Edge-Core ECS4610-24F Management Manual Download Page 750

Page: 750 / 1154

HAPTER

| Access Control Lists

IPv4 ACLs

– 750 –

permit

deny

(Extended IPv4 ACL)

This command adds a rule to an Extended IPv4 ACL. The rule sets a filter

condition for packets with specific source or destination IP addresses,

protocol types, source or destination protocol ports, or TCP control codes.

Use the

form to remove a rule.

YNTAX

{

permit

deny

} [

protocol

number |

udp

]

{

any

source address-bitmask |

host

source

}

{

any

destination address-bitmask |

host

destination

}

[

precedence

precedence

] [

tos

tos

] [

dscp

dscp

]

[

source

-port

sport

[

bitmask

]]

[

destination

-port

dport

[

port

bitmask

]]

[

time-range

time-range-name

]

{

permit

deny

} [

protocol

number |

udp

]

{

any

source address-bitmask |

host

source

}

{

any

destination address-bitmask |

host

destination

}

[

precedence

precedence

] [

tos

tos

] [

dscp

dscp

]

[

source

-port

sport

[

bitmask

]]

[

destination

-port

dport

[

port

bitmask

]]

{

permit

deny

}

tcp

{

any

source address-bitmask |

host

source

}

{

any

destination address-bitmask |

host

destination

}

[

precedence

precedence

] [

tos

tos

] [

dscp

dscp

]

[

source-port

sport

[

bitmask

]]

[

destination-port

dport

[

port

bitmask

]]

[

control-flag

control-flags

flag-bitmask

]

[

time-range

time-range-name

]

{

permit

deny

}

tcp

{

any

source address-bitmask |

host

source

}

{

any

destination address-bitmask |

host

destination

}

[

precedence

precedence

] [

tos

tos

] [

dscp

dscp

]

[

source-port

sport

[

bitmask

]]

[

destination-port

dport

[

port

bitmask

]]

[

control-flag

control-flags

flag-bitmask

]

protocol-number

– A specific protocol number. (Range: 0-255)

source

– Source IP address.

destination

– Destination IP address.

address-bitmask

– Decimal number representing the address bits to

match.

host

– Keyword followed by a specific IP address.

precedence

– IP precedence level. (Range: 0-7)

tos

– Type of Service level. (Range: 0-15)

dscp

– DSCP priority level. (Range: 0-63)

sport

– Protocol

source port number. (Range: 0-65535)

dport

– Protocol

destination port number. (Range: 0-65535)

11. Includes TCP, UDP or other protocol types.

Summary of Contents for ECS4610-24F

Page 1: ...Management Guide www edge core com ECS4610 24F 24 Port Layer 3 Gigabit Ethernet Switch...

Page 2: ......

Page 3: ...MANAGEMENT GUIDE ECS4610 24F GIGABIT ETHERNET SWITCH Layer 3 Switch with 22 1000BASE X SFP Ports and 2 Combination Gigabit Ports RJ 45 SFP ECS4610 24F E052010 ST R01 149100000092A...

Page 4: ......

Page 5: ...your attention to related features or instructions CAUTION Alerts you to a potential hazard that could cause loss of data or damage the system or equipment WARNING Alerts you to a potential hazard tha...

Page 6: ...ABOUT THIS GUIDE 6...

Page 7: ...tion 58 Access Control Lists 59 DHCP 59 Port Configuration 59 Port Mirroring 59 Port Trunking 59 Rate Limiting 60 Broadcast Storm Control 60 Static Addresses 60 IEEE 802 1D Bridge 60 Store and Forward...

Page 8: ...75 Saving or Restoring Configuration Settings 76 SECTION II WEB CONFIGURATION 79 3 USING THE WEB INTERFACE 81 Connecting to the Web Interface 81 Navigating the Web Browser Interface 82 Home Page 82 Co...

Page 9: ...Configuring Port Mirroring 130 Showing Port or Trunk Statistics 131 Trunk Configuration 135 Configuring a Static Trunk 136 Configuring a Dynamic Trunk 139 Displaying LACP Port Counters 144 Displaying...

