 DISABLED 5 Eth 1 2 DISABLED 5 Eth 1 3 DISABLED 5 Eth 1 4 DISABLED 5 Eth 1 5 SIP 1 Eth 1 6 DISABLED 5 show ip source guard binding This command shows the source gu...

Page 814: ...r hosts with statically configured IP addresses This section describes commands used to configure ARP Inspection Table 82 ARP Inspection Commands Command Function Mode ip arp inspection Enables ARP Inspection globally on the switch GC ip arp inspection filter Specifies an ARP ACL to apply to one or more VLANs GC ip arp inspection log buffer logs Sets the maximum number of entries saved in a log me...

Page 815: ...ection is enabled u When ARP Inspection is disabled all ARP request and reply packets bypass the ARP Inspection engine and their manner of switching matches that of all other packets u Disabling and then re enabling global ARP Inspection will not affect the ARP Inspection configuration for any VLANs u When ARP Inspection is disabled globally it is still possible to configure ARP Inspection for ind...

Page 816: ...t checked DEFAULT SETTING ARP ACLs are not bound to any VLAN Static mode is not enabled COMMAND MODE Global Configuration COMMAND USAGE u ARP ACLs are configured with the commands described on page 331 u If static mode is enabled the switch compares ARP packets to the specified ARP ACLs Packets matching an IP to MAC address binding in a permit or deny rule are processed accordingly Packets not mat...

Page 817: ...gging is active for ARP Inspection and cannot be disabled u When the switch drops a packet it places an entry in the log buffer Each entry contains flow information such as the receiving VLAN the port number the source and destination IP addresses and the source and destination MAC addresses u If multiple identical invalid ARP packets are received consecutively on the same VLAN then the logging fa...

Page 818: ...le target IP addresses are checked only in ARP responses src mac Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body This check is performed on both ARP requests and responses When enabled packets with different MAC addresses are classified as invalid and are dropped DEFAULT SETTING No additional validation is performed COMMAND MODE Global Configurat...

Page 819: ...engine and their manner of switching matches that of all other packets u Disabling and then re enabling global ARP Inspection will not affect the ARP Inspection configuration for any VLANs u When ARP Inspection is disabled globally it is still possible to configure ARP Inspection for individual VLANs These configuration changes will only become active after ARP Inspection is globally enabled again...

Page 820: ...xempted from ARP Inspection Use the no form to restore the default setting SYNTAX no ip arp inspection trust DEFAULT SETTING Untrusted COMMAND MODE Interface Configuration Port COMMAND USAGE Packets arriving on untrusted ports are subject to any configured ARP Inspection and additional validation checks Packets arriving on trusted ports bypass all of these checks and are forwarded according to nor...

Page 821: ...nterface interface interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 COMMAND MODE Privileged Exec EXAMPLE Console show ip arp inspection interface ethernet 1 1 Port Number Trust Status Limit Rate pps Eth 1 1 trusted 150 Console show ip arp inspection log This command shows information about entries stored in the log including the associated VLAN port and address...

Page 822: ...MAC address 0 ARP packets dropped by additional validation destination MAC address 0 ARP packets dropped by additional validation IP address 0 ARP packets dropped by ARP ACLs 0 ARP packets dropped by DHCP snooping 0 Console show ip arp inspection vlan This command shows the configuration settings for VLANs including ARP Inspection status the ARP ACL name and if the DHCP Snooping database is used a...

Page 823: ...roup Function IPv4 ACLs Configures ACLs based on IPv4 addresses TCP UDP port number protocol type and TCP control code IPv6 ACLs Configures ACLs based on IPv6 addresses or DSCP traffic class MAC ACLs Configures ACLs based on hardware addresses packet format and Ethernet type ARP ACLs Configures ACLs based on ARP messages addresses ACL Information Displays ACLs and associated rules shows ACLs assig...

Page 824: ... more specific criteria acl name Name of the ACL Maximum length 16 characters no spaces or other special characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE u When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list u To remove a rule use the no permit or no deny command followed ...

Page 825: ...ne COMMAND MODE Standard IPv4 ACL COMMAND USAGE u New rules are appended to the end of the list u Address bit masks are similar to a subnet mask containing four integers from 0 to 255 each separated by a period The binary mask uses 1 bits to indicate match and 0 bits to indicate ignore The bitmask is bitwise ANDed with the specified source IP address and then compared with the address for each IP ...

Page 826: ...it deny tcp any source address bitmask host source any destination address bitmask host destination precedence precedence tos tos dscp dscp source port sport bitmask destination port dport port bitmask control flag control flags flag bitmask time range time range name no permit deny tcp any source address bitmask host source any destination address bitmask host destination precedence precedence to...

Page 827: ...s bitwise ANDed with the specified source IP address and then compared with the address for each IP packet entering the port s to which this ACL has been assigned u You can specify both Precedence and ToS in the same rule However if DSCP is used then neither Precedence nor ToS can be specified u The control code bitmask is a decimal number representing an equivalent bit mask that is applied to the...

Page 828: ...1 0 255 255 255 0 any destination port 80 Console config ext acl This permits all TCP packets from class C addresses 192 168 1 0 with the TCP control code set to SYN Console config ext acl permit tcp 192 168 1 0 255 255 255 0 any control flag 2 2 Console config ext acl RELATED COMMANDS access list ip 824 Time Range 689 ip access group This command binds an IPv4 ACL to a port Use the no form to rem...

Page 829: ...p access list 829 Time Range 689 show ip access group This command shows the ports assigned to IP ACLs COMMAND MODE Privileged Exec EXAMPLE Console show ip access group Interface ethernet 1 2 IP access list david in Console RELATED COMMANDS ip access group 828 show ip access list This command displays the rules for configured IPv4 ACLs SYNTAX show ip access list standard extended acl name standard...

Page 830: ...cess list ipv6 standard extended acl name standard Specifies an ACL that filters packets based on the source IP address extended Specifies an ACL that filters packets based on the destination IP address and other more specific criteria acl name Name of the ACL Maximum length 16 characters DEFAULT SETTING None Table 85 IPv4 ACL Commands Command Function Mode access list ipv6 Creates an IPv6 ACL and...

Page 831: ...tandard IPv6 ACL The rule sets a filter condition for packets emanating from the specified source Use the no form to remove a rule SYNTAX permit deny any host source ipv6 address source ipv6 address prefix length time range time range name no permit deny any host source ipv6 address source ipv6 address prefix length any Any source IP address host Keyword followed by a specific IP address source ip...

Page 832: ...rmit deny any destination ipv6 address prefix length dscp dscp flow label flow label next header next header time range time range name any Any IP address an abbreviation for the IPv6 prefix 0 destination ipv6 address An IPv6 destination address or network class The address must be formatted according to RFC 2373 IPv6 Addressing Architecture using 8 colon separated 16 bit hexadecimal values One do...

Page 833: ...l handling might be conveyed to the routers by a control protocol such as a resource reservation protocol or by information within the flow s packets themselves e g in a hop by hop option A flow is uniquely identified by the combination of a source address and a non zero flow label Packets that do not belong to a flow carry a flow label of zero Hosts or routers that do not support the functions sp...

Page 834: ...g ext ipv6 acl permit 2009 DB9 2229 79 48 flow label 43 Console config ext ipv6 acl RELATED COMMANDS access list ipv6 830 Time Range 689 show ipv6 access list This command displays the rules for configured IPv6 ACLs SYNTAX show ipv6 access list standard extended acl name standard Specifies a standard IPv6 ACL extended Specifies an extended IPv6 ACL acl name Name of the ACL Maximum length 16 charac...

Page 835: ... Interface Configuration Ethernet COMMAND USAGE u A port can only be bound to one ACL u If a port is already bound to an ACL and you bind it to a different ACL the switch will replace the old binding with the new one u IPv6 ACLs can only be applied to ingress packets EXAMPLE Console config interface ethernet 1 2 Console config if ipv6 access group standard david in Console config if RELATED COMMAN...

Page 836: ...l characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE u When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list u To remove a rule use the no permit or no deny command followed by the exact text of a previously configured rule u An ACL can contain up to 128 rules Table 86 MAC ACL...

Page 837: ... bitmask any host destination destination address bitmask vid vid vid bitmask ethertype protocol protocol bitmask NOTE The default is for Ethernet II packets permit deny tagged eth2 any host source source address bitmask any host destination destination address bitmask vid vid vid bitmask ethertype protocol protocol bitmask time range time range name no permit deny tagged eth2 any host source sour...

Page 838: ...estination destination address bitmask tagged eth2 Tagged Ethernet II packets untagged eth2 Untagged Ethernet II packets tagged 802 3 Tagged Ethernet 802 3 packets untagged 802 3 Untagged Ethernet 802 3 packets any Any MAC source or destination address host A specific MAC address source Source MAC address destination Destination MAC address range with bitmask address bitmask14 Bitmask for MAC addr...

Page 839: ...acl permit any host 00 17 7c 94 34 de ethertype 0800 Console config mac acl RELATED COMMANDS access list mac 836 Time Range 689 mac access group This command binds a MAC ACL to a port Use the no form to remove the port SYNTAX mac access group acl name in time range time range name acl name Name of the ACL Maximum length 16 characters in Indicates that this list applies to ingress packets time rang...

Page 840: ...leged Exec EXAMPLE Console show mac access group Interface ethernet 1 5 MAC access list M5 in Console RELATED COMMANDS mac access group 839 show mac access list This command displays the rules for configured MAC ACLs SYNTAX show mac access list acl name acl name Name of the ACL Maximum length 16 characters COMMAND MODE Privileged Exec EXAMPLE Console show mac access list MAC access list jerry perm...

Page 841: ...MAND MODE Global Configuration COMMAND USAGE u When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list To create an ACL you must add at least one rule to the list u To remove a rule use the no permit or no deny command followed by the exact text of a previously configured rule u An ACL can contain up to 96 ...

Page 842: ...response ip any host source ip source ip ip address bitmask any host destination ip destination ip ip address bitmask mac any host source mac source mac mac address bitmask any host destination mac destination mac mac address bitmask log source ip Source IP address destination ip Destination IP address with bitmask ip address bitmask15 IPv4 number representing the address bits to match source mac ...

Page 843: ... mac any any Console config mac acl RELATED COMMANDS access list arp 841 show arp access list This command displays the rules for configured ARP ACLs SYNTAX show arp access list acl name acl name Name of the ACL Maximum length 16 characters COMMAND MODE Privileged Exec EXAMPLE Console show arp access list ARP access list factory permit response ip any 192 168 0 0 255 255 0 0 mac any any Console RE...

Page 844: ...les COMMAND MODE Privileged Exec EXAMPLE Console show access list IP standard access list david permit host 10 1 1 21 permit 168 92 0 0 255 255 15 0 IP extended access list bob permit 10 7 1 1 255 255 255 0 any permit 192 168 1 0 255 255 255 0 any destination port 80 80 permit 192 168 1 0 255 255 255 0 any protocol tcp control code 2 2 MAC access list jerry permit any host 00 17 7c 94 34 de ethert...

Page 845: ... an interface IC speed duplex Configures the speed and duplex operation of a given interface when autonegotiation is disabled IC switchport packet rate Configures broadcast multicast and unknown unicast storm control thresholds IC clear counters Clears statistics on an interface PE show interfaces counters Displays statistics for the specified interfaces NE PE show interfaces status Displays statu...

Page 846: ...t Port number Range 1 26 50 port channel channel id Range 1 32 vlan vlan id Range 1 4093 DEFAULT SETTING None COMMAND MODE Global Configuration EXAMPLE To specify port 4 enter the following command Console config interface ethernet 1 4 Console config if alias This command configures an alias name for the interface Use the no form to remove the alias name SYNTAX alias string no alias string A mnemo...

Page 847: ...l 100full 100half 10full 10half flowcontrol symmetric 10000full Supports 10 Gbps full duplex operation 1000full Supports 1 Gbps full duplex operation 100full Supports 100 Mbps full duplex operation 100half Supports 100 Mbps half duplex operation 10full Supports 10 Mbps full duplex operation 10half Supports 10 Mbps half duplex operation flowcontrol Supports flow control symmetric Gigabit and 10 Gig...

Page 848: ...ig interface ethernet 1 5 Console config if capabilities 100half Console config if capabilities 100full Console config if capabilities flowcontrol Console config if RELATED COMMANDS negotiation 850 speed duplex 852 flowcontrol 849 description This command adds a description to an interface Use the no form to remove the description SYNTAX description string no description string Comment or a descri...

Page 849: ...buffers fill When enabled back pressure is used for half duplex operation and IEEE 802 3 2002 formally IEEE 802 3x for full duplex operation u To force flow control on or off with the flowcontrol or no flowcontrol command use the no negotiation command to disable auto negotiation on the selected interface u When using the negotiation command to enable auto negotiation the optimal settings will be ...

Page 850: ...nstalled sfp preferred auto Uses SFP port if both combination types are functioning and the SFP port has a valid link DEFAULT SETTING Ports 1 20 1 44 copper forced Ports 21 24 45 48 sfp preferred auto Ports 25 26 49 50 sfp preferred auto COMMAND MODE Interface Configuration Ethernet EXAMPLE This forces the switch to use the built in RJ 45 port for the combination port 25 Console config interface e...

Page 851: ...tion is disabled auto MDI MDI X pin signal configuration will also be disabled for the RJ 45 ports EXAMPLE The following example configures port 11 to use auto negotiation Console config interface ethernet 1 11 Console config if negotiation Console config if RELATED COMMANDS capabilities 847 speed duplex 852 shutdown This command disables an interface To restart a disabled interface use the no for...

Page 852: ...lt speed duplex setting is 100full on the 1000Base T ports 1000full on the 1000Base SFP ports and 10Gfull on the 10G ports u The speed duplex setting on the 10G ports is fixed at 10Gfull COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE u The 1000BASE T and 10GBASE T standard does not support forced mode Auto negotiation should always be used to establish a connection over a...

Page 853: ... Disabled Unknown Unicast Storm Control Disabled COMMAND MODE Interface Configuration Ethernet COMMAND USAGE u When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic packets exceeding the threshold are dropped until the rate falls back down beneath the threshold u Traffic storms can be controlled at the hardware level using this command or at the softwa...

Page 854: ... config if switchport broadcast packet rate 600 Console config if clear counters This command clears statistics on an interface SYNTAX clear counters interface interface ethernet unit port unit Stack unit Range 1 8 port Port number EC S4626F 1 26 EC S4650F 1 50 port channel channel id Range 1 32 DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Statistics are only initialized for a p...

Page 855: ...howing Port or Trunk Statistics on page 146 EXAMPLE Console show interfaces counters ethernet 1 17 Ethernet 1 1 IF table Stats 138550 Octets Input 820500 Octets Output 734 Unicast Input 932 Unicast Output 12 Discard Input 0 Discard Output 0 Error Input 0 Error Output 0 Unknown Protos Input 0 QLen Output Extended Iftable Stats 38 Multi cast Input 1342 Multi cast Output 210 Broadcast Input 2 Broadca...

Page 856: ... Output per seconds 0 Packets Output per second 0 00 Output Utilization Console show interfaces status This command displays the status for an interface SYNTAX show interfaces status interface interface ethernet unit port unit Stack unit Range 1 8 port Port number EC S4626F 1 26 EC S4650F 1 50 port channel channel id Range 1 32 vlan vlan id Range 1 4093 DEFAULT SETTING Shows the status for all int...

Page 857: ...0full Flow Control Type None Console show interfaces switchport This command displays the administrative and operational status of the specified interfaces SYNTAX show interfaces switchport interface interface ethernet unit port unit Stack unit Range 1 8 port Port number EC S4626F 1 26 EC S4650F 1 50 port channel channel id Range 1 32 DEFAULT SETTING Shows all interfaces COMMAND MODE Normal Exec P...

Page 858: ...id page 936 Ingress Rule Shows if ingress filtering is enabled or disabled page 935 Acceptable Frame Type Shows if acceptable VLAN frames include all types or tagged frames only page 933 Native VLAN Indicates the default Port VLAN ID page 937 Priority for Untagged Traffic Indicates the default priority for untagged frames page 971 GVRP Status Shows if GARP VLAN Registration Protocol is enabled or ...

Page 859: ...ivers This information allows administrators to remotely diagnose problems with optical devices EXAMPLE Console show interfaces transceiver ethernet 1 24 Information of Eth 1 22 Connector Type LC Fiber Type Single Mode SM Eth Compliance Codes 1000BASE LX Tx Central Wavelength 1310 nm Baud Rate 1300 MBd Vendor OUI 00 17 7C Vendor Name DIGISOL Vendor PN DG SA1133 Vendor Rev V1 0 Vendor SN AX10350010...

Page 860: ...40 meters long u The test takes approximately 5 seconds The switch displays the results of the test immediately upon completion including common cable failures as well as the status and approximate length of each cable pair u Potential conditions which may be listed by the diagnostics include n OK Correctly terminated pair n Open Open pair no link partner n Short Shorted pair n Not Supported This ...

Page 861: ...ck test packets from the specified interface are looped back into its internal PHY Outgoing data is looped back to the receiver without actually being transmitted Internal loopback makes it possible to check that an interface is working properly without having to make any network connections EXAMPLE Console test loop internal interface ethernet 1 1 Internal loopback test succeeded Console show cab...

Page 862: ...th 1 meters Pair D OK length 1 meters Last Update 0n 2009 10 21 15 08 20 Console show loop internal This command shows the results of a loop back test SYNTAX show loop internal interface interface interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 COMMAND MODE Privileged Exec EXAMPLE Console show loop internal interface ethernet 1 1 Port Test Result Last Update E...

Page 863: ...ating a loop u A trunk can have up to 8 ports u The ports at both ends of a connection must be configured as trunk ports u All ports in a trunk must be configured in an identical manner including communication mode i e speed and duplex mode VLAN assignments and CoS settings Table 91 Link Aggregation Commands Command Function Mode Manual Configuration Commands interface port channel Configures a tr...

Page 864: ... e it has the null value of 0 this key is set to the same value as the port admin key lacp admin key Ethernet Interface used by the interfaces that joined the group u However if the port channel admin key is set then the port admin key must be set to the same value for a port to be allowed to join a channel group u If a link goes down LACP port priority is used to select the backup link channel gr...

Page 865: ...assigned the next available port channel ID u If the target switch has also enabled LACP on the connected ports the trunk will be activated automatically u If more than eight ports attached to the same target switch have LACP enabled the additional ports will be placed in standby mode and will only be enabled if one of the active links fails EXAMPLE The following shows LACP enabled on ports 10 12 ...

Page 866: ...n aggregate link key The port admin key must be set to the same value for ports that belong to the same link aggregation group LAG Range 0 65535 DEFAULT SETTING 0 COMMAND MODE Interface Configuration Ethernet COMMAND USAGE u Ports are only allowed to join the same LAG if 1 the LACP system priority matches 2 the LACP port admin key matches and 3 the LACP port channel key matches if configured u If ...

Page 867: ...ation Ethernet COMMAND USAGE u Setting a lower value indicates a higher effective priority u If an active port link goes down the backup port with the highest priority is selected to replace the downed link However if two or more ports have the same LACP port priority the port with the lowest physical port number will be selected as the backup port u Once the remote side of a link has been establi...

Page 868: ...e switch s MAC address to form the LAG identifier This identifier is used to indicate a specific LAG during LACP negotiations with other systems u Once the remote side of a link has been established LACP operational settings are already in use on that side Configuring LACP settings for the partner only applies to its administrative state not its operational state and will only take effect the next...

Page 869: ... the interfaces that joined the group Note that when the LAG is no longer used the port channel admin key is reset to 0 EXAMPLE Console config interface port channel 1 Console config if lacp admin key 3 Console config if show lacp This command displays LACP information SYNTAX show lacp port channel counters internal neighbors sys id port channel Local identifier for a link aggregation group Range ...

Page 870: ...this channel group Marker Sent Number of valid Marker PDUs transmitted from this channel group Marker Received Number of valid Marker PDUs received by this channel group LACPDUs Unknown Pkts Number of frames received that either 1 Carry the Slow Protocols Ethernet Type value but contain an unknown PDU or 2 are addressed to the Slow Protocols group MAC Address but do not carry the Slow Protocols Et...

Page 871: ...ation u Collecting Collection of incoming frames on this link is enabled i e collection is currently enabled and is not expected to be disabled in the absence of administrative changes or changes in received protocol information u Synchronization The System considers this link to be IN_SYNC i e it has been allocated to the correct Link Aggregation Group the group has been associated with a compati...

Page 872: ...ssigned to this aggregation port by the partner Admin Key Current administrative value of the Key for the protocol partner Oper Key Current operational value of the Key for the protocol partner Admin State Administrative values of the partner s state parameters See preceding table Oper State Operational values of the partner s state parameters See preceding table Table 95 show lacp sysid display d...

Page 873: ...SYNTAX port monitor interface rx tx both no port monitor interface interface ethernet unit port source port unit Stack unit Range 1 8 port Port number Range 1 26 50 rx Mirror received packets tx Mirror transmitted packets both Mirror both received and transmitted packets DEFAULT SETTING u No mirror session is defined Table 96 Port Mirroring Commands Command Function Local Port Mirroring Mirrors da...

Page 874: ...itor command to specify the source of the traffic to mirror u When mirroring traffic from a port the mirror port and monitor port speeds should match otherwise traffic may be dropped from the monitor port u You can create multiple mirror sessions but all sessions must share the same destination port u Spanning Tree BPDU packets are not mirrored to the target port EXAMPLE The following example conf...

Page 875: ...ation port and mirror mode i e RX TX RX TX EXAMPLE The following shows mirroring configured from port 6 to port 11 Console config interface ethernet 1 11 Console config if port monitor ethernet 1 6 Console config if end Console show port monitor Port Mirroring Destination Port listen port Eth1 1 Source Port monitored port Eth1 6 Mode RX TX Console ...

Page 876: ...CHAPTER 34 Port Mirroring Commands Local Port Mirroring Commands 876 ...

Page 877: ...isabled SYNTAX rate limit input output rate no rate limit input output input Input rate for specified interface output Output rate for specified interface rate Maximum value in Mbps Range 64 1000000 kbps for Gigabit Ethernet ports 64 10000000 kbps for 10 Gigabit Ethernet ports DEFAULT SETTING 1000 Mbps COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE Using both rate limitin...

Page 878: ...ommand It is therefore not advisable to use both of these commands on the same interface EXAMPLE Console config interface ethernet 1 1 Console config if rate limit input 64 Console config if RELATED COMMAND show interfaces switchport 857 ...

Page 879: ...timer expires IC Port auto traffic control auto control release Automatically releases a control response IC Port auto traffic control control release Manually releases a control response PE SNMP Trap Commands snmp server enable port traps atc broadcast alarm clear Sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered IC Port snmp s...