Page 10: ...g the Dynamic Address Table 192 8 SPANNING TREE ALGORITHM 195 Overview 195 Configuring Loopback Detection 198 Configuring Global Settings for STA 199 Displaying Global Settings for STA 204 Configuring...

Page 11: ...gs for HTTPS 272 Replacing the Default Secure site Certificate 274 Configuring the Secure Shell 275 Configuring the SSH Server 278 Generating the Host Key Pair 279 Importing User Public Keys 281 Acces...

Page 12: ...ing Binding Information 332 14 BASIC ADMINISTRATION PROTOCOLS 335 Configuring Event Logging 335 System Log Configuration 335 Remote Log Configuration 337 Sending Simple Mail Transfer Protocol Alerts 3...

Page 13: ...ltering and Throttling 405 Configuring IGMP Filter Profiles 406 Configuring IGMP Filtering and Throttling for Interfaces 409 Layer 3 IGMP Query used with Multicast Routing 410 Configuring IGMP Proxy R...

Page 14: ...lobal Statistics 460 Displaying VRRP Group Statistics 461 19 IP SERVICES 463 Domain Name Service 463 Configuring General DNS Service Parameters 463 Configuring a List of Domain Names 464 Configuring a...

Page 15: ...figuring Stub Settings 516 Displaying Information on NSSA and Stub Areas 518 Configuring Area Ranges Route Summarization for ABRs 519 Redistributing External Routes 521 Configuring Summary Addresses f...

Page 16: ...Keywords and Arguments 569 Minimum Abbreviation 569 Command Completion 569 Getting Help on Commands 570 Partial Keyword Lookup 571 Negating the Effect of Commands 571 Using Command History 571 Underst...

Page 17: ...Frame Size 592 jumbo frame 592 File Management 593 boot system 594 copy 595 delete 598 dir 598 whichboot 599 Line 600 line 600 databits 601 exec timeout 602 login 603 parity 604 password 604 password...

Page 18: ...e 620 sntp client 620 sntp poll 621 sntp server 622 show sntp 622 clock timezone 623 calendar set 624 show calendar 624 Time Range 625 time range 625 absolute 626 periodic 626 25 SNMP COMMANDS 629 snm...

Page 19: ...654 show rmon history 654 show rmon statistics 655 27 AUTHENTICATION COMMANDS 657 User Accounts 657 enable password 658 username 659 Authentication Sequence 660 authentication enable 660 authenticati...

Page 20: ...g 677 Web Server 678 ip http port 678 ip http server 679 ip http secure server 679 ip http secure port 681 Telnet Server 681 ip telnet max sessions 682 ip telnet port 682 ip telnet server 683 show ip...

Page 21: ...management 705 show management 706 28 GENERAL SECURITY MEASURES 707 Port Security 708 mac learning 708 port security 709 Network Access MAC Address Authentication 711 network access aging 712 network...

Page 22: ...cp snooping database flash 731 show ip dhcp snooping 732 show ip dhcp snooping binding 732 IP Source Guard 733 ip source guard binding 733 ip source guard 735 ip source guard max binding 736 show ip s...

Page 23: ...ed IPv6 ACL 756 show ipv6 access list 758 ipv6 access group 759 show ipv6 access group 759 MAC ACLs 760 access list mac 760 permit deny MAC ACL 761 mac access group 763 show mac access group 764 show...

Page 24: ...790 lacp port priority 791 lacp system priority 792 lacp admin key Port Channel 792 show lacp 793 32 PORT MIRRORING COMMANDS 797 Local Port Mirroring Commands 797 port monitor 797 show port monitor 7...

Page 25: ...panning tree loopback detection release mode 822 spanning tree loopback detection trap 823 spanning tree mst cost 824 spanning tree mst port priority 825 spanning tree port priority 825 spanning tree...

Page 26: ...el tpid 848 show dot1q tunnel 849 Configuring Port based Traffic Segmentation 850 traffic segmentation 850 show traffic segmentation 851 Configuring Private VLANs 851 private vlan 853 private vlan ass...