Page 880: ...ls beneath the lower threshold after a storm control response has been triggered and the release timer expires IC Port ATC Display Commands show auto traffic control Shows global configuration settings for automatic storm control PE show auto traffic control interface Shows interface configuration settings and storm control status for the specified port PE Enabling automatic storm control on a por...

Page 881: ...e enable the port FUNCTIONAL LIMITATIONS Automatic storm control is a software level control function Traffic storms can also be controlled at the hardware level using the switchport packet rate command However only one of these control types can be applied to a port Enabling automatic storm control on a port will disable hardware level storm control on that port auto traffic control apply timer T...

Page 882: ...ts the time at which to release the control response after ingress traffic has fallen beneath the lower threshold Use the no form to restore the default setting SYNTAX auto traffic control broadcast multicast release timer seconds no auto traffic control broadcast multicast release timer broadcast Specifies automatic storm control for broadcast traffic multicast Specifies automatic storm control f...

Page 883: ...NG Disabled COMMAND MODE Interface Configuration Ethernet COMMAND USAGE u Automatic storm control can be enabled for either broadcast or multicast traffic It cannot be enabled for both of these traffic types at the same time u Automatic storm control is a software level control function Traffic storms can also be controlled at the hardware level using the switchport packet rate command However onl...

Page 884: ...nly be manually re enabled DEFAULT SETTING rate control COMMAND MODE Interface Configuration Ethernet COMMAND USAGE u When the upper threshold is exceeded and the apply timer expires a control response will be triggered based on this command u When the control response is set to rate limiting by this command the rate limits are determined by the auto traffic control alarm clear threshold command u...

Page 885: ... COMMAND MODE Interface Configuration Ethernet COMMAND USAGE u Once the traffic rate falls beneath the lower threshold a trap message may be sent if configured by the snmp server enable port traps atc broadcast alarm clear command or snmp server enable port traps atc multicast alarm clear command u If rate limiting has been configured as a control response it will discontinued after the traffic ra...

Page 886: ... the apply timer expires Range 1 255 kilo packets per second seconds DEFAULT SETTING 128 kilo packets per seconds COMMAND MODE Interface Configuration Ethernet COMMAND USAGE u Once the upper threshold is exceeded a trap message may be sent if configured by the snmp server enable port traps atc broadcast alarm fire command or snmp server enable port traps atc multicast alarm fire command u After th...

Page 887: ...sponse after the specified action has been triggered and the release timer has expired EXAMPLE Console config interface ethernet 1 1 Console config if auto traffic control broadcast auto control release Console config if auto traffic control control release This command manually releases a control response SYNTAX auto traffic control broadcast multicast control release broadcast Specifies automati...

Page 888: ...enable port traps atc broadcast alarm clear Console config if RELATED COMMANDS auto traffic control action 884 auto traffic control alarm clear threshold 885 snmp server enable port traps atc broadcast alarm fire This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control Use the no form to disable this trap SYNTAX no snmp server enable port traps atc b...

Page 889: ...OMMANDS auto traffic control alarm fire threshold 886 auto traffic control apply timer 881 snmp server enable port traps atc broadcast control release This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires Use the no form to disable this trap SYNTAX no snmp server enable port traps atc broad...

Page 890: ...enable port traps atc multicast alarm clear Console config if RELATED COMMANDS auto traffic control action 884 auto traffic control alarm clear threshold 885 snmp server enable port traps atc multicast alarm fire This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control Use the no form to disable this trap SYNTAX no snmp server enable port traps atc m...

Page 891: ...OMMANDS auto traffic control alarm fire threshold 886 auto traffic control apply timer 881 snmp server enable port traps atc multicast control release This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires Use the no form to disable this trap SYNTAX no snmp server enable port traps atc multi...

Page 892: ...and storm control status for the specified port SYNTAX show auto traffic control interface interface interface ethernet unit port unit Unit identifier Range 1 8 port Port number Range 1 28 COMMAND MODE Privileged Exec EXAMPLE Console show auto traffic control interface ethernet 1 1 Eth 1 1 Information Storm Control Broadcast Multicast State Disabled Disabled Action rate control rate control Auto R...

Page 893: ...00 seconds COMMAND MODE Global Configuration COMMAND USAGE The aging time is used to age out dynamically learned forwarding information Table 100 Address Table Commands Command Function Mode mac address table aging time Sets the aging time of the address table GC mac address table static Maps a static address to a port in a VLAN GC clear mac address table dynamic Removes any learned entries from t...

Page 894: ...witch is reset permanent Assignment is permanent DEFAULT SETTING No static addresses are defined The default mode is permanent COMMAND MODE Global Configuration COMMAND USAGE The static address for a host device can be assigned to a specific port within a specific VLAN Use this command to add static addresses to the MAC Address Table Static addresses have the following characteristics u Static add...

Page 895: ...mac address table dynamic Console show mac address table This command shows classes of entries in the bridge forwarding database SYNTAX show mac address table address mac address mask interface interface vlan vlan id sort address vlan interface mac address MAC address mask Bits to match in the address interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channe...

Page 896: ...ry bit 0 means to match a bit and 1 means to ignore a bit For example a mask of 00 00 00 00 00 00 means an exact match and a mask of FF FF FF FF FF FF means any u The maximum number of address entries is 16K EXAMPLE Console show mac address table Interface MAC Address VLAN Type Life Time Eth 1 1 00 17 7C 94 34 DE 1 Config Delete on Reset Eth 1 21 00 17 7C F8 D8 D9 1 Learn Delete on Timeout Console...

Page 897: ...T SETTING None COMMAND MODE Privileged Exec EXAMPLE Console show mac address table count Compute the number of MAC Address Maximum number of MAC Address which can be created in the system Total Number of MAC Address 16384 Number of Static MAC Address 1024 Current number of entries which have been created in the system Total Number of MAC Address 2 Number of Static MAC Address 1 Number of Dynamic M...

Page 898: ...CHAPTER 37 Address Table Commands 898 ...

Page 899: ...e same VLAN when global spanning tree is disabled GC spanning tree transmission limit Configures the transmission limit for RSTP MSTP GC max hops Configures the maximum number of hops allowed in the region before a BPDU is discarded MST mst priority Configures the priority of a spanning tree instance MST mst vlan Adds VLANs to a spanning tree instance MST name Configures the name for the multiple ...

Page 900: ...ce in the MST IC spanning tree mst port priority Configures the priority of an instance in the MST IC spanning tree port bpdu flooding Floods BPDUs to other ports when global spanning tree is disabled IC spanning tree port priority Configures the spanning tree priority of an interface IC spanning tree root guard Prevents a designated port from passing superior BPDUs IC spanning tree spanning disab...

Page 901: ...he maximum time in seconds the root device will wait before changing states i e discarding to learning to forwarding This delay is required because every device must receive information about topology changes before it starts to forward frames In addition each port needs time to listen for conflicting information that would make it return to the discarding state otherwise temporary data loops migh...

Page 902: ...conds Time in seconds Range 6 40 seconds The minimum value is the higher of 6 or 2 x hello time 1 The maximum value is the lower of 40 or 2 x forward time 1 DEFAULT SETTING 20 seconds COMMAND MODE Global Configuration COMMAND USAGE This command sets the maximum time in seconds a device can wait without receiving a configuration message before attempting to reconfigure All device ports except for d...

Page 903: ...vent network loops thus isolating group members When operating multiple VLANs we recommend selecting the MSTP option u Rapid Spanning Tree Protocol RSTP supports connections to either STP or RSTP nodes by monitoring the incoming protocol messages and dynamically adjusting the type of protocol messages the RSTP node transmits as described below n STP Mode If the switch receives an 802 1D BPDU after...

Page 904: ...ee Use the no form to restore the default SYNTAX spanning tree pathcost method long short no spanning tree pathcost method long Specifies 32 bit based values that range from 1 200 000 000 This method is based on the IEEE 802 1w Rapid Spanning Tree Protocol short Specifies 16 bit based values that range from 1 65535 This method is based on the IEEE 802 1 Spanning Tree Protocol DEFAULT SETTING Long ...

Page 905: ...selecting the root device root port and designated port The device with the highest priority i e lower numeric value becomes the STA root device However if all devices have the same priority the device with the lowest MAC address will then become the root device EXAMPLE Console config spanning tree priority 40000 Console config spanning tree mst configuration This command changes to Multiple Spann...

Page 906: ... receiving port s native VLAN i e as determined by port s PVID DEFAULT SETTING Floods to all other ports in the same VLAN COMMAND MODE Global Configuration COMMAND USAGE The spanning tree system bpdu flooding command has no effect if BPDU flooding is disabled on a port see the spanning tree port bpdu flooding command EXAMPLE Console config spanning tree system bpdu flooding Console config spanning...

Page 907: ... Range 1 40 DEFAULT SETTING 20 COMMAND MODE MST Configuration COMMAND USAGE An MSTI region is treated as a single node by the STP and RSTP protocols Therefore the message age for BPDUs inside an MSTI region is never changed However each spanning tree instance within a region and the internal spanning tree IST that connects these instances use a hop count to specify the maximum number of bridges th...

Page 908: ...ridge of the specified instance The device with the highest priority i e lowest numerical value becomes the MSTI root device However if all devices have the same priority the device with the lowest MAC address will then become the root device u You can set this switch to act as the MSTI root device by specifying a priority of 0 or as the MSTI alternate device by specifying a priority of 16384 EXAM...

Page 909: ...ever remember that you must configure all bridges within the same MSTI Region page 909 with the same set of instances and the same instance on each bridge with the same set of VLANs Also note that RSTP treats each MSTI region as a single node connecting all regions to the Common Spanning Tree EXAMPLE Console config mstp mst 1 vlan 2 5 Console config mstp name This command configures the name for t...

Page 910: ...OMMAND USAGE The MST region name page 909 and revision number are used to designate a unique MST region A bridge i e spanning tree compliant device such as this switch can only belong to one MST region And all bridges in the same region must be configured with the same MST instances EXAMPLE Console config mstp revision 1 Console config mstp RELATED COMMANDS name 909 spanning tree bpdu filter This ...

Page 911: ...g if spanning tree bpdu filter Console config if RELATED COMMANDS spanning tree edge port 913 spanning tree bpdu guard This command shuts down an edge port i e an interface set for fast forwarding if it receives a BPDU Use the no form to disable this feature SYNTAX no spanning tree bpdu guard DEFAULT SETTING Disabled COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE u An edg...

Page 912: ...ects the speed and duplex mode used on each port and configures the path cost according to the values shown below Path cost 0 is used to indicate auto configuration mode When the short path cost method is selected and the default path cost recommended by the IEEE 8021w standard exceeds 65 535 the default is set to 65 535 COMMAND MODE Interface Configuration Ethernet Port Channel 16 Use the spannin...

Page 913: ...OMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node Since end nodes cannot cause forwarding loops they can pass directly through to the spanning tree forwarding state Specifying Edge Ports provides quicker convergence for devices such as workstations or ...

Page 914: ... two or more bridges u When automatic detection is selected the switch derives the link type from the duplex mode A full duplex interface is considered a point to point link while a half duplex interface is assumed to be on a shared link u RSTP only works on point to point links between two bridges If you designate a port as a shared link RSTP is forbidden Since MSTP is an extension of RSTP this s...

Page 915: ...tection release mode auto Allows a port to automatically be released from the discarding state when the loopback state ends manual The port can only be released from the discarding state manually DEFAULT SETTING auto COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE u If the port is configured for automatic loopback release then the port will only be returned to the forwardi...

Page 916: ...ole config interface ethernet ethernet 1 5 Console config if spanning tree loopback detection trap spanning tree mst cost This command configures the path cost on a spanning instance in the Multiple Spanning Tree Use the no form to restore the default auto configuration mode SYNTAX spanning tree mst instance id cost cost no spanning tree mst instance id cost instance id Instance identifier of the ...

Page 917: ...nd higher values assigned to interfaces with slower media u Use the no spanning tree mst cost command to specify auto configuration mode u Path cost takes precedence over interface priority EXAMPLE Console config interface Ethernet 1 5 Console config if spanning tree mst 1 cost 50 Console config if RELATED COMMANDS spanning tree mst port priority 917 spanning tree mst port priority This command co...

Page 918: ... mst cost 916 spanning tree port bpdu flooding This command floods BPDUs to other ports when spanning tree is disabled globally or disabled on a specific port Use the no form to restore the default setting SYNTAX no spanning tree port bpdu flooding DEFAULT SETTING Enabled COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE u When enabled BPDUs are flooded to all other ports on...

Page 919: ...e port with the highest priority that is lowest value will be configured as an active link in the spanning tree u Where more than one port is assigned the highest priority the port with lowest numeric identifier will be enabled EXAMPLE Console config interface ethernet 1 5 Console config if spanning tree port priority 0 RELATED COMMANDS spanning tree cost 912 spanning tree root guard This command ...

Page 920: ...could also be used to form a border around part of the network where the root bridge is allowed u When spanning tree is initialized globally on the switch or on an interface the switch will wait for 20 seconds to ensure that the spanning tree has converged before enabling Root Guard EXAMPLE Console config interface ethernet ethernet 1 5 Console config if spanning tree edge port Console config if s...

Page 921: ...s EXAMPLE Console spanning tree loopback detection release ethernet 1 1 Console spanning tree protocol migration This command re checks the appropriate BPDU format to send on the selected interface SYNTAX spanning tree protocol migration interface interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 COMMAND MODE Privileged Exec CO...

Page 922: ...mand with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree CST and for every interface in the tree u Use the show spanning tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree CST u Use the show spanning tree mst instance id command to display the spanning tree configuration for an ins...

Page 923: ...ation Admin Status Enabled Role Disabled State Discarding External Admin Path Cost 0 Internal Admin Path Cost 0 External Oper Path Cost 100000 Internal Oper Path Cost 100000 Priority 128 Designated Cost 100000 Designated Port 128 1 Designated Root 32768 0 00177CF8D8C6 Designated Bridge 32768 0 123412341234 Fast Forwarding Disabled Forward Transitions 4 Admin Edge Port Disabled Oper Edge Port Disab...

Page 924: ...onfiguration This command shows the configuration of the multiple spanning tree COMMAND MODE Privileged Exec EXAMPLE Console show spanning tree mst configuration Mstp Configuration Information Configuration Name R D Revision Level 0 Instance VLANs 0 1 4093 Console ...

Page 925: ...erfaces Configures VLAN interface parameters including ingress and egress tagging mode ingress filtering PVID and GVRP Displaying VLAN Information Displays VLAN groups status port members and MAC addresses Configuring IEEE 802 1Q Tunneling Configures 802 1Q Tunneling QinQ Tunneling Configuring Port based Traffic Segmentation Configures traffic segmentation for different client sessions based on sp...

Page 926: ...D USAGE GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network This function should be enabled to permit automatic VLAN registration and to support VLANs which extend beyond the local switch EXAMPLE Console config bridge ext gvrp Console config Table 105 GVRP and Bridge Extension Commands Command Function Mode bridge ext gvrp Enab...

Page 927: ...u Group Address Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN The default values for the GARP timers are independent of the media access method or data rate These values should not be changed unless you are experiencing difficulties with GMRP or GVRP registration deregistration u Timer values are applied to GVRP ...

Page 928: ...G No VLANs are included in the forbidden list COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE u This command prevents a VLAN from being automatically added to the specified interface via GVRP u If a VLAN has been added to the set of allowed VLANs for an interface then you cannot add it to the set of forbidden VLANs for that same interface EXAMPLE The following example show...

Page 929: ...onsole show bridge ext Maximum Supported VLAN Numbers 4093 Maximum Supported VLAN ID 4093 Extended Multicast Filtering Services No Static Entry Individual Port Yes VLAN Learning IVL Configurable PVID Tagging Yes Local VLAN Capable No Traffic Classes Enabled Global GVRP Status Disabled GMRP Disabled Console show garp timer This command shows the GARP timers for the selected interface SYNTAX show ga...

Page 930: ...face interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 DEFAULT SETTING Shows both global and interface specific configuration COMMAND MODE Normal Exec Privileged Exec EXAMPLE Console show gvrp configuration ethernet 1 7 Eth 1 7 GVRP Configuration Disabled Console EDITING VLAN GROUPS Table 106 Commands for Editing VLAN Groups Co...

Page 931: ... you can display this file by entering the show running config command EXAMPLE Console config vlan database Console config vlan RELATED COMMANDS show vlan 939 vlan This command configures a VLAN Use the no form to restore the default settings or delete a VLAN SYNTAX vlan vlan id name vlan name media ethernet state active suspend no vlan vlan id name state vlan id VLAN ID specified as a single numb...

Page 932: ...NFIGURING VLAN INTERFACES Table 107 Commands for Configuring VLAN Interfaces Command Function Mode interface vlan Enters interface configuration mode for a specified VLAN GC switchport acceptable frame types Configures frame types to be accepted by an interface IC switchport allowed vlan Configures the VLANs associated with an interface IC switchport forbidden vlan Configures forbidden VLANs for a...

Page 933: ... configuration for the desired VLAN enter any Layer 3 configuration commands and save the configuration settings u To change a Layer 3 normal VLAN back to a Layer 2 VLAN use the no interface command EXAMPLE The following example shows how to set the interface configuration mode to VLAN 1 and then assign an IP address to the VLAN Console config interface vlan 1 Console config if ip address 192 168 ...

Page 934: ...e Use the no form to restore the default SYNTAX switchport allowed vlan add vlan list tagged untagged remove vlan list no switchport allowed vlan add vlan list List of VLAN identifiers to add remove vlan list List of VLAN identifiers to remove vlan list Separate nonconsecutive VLAN identifiers with a comma and no spaces use a hyphen to designate a range of IDs Do not enter leading zeros Range 1 40...

Page 935: ... and 6 to the allowed list as tagged VLANs for port 1 Console config interface ethernet 1 1 Console config if switchport allowed vlan add 1 2 5 6 tagged Console config if switchport ingress filtering This command enables ingress filtering for an interface Use the no form to restore the default SYNTAX no switchport ingress filtering DEFAULT SETTING Disabled COMMAND MODE Interface Configuration Ethe...

Page 936: ...t as an end point for a VLAN trunk A trunk is a direct link between two switches so the port transmits tagged frames that identify the source VLAN Note that frames belonging to the port s default VLAN i e associated with the PVID are also transmitted as tagged frames private vlan For an explanation of this command see the switchport mode private vlan command DEFAULT SETTING All ports are in hybrid...

Page 937: ...d to VLAN 1 as an untagged member For all other VLANs an interface must first be configured as an untagged member before you can assign its PVID to that group u If acceptable frame types is set to all or switchport mode is set to hybrid the PVID will be inserted into all untagged frames entering the ingress port EXAMPLE The following example shows how to set the PVID for port 1 to VLAN 3 Console c...

Page 938: ...e unknown to those switches to pass through their VLAN trunking ports u VLAN trunking is mutually exclusive with the access switchport mode see the switchport mode command If VLAN trunking is enabled on an interface then that interface cannot be set to access mode and vice versa u To prevent loops from forming in the spanning tree all unknown VLANs will be bound to a single instance either STP RST...

Page 939: ... Options community primary DEFAULT SETTING Shows all VLANs COMMAND MODE Normal Exec Privileged Exec EXAMPLE The following example shows how to display information for VLAN 1 Console show vlan id 1 VLAN ID 1 Type Static Name DefaultVlan Status Active Ports Port Channels Eth1 1 S Eth1 2 S Eth1 3 S Eth1 4 S Eth1 5 S Eth1 6 S Eth1 7 S Eth1 8 S Eth1 9 S Eth1 10 S Eth1 11 S Eth1 12 S Eth1 13 S Eth1 14 S...

Page 940: ...ess mode switchport dot1q tunnel mode 4 Set the Tag Protocol Identifier TPID value of the tunnel access port This step is required if the attached client is using a nonstandard 2 byte ethertype to identify 802 1Q tagged frames The standard ethertype value is 0x8100 See switchport dot1q tunnel tpid 5 Configure the QinQ tunnel access port to join the SPVLAN as an untagged member switchport allowed v...

Page 941: ...ocol is enabled be aware that a tunnel access or tunnel uplink port may be disabled if the spanning tree structure is automatically reconfigured to overcome a break in the tree It is therefore advisable to disable spanning tree on these ports dot1q tunnel system tunnel control This command sets the switch to operate in QinQ mode Use the no form to disable QinQ operating mode SYNTAX no dot1q tunnel...

Page 942: ...ontrol command before the switchport dot1q tunnel mode interface command can take effect u When a tunnel uplink port receives a packet from a customer the customer tag regardless of whether there are one or more tag layers is retained in the inner tag and the service provider s tag added to the outer tag u When a tunnel uplink port receives a packet from the service provider the outer service prov...

Page 943: ...e default VID of the edge router s ingress port This process is performed in a transparent manner as described under IEEE 802 1Q Tunneling on page 189 u When priority bits are found in the inner tag these are also copied to the outer tag This allows the service provider to differentiate service based on the indicated priority and appropriate methods of queue management at intermediate nodes across...

Page 944: ...0 ingress vlan translation Inject double tagged frame SVID 101 CVID 10 to Port 2 then Port 1 exits single tagged frame VID 10 switching 3 Port 1 switchport dot1q tunnel service 101 match cvid 10 remove ctag Inject tagged frame VID 10 to Port 1 then Port 2 exits single tagged frame SVID 101 ingress vlan translation Inject single tagged frame SVID 101 to Port 2 then Port 1 exits single tagged frame ...

Page 945: ... upon as untagged frames and assigned to the native VLAN of that port u All ports on the switch will be set to the same ethertype EXAMPLE Console config interface ethernet 1 1 Console config if switchport dot1q tunnel tpid 9100 Console config if RELATED COMMANDS show interfaces switchport 857 show dot1q tunnel This command displays information about QinQ tunnel ports SYNTAX show dot1q tunnel inter...

Page 946: ...LATED COMMANDS switchport dot1q tunnel mode 942 CONFIGURING PORT BASED TRAFFIC SEGMENTATION If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider port based traffic segmentation can be used to isolate traffic for individual clients traffic segmentation This command enables traffic segment...

Page 947: ...n the same switch Traffic may pass freely between uplink ports in segmented groups and ports in normal VLANs u Enter the traffic segmentation command without any parameters to enable traffic segmentation Then set the interface members for segmented groups u Enter no traffic segmentation to disable traffic segmentation and clear the configuration settings for segmented groups EXAMPLE This example e...

Page 948: ...ANs can be associated with each primary VLAN Note that private VLANs and normal VLANs can exist simultaneously within the same switch This section describes commands used to configure private VLANs To configure private VLANs follow these steps 1 Use the private vlan command to designate one or more community VLANs and the primary VLAN that will channel traffic outside of the community groups 2 Use...

Page 949: ...D of private VLAN Range 1 4093 no leading zeroes community A VLAN in which traffic is restricted to host members in the same VLAN and to promiscuous ports in the associate primary VLAN primary A VLAN which can contain one or more community VLANs and serves to channel traffic between community VLANs and other locations DEFAULT SETTING None COMMAND MODE VLAN Configuration COMMAND USAGE u Private VLA...

Page 950: ... secondary vlan id ID of secondary i e community VLAN Range 1 4093 no leading zeroes DEFAULT SETTING None COMMAND MODE VLAN Configuration COMMAND USAGE Secondary VLANs provide security for group members The associated primary VLAN provides a common interface for access to other network resources within the primary VLAN e g servers configured with promiscuous ports and to resources outside of the p...

Page 951: ...g interface ethernet 1 3 Console config if switchport mode private vlan host Console config if switchport private vlan host association Use this command to associate an interface with a secondary VLAN Use the no form to remove this association SYNTAX switchport private vlan host association secondary vlan id no switchport private vlan host association secondary vlan id ID of secondary i e communit...

Page 952: ...o a primary VLAN can communicate with any other promiscuous ports in the same VLAN and with the group members within any associated secondary VLANs EXAMPLE Console config interface ethernet 1 2 Console config if switchport private vlan mapping 2 Console config if show vlan private vlan Use this command to show the private VLAN configuration settings on this switch SYNTAX show vlan private vlan com...

Page 953: ...d on the protocol type in use by the inbound packets To configure protocol based VLANs follow these steps 1 First configure VLAN groups for the protocols you want to use page 931 Although not mandatory we suggest configuring a separate VLAN for each major protocol running on your network Do not add port members at this time 2 Create a protocol group for each of the protocols you want to assign to ...

Page 954: ...MMAND MODE Global Configuration EXAMPLE The following creates protocol group 1 and specifies Ethernet frames with IP and ARP protocol types Console config protocol vlan protocol group 1 add frame type ethernet protocol type ip Console config protocol vlan protocol group 1 add frame type ethernet protocol type arp Console config protocol vlan protocol group Configuring Interfaces This command maps ...

Page 955: ...frames n If the frame is untagged and the protocol type matches the frame is forwarded to the appropriate VLAN n If the frame is untagged but the protocol type does not match the frame is forwarded to the default VLAN for this interface EXAMPLE The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 2 Console config interface eth...

Page 956: ... for the selected interfaces SYNTAX show interfaces protocol vlan protocol group interface interface ethernet unit port unit Stack unit Range 1 8 port Port number ES3526MA 1 26 ES4524MA 1 24 port channel channel id Range 1 12 DEFAULT SETTING The mapping for all interfaces is displayed COMMAND MODE Privileged Exec EXAMPLE This shows that traffic entering Port 1 that matches the specifications for p...

Page 957: ...sk vlan vlan id priority priority no subnet vlan subnet ip address mask all ip address The IP address that defines the subnet Valid IP addresses consist of four decimal numbers 0 to 255 separated by periods mask This mask identifies the host address bits of the IP subnet vlan id VLAN to which matching IP subnet traffic is forwarded Range 1 4093 priority The priority assigned to untagged ingress tr...

Page 958: ...224 vlan 4 Console config show subnet vlan This command displays IP Subnet VLAN assignments COMMAND MODE Privileged Exec COMMAND USAGE u Use this command to display subnet to VLAN mappings u The last matched entry is used if more than one entry can be matched EXAMPLE The following example displays all configured IP subnet based VLANs Console show subnet vlan IP Address Mask VLAN ID Priority 192 16...

Page 959: ...emove an assignment SYNTAX mac vlan mac address mac address vlan vlan id priority priority no mac vlan mac address mac address all mac address The source MAC address to be matched Configured MAC addresses can only be unicast addresses The MAC address must be specified in the format xx xx xx xx xx xx or xxxxxxxxxxxx vlan id VLAN to which the matching source MAC address traffic is forwarded Range 1 ...

Page 960: ...Address VLAN ID Priority 00 00 00 11 22 33 10 0 Console CONFIGURING VOICE VLANS The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic VoIP traffic can be detected on switch ports by using the source MAC address of packets or by using LLDP IEEE 802 1AB to discover connected VoIP devices When VoIP traffic is detected on a configured port the switch...

Page 961: ...on switch ports by using the source MAC address of packets or by using LLDP IEEE 802 1AB to discover connected VoIP devices When VoIP traffic is detected on a configured port the switch automatically assigns the port as a tagged member of the Voice VLAN u Only one Voice VLAN is supported and it must already be created on the switch before it can be specified as the Voice VLAN u The Voice VLAN ID c...

Page 962: ...igures the Voice VLAN aging time as 3000 minutes Console config voice vlan aging 3000 Console config voice vlan mac address This command specifies MAC address ranges to add to the OUI Telephony list Use the no form to remove an entry from the list SYNTAX voice vlan mac address mac address mask mask address description description no voice vlan mac address mac address mask mask address mac address ...

Page 963: ...UI Telephony list Console config voice vlan mac address 00 12 34 56 78 90 mask ff ff ff 00 00 00 description A new phone Console config switchport voice vlan This command specifies the Voice VLAN mode for ports Use the no form to disable the Voice VLAN feature on the port SYNTAX switchport voice vlan manual auto no switchport voice vlan manual The Voice VLAN feature is enabled on the port but the ...

Page 964: ...OMMAND USAGE Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN The priority of any received VoIP packet is overwritten with the new priority when the Voice VLAN feature is active for the port EXAMPLE The following example sets the CoS priority to 5 on port 1 Console config interface ethernet 1 1 Console config if switchport voice vlan priority 5 Console config if switchp...

Page 965: ...cting VoIP traffic Console config interface ethernet 1 1 Console config if switchport voice vlan rule oui Console config if switchport voice vlan security This command enables security filtering for VoIP traffic on a port Use the no form to disable filtering on a port SYNTAX no switchport voice vlan security DEFAULT SETTING Disabled COMMAND MODE Interface Configuration COMMAND USAGE u Security fil...

Page 966: ...status Global Voice VLAN Status Voice VLAN Status Enabled Voice VLAN ID 1234 Voice VLAN aging time 1440 minutes Voice VLAN Port Summary Port Mode Security Rule Priority Remaining Age minutes Eth 1 1 Auto Enabled OUI 6 100 Eth 1 2 Disabled Disabled OUI 6 NA Eth 1 3 Manual Enabled OUI 5 100 Eth 1 4 Auto Enabled OUI 6 100 Eth 1 5 Disabled Disabled OUI 6 NA Eth 1 6 Disabled Disabled OUI 6 NA Eth 1 7 D...

Page 967: ...Function Priority Commands Layer 2 Configures the queue mode queue weights and default priority for untagged frames Priority Commands Layer 3 and 4 Maps TCP ports IP precedence tags or IP DSCP tags to class of service values Table 117 Priority Commands Layer 2 Command Function Mode queue cos map Assigns class of service values to the priority queues IC queue mode Sets the queue mode to strict prio...

Page 968: ...euing for each port Eight separate traffic classes are defined in IEEE 802 1p The default priority levels are assigned according to recommendations in the IEEE 802 1p standard as shown below COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE u CoS values assigned at the ingress port are also used at the egress port u This command sets the CoS priority for all interfaces EXAMP...

Page 969: ... Round Robin for the rest of the queues queue type list Indicates if the queue is a normal or strict type Options 0 indicates a normal queue 1 indicates a strict queue DEFAULT SETTING Weighted Round Robin COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE u The switch can be set to service the port queues based on strict priority WRR or a combination of strict and weighted qu...

Page 970: ... queue mode strict Console config if RELATED COMMANDS queue weight 970 show queue mode 972 queue weight This command assigns weights to the eight class of service CoS priority queues when using weighted queuing or one of the queuing modes that use a combination of strict and weighted queuing Use the no form to restore the default weights SYNTAX queue weight weight0 weight7 no queue weight weight0 ...

Page 971: ...r priority mapping is IP Port IP Precedence or IP DSCP and then default switchport priority u The default priority applies for an untagged frame received on a port set to accept all frame types i e receives both untagged and tagged frames This priority does not apply to IEEE 802 1Q VLAN tagged frames If the incoming frame is an IEEE 802 1Q VLAN tagged frame the IEEE 802 1p User Priority bits will ...

Page 972: ...e priority map SYNTAX show queue cos map interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console show queue cos map ethernet 1 1 Information of Eth 1 1 CoS Value 0 1 2 3 4 5 6 7 Priority Queue 2 0 1 3 4 5 6 7 Console show queue mode This command shows the current queue...

Page 973: ...e show queue weight This command displays the weights used for the weighted queues SYNTAX show queue mode interface interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 COMMAND MODE Privileged Exec EXAMPLE Console show queue weight ethernet 1 1 Information of Eth 1 1 Queue ID Weight 0 1 1 2 2 4 3 6 4 8 5 10 6 12 7 14 Console ...

Page 974: ... IP DSCP cannot both be enabled Enabling one of these priority types will automatically disable the other type EXAMPLE The following example shows how to enable IP DSCP mapping globally Console config map ip dscp Console config Table 119 Priority Commands Layer 3 and 4 Command Function Mode map ip dscp Enables IP DSCP class of service mapping GC map ip port Enables TCP UDP class of service mapping...

Page 975: ...rt priority EXAMPLE The following example shows how to enable TCP UDP port mapping globally Console config map ip port Console config map ip precedence Global Configuration This command enables IP precedence mapping i e IP Type of Service Use the no form to disable IP precedence mapping SYNTAX no map ip precedence DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE u The prece...

Page 976: ...TTING The DSCP default values are defined in the following table Note that all the DSCP values that are not specified are mapped to CoS value 0 COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE u The precedence for priority mapping is IP Port IP Precedence or IP DSCP and default switchport priority u DSCP priority values are mapped to default Class of Service values accordin...

Page 977: ...os value no map ip port port number port number 16 bit TCP UDP port number Range 0 65535 cos value Class of Service value Range 0 7 DEFAULT SETTING None COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE u The precedence for priority mapping is IP Port IP Precedence or IP DSCP and default switchport priority u Up to 8 entries can be specified for IP Port priority mapping u Th...

Page 978: ...on Ethernet Port Channel COMMAND USAGE u The precedence for priority mapping is IP Port IP Precedence or IP DSCP and default switchport priority u IP Precedence values are mapped to default Class of Service values on a one to one basis according to recommendations in the IEEE 802 1p standard and then subsequently mapped to the eight hardware priority queues u This command sets the IP Precedence fo...

Page 979: ... 1 32 DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console show map ip dscp ethernet 1 1 DSCP mapping status Disabled Port DSCP CoS Eth 1 1 0 0 Eth 1 1 1 0 Eth 1 1 2 0 Eth 1 1 3 0 Eth 1 1 61 0 Eth 1 1 62 0 Eth 1 1 63 0 Console show map ip port This command shows the IP port priority map SYNTAX show map ip port interface interface ethernet unit port unit Stack unit Range 1 8 port Port ...

Page 980: ...recedence This command shows the IP precedence priority map SYNTAX show map ip precedence interface interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 COMMAND MODE Privileged Exec EXAMPLE Console show map ip precedence ethernet 1 5 Precedence mapping status Disabled Port Precedence CoS Eth 1 5 0 0 Eth 1 5 1 1 Eth 1 5 2 2 Eth 1 5...

Page 981: ...c classification for the policy to act on PM rename Redefines the name of a policy map PM police flow Defines an enforcer for classified traffic based on a metered flow rate PM C police srtcm color Defines an enforcer for classified traffic based on a single rate three color meter PM C police trtcm color Defines an enforcer for classified traffic based on a two rate three color meter PM C set Clas...

Page 982: ... class maps 5 Use the set command to modify the CoS value in the VLAN tag or the priority bits in the IP header for the matching traffic class and use one of the police commands to monitor parameters such as the average flow and burst rate and drop any traffic that exceeds the specified rate or just reduce the DSCP service level for traffic exceeding the specified rate 6 Use the service policy com...

Page 983: ...class maps may be added to the policy map nor any changes made to the assigned class maps with the match or set commands EXAMPLE This example creates a class map call rd class and sets it to match packets marked for DSCP service value 3 Console config class map rd class match any Console config cmap match ip dscp 3 Console config cmap RELATED COMMANDS show class map 995 description This command sp...

Page 984: ...p command to designate a class map and enter the Class Map configuration mode Then use match commands to specify the fields within ingress packets that must match to qualify for this class map u If an ingress packet matches an ACL specified by this command any deny rules included in the ACL will be ignored u If match criteria includes an IP ACL or IP priority rule then a VLAN rule cannot be includ...

Page 985: ...config cmap rename This command redefines the name of a class map or policy map SYNTAX rename map name map name Name of the class map or policy map Range 1 16 characters COMMAND MODE Class Map Configuration Policy Map Configuration EXAMPLE Console config class map rd class 1 Console config cmap rename rd class 9 Console config cmap policy map This command creates a policy map that can be attached ...

Page 986: ... response to drop any violating packets Console config policy map rd policy Console config pmap class rd class Console config pmap c set ip dscp 3 Console config pmap c police flow 10000 4000 conform action transmit violate action drop Console config pmap c class This command defines a traffic classification upon which a policy can act and enters Policy Map Class configuration mode Use the no form...

Page 987: ...violate action drop Console config pmap c police flow This command defines an enforcer for classified traffic based on the metered flow rate Use the no form to remove a policer SYNTAX no police flow committed rate committed burst violate action drop new dscp committed rate Committed information rate CIR in kilobits per second Range 64 1000000 kbps at a granularity of 64 kbps or maximum port speed ...

Page 988: ...token count Tc 0 BC Thereafter the token count Tc is updated CIR times per second as follows n If Tc is less than BC Tc is incremented by one else n Tc is not incremented When a packet of size B bytes arrives at time t the following happens n If Tc t B 0 the packet is green and Tc is decremented by B down to the minimum value of 0 else n else the packet is red and Tc is not decremented EXAMPLE Thi...

Page 989: ... 1600000 at a granularity of 4k bytes exceed action Action to take when rate exceeds the CIR and BC but is within the BE There are enough tokens in bucket BE to service the packet the packet is set yellow violate action Action to take when rate exceeds the BE There are not enough tokens in bucket BE to service the packet the packet is set red transmit Transmits without taking any action drop Drops...

Page 990: ...nted by one else n neither Tc nor Te is incremented When a packet of size B bytes arrives at time t the following happens if srTCM is configured to operate in color blind mode n If Tc t B 0 the packet is green and Tc is decremented by B down to the minimum value of 0 else n if Te t B 0 the packets is yellow and Te is decremented by B down to the minimum value of 0 n else the packet is red and neit...

Page 991: ...or meter in color blind mode trtcm color aware Two rate three color meter in color aware mode committed rate Committed information rate CIR in kilobits per second Range 64 1000000 kbps at a granularity of 64 kbps or maximum port speed whichever is lower committed burst Committed burst size BC in bytes Range 4000 16000000 at a granularity of 4k bytes peak rate Peak information rate PIR in kilobits ...

Page 992: ...meter operates in one of two modes In the color blind mode the meter assumes that the packet stream is uncolored In color aware mode the meter assumes that some preceding entity has pre colored the incoming packet stream so that each packet is either green yellow or red The marker re colors an IP packet according to the results of the meter The color is coded in the DS field RFC 2474 of the packet...

Page 993: ...ackets will receive and then uses the police trtcm color blind command to limit the average bandwidth to 100 000 Kbps the committed burst rate to 4000 bytes the peak information rate to 1 000 000 kbps the peak burst size to 6000 to remark any packets exceeding the committed burst size and to drop any packets exceeding the peak information rate Console config policy map rd policy Console config pma...

Page 994: ...t rate to 4000 bytes and configure the response to drop any violating packets Console config policy map rd policy Console config pmap class rd class Console config pmap c set cos 3 Console config pmap c police flow 10000 4000 conform action transmit violate action drop Console config pmap c service policy This command applies a policy map defined by the policy map command to the ingress side of a ...

Page 995: ...lass map This command displays the QoS class maps which define matching criteria used for classifying traffic SYNTAX show class map class map name class map name Name of the class map Range 1 32 characters DEFAULT SETTING Displays all class maps COMMAND MODE Privileged Exec EXAMPLE Console show class map Class Map match any rd class 1 Description Match ip dscp 10 Match access list rd access Match ...

Page 996: ...haracters DEFAULT SETTING Displays all policy maps and all classes COMMAND MODE Privileged Exec EXAMPLE Console show policy map Policy Map rd policy Description class rd class set cos 3 Console show policy map rd policy class rd class Policy Map rd policy class rd class set cos 3 Console show policy map interface This command displays the service policy assigned to the specified interface SYNTAX s...

Page 997: ...CHAPTER 41 Quality of Service Commands 997 EXAMPLE Console show policy map interface 1 5 input Service policy rd policy Console ...

Page 998: ...CHAPTER 41 Quality of Service Commands 998 ...

Page 999: ... service and group members Static Multicast Routing Configures static multicast router ports which forward all inbound multicast traffic to the attached VLANs IGMP Filtering and Throttling Configures IGMP filtering and throttling Multicast VLAN Registration Configures a single network wide multicast VLAN shared by hosts residing in other standard or private VLAN groups preserving security and data...

Page 1000: ...on Configures the IGMP version for snooping GC ip igmp snooping version exclusive Discards received IGMP messages which use a version different to that currently configured GC ip igmp snooping vlan general query suppression Suppresses general queries except for ports attached to downstream multicast hosts GC ip igmp snooping vlan immediate leave Immediately deletes a member port of a multicast ser...

Page 1001: ...per VLAN interface but the interface settings will not take effect until snooping is re enabled globally EXAMPLE The following example enables IGMP snooping globally Console config ip igmp snooping Console config ip igmp snooping vlan version Configures the IGMP version for snooping GC ip igmp snooping vlan version exclusive Discards received IGMP messages which use a version different to that cur...

Page 1002: ...ms IGMP Snooping with Proxy Reporting as defined in DSL Forum TR 101 April 2006 including report suppression last leave and query suppression Report suppression intercepts absorbs and summarizes IGMP reports coming from downstream hosts Last leave sends out a proxy query when the last member leaves a multicast group and query suppression means that neither specific queries nor general queries are ...

Page 1003: ...SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE As described in Section 9 1 of RFC 3376 for IGMP Version 3 the Router Alert Option can be used to protect against DOS attacks One common method of attack is launched by an intruder who takes over the role of querier and starts overloading multicast hosts by sending a large number of group and source specific queries each with a large...

Page 1004: ... flood This command enables flooding of multicast traffic if a spanning tree topology change notification TCN occurs Use the no form to disable flooding SYNTAX no ip igmp snooping tcn flood DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE u When a spanning tree topology change occurs the multicast membership information learned by the switch may be out of date For example a...

Page 1005: ...e root bridge sends a proxy query to quickly re learn the host membership port relations for multicast channels The root bridge also sends an unsolicited Multicast Router Discover MRD request to quickly locate the multicast routers in this VLAN The proxy query and unsolicited MRD request are flooded to all VLAN ports except for the receiving port when the switch receives such packets EXAMPLE The f...

Page 1006: ... ip igmp snooping tcn query solicit Console config ip igmp snooping unregistered data flood This command floods unregistered multicast traffic into the attached VLAN Use the no form to drop unregistered multicast traffic SYNTAX no ip igmp snooping unregistered data flood DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE Once the table used to store multicast entries for IGMP...

Page 1007: ... Configuration COMMAND USAGE u When a new upstream interface that is uplink port starts up the switch sends unsolicited reports for all currently learned multicast channels out through the new upstream interface u This command only applies when proxy reporting is enabled see page 1002 EXAMPLE Console config ip igmp snooping unsolicited report interval 5 Console config ip igmp snooping version This...

Page 1008: ...exclusive This command discards any received IGMP messages except for multicast protocol packets which use a version different to that currently configured by the ip igmp snooping version command Use the no form to disable this feature SYNTAX ip igmp snooping vlan vlan id version exclusive no ip igmp snooping version exclusive vlan id VLAN ID Range 1 4093 DEFAULT SETTING Global Disabled VLAN Disab...

Page 1009: ...sages are forwarded only to downstream ports which have joined a multicast service EXAMPLE Console config ip igmp snooping vlan 1 general query suppression Console config ip igmp snooping vlan immediate leave This command immediately deletes a member port of a multicast service if a leave packet is received at that port and immediate leave is enabled for the parent VLAN Use the no form to restore ...

Page 1010: ...immediate leave Console config ip igmp snooping vlan last memb query count This command configures the number of IGMP proxy group specific or group and source specific query messages that are sent out before the system assumes there are no more local members Use the no form to restore the default SYNTAX ip igmp snooping vlan vlan id last memb query count count no ip igmp snooping vlan vlan id last...

Page 1011: ...ved by the switch it checks to see if this host is the last to leave the group by sending out an IGMP group specific or group and source specific query message and starts a timer If no reports are received before the timer expires the group record is deleted and a report is sent to the upstream multicast router u A reduced value will result in reduced time to detect the loss of the last member of ...

Page 1012: ...c timer as a part of a router s start up procedure during the restart of a multicast forwarding interface and on receipt of a solicitation message When the multicast services provided to a VLAN is relatively stable the use of solicitation messages is not required and may be disabled using the no ip igmp snooping vlan mrd command u This command may also be used to disable multicast router solicitat...

Page 1013: ...placed with any valid unicast address other than the router s own address using this command EXAMPLE The following example sets the source address for proxied IGMP query messages to 10 0 1 8 Console config ip igmp snooping vlan 1 proxy address 10 0 1 8 Console config ip igmp snooping vlan query interval This command configures the interval between sending IGMP general queries Use the no form to re...

Page 1014: ...l queries Use the no form to restore the default SYNTAX ip igmp snooping vlan vlan id query resp intvl interval no ip igmp snooping vlan vlan id query resp intvl vlan id VLAN ID Range 1 4093 interval The maximum time the system waits for a response to general queries Range 10 31744 tenths of a second DEFAULT SETTING 100 10 seconds COMMAND MODE Global Configuration COMMAND USAGE u This command appl...

Page 1015: ...AND USAGE u Static multicast entries are never aged out u When a multicast entry is assigned to an interface in a specific VLAN the corresponding traffic can only be forwarded to ports within that VLAN EXAMPLE The following shows how to statically configure a multicast group on a port Console config ip igmp snooping vlan 1 static 224 0 0 12 ethernet 1 5 Console config show ip igmp snooping This co...

Page 1016: ...ing global status Disabled Immediate leave Disabled Last member query interval 10 1 10s Last member query count 2 General query suppression Disabled Query interval 125 Query response interval 100 1 10s Proxy query address 0 0 0 0 Proxy reporting Using global status Disabled Multicast Router Discovery Enabled show ip igmp snooping group This command shows known multicast group source and host port ...

Page 1017: ...ommand shows known multicast addresses SYNTAX show mac address table multicast vlan vlan id user igmp snp user igmp snooping vlan id VLAN ID 1 to 4093 user Display only the user configured multicast entries igmp snooping Display only entries learned through IGMP snooping DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Member types displayed include IGMP or USER depending on selecte...