Page 27: ...eue cos map 872 queue mode 873 queue weight 874 switchport priority default 875 show queue cos map 876 show queue mode 876 show queue weight 877 Priority Commands Layer 3 and 4 878 map ip dscp Global...

Page 28: ...ip igmp snooping tcn query solicit 909 ip igmp snooping unregistered data flood 910 ip igmp snooping unsolicited report interval 911 ip igmp snooping version 911 ip igmp snooping version exclusive 91...

Page 29: ...ow ip igmp profile 929 show ip igmp throttle interface 929 Multicast VLAN Registration 930 mvr 931 mvr immediate leave 932 mvr type 933 mvr vlan group 934 show mvr 935 IGMP Layer 3 937 ip igmp 937 ip...

Page 30: ...dp dot1 tlv proto ident 959 lldp dot1 tlv proto vid 959 lldp dot1 tlv pvid 960 lldp dot1 tlv vlan name 960 lldp dot3 tlv link agg 961 lldp dot3 tlv mac phy 961 lldp dot3 tlv max frame 962 lldp notific...

Page 31: ...6 dns server 986 domain name 987 hardware address 987 host 988 lease 989 netbios name server 990 netbios node type 991 network 991 next server 992 clear ip dhcp binding 993 show ip dhcp binding 993 sh...

Page 32: ...1014 show arp 1014 UDP Helper Configuration 1015 ip forward protocol udp 1015 ip helper 1016 ip helper address 1017 show ip helper 1018 45 IP ROUTING COMMANDS 1019 Global Routing Configuration 1019 ip...

Page 33: ...ortest Path First OSPFv2 1042 router ospf 1043 compatible rfc1583 1044 default information originate 1045 router id 1046 timers spf 1047 clear ip ospf process 1048 area default cost 1048 area range 10...

Page 34: ...ticast routing 1085 show ip mroute 1086 Static Multicast Routing 1088 ip igmp snooping vlan mrouter 1088 show ip igmp snooping mrouter 1089 PIM Multicast Routing 1090 PIM Commands 1090 router pim 1091...

Page 35: ...w ip pim bsr router 1110 show ip pim rp mapping 1111 show ip pim rp hash 1112 SECTION IV APPENDICES 1113 A SOFTWARE SPECIFICATIONS 1115 Software Features 1115 Management Features 1117 Standards 1117 M...

Page 36: ...CONTENTS 36...

Page 37: ...Zone 115 Figure 15 Console Port Settings 116 Figure 16 Telnet Connection Settings 118 Figure 17 Displaying CPU Utilization 119 Figure 18 Displaying Memory Utilization 119 Figure 19 Restarting the Swi...

Page 38: ...49 Figure 47 Configuring Members for Traffic Segmentation 150 Figure 48 Configuring VLAN Trunking 151 Figure 49 Configuring VLAN Trunking 152 Figure 50 VLAN Compliant and VLAN Non compliant Devices 15...

Page 39: ...orts 196 Figure 85 MSTP Region Internal Spanning Tree Multiple Spanning Tree 197 Figure 86 Common Internal Spanning Tree Common Spanning Tree Internal Spanning Tree 197 Figure 87 Configuring Port Loop...

Page 40: ...ation Server TACACS 251 Figure 122 Configuring AAA Server Groups 252 Figure 123 Showing AAA Server Groups 252 Figure 124 Configuring Global Settings for AAA Accounting 255 Figure 125 Configuring AAA A...

Page 41: ...289 Figure 157 Configuring an Extended IPv4 ACL 291 Figure 158 Configuring a Standard IPv6 ACL 293 Figure 159 Configuring an Extended IPv6 ACL 295 Figure 160 Configuring a MAC ACL 297 Figure 161 Confi...

Page 42: ...formation for LLDP Port 347 Figure 191 Displaying Remote Device Information for LLDP Port 351 Figure 192 Displaying Remote Device Information for LLDP Port Details 352 Figure 193 Displaying LLDP Devic...

Page 43: ...Attached a Multicast Router 396 Figure 230 Showing Current Interfaces Attached a Multicast Router 396 Figure 231 Assigning an Interface to a Multicast Service 398 Figure 232 Showing Static Interfaces...