Page 1018: ...atic multicast router ports are configured COMMAND MODE Global Configuration COMMAND USAGE Depending on your network connections IGMP snooping may not always be able to locate the IGMP querier Therefore if the IGMP querier is a known multicast router or switch connected over the network to an interface port or trunk on this switch that interface can be manually configured to join all the current m...

Page 1019: ... In certain switch applications the administrator may want to control the multicast services that are available to end users For example an IP TV service based on a specific subscription plan The IGMP filtering feature fulfills this requirement by restricting access to specified multicast services on a switch port and IGMP throttling limits the number of simultaneous multicast groups a port can jo...

Page 1020: ... denied the IGMP join report is dropped u IGMP filtering and throttling only applies to dynamically learned multicast groups it does not apply to statically configured groups u The IGMP filtering feature operates in the same manner when MVR is used to forward multicast traffic EXAMPLE Console config ip igmp filter Console config ip igmp max groups action Sets the IGMP throttling action for an inte...

Page 1021: ...o many interfaces but only one profile can be assigned to one interface Each profile has only one access mode either permit or deny EXAMPLE Console config ip igmp profile 19 Console config igmp profile permit deny This command sets the access mode for an IGMP filter profile Use the no form to delete a profile number SYNTAX permit deny DEFAULT SETTING Deny COMMAND MODE IGMP Profile Configuration CO...

Page 1022: ...oup range DEFAULT SETTING None COMMAND MODE IGMP Profile Configuration COMMAND USAGE Enter this command multiple times to specify more than one multicast address or address range for a profile EXAMPLE Console config ip igmp profile 19 Console config igmp profile range 239 1 1 1 Console config igmp profile range 239 2 3 1 239 2 3 100 Console config igmp profile ip igmp filter Interface Configuratio...

Page 1023: ...gmp max groups number no ip igmp max groups number The maximum number of multicast groups an interface can join at the same time Range 0 64 DEFAULT SETTING 64 COMMAND MODE Interface Configuration Ethernet COMMAND USAGE u IGMP throttling sets a maximum number of multicast groups that a port can join at the same time When the maximum number of groups is reached on a port the switch can take one of t...

Page 1024: ...e action is set to deny any new IGMP join reports will be dropped If the action is set to replace the switch randomly removes an existing group and replaces it with the new multicast group EXAMPLE Console config interface ethernet 1 1 Console config if ip igmp max groups action replace Console config if ip igmp query drop This command drops any received IGMP query packets Use the no form to restor...

Page 1025: ...ommand can be used to stop multicast services from being forwarded to users attached to the downstream port i e the interfaces specified by this command EXAMPLE Console config interface ethernet 1 1 Console config if ip multicast data drop Console config if show ip igmp filter This command displays the global and interface settings for IGMP filtering SYNTAX show ip igmp filter interface interface ...

Page 1026: ... 2 3 1 239 2 3 100 Console show ip igmp profile This command displays IGMP filtering profiles created on the switch SYNTAX show ip igmp profile profile number profile number An existing IGMP filter profile number Range 1 4294967295 DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console show ip igmp profile IGMP Profile 19 IGMP Profile 50 Console show ip igmp profile 19 IGMP Profile 19 D...

Page 1027: ...1 32 DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Using this command without specifying an interface displays all interfaces EXAMPLE Console show ip igmp query drop interface ethernet 1 1 Ethernet 1 1 Enabled Console show ip igmp throttle interface This command displays the interface settings for IGMP throttling SYNTAX show ip igmp throttle interface interface interface ethernet...

Page 1028: ...le show ip multicast data drop This command shows if the specified interface is configured to drop multicast data packets SYNTAX show ip igmp throttle interface interface interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Using this command without specifying an int...

Page 1029: ...ic address or range of addresses Or use the no form with the vlan keyword to restore the default MVR VLAN SYNTAX no mvr group ip address count vlan vlan id group Defines a multicast service sent to all attached subscribers ip address IP address for an MVR multicast group Range 224 0 1 0 239 255 255 255 count The number of contiguous MVR group addresses Range 1 255 vlan Specifies the VLAN through w...

Page 1030: ... within the reserved IP multicast address range of 224 0 0 x u MVR source ports can be configured as members of the MVR VLAN using the switchport allowed vlan command and switchport native vlan command but MVR receiver ports should not be statically configured as members of this VLAN u IGMP snooping must be enabled to a allow a subscriber to dynamically join or leave an MVR group see the ip igmp s...

Page 1031: ...lticast stream as soon as it receives a leave message for that group Use the no form to restore the default settings SYNTAX no mvr immediate DEFAULT SETTING Disabled COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE u Immediate leave applies only to receiver ports When enabled the receiver port is immediately removed from the multicast group identified in the leave message W...

Page 1032: ...el COMMAND USAGE u A port which is not configured as an MVR receiver or source port can use IGMP snooping to join or leave multicast groups using the standard rules for multicast filtering u Receiver ports can belong to different VLANs but should not be configured as a member of the MVR VLAN IGMP snooping can be used to allow a receiver port to dynamically join or leave multicast groups sourced th...

Page 1033: ... to which the specified multicast traffic is flooded Range 1 4093 group Defines a multicast service sent to the selected port ip address Statically configures an interface to receive multicast traffic from the IP address specified for an MVR multicast group Range 224 0 1 0 239 255 255 255 DEFAULT SETTING No receiver port is a member of any configured multicast group COMMAND MODE Interface Configur...

Page 1034: ...et unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 ip address IP address for an MVR multicast group Range 224 0 1 0 239 255 255 255 DEFAULT SETTING Displays global configuration settings for MVR when no keywords are used COMMAND MODE Privileged Exec COMMAND USAGE Enter this command without any keywords to display the global settings for MVR Use...

Page 1035: ... in the MVR environment are satisfied Running status is true as long as MVR Status is enabled and the specified MVR VLAN exists MVR Multicast VLAN Shows the VLAN used to transport all MVR multicast traffic MVR Current Groups The current number of MVR group addresses MVR Max Supported Groups The maximum number of supported MVR group addresses MVR Upstream Source IP The source IP address assigned to...

Page 1036: ...lticast services provided through the MVR VLAN Also shows the VLAN through which the service is received Note that this may be different from the MVR VLAN if the group address has been statically assigned Table 131 IGMP Commands Layer 3 Command Function Mode ip igmp Enables IGMP for the specified interface IC ip igmp last member query interval Configures the frequency at which to send query messag...

Page 1037: ... 100 resolution in 0 1 sec Last Member Query Interval 10 resolution in 0 1 sec Querier 0 0 0 0 Joined Groups Static Groups Console RELATED COMMANDS ip igmp snooping 1001 show ip igmp snooping 1015 ip igmp last member query interval This command configures the frequency at which to send IGMP group specific or IGMPv3 group source specific query messages in response to receiving a group specific or g...

Page 1038: ...to restore the default SYNTAX ip igmp max resp interval seconds no ip igmp max resp interval seconds The report delay advertised in IGMP queries Range 0 255 tenths of a second DEFAULT SETTING 100 10 seconds COMMAND MODE Interface Configuration VLAN COMMAND USAGE u IGMPv1 does not support a configurable maximum response time for query messages It is fixed at 10 seconds for IGMPv1 u By varying the M...

Page 1039: ...s send host query messages to determine the interfaces that are connected to downstream hosts requesting a specific multicast service Only the designated multicast router for a subnet sends host query messages which are addressed to the multicast address 224 0 0 1 and uses a time to live TTL value of 1 u For IGMP Version 1 the designated router is elected according to the multicast routing protoco...

Page 1040: ...zero indicating that the QRV field does not contain a declared robustness value the switch will set the robustness variable to the value statically configured by this command If the QRV exceeds 7 the maximum value of the QRV field the robustness value is set to zero meaning that this device will not advertise a QRV in any query messages it subsequently sends EXAMPLE Console config if ip igmp robus...

Page 1041: ...lticast group will also fail if the next node up the reverse path tree has enabled the PIM SSM protocol u If a static group is configured for an any source multicast G a source address cannot subsequently be defined for this group without first deleting the entry u If a static group is configured for one or more source specific multicasts S G an any source multicast G cannot subsequently be define...

Page 1042: ...the IGMP versions 1 3 u If the switch receives an IGMP Version 1 Membership Report it sets a timer to note that there are Version 1 hosts which are members of the group for which it heard the report If there are Version 1 hosts present for a particular group the switch will ignore any Leave Group messages that it receives for that group EXAMPLE Console config if ip igmp version 1 Console config if...

Page 1043: ...lticast group address interface vlan vlan id VLAN ID Range 1 4093 detail Displays detailed information about the multicast process and source addresses when available COMMAND MODE Privileged Exec COMMAND USAGE To display information about multicast groups IGMP must first be enabled on the interface to which a group has been assigned using the ip igmp command and multicast routing must be enabled g...

Page 1044: ...s multicast group address on this interface Uptime The time elapsed since this entry was created Expire The time remaining before this entry will be aged out The default is 260 seconds This field displays stopped if the Group Mode is INCLUDE V1 Timer The time remaining until the switch assumes that there are no longer any IGMP Version 1 members on the IP subnet attached to this interface u If the ...

Page 1045: ...sted in the source list parameter In EXCLUDE mode reception of packets sent to the given multicast address is requested from all IP source addresses except for those listed in the source list parameter and where the source timer status has expired Note that EXCLUDE mode does not apply to SSM addresses Last Reporter The IP address of the source of the last membership report received for this multic...

Page 1046: ... Use the ip igmp proxy unsolicited report interval command to indicate how often the system will send unsolicited reports to the upstream router ip igmp proxy This command enables IGMP proxy service for multicast routing forwarding IGMP membership information monitored on downstream interfaces onto the upstream interface in a summarized report Use the no form to disable proxy service SYNTAX no ip ...

Page 1047: ...work then the proxy device will act as an IGMPv1 or IGMPv2 host on the upstream interface accordingly Otherwise it will act as an IGMPv3 host u Multicast routing protocols are not supported on interfaces where IGMP proxy service is enabled u Only one upstream interface is supported on the system u A maximum of 1024 multicast streams are supported EXAMPLE The following example enables multicast rou...

Page 1048: ...ING Disabled Table 135 MLD Commands Layer 3 Command Function Mode ipv6 mld Enables MLD for the specified interface IC ipv6 mld last member query response interval Configures the frequency at which to send query messages in response to receiving a leave message IC ipv6 mld max resp interval Configures the maximum host response time IC ipv6 mld query interval Configures frequency for sending host qu...

Page 1049: ...val This command configures the frequency at which to send MLD group specific or MLDv2 group source specific query messages in response to receiving a group specific or group source specific leave message from the last known active host on the subnet Use the no form to restore the default setting SYNTAX ipv6 mld last member query response interval seconds no ipv6 mld last member query response int...

Page 1050: ...s no ipv6 mld max resp interval seconds The report delay advertised in MLD queries Range 0 255 tenths of a second DEFAULT SETTING 100 10 seconds COMMAND MODE Interface Configuration VLAN COMMAND USAGE u By varying the Maximum Response Interval the burstiness of MLD messages passed on the subnet can be tuned where larger values make the traffic less bursty as host responses are spread out over a la...

Page 1051: ...ulticast service Only the designated multicast router for a subnet sends host query messages which are addressed to the link scope all nodes multicast address FF02 1 and uses a time to live TTL value of 1 u The designated querier is the lowest IP addressed multicast router on the subnet EXAMPLE The following shows how to configure the query interval to 100 seconds Console config if ipv6 mld query ...

Page 1052: ...sends EXAMPLE Console config if ipv6 mld robustval 3 Console config if ipv6 mld static group This command statically binds multicast groups to a VLAN interface Use the no form to remove the static mapping SYNTAX ipv6 mld static group group address source source address no ipv6 mld static group group address source source address group address IPv6 multicast group address Note that link local scope...

Page 1053: ... on an interface Use the no form of this command to restore the default setting SYNTAX ipv6 mld version 1 2 no ipv6 mld version 1 MLD Version 1 2 MLD Version 2 DEFAULT SETTING MLD Version 2 COMMAND MODE Interface Configuration VLAN COMMAND USAGE u MLDv1 is derived from IGMPv2 and MLDv2 from IGMPv3 IGMP uses IP Protocol 2 message types and MLD uses IP Protocol 58 message types which is a subset of ...

Page 1054: ...for the specified group Enter the interface option to delete all multicast groups for the specified interface Enter no options to clear all multicast groups from the cache EXAMPLE The following example clears all multicast group entries for VLAN 1 Console clear ipv6 mld interface vlan 1 Console show ipv6 mld groups This command displays information on multicast groups active on the switch and lear...

Page 1055: ...tly attached or downstream from the switch Interface VLAN The interface on the switch that has received traffic directed to the multicast group address Uptime The time elapsed since this entry was created Expire The time remaining before this entry will be aged out The default is 260 seconds This field displays stopped if the Group Mode is INCLUDE Group Mode In Include mode reception of packets se...

Page 1056: ...r for active multicast services on this interface Console show ipv6 mld interface vlan 1 Vlan 1 Up MLD Enabled MLD Version 2 MLD Proxy Disabled MLD Unsolicited report interval 400 sec Robustness variable 2 Query Interval 125 sec Query Max Response Time 10 Last Member Query Interval 1 Querier FE80 200 E8FF FE93 82A0 Joined Groups Static Groups FFEE 101 Console Source Address The address of one of t...

Page 1057: ... proxy This command enables MLD proxy service for multicast routing forwarding MLD membership information monitored on downstream interfaces onto the upstream interface in a summarized report Use the no form to disable proxy service SYNTAX no ipv6 mld proxy DEFAULT SETTING Disabled COMMAND MODE Interface Configuration VLAN COMMAND USAGE u When MLD proxy is enabled on an interface that interface is...

Page 1058: ...d on interfaces where MLD proxy service is enabled u Only one upstream interface is supported on the system u MLD and MLD proxy cannot be enabled on the same interface u A maximum of 1024 multicast streams are supported EXAMPLE The following example enables multicast routing globally on the switch configures VLAN 2 as a downstream interface and then VLAN 1 as the upstream interface Console config ...

Page 1059: ...port interval only applies to the interface where MLD proxy has been enabled u MLD and MLD proxy cannot be enabled on the same interface EXAMPLE The following example sets the interval for sending unsolicited MLD reports to 5 seconds Console config interface vlan Console config if ip igmp proxy unsolicited report interval 5 Console config ...

Page 1060: ...CHAPTER 42 Multicast Filtering Commands MLD Proxy Routing 1060 ...

Page 1061: ...ing to re initialize after LLDP ports are disabled or the link goes down GC lldp tx delay Configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables GC lldp admin status Enables LLDP transmit receive or transmit and receive mode on the specified port IC lldp basic tlv management ip address Configures an LLDP enabled port to advertise ...

Page 1062: ...tion capabilities IC lldp dot3 tlv mac phy Configures an LLDP enabled port to advertise its MAC and physical layer specifications IC lldp dot3 tlv max frame Configures an LLDP enabled port to advertise its maximum frame size IC lldp notification Enables the transmission of SNMP trap notifications about LLDP changes IC show lldp config Shows LLDP configuration settings for all ports PE show lldp in...

Page 1063: ...s no lldp notification interval seconds Specifies the periodic interval at which SNMP notifications are sent Range 5 3600 seconds DEFAULT SETTING 5 seconds COMMAND MODE Global Configuration COMMAND USAGE u This parameter only applies to SNMP applications which use data stored in the LLDP MIB for network monitoring or management u Information about changes in LLDP neighbors that occur between SNMP ...

Page 1064: ...he following rule refresh interval holdtime multiplier 65536 EXAMPLE Console config lldp refresh interval 60 Console config lldp reinit delay This command configures the delay before attempting to re initialize after LLDP ports are disabled or the link goes down Use the no form to restore the default setting SYNTAX lldp reinit delay seconds no lldp reinit delay seconds Specifies the delay before a...

Page 1065: ...event a series of successive LLDP transmissions during a short period of rapid changes in local LLDP MIB objects and to increase the probability that multiple rather than single changes are reported in each transmission u This attribute must comply with the following rule 4 tx delay refresh interval EXAMPLE Console config lldp tx delay 10 Console config lldp admin status This command enables LLDP ...

Page 1066: ...port sending this advertisement u The management address TLV may also include information about the specific interface associated with this address and an object identifier indicating the type of hardware component or protocol entity associated with this address The interface number and OID are included to assist SNMP applications to perform network discovery by indicating enterprise specific or o...

Page 1067: ...ludes information about the manufacturer the product name and the version of the interface hardware software EXAMPLE Console config interface ethernet 1 1 Console config if lldp basic tlv port description Console config if lldp basic tlv system capabilities This command configures an LLDP enabled port to advertise its system capabilities Use the no form to disable this feature SYNTAX no lldp basic...

Page 1068: ...n RFC 3418 which includes the full name and version identification of the system s hardware type software operating system and networking software EXAMPLE Console config interface ethernet 1 1 Console config if lldp basic tlv system description Console config if lldp basic tlv system name This command configures an LLDP enabled port to advertise the system name Use the no form to disable this feat...

Page 1069: ...ises the protocols that are accessible through this interface EXAMPLE Console config interface ethernet 1 1 Console config if no lldp dot1 tlv proto ident Console config if lldp dot1 tlv proto vid This command configures an LLDP enabled port to advertise port related VLAN information Use the no form to disable this feature SYNTAX no lldp dot1 tlv proto vid DEFAULT SETTING Enabled COMMAND MODE Inte...

Page 1070: ...ith which untagged or priority tagged frames are associated see the switchport native vlan command EXAMPLE Console config interface ethernet 1 1 Console config if no lldp dot1 tlv pvid Console config if lldp dot1 tlv vlan name This command configures an LLDP enabled port to advertise its VLAN name Use the no form to disable this feature SYNTAX no lldp dot1 tlv vlan name DEFAULT SETTING Enabled COM...

Page 1071: ...status of the link and the 802 3 aggregated port identifier if this interface is currently a link aggregation member EXAMPLE Console config interface ethernet 1 1 Console config if no lldp dot3 tlv link agg Console config if lldp dot3 tlv mac phy This command configures an LLDP enabled port to advertise its MAC and physical layer capabilities Use the no form to disable this feature SYNTAX no lldp ...

Page 1072: ...size for this switch EXAMPLE Console config interface ethernet 1 1 Console config if lldp dot3 tlv max frame Console config if lldp notification This command enables the transmission of SNMP trap notifications about LLDP changes Use the no form to disable LLDP notifications SYNTAX no lldp notification DEFAULT SETTING Enabled COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE ...

Page 1073: ...e ethernet 1 1 Console config if lldp notification Console config if show lldp config This command shows LLDP configuration settings for all ports SYNTAX show lldp config detail interface detail Shows configuration summary interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 COMMAND MODE Privileged Exec EXAMPLE Console show lldp c...

Page 1074: ...x frame Console show lldp info local device This command shows LLDP global and interface specific configuration settings for this device SYNTAX show lldp info local device detail interface detail Shows configuration summary interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 COMMAND MODE Privileged Exec EXAMPLE Console show lldp ...

Page 1075: ...thernet Port on unit 1 port 1 Console show lldp info remote device This command shows LLDP global and interface specific configuration settings for remote devices attached to an LLDP enabled port SYNTAX show lldp info remote device detail interface detail Shows configuration summary interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range ...

Page 1076: ...k Aggregation Remote link aggregation capable Yes Remote link aggregation enable No Remote link aggregation port id 0 Remote Max Frame Size 1518 Console show lldp info statistics This command shows statistics based on traffic received through all attached LLDP enabled interfaces SYNTAX show lldp info statistics detail interface detail Shows configuration summary interface ethernet unit port unit S...

Page 1077: ... 10 11 0 Eth 1 2 0 0 0 Eth 1 3 0 0 0 Eth 1 4 0 0 0 Eth 1 5 0 0 0 Console show lldp info statistics detail ethernet 1 1 LLDP Port Statistics Detail PortName Eth 1 1 Frames Discarded 0 Frames Invalid 0 Frames Received 12 Frames Sent 13 TLVs Unrecognized 0 TLVs Discarded 0 Neighbor Ageouts 0 Console ...

Page 1078: ...CHAPTER 43 LLDP Commands 1078 ...

Page 1079: ...name Name of the host Do not include the initial dot that separates the host name from the domain name Range 1 68 characters DEFAULT SETTING None Table 139 Address Table Commands Command Function Mode ip domain list Defines a list of default domain names for incomplete host names GC ip domain lookup Enables DNS based host name to address translation GC ip domain name Defines a default domain name ...

Page 1080: ...st the default domain name is not used EXAMPLE This example adds two domain names to the current list and then displays the list Console config ip domain list sample com jp Console config ip domain list sample com uk Console config end Console show dns Domain Lookup Status DNS disabled Default Domain Name sample com Domain Name List sample com jp sample com uk Name Server List Console RELATED COMM...

Page 1081: ...1081 ip name server 1083 ip domain name This command defines the default domain name appended to incomplete host names i e host names passed from a client that are not formatted with dotted notation Use the no form to remove the current domain name SYNTAX ip domain name name no ip domain name name Name of the host Do not include the initial dot that separates the host name from the domain name Ran...

Page 1082: ... ip host name address name Name of an IPv4 host Range 1 100 characters address Corresponding IPv4 address DEFAULT SETTING No static entries COMMAND MODE Global Configuration COMMAND USAGE Use the no ip host command to clear static entries or the clear host command to clear dynamic entries EXAMPLE This example maps an IPv4 address to a host name Console config ip host rd5 192 168 1 55 Console confi...

Page 1083: ... servers DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE The listed name servers are queried in the specified sequence until a response is received or the end of the list is reached with no response EXAMPLE This example adds two domain name servers to the list and then displays the list Console config ip name server 192 168 1 55 10 1 0 55 Console config end Console show dns Do...

Page 1084: ... values One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields DEFAULT SETTING No static entries COMMAND MODE Global Configuration EXAMPLE This example maps an IPv6 address to a host name Console config ipv6 host rd6 2001 0db8 1 12 Console config end Console show hosts No Flag Type IP Address TTL Domain 0 2 Address 192 168 1 55...

Page 1085: ...ar host command to clear dynamic entries or the no ip host command to clear static entries EXAMPLE This example clears all static entries from the DNS table Console config clear host Console config show dns This command displays the configuration of the DNS service COMMAND MODE Privileged Exec EXAMPLE Console show dns Domain Lookup Status DNS enabled Default Domain Name sample com Domain Name List...

Page 1086: ...nsole show hosts No Flag Type IP Address TTL Domain 0 2 Address 192 168 1 55 rd5 1 2 Address 2001 DB8 1 12 rd6 3 4 Address 209 131 36 158 65 www real wa1 b yahoo com 4 4 CNAME POINTER TO 3 65 www yahoo com 5 4 CNAME POINTER TO 3 65 www wa1 b yahoo com Console Table 140 show dns cache display description Field Description No The entry number for each resource record Flag The flag is always 4 indica...

Page 1087: ... stored in the cache Type This field includes Address which specifies the primary name for the owner and CNAME which specifies multiple domain names or aliases which are mapped to the same IP address as an existing entry IP Address The IP address associated with this record TTL The time to live reported by the name server This field is always blank for static entries Domain The domain name associa...

Page 1088: ...CHAPTER 44 Domain Name Service Commands 1088 ...

Page 1089: ...h s VLAN interfaces to dynamically acquire IP address information Table 142 DHCP Commands Command Group Function DHCP Client Allows interfaces to dynamically acquire IPv4 address information DHCP Relay Relays DHCP requests from local hosts to a remote DHCP server DHCP Server Configures DHCP service using address pools or static bindings Table 143 DHCP Client Commands Command Function Mode DHCP for...

Page 1090: ...switch to the DHCP server which then uses this information to decide on how to service the client or the type of information to return u The general framework for this DHCP option is set out in RFC 2132 Option 60 This information is used to convey configuration settings or other identification information about a client but the specific string to use should be supplied by your service provider or ...

Page 1091: ...strative Up Link Up Address is 12 34 12 34 12 34 bia 12 34 12 34 12 34 Index 1001 MTU 1500 Bandwidth 1g Address Mode is DHCP IP Address 192 168 0 9 Mask 255 255 255 0 Proxy ARP is disabled Console RELATED COMMANDS ip address 1118 ipv6 dhcp client rapid commit vlan This command specifies the Rapid Commit option for DHCPv6 message exchange for all DHCPv6 client requests submitted from the specified ...

Page 1092: ...ces attached to the switch ip dhcp relay server This command specifies the addresses of DHCP servers to be used by the switch s DHCP relay agent Use the no form to clear all addresses SYNTAX ip dhcp relay server address1 address2 address3 no ip dhcp relay server address IP address of DHCP server Range 1 3 addresses DEFAULT SETTING None COMMAND MODE Interface Configuration VLAN USAGE GUIDELINES u Y...

Page 1093: ...server will know the subnet where the client is located Then the switch forwards the packet to the DHCP server on another network When the server receives the DHCP request it allocates a free IP address for the DHCP client from its defined scope for the DHCP client s subnet and sends a DHCP response back to the DHCP relay agent i e this switch This switch then broadcasts the DHCP response received...

Page 1094: ...C domain name Specifies the domain name for a DHCP client DC hardware address Specifies the hardware address of a DHCP client DC host These commands are used for manually binding an address to a client Specifies the IP address and network mask to manually bind to a DHCP client DC lease Sets the duration an IP address is assigned to a DHCP client DC netbios name server Configures NetBIOS Windows In...

Page 1095: ... pool and enter DHCP Pool Configuration mode Use the no form to remove the address pool SYNTAX no ip dhcp pool name name A string or integer Range 1 8 characters DEFAULT SETTING DHCP address pools are not configured COMMAND MODE Global Configuration USAGE GUIDELINES u After executing this command the switch changes to DHCP Pool Configuration mode identified by the config dhcp prompt u From this mo...

Page 1096: ...GE If the DHCP server is running you must restart it to implement any configuration changes EXAMPLE Console config service dhcp Console config bootfile This command specifies the name of the default boot image for a DHCP client This file should placed on the Trivial File Transfer Protocol TFTP server specified with the next server command Use the no form to delete the boot image name SYNTAX bootfi...

Page 1097: ...l value DEFAULT SETTING None COMMAND MODE DHCP Pool Configuration COMMAND USAGE u This command identifies a DHCP client to bind to an address specified in the host command If both a client identifier and hardware address are configured for a host address the client identifier takes precedence over the hardware address in the search procedure u BOOTP clients cannot transmit a client identifier To b...

Page 1098: ... to two routers Routers are listed in order of preference starting with address1 as the most preferred router EXAMPLE Console config dhcp default router 10 1 0 54 10 1 0 64 Console config dhcp dns server This command specifies the Domain Name System DNS IP servers available to a DHCP client Use the no form to remove the DNS server list SYNTAX dns server address1 address2 no dns server address1 Spe...

Page 1099: ...ient Range 1 32 characters DEFAULT SETTING None COMMAND MODE DHCP Pool Configuration EXAMPLE Console config dhcp domain name sample com Console config dhcp hardware address This command specifies the hardware address of a DHCP client This command is valid for manual bindings only Use the no form to remove the hardware address SYNTAX hardware address hardware address type no hardware address hardwa...

Page 1100: ...ess for the client SYNTAX host address mask no host address Specifies the IP address of a client mask Specifies the network mask of the client DEFAULT SETTING None COMMAND MODE DHCP Pool Configuration USAGE GUIDELINES u Host addresses must fall within the range specified for an existing network pool u When a client request is received the switch first checks for a network address pool matching the...

Page 1101: ...ress currently in use by the host EXAMPLE Console config dhcp host 10 1 0 21 255 255 255 0 Console config dhcp RELATED COMMANDS client identifier 1097 hardware address 1099 lease This command configures the duration that an IP address is assigned to a DHCP client Use the no form to restore the default value SYNTAX lease days hours minutes infinite no lease days Specifies the duration of the lease ...

Page 1102: ...m to remove the NetBIOS name server list SYNTAX netbios name server address1 address2 no netbios name server address1 Specifies IP address of primary NetBIOS WINS name server address2 Specifies IP address of alternate NetBIOS WINS name server DEFAULT SETTING None COMMAND MODE DHCP Pool Configuration USAGE GUIDELINES Servers are listed in order of preference starting with address1 as the most prefe...

Page 1103: ...r 1102 network This command configures the subnet number and mask for a DHCP address pool Use the no form to remove the subnet number and mask SYNTAX network network number mask no network network number The IP address of the DHCP address pool mask The bit combination that identifies the network or subnet and the host portion of the DHCP address pool COMMAND MODE DHCP Pool Configuration USAGE GUID...

Page 1104: ...rst field nnn determines the class 0 127 is class A only uses the first field in the network address 128 191 is class B uses the first two fields in the network address 192 223 is class C uses the first three fields in the network address u The DHCP server assumes that all host addresses are available You can exclude subsets of the address space by using the ip dhcp excluded address command EXAMPL...

Page 1105: ...d as the address parameter the DHCP server clears all automatic bindings u Use the no host command to delete a manual binding u This command is normally used after modifying the address pool or after moving DHCP service to another device EXAMPLE Console clear ip dhcp binding Console RELATED COMMANDS show ip dhcp binding 1105 show ip dhcp binding This command displays address bindings on the DHCP s...

Page 1106: ...2 1 3 21 00 17 7C 98 73 21 86400 Dec 25 08 01 57 2002 Console show ip dhcp This command displays DHCP address pools configured on the switch COMMAND MODE Privileged Exec EXAMPLE Console show ip dhcp Name Type IP Address Mask Active Pool tps Net 192 168 1 0 255 255 255 0 192 168 1 1 192 168 1 254 Total entry 1 Console ...

Page 1107: ...hich allows a router to take over as the master router when it comes on line if it has a higher priority than the currently active master router Table 146 VRRP Commands Command Function Mode vrrp authentication Configures a key used to authenticate VRRP packets received from other routers IC vrrp ip Enables VRRP and sets the IP address of the virtual router IC vrrp preempt Configures the router to...

Page 1108: ...to the string configured on this router If the keys match the message is accepted Otherwise the packet is discarded u Plain text authentication does not provide any real security It is supported only to prevent a misconfigured router from participating in VRRP EXAMPLE Console config if vrrp 1 authentication bluebird Console config if vrrp ip This command enables the Virtual Router Redundancy Proto...

Page 1109: ...ed to customize any of the other parameters for VRRP such as authentication priority or advertisement interval then first configure these parameters before enabling VRRP EXAMPLE This example creates VRRP group 1 using the primary interface for VLAN 1 as the VRRP group Owner Console config interface vlan 1 Console config if vrrp 1 ip 192 168 1 6 Console config if vrrp preempt This command configure...

Page 1110: ...rp priority 1110 vrrp priority This command sets the priority of this router in a VRRP group Use the no form to restore the default setting SYNTAX vrrp group priority level no vrrp group priority group Identifies the VRRP group Range 1 255 level Priority of this router in the VRRP group Range 1 254 DEFAULT SETTING Master 255 Backup 100 COMMAND MODE Interface VLAN COMMAND USAGE u A router that has ...

Page 1111: ...interval at which the master virtual router sends advertisements communicating its state as the master Use the no form to restore the default interval SYNTAX vrrp group timers advertise interval no vrrp group timers advertise group Identifies the VRRP group Range 1 255 interval Advertisement interval for the master virtual router Range 1 255 seconds DEFAULT SETTING 1 second COMMAND MODE Interface ...

Page 1112: ...group Identifies a VRRP group Range 1 255 interface Identifier of configured VLAN interface Range 1 4093 DEFAULTS None COMMAND MODE Privileged Exec EXAMPLE Console clear vrrp 1 interface 1 counters Console clear vrrp router counters This command clears VRRP system statistics COMMAND MODE Privileged Exec EXAMPLE Console clear vrrp router counters Console show vrrp This command displays status infor...

Page 1113: ...55 Authentication SimpleText Authentication Key bluebird Master Router 192 168 1 6 Master Priority 255 Master Advertisement Interval 5 sec Master Down Interval 15 Console Table 147 show vrrp display description Field Description State VRRP role of this interface master or backup Virtual IP address Virtual address that identifies this VRRP group Virtual MAC address Virtual MAC address derived from ...

Page 1114: ...er Master priority The priority of the router currently acting as the VRRP group master Master Advertisement interval The advertisement interval configured on the VRRP master Master down interval The down interval configured on the VRRP master This interval is used by all the routers in the group regardless of their local settings Table 148 show vrrp brief display description Field Description Int...

Page 1115: ...fies a VRRP group Range 1 255 interface Identifier of configured VLAN interface Range 1 4093 DEFAULTS None COMMAND MODE Privileged Exec EXAMPLE Console show vrrp 1 interface vlan 1 counters Total Number of Times Transitioned to MASTER 6 Total Number of Received Advertisements Packets 0 Total Number of Received Error Advertisement Interval Packets 0 Total Number of Received Authentication Failures ...

Page 1116: ...OMMAND MODE Privileged Exec EXAMPLE Note that unknown errors indicate VRRP packets received with an unknown or unsupported version number Console show vrrp router counters Total Number of VRRP Packets with Invalid Checksum 0 Total Number of VRRP Packets with Unknown Error 0 Total Number of VRRP Packets with Invalid VRID 0 Console ...

Page 1117: ...fault You must manually configure a new address to manage the switch over your network or to connect the switch to existing IP subnets You may also need to a establish a default gateway between this device and management stations or other devices that exist on another network segment if routing is not enabled This section includes commands for configuring IP interfaces the Address Resolution Proto...

Page 1118: ...ed media that will be assigned to a specific subnet then you must create a router interface for each VLAN that will support routing The router interface consists of an IP address and subnet mask This interface address defines both the network number to which the router interface is attached and the router s host number on that network In other words a router interface address defines the network a...

Page 1119: ...cannot be removed if a secondary address is still present Also if any router in a network segment uses a secondary address all other routers in that segment must also use a secondary address from the same network or subnet address space u If bootp or dhcp options are selected the system will immediately start broadcasting service requests for all VLANs configured to obtain address assignments thro...

Page 1120: ...rectly connects to the gateway has been configured on the router u The same link local address may be used by different interfaces nodes in different zones RFC 4007 Therefore when specifying a link local address for a default gateway include zone id information indicating the VLAN identifier after the delimiter For example FE80 7272 1 identifies VLAN 1 as the interface from which the ping is sent ...

Page 1121: ...17 7C 93 82 A0 via 00 17 7C 93 82 A0 Index 1001 MTU 1280 Bandwidth 1g Address Mode is User specified IP Address 192 168 1 3 Mask 255 255 255 0 Proxy ARP is disabled Console RELATED COMMANDS ip address 1118 show ipv6 interface 1140 traceroute This command shows the route packets take to the specified destination SYNTAX traceroute host host IP address or alias of the host DEFAULT SETTING None COMMAN...

Page 1122: ...aximum timeout has been reached may indicate this problem with the target device EXAMPLE Console traceroute 192 168 0 1 Press ESC to abort Source address 192 168 0 9 Destination address 192 168 0 1 Hop IP Address Packet 1 Packet 2 Packet 3 1 192 168 0 1 10 ms 10 ms 10 ms Trace completed Console ping This command sends IPv4 ICMP echo request packets to another node on the network SYNTAX ping host c...

Page 1123: ...LE Console ping 10 1 0 9 Type ESC to abort PING to 10 1 0 9 by 5 32 byte payload ICMP packets timeout is 5 seconds response time 10 ms response time 10 ms response time 10 ms response time 10 ms response time 0 ms Ping statistics for 10 1 0 9 5 packets transmitted 5 packets received 100 0 packets lost 0 Approximate round trip times Minimum 0 ms Maximum 10 ms Average 8 ms Console RELATED COMMANDS i...

Page 1124: ...addresses into 48 bit hardware i e Media Access Control addresses This cache includes entries for hosts and other routers on local network interfaces defined on this router u The maximum number of static entries allowed in the ARP cache is 128 u You may need to enter a static entry in the cache if there is no response to an ARP broadcast message For example some applications may not respond to ARP...

Page 1125: ... request packet is sent to re establish the MAC address u The aging time determines how long dynamic entries remain in the cache If the timeout is too short the router may tie up resources by repeating ARP requests for addresses recently flushed from the table EXAMPLE This example sets the ARP cache timeout for 15 minutes i e 900 seconds Console config arp timeout 900 Console config ip proxy arp T...

Page 1126: ...mmand deletes all dynamic entries from the Address Resolution Protocol ARP cache COMMAND MODE Privileged Exec EXAMPLE This example clears all dynamic entries in the ARP cache Console clear arp cache This operation will delete all the dynamic entries in ARP Cache Are you sure to continue this operation y n y Console show arp This command displays entries in the Address Resolution Protocol ARP cache...

Page 1127: ...cast traffic will be forwarded when the UDP helper is enabled Use the no form to remove a UDP port from the forwarding list SYNTAX no ip forward protocol udp destination port destination port UDP application port for which UDP service requests are forwarded Range 1 65535 DEFAULT SETTING The following UDP ports are included in the forwarding list when UDP helper is enabled with the ip helper comman...

Page 1128: ...casionally use UDP broadcasts to determine information such as address configuration and domain name mapping These broadcasts are confined to the local subnet either as an all hosts broadcast all ones broadcast 255 255 255 255 or a directed subnet broadcast such as 10 10 10 255 To reduce the number of application servers deployed in a multi segment network UDP helper can be used to forward broadca...

Page 1129: ...d UDP packets with the UDP helper the clients must be connected to the selected interface and the interface configured with an IP address u The UDP packets to be forwarded must be specified by the ip forward protocol udp command and the packets meet the following criteria n The MAC address of the received frame must be all ones broadcast address ffff ffff ffff n The IP destination address must be ...

Page 1130: ...Console config if show ip helper This command displays configuration settings for UDP helper COMMAND MODE Privileged Exec COMMAND USAGE This command displays all configuration settings for UDP helper including its functional status the UDP ports for which broadcast traffic will be forwarded and the remote servers or subnets to which the traffic will be forwarded EXAMPLE Console show ip helper Help...

Page 1131: ...y and configured settings for IPv6 interfaces NE PE show ipv6 mtu Displays maximum transmission unit MTU information for IPv6 interfaces NE PE show ipv6 traffic Displays statistics about IPv6 traffic NE PE clear ipv6 traffic Resets IPv6 traffic counters PE ping6 Sends IPv6 ICMP echo request packets to another node on the network PE Neighbor Discovery ipv6 hop limit Configures the maximum number of...

Page 1132: ...mal values One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields u The same link local address may be used by different interfaces nodes in different zones RFC 4007 Therefore when specifying a link local address include zone id information indicating the VLAN identifier after the delimiter For example FE80 7272 1 identifies VL...

Page 1133: ...ork with multiple subnets you must configure a global unicast address This address can be manually configured with this command u If a link local address has not yet been assigned to this interface this command will assign the specified static global unicast address and also dynamically generate a link local unicast address for the interface The link local address is made with an address prefix of...

Page 1134: ...ui 64 1134 show ipv6 interface 1140 ip address 1118 ipv6 address eui 64 This command configures an IPv6 address for an interface using an EUI 64 interface ID in the low order 64 bits and enables IPv6 on the interface Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface Use the no form with a specific address to remove it from the interface SYNTA...

Page 1135: ... 48 format it must be converted into EUI 64 format by inverting the universal local bit in the address and inserting the hexadecimal number FFFE between the upper and lower three bytes of the MAC address u For example if a device had an EUI 48 address of 28 9F 18 1C 82 35 the global local bit must first be inverted to meet EUI 64 requirements i e 1 for globally defined addresses and 0 for locally ...

Page 1136: ...1000 milliseconds Console RELATED COMMANDS show ipv6 interface 1140 ipv6 address link local This command configures an IPv6 link local address for an interface and enables IPv6 on the interface Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface Use the no form with a specific address to remove it from the interface SYNTAX ipv6 address ipv6 add...

Page 1137: ... ipv6 address FE80 269 3EF9 FE19 6779 link local Console config if end Console show ipv6 interface Vlan 1 is up IPv6 is enable Link local address FE80 269 3EF9 FE19 6779 64 Global unicast address es 2001 DB8 1 2E0 CFF FE00 FD 64 subnet is 2001 DB8 1 0 0 0 0 64 EUI 2001 DB8 2222 7272 72 96 subnet is 2001 DB8 2222 7272 96 EUI Joined group address es FF02 1 FF19 6779 FF02 1 FF00 72 FF02 1 FF00 FD FF0...

Page 1138: ...sole u The no ipv6 enable command does not disable IPv6 for an interface that has been explicitly configured with an IPv6 address EXAMPLE In this example IPv6 is enabled on VLAN 1 and the link local address FE80 2E0 CFF FE00 FD 64 is automatically generated by the switch Console config interface vlan 1 Console config if ipv6 enable Console config if end Console show ipv6 interface Vlan 1 is up IPv...

Page 1139: ...s currently fixed at 1500 bytes u If a non default value is configured an MTU option is included in the router advertisements sent from this device u IPv6 routers do not fragment IPv6 packets forwarded from other routers However traffic originating from an end station connected to an IPv6 router may be fragmented u All devices on the same physical medium must use the same MTU in order to operate c...

Page 1140: ...n may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields prefix length A decimal value indicating how many of the contiguous bits from the left of the address comprise the prefix i e the network portion of the address COMMAND MODE Normal Exec Privileged Exec EXAMPLE This example displays all the IPv6 addresses configured for the switch Console ...

Page 1141: ... respectively FF01 1 16 is the transient node local multicast address for all attached IPv6 nodes and FF02 1 16 is the link local multicast address for all attached IPv6 nodes The node local multicast address is only used for loopback transmission of multicast traffic Link local multicast addresses cover the same types as used by link local unicast addresses including all nodes FF02 1 all routers ...

Page 1142: ...ODE Normal Exec Privileged Exec EXAMPLE The following example shows statistics for all IPv6 unicast and multicast traffic as well as ICMP UDP and TCP statistics Console show ipv6 traffic IPv6 Statistics IPv6 received total received header errors too big errors no routes address errors unknown protocols truncated packets discards delivers reassembly request datarams reassembled succeeded reassemble...

Page 1143: ...nreachable messages packet too big messages time exceeded messages parameter problem message echo request messages echo reply messages 7 router solicit messages router advertisement messages 3 neighbor solicit messages neighbor advertisement messages redirect messages group membership query messages group membership response messages group membership reduction messages multicast listener discovery...

Page 1144: ...ressed which might not be necessarily the input interface for some of the datagrams reassembly request datagrams The number of IPv6 fragments received which needed to be reassembled at this interface Note that this counter is incremented at the interface to which these fragments were addressed which might not be necessarily the input interface for some of the fragments reassembled succeeded The nu...

Page 1145: ... the interface received but determined as having ICMP specific errors bad ICMP checksums bad length etc destination unreachable messages The number of ICMP Destination Unreachable messages received by the interface packet too big messages The number of ICMP Packet Too Big messages received by the interface time exceeded messages The number of ICMP Time Exceeded messages received by the interface p...

Page 1146: ...messages The number of ICMP Router Advertisement messages sent by the interface neighbor solicit messages The number of ICMP Neighbor Solicit messages sent by the interface neighbor advertisement messages The number of ICMP Router Advertisement messages sent by the interface redirect messages The number of Redirect messages sent For a host this object will always be zero since hosts do not send re...

Page 1147: ...es One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields host name A host name string which can be resolved into an IPv6 address through a domain name server count Number of packets to send Range 1 16 size Number of bytes in a packet Range 48 18024 bytes The actual packet size will be eight bytes larger than the size specified...

Page 1148: ...0 2E0 CFF FE9C CA10 seq_no 5 Ping statistics for FE80 2E0 CFF FE9C CA10 1 64 5 packets transmitted 5 packets received 100 0 packets lost 0 Approximate round trip times Minimum 0 ms Maximum 20 ms Average 8 ms Console ipv6 neighbor This command configures a static entry in the IPv6 neighbor discovery cache Use the no form to remove a static entry from the cache SYNTAX ipv6 neighbor ipv6 address vlan...

Page 1149: ...ic entries in the IPv6 neighbor discovery cache are not modified if subsequently detected by the neighbor discovery process u Disabling IPv6 on an interface with the no ipv6 enable command see page 1137 deletes all dynamically learned entries in the IPv6 neighbor discovery cache for that interface but does not delete static entries EXAMPLE The following maps a static entry for global unicast addre...

Page 1150: ...n 1 Console config ipv6 hop limit 64 Console config ipv6 nd dad attempts This command configures the number of consecutive neighbor solicitation messages sent on an interface during duplicate address detection Use the no form to restore the default setting SYNTAX ipv6 nd dad attempts count no ipv6 nd dad attempts count The number of neighbor solicitation messages sent to determine whether or not a...

Page 1151: ...e global unicast address is detected it is not used All configuration commands associated with a duplicate address remain configured while the address is in duplicate state u If the link local address for an interface is changed duplicate address detection is performed on the new link local address but not for any of the IPv6 global unicast addresses already associated with the interface EXAMPLE T...

Page 1152: ...sements and by the router itself u This command specifies the interval between transmitting neighbor solicitation messages when resolving an address or when probing the reachability of a neighbor Therefore avoid using very short intervals for normal IPv6 operations EXAMPLE The following sets the interval between sending neighbor solicitation messages to 30000 milliseconds Console config interface ...

Page 1153: ...lliseconds is advertised in router advertisements COMMAND MODE Interface Configuration VLAN COMMAND USAGE u The time limit configured by this command allows the router to detect unavailable neighbors u This time limit is included in all router advertisements sent out through an interface ensuring that nodes on the same link use the same time value u Setting the time limit to 0 means that the confi...