Page 44: ...k Device 441 Figure 264 Proxy ARP 442 Figure 265 Configuring General Settings for ARP 443 Figure 266 Configuring Static ARP Entries 445 Figure 267 Displaying Static ARP Entries 445 Figure 268 Displayi...

Page 45: ...Figure 300 Configuring DHCP Server Address Pools Host 476 Figure 301 Showing Configured DHCP Server Address Pools 477 Figure 302 Shows Addresses Assigned by the DHCP Server 477 Figure 303 Enabling th...

Page 46: ...SA 513 Figure 337 Configuring Protocol Settings for an NSSA 516 Figure 338 OSPF Stub Area 516 Figure 339 Configuring Protocol Settings for a Stub 518 Figure 340 Displaying Information on NSSA and Stub...

Page 47: ...isplaying Detailed Entries from the Multicast Routing Table 547 Figure 364 Enabling PIM Multicast Routing 548 Figure 365 Configuring PIM Interface Settings Dense Mode 553 Figure 366 Configuring PIM In...

Page 48: ...FIGURES 48...

Page 49: ...tics 307 Table 14 ARP Inspection Log 308 Table 15 802 1X Statistics 320 Table 16 Logging Levels 336 Table 17 Chassis ID Subtype 345 Table 18 System Capabilities 346 Table 19 Port ID Subtype 348 Table...

Page 50: ...escription 641 Table 48 show snmp group display description 642 Table 49 show snmp user display description 643 Table 50 show snmp view display description 644 Table 51 RMON Commands 649 Table 52 Auth...

Page 51: ...84 show lacp neighbors display description 795 Table 85 show lacp sysid display description 796 Table 86 Port Mirroring Commands 797 Table 87 Mirror Port Commands 797 Table 88 Rate Limit Commands 801...

Page 52: ...on 936 Table 119 show mvr members display description 936 Table 120 IGMP Commands Layer 3 937 Table 121 show ip igmp groups display description 945 Table 122 show ip igmp groups detail display descrip...

Page 53: ...display description 1078 Table 150 show ip ospf interface display description 1079 Table 151 show ip ospf neighbor display description 1080 Table 152 show ip ospf neighbor display description 1082 Tab...

Page 54: ...TABLES 54...

Page 55: ...view of the switch and introduces some basic concepts about network switches It also describes the basic settings required to access the management interface This section includes these chapters Intro...

Page 56: ...SECTION I Getting Started 56...

Page 57: ...HA password Port IEEE 802 1X MAC address filtering General Security Measures Private VLANs Port Authentication Port Security DHCP Snooping IP Source Guard Access Control Lists Supports up to 36 ACLs p...

Page 58: ...r a web browser User names and passwords can be configured locally or can be verified via a remote authentication server i e RADIUS or IEEE 802 1D Bridge Supports dynamic data switching and addresses...

Page 59: ...client must physically reside on the same subnet Since it is not practical to have a DHCP server on every subnet DHCP Relay is also supported to allow dynamic configuration of local clients from a DH...

Page 60: ...ransparent bridging The address table facilitates data switching by learning addresses and then filtering or forwarding traffic based on this information The address table supports up to 16K addresses...

Page 61: ...restrict traffic to the VLAN groups to which a user has been assigned By segmenting your network into VLANs you can Eliminate broadcast storms which severely degrade performance in a flat network Sim...

Page 62: ...based on Layer 2 Layer 3 or Layer 4 information contained in each packet Based on network policies different kinds of traffic can be marked for different kinds of forwarding IP ROUTING The switch pro...

Page 63: ...resses to forward packets from one hop to the next Either static or dynamic entries can be configured in the ARP cache Proxy ARP allows hosts that do not support routing to determine the MAC address o...

Page 64: ...ustomer s frames when they enter the service provider s network and then stripping the tags when the frames leave the network SYSTEM DEFAULTS The switch s system defaults are provided in the configura...

Page 65: ...led Auto negotiation Enabled Flow Control Disabled Port Trunking Static Trunks None LACP all ports Disabled Congestion Control Rate Limiting Disabled Storm Control Broadcast Enabled 500 packets sec Ad...

Page 66: ...P Client Enabled Relay Disabled Server Disabled DNS Client Proxy service Disabled BOOTP Disabled ARP Enabled Cache Timeout 20 minutes Proxy Disabled Unicast Routing RIP Disabled OSPFv2 Disabled Router...

Page 67: ...andard web browser such as Internet Explorer 5 x or above Netscape 6 2 or above and Mozilla Firefox 2 0 0 0 or above The switch s web management interface can be accessed from any computer attached to...

Page 68: ...on any port for excessive broadcast traffic Display system information and statistics REQUIRED CONNECTIONS The switch provides an RS 232 serial port that enables a connection to a PC or terminal for...

Page 69: ...k and default gateway using a console connection or DHCP protocol An IPv4 address for this switch is obtained via DHCP by default To manually configure this address or enable dynamic address assignmen...

Page 70: ...nter admin 3 At the Password prompt also enter admin The password characters are not displayed on the console screen 4 The session is opened and the CLI displays the Console prompt indicating you have...

Page 71: ...specify a default gateway that resides between this device and management stations that exist on another network segment Valid IPv4 addresses consist of four decimal numbers 0 to 255 separated by per...

Page 72: ...start broadcasting service requests Note that the ip dhcp restart client command can also be used to start broadcasting service requests for all VLANs configured to obtain address assignments through...

Page 73: ...ing requested by the managers through trap messages which inform the manager that certain events have occurred The switch includes an SNMP agent that supports SNMP version 1 2c and 3 clients To provid...

Page 74: ...ngs If there are no community strings then SNMP management access from SNMP v1 and v2c clients is disabled TRAP RECEIVERS You can also specify SNMP stations that are to receive traps from the switch T...

Page 75: ...l on page 354 or refer to the specific CLI commands for SNMP starting on page 629 MANAGING SYSTEM FILES The switch s flash memory supports three types of system files that can be managed by the CLI pr...

Page 76: ...save all your configuration changes in nonvolatile storage you must copy the running configuration file to the start up configuration file using the copy command New startup configuration files must h...

Page 77: ...tftp startup config and press Enter 2 Enter the address of the TFTP server Press Enter 3 Enter the name of the startup file stored on the server Press Enter 4 Enter the name for the startup file on th...

Page 78: ...CHAPTER 2 Initial Switch Configuration Managing System Files 78...

Page 79: ...VLAN Configuration on page 153 Address Table Settings on page 187 Spanning Tree Algorithm on page 195 Rate Limit Configuration on page 219 Storm Control Configuration on page 221 Class of Service on...

Page 80: ...SECTION II Web Configuration 80 Unicast Routing on page 483 Multicast Routing on page 541...

Page 81: ...ateway using an out of band serial connection BOOTP or DHCP protocol See Setting an IP Address on page 71 2 Set user names and passwords using an out of band serial connection Access to the web agent...

Page 82: ...nistrator has Read Write access to all configuration parameters and statistics The default user name and password for the administrator is admin HOME PAGE When your web browser connects with the switc...

Page 83: ...Tools Internet Options General Temporary Internet Files Settings the setting for item Check for newer versions of stored pages should be Every visit to the page PANEL DISPLAY The web agent displays a...

Page 84: ...nual Manually sets the current time 111 SNTP Configures SNTP polling interval 112 Configure Time Server Configures a list of SNTP servers 113 Configure Time Zone Sets the local time zone for the syste...

Page 85: ...egation group members on the remote side 139 Show Information Counters Displays statistics for LACP protocol messages 144 Internal Displays configuration settings and operational state for the local s...

Page 86: ...vate Configure VLAN Add Creates primary or community VLANs 167 Show Display configured primary and community VLANs 167 Add Community VLAN Associates a community VLAN with a primary VLAN 168 Show Commu...

Page 87: ...obal Configure Configures global bridge settings for STP RSTP and MSTP 199 Show Informaton Displays STA values used for the bridge 204 Configure Interface Configure Configures interface settings for S...