Page 1154: ...ble colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields DEFAULT SETTING All IPv6 neighbor discovery cache entries are displayed COMMAND MODE Privileged Exec EXAMPLE The following shows all known IPv6 neighbors for this switch Console show ipv6 neighbors State I1 Incomplete I2 Invalid R Reachable S Stale D Delay P1 Probe P2 Permanent U ...

Page 1155: ...ed that the forward path was functioning A packet was sent within the last DELAY_FIRST_PROBE_TIME interval If no reachability confirmation is received within this interval after entering the DELAY state the switch will send a neighbor solicitation message and change the state to PROBE P1 Probe A reachability confirmation is actively sought by resending neighbor solicitation messages every RetransT...

Page 1156: ...mode specify the IPv4 address of the far end of the tunnel using the tunnel destination command 7 Bind the tunnel to a VLAN with the tunnel source vlan command 8 Assign an IPv6 global unicast address to the tunnel using the ipv6 address command 9 Then check your configuration settings using the show ipv6 tunnel command and the interface status of the tunnel using the show ip interface or show ip i...

Page 1157: ...r IPv4 clouds without explicit tunnels using RFC 3056 u Configured IPv6 over IPv4 tunneling uses point to point tunnels by encapsulating IPv6 packets within IPv4 headers to carry them over IPv4 routing infrastructures u Transporting IPv6 over IPv4 clouds based on RFC 3056 defines a method for assigning a unique IPv6 address prefix to any site that currently has at least one globally unique IPv4 ad...

Page 1158: ...be used in conjunction with 6to4 automatic tunneling u The tunnel end point address of a default tunnel could be the IPv4 address of one IPv6 IPv4 router at the border of the IPv6 backbone Alternatively the tunnel end point could be an IPv4 anycast address Using this approach multiple IPv6 IPv4 routers at the border advertise IPv4 reachability to the same IPv4 address All of these routers accept p...

Page 1159: ...T SETTING configured COMMAND MODE Interface Configuration IPv6 v4 Tunnel COMMAND USAGE u Configured tunneling of IPv6 over IPv4 based on RFC 2893 uses point to point tunnels made by encapsulating IPv6 packets within IPv4 headers to carry them over IPv4 routing infrastructures These tunnels can be either unidirectional or bidirectional Bidirectionally configured tunnels behave as virtual point to p...

Page 1160: ... to a router The end point of this type of tunnel is an intermediate router which must decapsulate the IPv6 packet and forward it on to its final destination When tunneling to a router the end point of the tunnel is different from the destination of the packet being tunneled So the addresses in the IPv6 packet being tunneled can not provide the IPv4 address of the tunnel end point Instead the tunn...

Page 1161: ...t of a tunnel is assigned Use the no form to detach the tunnel from the assigned VLAN SYNTAX tunnel source vlan vlan id no tunnel source vlan vlan id VLAN ID Range 1 4093 DEFAULT SETTING None COMMAND MODE Interface Configuration IPv6 v4 Tunnel COMMAND USAGE The VLAN assigned to a tunnel must be a L3 VLAN with an IPv4 address Otherwise an error message will be displayed on the console EXAMPLE Conso...

Page 1162: ...by only one when an IPv6 packet traverses the tunnel The single hop model serves to hide the existence of a tunnel The tunnel is opaque to users of the network and is not detectable by network diagnostic tools such as traceroute EXAMPLE Console config interface tunnel 2 Console config if tunnel ttl 5 Console config if show ipv6 tunnel This command displays the status and configuration settings for...

Page 1163: ...smit interval is 1000 milliseconds Tunnel 1 is up IPv6 is stale Link local address FE80 C0A8 3 64 Global unicast address es 2002 DB9 2222 7272 72 48 subnet is 2002 DB9 2222 48 Joined group address es FF02 1 IPv6 link MTU is 0 bytes ND DAD is enabled number of DAD attempts 2 ND retransmit interval is 1000 milliseconds Console show ipv6 interface brief Interface VLAN IPv6 IPv6 Address VLAN 1 Up Down...

Page 1164: ...CHAPTER 47 IP Interface Commands IPv6 to IPv4 Tunnels 1164 ...

Page 1165: ... CONFIGURATION Table 160 IP Routing Commands Command Group Function Global Routing Configuration Configures global parameters for static and dynamic routing displays the routing table and statistics for protocols used to exchange routing information Routing Information Protocol RIP Configures global and interface specific parameters for RIP Open Shortest Path First OSPFv2 Configures global and int...

Page 1166: ...ed by the dynamic unicast routing protocols is 110 for OSPF and 120 for RIP Range 1 255 Default 1 Removes all static routing table entries DEFAULT SETTING No static routes are configured COMMAND MODE Global Configuration COMMAND USAGE u Up to 512 static routes can be configured u Up to eight equal cost multipaths ECMP can be configured for static routing using the maximum paths command u If an adm...

Page 1167: ...form to restore the default settings SYNTAX maximum paths path count no maximum paths path count The maximum number of equal cost paths to the same destination that can be installed in the routing table Range 1 8 DEFAULT SETTING Enabled 4 paths COMMAND MODE Global Configuration EXAMPLE switch config maximum paths 8 switch config show ip route This command displays information in the Forwarding Inf...

Page 1168: ...ary paths A FIB entry consists of the minimum amount of information necessary to make a forwarding decision on a particular packet The typical components within a forwarding information base entry are a network prefix a router port identifier and next hop information u This command only displays routes which are currently accessible for forwarding The router must be able to directly reach the next...

Page 1169: ...ected S static R RIP B BGP O OSPF IA OSPF inter area N1 OSPF NSSA external type 1 N2 OSPF NSSA external type 2 E1 OSPF external type 1 E2 OSPF external type 2 i IS IS L1 IS IS level 1 L2 IS IS level 2 ia IS IS inter area selected route FIB route p stale info C 127 0 0 0 8 is directly connected lo0 C 192 168 1 0 24 is directly connected VLAN1 Console show ip traffic This command displays statistics...

Page 1170: ...stamp reply messages source quench messages address mask request messages address mask reply messages UDP Statistics 2 input no port errors other errors output TCP Statistics 4698 input input errors 5867 output Console ipv6 route This command configures static IPv6 routes Use the no form to remove static routes SYNTAX no ipv6 route destination ipv6 address prefix length gateway address distance li...

Page 1171: ...AGE u Up to 1K static routes can be configured u Up to eight equal cost multipaths ECMP can be configured for static routing using the maximum paths command u If an administrative distance is defined for a static route and the same destination can be reached through a dynamic route at a lower administration distance then the dynamic route will be used u The default distance of 1 will take preceden...

Page 1172: ...vileged Exec COMMAND USAGE u The FIB contains information required to forward IP traffic It contains the interface identifier and next hop information for each reachable destination network prefix based on the IP routing table When routing or topology changes occur in the network the routing table is updated and those changes are immediately reflected in the FIB The FIB is distinct from the routin...

Page 1173: ...e default metric assigned to external routes imported from other protocols RC distance Defines an administrative distance for external routes learned from other routing protocols RC maximum prefix Sets the maximum number of RIP routes allowed RC neighbor Defines a neighboring router with which to exchange information RC network Specifies the network interfaces that are to use RIP routing RC passiv...

Page 1174: ...nfig router rip Console config router RELATED COMMANDS network 1178 ip rip receive packet Configures the interface to receive of RIP packets IC ip rip send version Sets the RIP send version to use on a network interface IC ip rip send packet Configures the interface to send RIP packets IC ip rip split horizon Enables split horizon or poison reverse loop prevention IC clear ip rip route Clears spec...

Page 1175: ...address 0 0 0 0 EXAMPLE Console config router default information originate Console config router RELATED COMMANDS ip route 1166 redistribute 1180 default metric This command sets the default metric assigned to external routes imported from other protocols Use the no form to restore the default value SYNTAX default metric metric value no default metric metric value Metric assigned to external rout...

Page 1176: ...external network with a better metric from a redistribution point other than that derived from the original source EXAMPLE This example sets the default metric to 5 Console config router default metric 5 Console config router RELATED COMMANDS redistribute 1180 distance This command defines an administrative distance for external routes learned from other routing protocols Use the no form to restor...

Page 1177: ... administrative control u The administrative distance is applied to all routes learned for the specified network EXAMPLE Console config router distance 2 192 168 3 0 255 255 255 0 Console config router maximum prefix This command sets the maximum number of RIP routes allowed by the system Use the no form to restore the default setting SYNTAX maximum prefix maximum routes no maximum prefix maximum ...

Page 1178: ...ulticast messages generated by the RIP protocol u Use this command in conjunction with the passive interface command to control the routing updates sent to specific neighbors EXAMPLE Console config router neighbor 10 2 0 254 Console config router RELATED COMMANDS passive interface 1179 network This command specifies the network interfaces that will be included in the RIP routing process Use the no...

Page 1179: ... routing updates on the specified interface Use the no form to disable this feature SYNTAX no passive interface vlan vlan id vlan id VLAN ID Range 1 4093 DEFAULT SETTING Disabled COMMAND MODE Router Configuration COMMAND USAGE u If this command is used to stop sending routing updates on an interface the attached subnet will still continue to be advertised to other interfaces and updates from other...

Page 1180: ...ic value to be used for all imported external routes u A route metric must be used to resolve the problem of redistributing external routes with incompatible metrics u It is advisable to use a low metric when redistributing routes from another protocol into RIP Using a high metric limits the usefulness of external routes redistributed into RIP For example if a metric of 10 is defined for redistrib...

Page 1181: ... seconds DEFAULT SETTING Update 30 seconds Timeout 180 seconds Garbage collection 120 seconds COMMAND MODE Router Configuration COMMAND USAGE u The update timer sets the rate at which updates are sent This is the fundamental timer used to control all basic RIP processes u The timeout timer is the time after which there have been no update messages that a route is declared dead The route is marked ...

Page 1182: ...RIPv1 or RIPv2 packets Send Route information is broadcast to other routers with RIPv2 COMMAND MODE Router Configuration COMMAND USAGE u When this command is used to specify a global RIP version any VLAN interface not previously set by the ip rip receive version or ip rip send version command will use the global RIP version setting u When the no form of this command is used to restore the default ...

Page 1183: ... string command u This command requires the interface to exchange routing information with other routers based on an authorized password Note that this command only applies to RIPv2 u For authentication to function properly both the sending and receiving interface must be configured with the same password or authentication key u MD5 is a one way hash algorithm is that takes the authentication key ...

Page 1184: ...hat this command does not apply to RIPv1 u For authentication to function properly both the sending and receiving interface must be configured with the same password and authentication enabled by the ip rip authentication mode command EXAMPLE This example sets an authentication password of small to verify incoming routing messages and to tag outgoing routing messages Console config interface vlan ...

Page 1185: ... there are still some older routers using RIPv1 EXAMPLE This example sets the interface version for VLAN 1 to receive RIPv1 packets Console config interface vlan 1 Console config if ip rip receive version 1 Console config if RELATED COMMANDS version 1182 ip rip receive packet This command configures the interface to receive RIP packets Use the no form to disable this feature SYNTAX no ip rip recei...

Page 1186: ...G 1 compatible Route information is broadcast to other routers with RIPv2 COMMAND MODE Interface Configuration VLAN COMMAND USAGE u Use this command to override the global setting specified by the RIP version command u You can specify the send version based on these options n Use version 1 or version 2 if all routers in the local network are based on RIPv1 or RIPv2 respectively n Use 1 compatible ...

Page 1187: ...ODE Interface Configuration VLAN DEFAULT SETTING Enabled COMMAND USAGE The no form of this command allows the router to passively monitor route information advertised by other routers attached to the network without transmitting any RIP updates EXAMPLE Console config interface vlan 1 Console config if ip rip send packet Console config if RELATED COMMANDS ip rip receive packet 1185 ip rip split hor...

Page 1188: ... deemed unreachable EXAMPLE This example propagates routes back to the source using poison reverse Console config interface vlan 1 Console config if ip split horizon poison reverse Console config if clear ip rip route This command clears specified data from the RIP routing table SYNTAX clear ip rip route ip address netmask all connected ospf rip static ip address IP address of a route entry netmas...

Page 1189: ... ip protocols rip This command displays RIP process parameters COMMAND MODE Privileged Exec EXAMPLE Console show ip protocols rip Routing Protocol is rip Sending updates every 30 seconds with 5 seconds Timeout after 180 seconds garbage collect after 120 seconds Outgoing update filter list for all interface is not set Incoming update filter list for all interface is not set Default redistribution m...

Page 1190: ...fied interface vlan id VLAN ID Range 1 4093 COMMAND MODE Privileged Exec EXAMPLE Console show ip rip Codes R RIP Rc RIP connected Rs RIP static C Connected S Static O OSPF Network Next Hop Metric From Interface Time Rc 192 168 0 0 24 1 VLAN1 01 57 Console show ip rip interface vlan 1 Interface vlan1 Routing Protocol RIP Receive RIPv1 and RIPv2 packets Send RIPv1 Compatible Passive interface Disabl...

Page 1191: ...ault metric for external routes imported from other protocols RC redistribute Redistribute routes from one routing domain to another RC summary address Summarizes routes advertised by an ASBR RC Area Configuration area nssa Defines a not so stubby that can import external routes RC area stub Defines a stubby area that cannot send or receive LSAs RC area virtual link Defines a virtual link from an ...

Page 1192: ...erval Specifies the time between resending a link state advertisement IC ip ospf transmit delay Estimates time to send a link state update packet over an interface IC passive interface Suppresses OSPF routing traffic on the specified interface RC Display Information show ip ospf Displays general information about the routing processes PE show ip ospf border routers Displays routing table entries f...

Page 1193: ...e destination When disabled preference is based on type of path where type 1 external paths are preferred over type 2 external paths using cost only to break ties RFC 2328 u All routers in an OSPF routing domain should use the same RFC for calculating summary routes u If there are any OSPF routers in an area exchanging summary information specifically ABRs which have not been upgraded to OSPFv2 th...

Page 1194: ...rtise a default external route into the AS if it has been configured to import external routes through other routing protocols or static routing and such a route is known See the redistribute command u The metric for the default external route is used to calculate the path cost for traffic passed from other routers within the AS out through the ASBR u When you use this command to redistribute rout...

Page 1195: ...efault information originate metric 20 metric type 2 Console config router RELATED COMMANDS ip route 1166 redistribute 1241 router id This command assigns a unique router ID for this device within the autonomous system for the current OSPF process Use the no form to use the default router identification method i e the highest interface address SYNTAX router id ip address no router id ip address Ro...

Page 1196: ...nge and starting the shortest path first SPF calculation and the hold time between making two consecutive SPF calculations Use the no form to restore the default values SYNTAX timers spf spf delay spf holdtime no timers spf spf delay The delay after receiving a topology change notification and starting the SPF calculation Range 0 2147483647 seconds spf holdtime Minimum time between two consecutive...

Page 1197: ...ommand specifies a cost for the default summary route sent into a stub or NSSA from an Area Border Router ABR Use the no form to remove the assigned default cost SYNTAX area area id default cost cost no area area id default cost area id Identifies the stub or NSSA The area ID can be in the form of an IPv4 address or as a four octet unsigned integer ranging from 0 4294967295 cost Cost for the defau...

Page 1198: ...emain hidden from the rest of the network COMMAND MODE Router Configuration DEFAULT SETTING Disabled COMMAND USAGE u This command can be used to summarize intra area routes and advertise this information to other areas through Area Border Routers ABRs u If the network addresses within an area are assigned in a contiguous manner the ABRs can advertise a summary route that covers all of the individu...

Page 1199: ...lculates the cost for an interface by dividing the reference bandwidth by the interface bandwidth By default the cost is 1 Mbps for all port types including 100 Mbps ports 1 Gigabit ports and 10 Gigabit ports u A higher reference bandwidth can be used for aggregate links to indicate preferred use as a lower cost interface u The ip ospf cost command overrides the cost calculated by the auto cost re...

Page 1200: ...ls Range 0 16777214 COMMAND MODE Router Configuration DEFAULT SETTING 20 COMMAND USAGE u The default metric must be used to resolve the problem of redistributing external routes from other protocols that use incompatible metrics u This command does not override the metric value set by the redistribute command When a metric value has not been configured by the redistribute command the default metri...

Page 1201: ...rnal route metric tag value A tag placed in the AS external LSA to identify a specific external routing domain or to pass additional information between routers Range 0 4294967295 COMMAND MODE Router Configuration DEFAULT SETTING redistribution none metric value 10 type metric 2 COMMAND USAGE u This command is used to import routes learned from other routing protocols into the OSPF domain and to g...

Page 1202: ... learned from RIP as Type 1 external routes Console config router redistribute rip metric type 1 Console config router RELATED COMMANDS default information originate 1194 summary address This command aggregates routes learned from other protocols Use the no form to remove a summary address SYNTAX no summary address summary address netmask summary address Summary address covering a range of address...

Page 1203: ...cates NSSA ABR translator role for Type 5 external LSAs candidate Router translates NSSA LSAs to Type 5 external LSAs if elected never Router never translates NSSA LSAs to Type 5 external LSAs always Router always translates NSSA LSAs to Type 5 external LSAs no redistribution Use this keyword when the router is an NSSA Area Border Router ABR and you want the redistribute command to import routes o...

Page 1204: ...word u External routes advertised into an NSSA can include network destinations outside the AS learned via OSPF the default route static routes routes imported from other routing protocols such as RIP and networks directly connected to the router that are not running OSPF u NSSA external LSAs Type 7 are converted by any ABR adjacent to the NSSA into external LSAs Type 5 and propagated into other a...

Page 1205: ...table space is saved in a stub by blocking Type 4 AS summary LSAs and Type 5 external LSAs The default setting for this command completely isolates the stub by blocking Type 3 summary LSAs that advertise the default route for destinations external to the local area or the autonomous system u Use the no summary parameter of this command on the ABR attached to the stub to define a totally stubby are...

Page 1206: ...s or as a four octet unsigned integer ranging from 0 4294967295 router id Router ID of the virtual link neighbor This specifies the Area Border Router ABR at the other end of the virtual link To create a virtual link enter this command for an ABR at both ends of the link One of the ABRs must be next to the isolated area and the transit area at one end of the link while the other ABR must be next t...

Page 1207: ... Specifies message digest MD5 authentication null Indicates that no authentication is used authentication key key Sets a plain text password up to 8 characters that is used by neighboring routers on a virtual link to generate or verify the authentication field in protocol message headers A separate password can be assigned to each network interface However this key must be the same for all neighbo...

Page 1208: ...example creates a virtual link using the defaults for all optional parameters Console config router network 10 4 0 0 0 255 255 0 0 area 10 4 0 0 Console config router area 10 4 0 0 virtual link 10 4 3 254 Console config router This example creates a virtual link using MD5 authentication Console config router network 10 4 0 0 0 255 255 0 0 area 10 4 0 0 Console config router area 10 4 0 0 virtual l...

Page 1209: ...ea has been specified EXAMPLE This example creates the backbone 0 0 0 0 covering class B addresses 10 1 x x and a normal transit area 10 2 9 0 covering the class C addresses 10 2 9 x Console config router network 10 1 0 0 255 255 0 0 area 0 0 0 0 Console config router network 10 2 9 0 255 255 255 0 area 10 1 0 0 Console config router ip ospf authentication This command specifies the authentication...

Page 1210: ...earn the authentication key by snooping on routing protocol packets u When using Message Digest 5 MD5 authentication the router uses the MD5 algorithm to verify data integrity by creating a 128 bit message digest from the authentication key Without the proper key and key id it is nearly impossible to produce any message that matches the pre specified target message digest u Before specifying plain...

Page 1211: ... password COMMAND USAGE u Before specifying plain text password authentication for an interface with the ip ospf authentication command configure a password with this command u This command creates a password key that is inserted into the OSPF header when routing protocol packets are originated by this device Assign a separate password to each network for different interfaces All neighboring route...

Page 1212: ...ric for this interface Use higher values to indicate slower ports Range 1 65535 COMMAND MODE Interface Configuration VLAN DEFAULT SETTING 1 COMMAND USAGE u The interface cost indicates the overhead required to send packets across a certain interface This is advertised as the link cost in router link state advertisements u Routes are assigned a metric equal to the sum of all metrics for each interf...

Page 1213: ...ted to the current interface seconds The maximum time that neighbor routers can wait for a hello packet before declaring the transmitting router down This interval must be set to the same value for all routers on the network Range 1 65535 COMMAND MODE Interface Configuration VLAN DEFAULT SETTING 40 or four times the interval specified by the ip ospf hello interval command COMMAND USAGE The dead in...

Page 1214: ...that the sending router is still active Setting the hello interval to a smaller value can reduce the delay in detecting topological changes but will increase routing traffic EXAMPLE Console config interface vlan 1 Console config if ip ospf hello interval 5 Console config if ip ospf message digest key This command enables message digest MD5 authentication on the specified interface and to assign a ...

Page 1215: ...ork administrator time to update all the routers on the network without affecting the network connectivity Once all the network routers have been updated with the new key the old key should be removed for security reasons EXAMPLE This example sets a message digest key identifier and password Console config interface vlan 1 Console config if ip ospf message digest key 1 md5 aiebel Console config if...

Page 1216: ...rk segment when this interface comes up the new router will accept the current DR regardless of its own priority The DR will not change until the next time the election process is initiated u Configure router priority for multi access networks only and not for point to point networks EXAMPLE Console config interface vlan 1 Console config if ip ospf priority 5 Console config if ip ospf retransmit i...

Page 1217: ... SYNTAX ip ospf ip address transmit delay seconds no ip ospf ip address transmit delay ip address This parameter can be used to indicate a specific IP address connected to the current interface If not specified the command applies to all networks connected to the current interface seconds Sets the estimated time required to send a link state update Range 1 65535 COMMAND MODE Interface Configuratio...

Page 1218: ...ING None COMMAND USAGE You can configure an OSPF interface as passive to prevent OSPF routing traffic from exiting or entering that interface No OSPF adjacency can be formed if one of the interfaces involved is set to passive mode The specified interface will appear as a stub in the OSPF domain Also if you configure an OSPF interface as passive where an adjacency already exists the adjacency will ...

Page 1219: ...OSPF process ID and router ID The router ID uniquely identifies the router in the autonomous system By convention this is normally set to one of the router s IP interface addresses Process uptime The time this process has been running Conforms to RFC2328 Shows that this router is compliant with OSPF Version 2 RFC1583 Compatibility flag Shows whether or not compatibility with the RFC 1583 an earlie...

Page 1220: ...umber of new link state advertisements that have been originated Number of LSA received The number of link state advertisements that have been received Number of areas attached to this router The number of configured areas attached to this router Number of interfaces in this area is The number of interfaces attached to this area Number of fully adjacent neighbors in this area is The number of neig...

Page 1221: ...tion about all advertising routers is displayed ip address IP address of the specified router If no address is entered information about the local router is displayed link state id The network portion described by an LSA The link state id entered should be n An IP network number for Type 3 Summary and External LSAs n A Router ID for Router Network and Type 4 AS Summary LSAs Also note that when an ...

Page 1222: ...rd Console show ip os database asbr summary OSPF Router with ID 0 0 0 0 Process ID 1 ASBR Summary Link States Area 0 0 0 1 LS age 0 Options 0x2 E LS Type ASBR summary LSA Table 165 show ip ospf database display description Field Description OSPF Router Process with ID OSPF process ID and router ID The router ID uniquely identifies the router in the autonomous system By convention this is normally ...

Page 1223: ...Mask 24 Metric Type 2 Larger than any link state path TOS 0 Metric 20 Forward Address 10 10 11 50 External Route Tag 0 Table 166 show ip ospf database summary display description Field Description OSPF Router ID Router ID LS age Age of LSA in seconds Options Optional capabilities associated with the LSA LS Type Summary Links LSA describes routes to AS boundary routers Link State ID Interface addre...

Page 1224: ...d with the LSA LS Type AS External Links LSA describes routes to destinations outside the AS including default external routes for the AS Link State ID IP network number External Network Number Advertising Router Advertising router ID LS Sequence Number Sequence number of LSA used to detect older duplicate LSAs Checksum Checksum of the complete contents of the LSA Length The length of the LSA in b...

Page 1225: ...Process ID 1 Router Link States Area 0 0 0 0 LS age 0 Options 0x2 E Flags 0x2 ASBR LS Type router LSA Table 168 show ip ospf database network display description Field Description OSPF Router ID Router ID LS age Age of LSA in seconds Options Optional capabilities associated with the LSA LS Type Network Link LSA describes the routers attached to the network Link State ID Interface address of the de...

Page 1226: ...ssociated with the LSA Flags Indicate if this router is a virtual link endpoint an ASBR or an ABR LS Type Router Link LSA describes the router s interfaces Link State ID Router ID of the router that originated the LSA Advertising Router Advertising router ID LS Sequence Number Sequence number of LSA used to detect older duplicate LSAs Checksum Checksum of the complete contents of the LSA Length Th...

Page 1227: ...Address 192 168 0 2 Backup Designated Router ID 192 168 0 3 Interface Address 192 168 0 3 Timer intervals configured Hello 10 Dead 40 Wait 40 Retransmit 5 Hello due in 00 00 10 Neighbor Count is 1 Adjacent neighbor count is 1 Hello received 920 sent 975 DD received 5 sent 4 LS Req received 1 sent 1 LS Upd received 14 sent 18 Table 170 show ip ospf database summary display description Field Descrip...

Page 1228: ...s interface but interface is down u Loopback This is a loopback interface u Waiting Router is trying to find the DR and BDR u DR Designated Router u BDR Backup Designated Router u DRother Interface is on a multiaccess network but is not the DR or BDR Priority Router priority Designated Router Designated router ID and respective interface address Backup Designated Router Backup designated router ID...

Page 1229: ...ription Neighbor ID Neighbor s router ID Pri Neighbor s router priority State OSPF state and identification flag States include Down Connection down Attempt Connection down but attempting contact for non broadcast networks Init Have received Hello packet but communications not yet established Two way Bidirectional communications established ExStart Initializing adjacency between neighbors Exchange...

Page 1230: ...0 10 11 0 24 10 is directly connected fe1 2 Area 0 0 0 0 O 10 10 11 100 32 10 is directly connected lo Area 0 0 0 0 E2 10 15 0 0 24 10 50 via 10 10 0 1 vlan1 IA 172 16 10 0 24 30 via 10 10 11 50 vlan2 Area 0 0 0 0 E2 192 168 0 0 16 10 20 via 10 10 11 50 vlan2 Console show ip ospf virtual links This command displays detailed information about virtual links SYNTAX show ip ospf virtual links COMMAND ...

Page 1231: ... virtual link crosses to reach the target router Local address The IP address of ABR that serves as an endpoint connecting the isolated area to the common transit area Remote address The IP address this virtual neighbor is using The neighbor must be an ABR at the other endpoint connecting the common transit area to the backbone itself Transmit Delay Estimated transmit delay in seconds on the virtu...

Page 1232: ...hange and the hold time between consecutive SPF calculations RC Route Metrics and Summaries area default cost Sets the cost for a default summary route sent into a stub RC area range Summarizes routes advertised by an ABR RC default metric Sets the default metric for external routes imported from other protocols RC redistribute Redistribute routes from one routing domain to another RC Area Configu...

Page 1233: ... the ipv6 router ospf tag area command to assign an area to each interface that will participate in the specified OSPF process ipv6 ospf retransmit interval Specifies the time between resending a link state advertisement IC ipv6 ospf transmit delay Estimates time to send a link state update packet over an interface IC passive interface Suppresses OSPF routing traffic on the specified interface RC ...

Page 1234: ... routing processes It should not be confused with the instance id configured with the ipv6 router ospf area command which is used to distinguish between different routing processes running on the same link local network segment EXAMPLE Console config router ipv6 ospf tag 0 Console config router end Console show ipv6 ospf Routing Process ospf r d with ID 192 168 0 2 Process uptime is 1 hour 34 minu...

Page 1235: ...he backbone area n IBM Interpretation A router is considered to be an ABR if it has more than one actively attached area and the backbone area is configured n Standard Interpretation A router is considered to be an ABR if it is attached to two or more areas It does not have to be attached to the backbone area u To successfully route traffic to inter area and AS external destinations an ABR must be...

Page 1236: ... router only advertises intra area routes into non backbone areas EXAMPLE Console config router abr type ibm Console config router max current dd This command sets the maximum number of neighbors with which the switch can concurrently exchange database descriptor DD packets Use the no form to restore the default setting SYNTAX max current dd max packets no max current dd max packets The maximum nu...

Page 1237: ...ter ID must be unique for every router in the autonomous system Note that the router ID can also be set to 255 255 255 255 u If this router already has registered neighbors the new router ID will be used when the router is rebooted or manually restarted by entering the no router ipv6 ospf followed by the router ipv6 ospf command u If the priority values of the routers bidding to be the designated ...

Page 1238: ...guration DEFAULT SETTING SPF delay 5 seconds SPF holdtime 10 seconds COMMAND USAGE u Setting the SPF holdtime to 0 means that there is no delay between consecutive calculations u Using a low value for the holdtime allows the router to switch to a new path faster but uses more CPU processing time EXAMPLE Console config router timers spf 20 Console config router area default cost This command specif...

Page 1239: ... not advertise area id Identifies an area for which the routes are summarized The area ID can be in the form of an IPv4 address or as a four octet unsigned integer ranging from 0 4294967295 ipv6 prefix A full IPv6 address including the network prefix and host address bits prefix length A decimal value indicating how many contiguous bits from the left of the address comprise the prefix i e the port...

Page 1240: ... range 73 8 advertise Console config router default metric This command sets the default metric for external routes imported from other protocols Use the no form to remove the default metric for the supported protocol types SYNTAX default metric metric value no default metric metric value Metric assigned to all external routes imported from other protocols Range 0 16777214 COMMAND MODE Router Conf...

Page 1241: ...default Routers do not add internal route metric to external route metric COMMAND MODE Router Configuration DEFAULT SETTING redistribution none metric value 20 type metric 2 COMMAND USAGE u This command is used to import routes learned from other routing protocols into the OSPF domain and to generate AS external LSAs u When you redistribute external routes into an OSPF autonomous system AS the rou...

Page 1242: ...are sent into the stub COMMAND USAGE u All routers in a stub must be configured with the same area ID u Routing table space is saved by stopping an ABR from flooding Type 4 Inter Area Router and Type 5 AS External LSAs into the stub Since no information on external routes is known inside the stub an ABR will advertise the default route 0 0 0 using a Type 3 Inter Area Prefix LSA u The default setti...

Page 1243: ... the virtual link To create a virtual link enter this command for an ABR at both ends of the link One of the ABRs must be next to the isolated area and the transit area at one end of the link while the other ABR must be next to the transit area and backbone at the other end of the link dead interval seconds Specifies the time that neighbor routers will wait for a hello packet before they declare t...

Page 1244: ...one area 0 0 0 0 to maintain routing connectivity throughout the autonomous system If it not possible to physically connect an area to the backbone you can use a virtual link A virtual link can provide a logical path to the backbone for an isolated area or can be configured as a backup connection that can take over if the normal connection to the backbone fails u A virtual link can be configured b...

Page 1245: ... 255 COMMAND MODE Interface Configuration DEFAULT SETTING None COMMAND USAGE u An area ID uniquely defines an OSPF broadcast area The area ID 0 0 0 0 indicates the OSPF backbone for an autonomous system Each router must be connected to the backbone via a direct connection or a virtual link u Set the area ID to the same value for all routers on a network segment u The process name is only used on t...

Page 1246: ...ange Alphanumeric string up to 16 characters instance id Identifies a specific OSPFv3 routing process on the link local network segment attached to this interface Range 0 255 COMMAND MODE Interface Configuration VLAN DEFAULT SETTING No areas are defined COMMAND USAGE u An area ID uniquely defines an OSPF broadcast area The area ID 0 0 0 0 indicates the OSPF backbone for an autonomous system Each r...

Page 1247: ...ance id cost Link metric for this interface Use higher values to indicate slower ports Range 1 65535 instance id Identifies a specific OSPFv3 routing process on the link local network segment attached to this interface Range 0 255 COMMAND MODE Interface Configuration VLAN DEFAULT SETTING 1 COMMAND USAGE u The interface cost indicates the overhead required to send packets across a certain interface...

Page 1248: ...fore declaring the transmitting router down This interval must be set to the same value for all routers on the network Range 1 65535 instance id Identifies a specific OSPFv3 routing process on the link local network segment attached to this interface Range 0 255 COMMAND MODE Interface Configuration VLAN DEFAULT SETTING 40 seconds or four times the interval specified by the ipv6 ospf hello interval...

Page 1249: ...seconds COMMAND USAGE Hello packets are used to inform other routers that the sending router is still active Setting the hello interval to a smaller value can reduce the delay in detecting topological changes but will increase routing traffic EXAMPLE Console config interface vlan 1 Console config if ipv6 ospf hello interval 5 Console config if RELATED COMMANDS ipv6 ospf dead interval 1248 ipv6 osp...

Page 1250: ...ed u If a DR already exists for a network segment when this interface comes up the new router will accept the current DR regardless of its own priority The DR will not change until the next time the election process is initiated u Configure router priority for multi access networks only and not for point to point networks EXAMPLE Console config interface vlan 1 Console config if ipv6 ospf priority...

Page 1251: ...to send a link state update packet over an interface Use the no form to restore the default value SYNTAX ipv6 ospf transmit delay seconds instance id instance id no ipv6 ospf transmit delay instance id instance id seconds Sets the estimated time required to send a link state update Range 1 65535 instance id Identifies a specific OSPFv3 routing process on the link local network segment attached to ...

Page 1252: ... interface vlan vlan id ipv6 address vlan id VLAN ID Range 1 4093 ipv6 address A full IPv6 address including the network prefix and host address bits COMMAND MODE Router Configuration DEFAULT SETTING None COMMAND USAGE You can configure an OSPF interface as passive to prevent OSPF routing traffic from exiting or entering that interface No OSPF adjacency can be formed if one of the interfaces invol...

Page 1253: ...es the router in the autonomous system By convention this is normally set to one of the router s IP interface addresses Process uptime The time this process has been running Supports only single TOS TOS0 routes Optional Type of Service ToS specified in OSPF Version 2 Appendix F 1 2 is not supported so only one cost per interface can be assigned SPF schedule delay The delay after receiving a topolo...

Page 1254: ...l LSA Link State ID ADV Router Age Seq CkSum Console Checksum The sum of the LS checksums of opaque link state advertisements contained in the link state database Number of LSA received The number of link state advertisements that have been received Number of areas attached to this router The number of configured areas attached to this router Area Information Area The area identifier Note that Ina...

Page 1255: ...d 0 sent 0 LS Req received 0 sent 0 LS Upd received 0 sent 0 LS Ack received 0 sent 0 Discarded 0 Console Table 177 show ip ospf database display description Field Description OSPF Router Process with ID OSPF router ID and process ID The router ID uniquely identifies the router in the autonomous system By convention this is normally set to one of the router s IP interface addresses Link State ID T...

Page 1256: ... u DROther Interface is on a multiaccess network but is not the DR or BDR u Loopback This is a loopback interface u PointToPoint A direct link between two routers u Waiting Router is trying to find the DR and BDR Priority Router priority Designated Router Designated router ID and respective interface address Backup Designated Router Backup designated router ID and respective interface address Time...

Page 1257: ... L1 IS IS level 1 L2 IS IS level 2 ia IS IS inter area C 1 128 lo0 Table 179 show ipv6 ospf neighbor display description Field Description ID Neighbor s router ID Pri Neighbor s router priority State OSPF state and identification flag States include Down Connection down Attempt Connection down but attempting contact for non broadcast networks Init Have received Hello packet but communications not ...

Page 1258: ...92 168 0 2 Transmit Delay is 1 sec State Point To Point Timer intervals configured Hello 10 Dead 40 Wait 40 Retransmit 5 Hello due in 00 00 02 Adjacency state Full Console Table 180 show ip ospf neighbor display description Field Description Virtual Link to router OSPF neighbor and link state up or down Transit area Common area the virtual link crosses to reach the target router Local address The ...

Page 1259: ...on down Attempt Connection down but attempting contact for non broadcast networks Init Have received Hello packet but communications not yet established Two way Bidirectional communications established ExStart Initializing adjacency between neighbors Exchange Database descriptions being exchanged Loading LSA databases being exchanged Full Neighboring routers now fully adjacent Table 180 show ip os...

Page 1260: ...CHAPTER 48 IP Routing Commands Open Shortest Path First OSPFv3 1260 ...

Page 1261: ...X no ip multicast routing DEFAULT SETTING Disabled Table 181 Multicast Routing Commands Command Group Function General Multicast Routing Enables IP multicast routing globally also displays the IP multicast routing table created from static and dynamic routing information Static Multicast Routing Configures static multicast router ports PIM Multicast Routing Configures global and interface settings...

Page 1262: ...is command displays the IPv4 multicast routing table SYNTAX show ip mroute group address source summary group address An IPv4 multicast group address with subscribers directly attached or downstream from this router source The IPv4 subnetwork at the root of the multicast delivery tree This subnetwork contains a known multicast source summary Displays summary information for each entry in the IP mu...

Page 1263: ...SSM u C Connected A member of the multicast group is present on this interface u P Pruned This route has been terminated u F Register flag This device is registering for a multicast source u R RP bit set The S G entry is pointing to the Rendezvous Point RP which normally indicates a pruned state along the shared tree for a particular source u T SPT bit set Multicast packets have been received from...

Page 1264: ...outing using the router pim6 Incoming Interface Interface leading to the upstream neighbor PIM creates a multicast routing tree based on the unicast routing table If the related unicast routing table does not exist PIM will still create a multicast routing entry but displays Null for the upstream interface to indicate that the unicast routing table is not valid This field may also display Register...

Page 1265: ... for each entry in the IP multicast routing table COMMAND MODE Privileged Exec COMMAND USAGE This command displays information for multicast routing If no optional parameters are selected detailed information for each entry in the multicast address table is displayed If you select a multicast group and source pair detailed information is displayed only for the specified entry If the summary option...

Page 1266: ...t for S G the router immediately joins the shortest path tree Interface state The multicast state for the displayed interface group address IP multicast group address for a requested service source Subnetwork containing the IP multicast source Uptime The time elapsed since this entry was created Owner The associated multicast protocol PIM Incoming Interface Interface leading to the upstream neighb...

Page 1267: ...outes on the switch ip igmp snooping vlan mrouter This command statically configures a multicast router port Use the no form to remove the configuration SYNTAX ip igmp snooping vlan vlan id mrouter interface no ip igmp snooping vlan vlan id mrouter interface vlan id VLAN ID Range 1 4093 interface ethernet unit port unit Stack unit Range 1 8 port Port number port channel channel id Range 1 32 DEFAU...

Page 1268: ...thin VLAN 1 Console config ip igmp snooping vlan 1 mrouter ethernet 1 11 Console config show ip igmp snooping mrouter This command displays information on statically configured and dynamically learned multicast router ports SYNTAX show ip igmp snooping mrouter vlan vlan id vlan id VLAN ID Range 1 4093 DEFAULT SETTING Displays multicast router ports for all configured VLANs COMMAND MODE Privileged ...

Page 1269: ... a neighboring PIM router before declaring it dead IC ip pim hello interval Sets the interval between sending PIM hello messages IC ip pim join prune holdtime Configures the hold time for the prune state IC ip pim lan prune delay Informs downstream routers of the delay before it prunes a flow after receiving a prune request IC ip pim override interval Specifies the time it takes a downstream route...

Page 1270: ...gures the rate at which register messages are sent by the Designated Router DR GC ip pim register source Configure the IP source address of a register message to an address other than the outgoing interface address of the designated router DR leading toward the rendezvous point RP GC ip pim rp address Sets a static address for the rendezvous point GC ip pim rp candidate Configures the switch rende...

Page 1271: ...mode Enables PIM Sparse Mode DEFAULT SETTING Disabled COMMAND MODE Interface Configuration VLAN COMMAND USAGE u To fully enable PIM you need to enable multicast routing globally for the router with the ip multicast routing command enable PIM globally for the router with the router pim command and also enable PIM DM or PIM SM for each interface that will participate in multicast routing with this c...

Page 1272: ... join messages toward the source They also send prune messages toward the RP to prune the shared path if they have already connected to the source through the SPT or if there are no longer any group members connected to the interface EXAMPLE Console config interface vlan 1 Console config if ip pim dense mode Console show ip pim interface PIM is enabled Vlan 1 is up PIM Mode Dense Mode IP Address 1...

Page 1273: ...lo interval seconds Interval between sending PIM hello messages Range 1 65535 DEFAULT SETTING 30 seconds COMMAND MODE Interface Configuration VLAN COMMAND USAGE Hello messages are sent to neighboring PIM routers from which this device has received probes and are used to verify whether or not these neighbors are still active members of the multicast tree EXAMPLE Console config if ip pim hello inter...

Page 1274: ...eiving a prune request Use the no form to disable this feature SYNTAX no ip pim lan prune delay DEFAULT SETTING Disabled COMMAND MODE Interface Configuration VLAN COMMAND USAGE u When other downstream routers on the same VLAN are notified that this upstream router has received a prune request they must send a Join to override the prune before the prune delay expires if they want to continue receiv...

Page 1275: ...tinue receiving the flow referenced in the message Range 500 6000 milliseconds DEFAULT SETTING 2500 milliseconds COMMAND MODE Interface Configuration VLAN COMMAND USAGE The override interval configured by this command and the propagation delay configured by the ip pim propagation delay command are used to calculate the LAN prune delay If a downstream router has group members which want to continue...

Page 1276: ...ulate the LAN prune delay If a downstream router has group members which want to continue receiving the flow referenced in a LAN prune delay message then the propagation delay represents the time required for the lan prune delay message to be propagated down from the upstream router to all downstream routers attached to the same VLAN interface EXAMPLE Console config if ip pim propagation delay 600...

Page 1277: ...nsole config if show ip pim interface This command displays information about interfaces configured for PIM SYNTAX show ip pim interface vlan vlan id vlan id VLAN ID Range 1 4094 COMMAND MODE Normal Exec Privileged Exec COMMAND USAGE This command displays the PIM settings for the specified interface as described in the preceding pages It also shows the address of the designated PIM router and the ...

Page 1278: ...sole ip pim graft retry interval This command configures the time to wait for a Graft acknowledgement before resending a Graft Use the no form to restore the default value SYNTAX ip pim graft retry interval seconds no ip pim graft retry interval seconds The time before resending a Graft Range 1 10 seconds DEFAULT SETTING 3 seconds COMMAND MODE Interface Configuration VLAN Table 188 show ip pim nei...

Page 1279: ... to resend a Graft message if it has not been acknowledged Use the no form to restore the default value SYNTAX ip pim max graft retries retries no ip pim max graft retries retries The maximum number of times to resend a Graft Range 1 10 DEFAULT SETTING 3 COMMAND MODE Interface Configuration VLAN EXAMPLE Console config if ip pim max graft retries 5 Console config if ip pim state refresh origination...

Page 1280: ... Router BSR candidate Use the no form to restore the default value SYNTAX ip pim bsr candidate interface vlan vlan id hash hash mask length priority priority no ip pim bsr candidate vlan id VLAN ID Range 1 4094 hash mask length Hash mask length in bits used for RP selection see ip pim rp candidate and ip pim rp address The portion of the hash specified by the mask length is ANDed with the group ad...

Page 1281: ...st two core routers in diverse locations each to serve as both a candidate BSR and candidate RP It is also preferable to set up one of these routers as both the primary BSR and RP EXAMPLE The following example configures the router to start sending bootstrap messages out of the interface for VLAN 1 to all of its PIM SM neighbors Console config ip pim bsr candidate interface vlan 1 hash 20 priority...

Page 1282: ...ds back toward the rendezvous point RP Use the no form to restore the default setting SYNTAX ip pim register source interface vlan vlan id no ip pim register source vlan id VLAN ID Range 1 4094 DEFAULT SETTING The IP address of the DR s outgoing interface that leads back to the RP COMMAND MODE Global Configuration COMMAND USAGE When the source address of a register message is filtered by intermedi...

Page 1283: ...P address is specified that was previously used for an RP then the older entry is replaced u Multiple RPs can be defined for different groups or group ranges If a group is matched by more than one entry the router will use the RP associated with the longer group prefix length If the prefix lengths are the same then the static RP with the highest IP address is chosen u Static definitions for RP add...

Page 1284: ...ommand configures the router to advertise itself as a Rendezvous Point RP candidate to the bootstrap router BSR Use the no form to remove this router as an RP candidate SYNTAX ip pim rp candidate interface vlan vlan id group prefix group address mask interval seconds priority value no ip pim rp candidate interface interface vlan vlan id vlan id VLAN ID Range 1 4094 group address An IP multicast gr...

Page 1285: ...ased on the group address RP address priority and hash mask included in the bootstrap messages n If there is a tie use the candidate RP with the highest IP address u This distributed election process provides faster convergence and minimal disruption when an RP fails It also serves to provide load balancing by distributing groups across multiple RPs Moreover when an RP fails the responsible RPs ar...

Page 1286: ...ce to a receiver is through the RP However the path through the RP is not always the shortest path Therefore the router uses the RP to forward only the first packet from a new multicast group to its receivers Afterwards it calculates the shortest path tree SPT directly between the receiver and source and then uses the SPT to send all subsequent packets from the source to the receiver instead of us...