Page 88: ...ice VLAN and VLAN aging time 239 Configure OUI 241 Add Maps the OUI in the source MAC address of ingress packets to the VoIP device manufacturer 241 Show Shows the OUI telephony list 241 Configure Int...

Page 89: ...lied to specific interfaces 258 User Accounts 261 Add Configures user names passwords and access levels 261 Show Shows authorized users 261 Modify Modifies user attributes 261 Network Access MAC addre...

Page 90: ...nd other packet attributes 286 Show Rule Shows the rules specified for an ACL 286 Configure Interface Binds a port to the specified ACL and time range 300 ARP Inspection 301 Configure General Enables...

Page 91: ...Layer Discovery Protocol 340 Configure Global Configures global LLDP timing parameters 340 Configure Interface Sets the message transmission mode enables SNMP notification and sets the LLDP attribute...

Page 92: ...r Group Assign a local user to a new group 368 Add SNMPv3 Remote User Configures SNMPv3 users from a remote device 370 Show SNMPv3 Remote User Shows SNMPv3 users set from a remote device 370 Configure...

Page 93: ...formation Dynamic Address Shows dynamically learned entries in the IP routing table 445 Other Address Shows internal addresses used by the switch 445 Statistics Shows statistics on ARP requests sent a...

Page 94: ...ws the name server address list 466 Static Host Table Add Configures static entries for domain name to address mapping 467 Show Shows the list of static mapping entries 467 Modify Modifies the static...

Page 95: ...ssigns ports that are attached to a neighboring multicast router 395 Show Static Multicast Router Displays ports statically configured as attached to a neighboring multicast router 395 Show Current Mu...

Page 96: ...for each VLAN 418 Show Detail Shows detailed information on each multicast group associated with a VLAN interface 418 Multicast Routing 541 General Globally enables multicast routing 544 Information 5...

Page 97: ...Redistribute 493 Add Imports external routing information from other routing domains that is protocols into the autonomous system 493 Show Shows the external routing information to be imported from ot...

Page 98: ...count LSA count and LSA checksum 518 Area Range 519 Add Configures route summaries to advertise at an area boundary 519 Show Shows route summaries advertised at an area boundary 519 Modify Modifies r...

Page 99: ...lays information neighboring PIM routers 554 PIM SM Protocol Independent Multicasting Sparse Mode Configure Global Configures settings for register messages and use of the SPT 554 BSR Candidate Config...

Page 100: ...CHAPTER 3 Using the Web Interface Navigating the Web Browser Interface 100...

Page 101: ...system start up files Setting the System Clock Sets the current time manually or through specified SNTP servers Console Port Settings Sets console port connection parameters Telnet Settings Sets Teln...

Page 102: ...management agent has been up System Name Name assigned to the switch system System Location Specifies the system location System Contact Administrator responsible for the system WEB INTERFACE To conf...

Page 103: ...Serial Number The serial number of the switch Number of Ports Number of built in ports Hardware Version Hardware version of the main board Internal Power Status Displays the status of the internal po...

Page 104: ...psulation fields CLI REFERENCES System Management Commands on page 587 USAGE GUIDELINES To use jumbo frames both the source and destination end nodes such as a computer or server must support this fea...

Page 105: ...ses This switch provides mapping of user priorities to multiple traffic classes Refer to Class of Service on page 223 Static Entry Individual Port This switch allows static filtering for unicast and m...

Page 106: ...g Bridge Extension Configuration MANAGING SYSTEM FILES This section describes how to upgrade the switch operating software or configuration files and set the system start up files COPYING FILES VIA FT...

Page 107: ...erver FTP TFTP Server IP Address IP address of an FTP or TFTP server User Name The user name for FTP server access Password The password for FTP server access File Type Specify Operation Code to copy...

Page 108: ...tch to overwrite or specify a new file name 9 Then click Apply Figure 7 Copy Firmware If you replaced a file currently used for startup and want to start using the new file reboot the system via the S...

Page 109: ...d the maximum length for file names is 31 characters for files on the switch Valid characters A Z a z 0 9 _ NOTE The maximum number of user defined configuration files is limited only by available fla...