Page 1287: ...le election process u The router with the highest priority configured on an interface is elected as the DR If more than one router attached to this interface uses the same priority then the router with the highest IP address is elected to serve as the DR u If a router does not advertise a priority in its hello messages it is assumed to have the highest priority and is elected as the DR If more tha...

Page 1288: ...ance will be adversely affected u The multicast interface that first receives a multicast stream from a particular source forwards this traffic only to those interfaces on the router that have requested to join this group When there are no longer any requesting groups on that interface the leaf node sends a prune message upstream and enters a prune state for this multicast stream The protocol main...

Page 1289: ...ion changes to the RP u Use the show ip pim rp mapping command to display active RPs that are cached with associated multicast groups EXAMPLE This example clears the RP map Console clear ip pim bsr rp set Console show ip pim rp mapping PIM Group to RP Mappings Console show ip pim bsr router This command displays information about the bootstrap router BSR COMMAND MODE Privileged Exec COMMAND USAGE ...

Page 1290: ... of significant bits used in the multicast group comparison mask This mask determines the multicast group for which this router can be a BSR Expire The time before this entry will be removed Role Candidate BSR or Non candidate BSR State Operation state of BSR includes u No information No information stored for this device u Accept Any The router does not know of an active BSR and will accept the f...

Page 1291: ...via null Console Table 190 show ip pim rp mapping display description Field Description Groups The multicast group address mask length managed by the RP RP address IP address of the RP used for the listed multicast group Info source RP that advertised the mapping how the RP was selected Static or Bootstrap and the priority used in the bidding process Uptime The time this RP has been up and running...

Page 1292: ...owledgement before resending a Graft message IC ipv6 pim hello holdtime Sets the time to wait for hello messages from a neighboring PIM router before declaring it dead IC ipv6 pim hello interval Sets the interval between sending PIM hello messages IC ipv6 pim join prune holdtime Configures the hold time for the prune state IC ipv6 pim lan prune delay Informs downstream routers of the delay before ...

Page 1293: ...face that will participate in multicast routing with this command u If you enable PIM on an interface you should also enable IGMP on that interface PIM mode selection determines how the switch populates the multicast routing table and how it forwards packets received from directly connected LAN interfaces Dense mode interfaces are always added to the multicast routing table u Dense mode interfaces...

Page 1294: ...OMMAND MODE Interface Configuration VLAN COMMAND USAGE A graft message is sent by a router to cancel a prune state When a router receives a graft message it must respond with an graft acknowledgement message If this acknowledgement message is lost the router that sent the graft message will resend it a number of times as defined by the ipv6 pim max graft retries command EXAMPLE Console config if i...

Page 1295: ...y at which PIM hello messages are transmitted Use the no form to restore the default value SYNTAX ipv6 pim hello interval seconds no pimv6 hello interval seconds Interval between sending PIM hello messages Range 1 65535 DEFAULT SETTING 30 seconds COMMAND MODE Interface Configuration VLAN COMMAND USAGE Hello messages are sent to neighboring PIM routers from which this device has received probes and...

Page 1296: ...te for this multicast stream The prune state is maintained until the join prune holdtime timer expires or a graft message is received for the forwarding entry EXAMPLE Console config if ipv6 pim join prune holdtime 60 Console config if ipv6 pim lan prune delay This command causes this device to inform downstream routers of how long it will wait before pruning a flow after receiving a prune request ...

Page 1297: ...erride interval from those advertised by each neighbor including this switch EXAMPLE Console config if ipv6 pim lan prune delay Console config if RELATED COMMANDS ipv6 pim override interval 1298 ipv6 pim propagation delay 1298 ipv6 pim max graft retries This command configures the maximum number of times to resend a Graft message if it has not been acknowledged Use the no form to restore the defau...

Page 1298: ...tion delay command are used to calculate the LAN prune delay If a downstream router has group members which want to continue receiving the flow referenced in a LAN prune delay message then the override interval represents the time required for the downstream router to process the message and then respond by sending a Join message back to the upstream router to ensure that the flow is not terminate...

Page 1299: ...TED COMMANDS ipv6 pim override interval 1298 ipv6 pim lan prune delay 1296 ipv6 pim state refresh origination interval This command sets the interval between sending PIM DM state refresh control messages Use the no form to restore the default value SYNTAX ipv6 pim state refresh origination interval seconds no ipv6 pim max graft retries seconds The interval between sending PIM DM state refresh cont...

Page 1300: ...ce Use the no form to restore the default value SYNTAX ipv6 pim trigger hello delay seconds no ipv6 pim trigger hello delay seconds The maximum time before sending a triggered PIM Hello message Range 0 5 DEFAULT SETTING 5 seconds COMMAND MODE Interface Configuration VLAN COMMAND USAGE u When a router first starts or PIM is enabled on an interface the hello delay is set to random value between 0 an...

Page 1301: ...f neighboring PIM routers EXAMPLE Console show ip pim interface vlan 1 PIM is enabled Vlan 1 is up PIM Mode Dense Mode IPv6 Address None Hello Interval 30 sec Hello HoldTime 105 sec Triggered Hello Delay 5 sec Join Prune Holdtime 210 sec Lan Prune Delay Disabled Propagation Delay 500 ms Override Interval 2500 ms Graft Retry Interval 3 sec Max Graft Retries 3 State Refresh Ori Int 60 sec Console sh...

Page 1302: ...AN 1 00 01 23 00 01 23 FF80 0202 VLAN 2 1d 11h Never Console Table 193 show ipv6 pim neighbor display description Field Description Neighbor Address IP address of the next hop router VLAN Interface Interface number that is attached to this neighbor Uptime The duration this entry has been active Expiration Time The time before this entry will be removed ...

Page 1303: ... 1303 SECTION IV APPENDICES This section provides additional information and includes these items u Software Specifications on page 1305 u Troubleshooting on page 1311 u License Information on page 1313 ...

Page 1304: ...SECTION IV Appendices 1304 ...

Page 1305: ...R ER 10 Gbps at full duplex Module 10GBASE T 10 Gbps 1000 Mbps 100 Mbps at full duplex Module FLOW CONTROL Full Duplex IEEE 802 3 2005 Half Duplex Back pressure STORM CONTROL Broadcast traffic throttled above a critical threshold PORT MIRRORING 26 sessions one or more source ports to one destination port RATE LIMITS Input Output Limits Range configured per port PORT TRUNKING Static trunks Cisco Et...

Page 1306: ...rvice policies MULTICAST FILTERING IGMP Snooping Layer 2 IGMP Layer 3 IGMP Proxy Multicast VLAN Registration IP ROUTING ARP Proxy ARP Static routes CIDR Classless Inter Domain Routing RIP RIPv2 OSPFv2 OSPFv3 unicast routing PIM SM PIM DM PIMv6 multicast routing VRRP Virtual Router Redundancy Protocol ADDITIONAL FEATURES BOOTP Client DHCP Client Relay Option 82 Server DNS Client Proxy LLDP Link Lay...

Page 1307: ... Discovery Protocol IEEE 802 1D 2004 Spanning Tree Algorithm and traffic priorities Spanning Tree Protocol Rapid Spanning Tree Protocol Multiple Spanning Tree Protocol IEEE 802 1p Priority tags IEEE 802 1Q VLAN IEEE 802 1v Protocol based VLANs IEEE 802 1X Port Authentication IEEE 802 3 2005 Ethernet Fast Ethernet Gigabit Ethernet and 10 Gigabit Ethernet fiber and short haul copper Link Aggregation...

Page 1308: ...56 TFTP RFC 1350 VRRP RFC 3768 MANAGEMENT INFORMATION BASES Bridge MIB RFC 1493 Differentiated Services MIB RFC 3289 DNS Resolver MIB RFC 1612 Entity MIB RFC 2737 Ether like MIB RFC 2665 Extended Bridge MIB RFC 2674 Extensible SNMP Agents MIB RFC 2742 Forwarding Table MIB RFC 2096 IGMP MIB RFC 2933 Interface Group MIB RFC 2233 Interfaces Evolution MIB RFC 2863 IP MIB RFC 2011 IP Forwarding Table M...

Page 1309: ...on Client MIB RFC 2619 RIP1 MIB RFC 1058 RIP2 MIB RFC 2453 RIP2 Extension RFC1724 RMON MIB RFC 2819 RMON II Probe Configuration Group RFC 2021 partial implementation SNMP Community MIB RFC 3584 SNMP Framework MIB RFC 3411 SNMP MPD MIB RFC 3412 SNMP Target MIB SNMP Notification MIB RFC 3413 SNMP User Based SM MIB RFC 3414 SNMP View Based ACM MIB RFC 3415 SNMPv2 IP MIB RFC 2011 TACACS Authentication...

Page 1310: ...APPENDIX A Software Specifications Management Information Bases 1310 ...

Page 1311: ...t Telnet SSH sessions permitted Try connecting again at a later time Cannot connect using Secure Shell u If you cannot connect using SSH you may have exceeded the maximum number of concurrent Telnet SSH sessions permitted Try connecting again at a later time u Be sure the control parameters for the SSH server are properly configured on the switch and that the SSH client software is properly config...

Page 1312: ...6 Repeat the sequence of commands or other actions that lead up to the error 7 Make a list of the commands or circumstances that led to the fault Also make a list of any error messages displayed 8 Set up your terminal emulation software so that it can capture all console output to a file Then enter the show tech support command to record all system settings in this file 9 Contact your distributor ...

Page 1313: ... of free software and charge for this service if you wish that you receive source code or can get it if you want it that you can change the software or use pieces of it in new free programs and that you know you can do these things To protect your rights we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights These restrictions translate to ce...

Page 1314: ...t notices stating that you changed the files and the date of any change b You must cause any work that you distribute or publish that in whole or in part contains or is derived from the Program or any part thereof to be licensed as a whole at no charge to all third parties under the terms of this License c If the modified program normally reads commands interactively when run you must cause it whe...

Page 1315: ...uired to accept this License since you have not signed it However nothing else grants you permission to modify or distribute the Program or its derivative works These actions are prohibited by law if you do not accept this License Therefore by modifying or distributing the Program or any work based on the Program you indicate your acceptance of this License to do so and all its terms and condition...

Page 1316: ...ribution conditions are different write to the author to ask for permission For software which is copyrighted by the Free Software Foundation write to the Free Software Foundation we sometimes make exceptions for this Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally NO WAR...

Page 1317: ...d round robin service to enforce priority service and prevent blockage of lower level queues Priority may be set according to the port default the packet s priority bit in the VLAN tag TCP UDP port number IP Precedence bit or DSCP priority bit DHCP Dynamic Host Control Protocol Provides a framework for passing configuration information to hosts on a TCP IP network DHCP is based on the Bootstrap Pr...

Page 1318: ...e and password is requested by the switch and then passed to an authentication server e g RADIUS for verification EAPOL is implemented as part of the IEEE 802 1X Port Authentication standard EUI Extended Universal Identifier is an address format used by IPv6 to identify the host portion of the network address The interface identifier in EUI compatible addresses is based on the link layer MAC addre...

Page 1319: ...LANs to communicate across switched networks IEEE 802 1P An IEEE standard for providing quality of service QoS in Ethernet networks The standard uses packet tags that define up to eight traffic classes and allows switches to transmit packets based on the tagged priority value IEEE 802 1S An IEEE standard for the Multiple Spanning Tree Protocol MSTP which provides independent spanning trees for VLA...

Page 1320: ...y belong The elected querier will be the device with the lowest IP address in the subnetwork IGMP SNOOPING Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members IN BAND MANAGEMENT Management of the network from a station attached directly to the network IP MULTICAST FILTERING A process whereby th...

Page 1321: ...l used by IGMP snooping and multicast routing devices to discover which interfaces are attached to multicast routers This process allows IGMP enabled devices to determine where to send multicast source and group membership messages MSTP Multiple Spanning Tree Protocol can provide an independent spanning tree for different VLANs It simplifies network management provides for even faster convergence ...

Page 1322: ...ggregation and trunking method which specifies how to create a single high speed logical link that combines several lower speed physical links PRIVATE VLANS Private VLANs provide port based security and isolation between ports within the assigned VLAN Data traffic on downlink ports can only be forwarded to and from uplink ports QINQ QinQ tunneling is designed for service providers carrying traffic...

Page 1323: ...s network management services SNTP Simple Network Time Protocol allows a device to set its internal clock based on periodic updates from a Network Time Protocol NTP server Updates can be requested from a specific NTP server or can be received via broadcasts sent by NTP servers SSH Secure Shell is a secure replacement for remote access functions including Telnet SSH can authenticate users with a cr...

Page 1324: ...ith highly accurate atomic time The UTC does not have daylight saving time VLAN Virtual LAN A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network A VLAN serves as a logical workgroup with no physical barriers and allows users to share information and resources as though located on the same LAN VR...

Page 1325: ...e 891 auto traffic control control release 891 auto traffic control release timer 886 B boot system 660 bootfile 1100 bridge ext gvrp 930 C calendar set 691 capabilities 851 channel group 868 class 990 class map 986 clear arp cache 1130 clear counters 858 clear dns cache 1088 clear host 1089 clear ip dhcp binding 1109 clear ip dhcp snooping database flash 811 clear ip igmp group 1046 clear ip ospf...

Page 1326: ...ooping database flash 807 ip dhcp snooping information option 807 ip dhcp snooping information policy 808 ip dhcp snooping trust 810 ip dhcp snooping verify mac address 809 ip dhcp snooping vlan 809 ip domain list 1083 ip domain lookup 1084 ip domain name 1085 ip forward protocol udp 1131 ip helper 1132 ip helper address 1133 ip host 1086 ip http port 752 ip http secure port 755 ip http secure ser...

Page 1327: ...ceive version 1188 ip rip receive packet 1189 ip rip send version 1190 ip rip send packet 1191 ip rip split horizon 1191 ip route 1170 ip source guard 815 ip source guard binding 813 ip source guard max binding 816 ip ssh authentication retries 761 ip ssh crypto host key generate 763 ip ssh crypto zeroize 764 ip ssh save host key 765 ip ssh server 761 ip ssh server key size 762 ip ssh timeout 762 ...

Page 1328: ...group 843 mac address table aging time 897 mac address table static 898 mac authentication intrusion action 795 mac authentication max mac count 795 mac authentication reauth time 787 mac learning 782 mac vlan 963 management 779 map ip dscp Global Configuration 978 map ip dscp Interface Configuration 980 map ip port Global Configuration 979 map ip port Interface Configuration 981 map ip precedence...

Page 1329: ...story 720 rmon collection rmon1 721 rmon event 719 router ipv6 ospf 1238 router ospf 1196 router pim 1274 router pim6 1296 router rip 1178 router id 1199 router id 1241 S server 749 service dhcp 1100 service policy 998 set 997 sflow destination 725 sflow max datagram size 726 sflow max header size 727 sflow owner 727 sflow sample 728 sflow source 728 sflow timeout 729 show access group 848 show ac...

Page 1330: ...bor 1260 show ipv6 ospf route 1261 show ipv6 ospf virtual links 1262 show ipv6 pim interface 1305 show ipv6 pim neighbor 1305 show ipv6 route 1176 show ipv6 traffic 1146 show ipv6 tunnel 1166 show lacp 873 show line 676 show lldp config 1077 show lldp info local device 1078 show lldp info remote device 1079 show lldp info statistics 1080 show log 681 show logging 682 show logging sendmail 686 show...

Page 1331: ... hello time 905 spanning tree link type 918 spanning tree loopback detection 918 spanning tree loopback detection release 925 spanning tree loopback detection release mode 919 spanning tree loopback detection trap 920 spanning tree max age 906 spanning tree mode 907 spanning tree mst configuration 909 spanning tree mst cost 920 spanning tree mst port priority 921 spanning tree pathcost method 908 ...

Page 1332: ...935 vlan database 935 vlan trunking 941 voice vlan 965 voice vlan aging 966 voice vlan mac address 966 vrrp authentication 1112 vrrp ip 1112 vrrp preempt 1113 vrrp priority 1114 vrrp timers advertise 1115 W web auth 801 web auth login attempts 799 web auth quiet period 800 web auth re authenticate IP 802 web auth re authenticate Port 802 web auth session timeout 800 web auth system auth control 80...

Page 1333: ...6 Standard 322 327 834 835 MAC 322 331 840 time range 318 692 Address Resolution Protocol See ARP address table 207 897 aging time 210 897 aging time displaying 210 900 aging time setting 210 897 administrative users displaying 656 ARP ACL 333 820 configuration 498 1127 description 497 proxy 498 1129 statistics 502 1173 ARP inspection 336 818 ACL filter 339 820 additional validation criteria 338 8...

Page 1334: ...rmation option enabling 365 807 policy selection 365 808 specifying trusted interfaces 367 810 verifying MAC addresses 365 809 VLAN configuration 366 809 Differentiated Services See DiffServ DiffServ 255 985 binding policy to interface 269 998 class map 256 986 990 class map description 257 987 classifying QoS traffic 256 988 color aware srTCM 264 993 color aware trTCM 265 995 color blind srTCM 26...

Page 1335: ...iguring 307 755 HTTPS secure server 306 753 I IEEE 802 1D 215 907 IEEE 802 1s 215 907 IEEE 802 1w 215 907 IEEE 802 1X 348 767 769 IGMP clearing the cache 1046 enabling per interface 453 1040 filter profiles binding to interface 448 1026 filter profiles configuration 445 1025 filter interface configuration 448 1026 1028 filter parameters 445 filtering throttling 444 1023 filtering throttling enabli...

Page 1336: ...er criteria 357 815 setting maximum bindings 358 816 IP statistics 483 1173 IPv4 address BOOTP DHCP 470 1122 dynamic configuration 85 manual configuration 83 setting 82 469 1122 IPv6 configuring static neighbors 1152 displaying neighbors 481 1152 duplicate address detection 481 1154 enabling 475 1141 hop limit advertisements 1154 MTU 475 1143 IPv6 address dynamic configuration global unicast 87 47...

Page 1337: ... 1053 maximum response interval 1054 query interval 1055 robustness value 1055 static groups binding 1056 version 1057 MLD proxy routing enabling 1061 MSTP 215 232 907 global settings configuring 219 232 903 global settings displaying 224 926 interface settings configuring 225 236 903 interface settings displaying 237 926 max hop count 222 911 path cost 236 920 region name 222 913 region revision ...

Page 1338: ...571 576 1207 process ID 563 565 570 572 575 576 578 579 582 1196 process parameters displaying 568 1235 redistributing external routes 579 1205 retransmit interval 585 1220 RFC 1583 compatible 565 1197 router ID 565 1199 router priority 584 1219 routing table displaying 592 1234 SPF timers 566 1200 stub 570 574 1209 transit area 562 563 572 574 589 590 1210 transmit delay over interface 585 1221 v...

Page 1339: ...1 849 duplex mode 143 856 flow control 143 853 forced selection on combo ports 142 854 loopback test 865 mirroring 146 877 mirroring local traffic 146 877 multicast storm threshold 242 857 speed 143 856 statistics 148 859 unknown unicast storm threshold 241 857 primary VLAN 186 188 189 953 priority default port ingress 243 975 private key 310 758 private VLANs configuring 186 952 private VLANs dis...

Page 1340: ...2 statistics collection 421 721 statistics displaying 422 722 root guard 227 923 router redundancy protocols 509 1111 VRRP 509 1111 Routing Information Protocol See RIP routing nformation base description 1172 routing table displaying 505 1171 RSA encryption 314 315 763 RSTP 215 907 global settings configuring 219 907 global settings displaying 224 926 interface settings configuring 225 914 924 in...

Page 1341: ...1170 statistics ARP 502 1173 ICMP 1173 IP 1173 TCP 1173 UDP 1173 statistics port 148 859 STP 219 907 Also see STA summary accounting 286 751 switch settings restoring 123 660 saving 123 660 system clock setting 125 687 setting manually 126 691 setting the time zone 129 690 setting with SNTP 127 687 689 system logs 371 679 system software downloading from server 120 661 T TACACS logon authenticatio...

Page 1342: ...configuration 200 958 PVID 179 941 tunneling unknown groups 171 941 voice 271 964 voice VLANs 271 964 detecting VoIP devices 272 965 enabling for ports 274 967 969 identifying client devices 273 966 VoIP traffic 271 964 ports configuring 274 967 969 telephony OUI configuring 273 966 voice VLAN configuring 271 964 VoIP detecting devices 275 968 VRRP 509 1111 authentication 513 1112 configuration se...

Page 1343: ...DG GS4826S DG GS4850S E012011 R02 F1 2 2 0 ...

Page 1344: ......

Reviews:

No comments

Related manuals for DG-GS4826S

GarrettCom MAGNUM 6KM Installation And User Manual preview
MAGNUM 6KM
Brand: GarrettCom Pages: 24
IDEC HS5L Series Instruction Sheet preview
HS5L Series
Brand: IDEC Pages: 8
IDEM SAFETY SWITCHES MPR Operating Instructions preview
MPR
Brand: IDEM SAFETY SWITCHES Pages: 2
UNICOM DynaGST/2402G GEP-33224T-1 Specifications preview
DynaGST/2402G GEP-33224T-1
Brand: UNICOM Pages: 1
UNICONTROL Electronic Cleveland Controls RSS-498-013 Manual preview
Cleveland Controls RSS-498-013
Brand: UNICONTROL Electronic Pages: 2
Black Box LB9019A Installation preview
LB9019A
Brand: Black Box Pages: 2
plasa SRS Lighting DTS16F-DIN Instruction Manual preview
SRS Lighting DTS16F-DIN
Brand: plasa Pages: 4
Hama 00047693 Operating Instructions preview
00047693
Brand: Hama Pages: 2
Niles VSA-5 Owner'S Manual preview
VSA-5
Brand: Niles Pages: 7
Z-Band ZBT0100052 User Manual And Installation Manual preview
ZBT0100052
Brand: Z-Band Pages: 13
Harman AMX ENOVA DVX-3250HD-SP Instruction Manual preview
AMX ENOVA DVX-3250HD-SP
Brand: Harman Pages: 119
Ormazabal velatia cgm.3 system General Instructions Manual preview
velatia cgm.3 system
Brand: Ormazabal Pages: 76
Control 4 LSZ-101-W Installation And User Manual preview
LSZ-101-W
Brand: Control 4 Pages: 2
Enterasys Vertical Horizon VH-2402-L3 Management Manual preview
Vertical Horizon VH-2402-L3
Brand: Enterasys Pages: 201
3One data IES205 Hardware Installation Manual preview
IES205
Brand: 3One data Pages: 9
Black Box KVS4-1002HV User Manual preview
KVS4-1002HV
Brand: Black Box Pages: 15
Epcom KIT-TT4PVTURBO Quick Setup Manual preview
KIT-TT4PVTURBO
Brand: Epcom Pages: 2
Parallax Power Supply ATS 501 Series Manual preview
ATS 501 Series
Brand: Parallax Power Supply Pages: 2

Brands by name

Popular brands

Load more brands