Page 110: ...Up from the Action list 3 Mark the operation code or configuration file to be used at startup 4 Then click Apply Figure 9 Setting Start Up Files To start using the new firmware or configuration setti...

Page 111: ...actory default set at the last bootup When the SNTP client is enabled the switch periodically sends a request for a time update to a configured time server You can configure up to three time server IP...

Page 112: ...tem Clock CONFIGURING SNTP Use the System Time Configure General SNTP page to configure the switch to send time synchronization requests to time servers Set the SNTP polling interval SNTP servers and...

Page 113: ...e Time Server page to specify the IP address for up to three SNTP time servers CLI REFERENCES sntp server on page 622 PARAMETERS The following parameters are displayed in the web interface SNTP Server...

Page 114: ...of UTC You can choose one of the 80 predefined time zone definitions or your can manually configure the parameters for your local time zone PARAMETERS The following parameters are displayed in the we...

Page 115: ...that the system waits for a user to log into the CLI If a login attempt is not detected within the timeout interval the connection is terminated for the session Range 0 300 seconds Default 0 seconds E...

Page 116: ...aud rate for transmit to terminal and receive from terminal Set the speed to match the baud rate of the device connected to the serial port Range 9600 19200 or 38400 baud Default 115200 baud NOTE The...

Page 117: ...300 seconds Default 300 seconds Exec Timeout Sets the interval that the system waits until user input is detected If user input is not detected within the timeout interval the current session is term...

Page 118: ...display information on CPU utilization CLI REFERENCES no comparable command PARAMETERS The following parameters are displayed in the web interface Time Interval The interval at which to update the dis...

Page 119: ...on parameters CLI REFERENCES no comparable command PARAMETERS The following parameters are displayed in the web interface Free Size The amount of memory currently free for use Used Size The amount of...

Page 120: ...ETERS The following parameters are displayed in the web interface System Reload Configuration Reset Mode Restarts the switch immediately or at the specified time s Immediately Restarts the system imme...

Page 121: ...d Daily Every day Weekly Day of the week at which to reload Range Sunday Saturday Monthly Day of the month at which to reload Range 1 31 WEB INTERFACE To restart the switch 1 Click System then Reset 2...

Page 122: ...CHAPTER 4 Basic Management Tasks Resetting the System 122 Figure 20 Restarting the Switch In Figure 21 Restarting the Switch At...

Page 123: ...CHAPTER 4 Basic Management Tasks Resetting the System 123 Figure 22 Restarting the Switch Regularly...

Page 124: ...CHAPTER 4 Basic Management Tasks Resetting the System 124...

Page 125: ...CONFIGURATION This section describes how to configure port connections mirror traffic from one port to another and run cable diagnostics CONFIGURING BY PORT LIST Use the Interface Port General Config...

Page 126: ...t in RJ 45 port SFP Forced Always uses the SFP port even if a module is not installed This is the default for Ports 3 24 SFP Preferred Auto Uses SFP port if both combination types are functioning and...

Page 127: ...on enabled on Gigabit ports disabled on 10G ports Advertised capabilities for 1000BASE T 10half 10full 100half 100full 1000full 1000Base SX LX LH 1000full Speed Duplex Allows you to manually set the p...

Page 128: ...e 125 CLI REFERENCES Interface Commands on page 769 WEB INTERFACE To configure port connection parameters 1 Click Interface Port General 2 Select Configure by Port Range from the Action List 3 Enter t...

Page 129: ...pe Media type used Options Ports 1 2 Copper Forced SFP Forced or SFP Preferred Auto Ports 3 24 SFP Forced Default Ports 1 2 SFP Preferred Auto Ports 3 24 SFP Forced Autonegotiation Shows if auto negot...

Page 130: ...d source port speed otherwise traffic may be dropped from the monitor port When mirroring port traffic the target port must be included in the same VLAN as the source port when using MSTP see Spanning...

Page 131: ...c based on the RMON MIB Interfaces and Ethernet like statistics display errors on the traffic passing through each port This information can be used to identify potential problems with the switch such...

Page 132: ...discarding such a packet could be to free up buffer space Received Multicast Packets The number of packets delivered by this sub layer to a higher sub layer which were addressed to a multicast addres...

Page 133: ...rces Jabbers The total number of frames received that were longer than 1518 octets excluding framing bits but including FCS octets and had either an FCS or alignment error Fragments The total number o...

Page 134: ...The total number of packets including bad packets received and transmitted where the number of octets fall within the specified range excluding framing bits but including FCS octets Utilization Stati...

Page 135: ...s where bottlenecks exist as well as providing a fault tolerant link between two devices You can create up to 12 trunks at a time on the switch The switch supports both static trunking and dynamic Lin...

Page 136: ...at both ends of a connection must be configured as trunk ports When configuring static trunks on switches of different types they must be compatible with the Cisco EtherChannel standard The ports at b...

Page 137: ...before removing a static trunk via the configuration interface PARAMETERS These parameters are displayed in the web interface Trunk ID Trunk identifier Range 1 32 Member The initial trunk member Use...

Page 138: ...onfigure connection parameters for a static trunk 1 Click Interface Trunk Static 2 Select Configure General from the Step list 3 Select Configure from the Action list 4 Modify the required interface s...

Page 139: ...s also enabled LACP on the connected ports the trunk will be activated automatically A trunk formed with another switch using LACP will automatically be assigned the next available trunk ID If more th...

Page 140: ...1 By default the Actor Admin Key is determined by port s link speed and copied to Oper Key The Partner Admin Key is assigned to zero and the Oper Key is set based upon LACP PDUs received from the Part...

Page 141: ...om the Step list 3 Set the Admin Key for the required LACP group 4 Click Apply Figure 37 Configuring the LACP Aggregator Admin Key To enable LACP for a port 1 Click Interface Trunk Dynamic 2 Select Co...

Page 142: ...st 3 Select Configure from the Action list 4 Click Actor or Partner 5 Configure the required settings 6 Click Apply Figure 39 Configuring LACP Parameters on a Port To show the active members of a dyna...

Page 143: ...4 Modify the required interface settings See Configuring by Port List on page 125 for a description of the interface settings 5 Click Apply Figure 41 Configuring Connection Settings for Dynamic Trunk...

Page 144: ...Port list Table 6 LACP Port Counters Parameter Description LACPDUs Sent Number of valid LACPDUs transmitted from this channel group LACPDUs Received Number of valid LACPDUs received on this channel g...

Page 145: ...RENCES show lacp on page 793 PARAMETERS These parameters are displayed in the web interface Table 7 LACP Internal Configuration Information Parameter Description LACP System Priority LACP system prior...

Page 146: ...d in the absence of administrative changes or changes in received protocol information Collecting Collection of incoming frames on this link is enabled i e collection is currently enabled and is not e...

Page 147: ...user Partner Oper System ID LAG partner s system ID assigned by the LACP protocol Partner Admin Port Number Current administrative value of the port number for the protocol Partner Partner Oper Port...

Page 148: ...P settings and status for the remote side 1 Click Interface Trunk Dynamic 2 Select Configure Aggregation Port from the Step list 3 Select Show Information from the Action list 4 Click Neighbors 5 Sele...

Page 149: ...rts is only forwarded to and from uplink ports ENABLING TRAFFIC SEGMENTATION Use the Interface Traffic Segmentation Configure Global page to enable traffic segmentation CLI REFERENCES Configuring Port...

Page 150: ...ort based Traffic Segmentation on page 850 PARAMETERS These parameters are displayed in the web interface Interface Displays a list of ports or trunks Port Port Identifier Range 1 24 Trunk Trunk Ident...

Page 151: ...frames with unknown VLAN group tags However by enabling VLAN trunking on the intermediate switch ports along the path connecting VLANs 1 and 2 you only need to create these VLAN groups in switches A...

Page 152: ...nly be enabled on Gigabit ports Trunk Trunk Identifier Range 1 32 VLAN Trunking Status Enables VLAN trunking on the selected interface WEB INTERFACE To enable VLAN trunking on a port or trunk 1 Click...

Page 153: ...mapping table IEEE 802 1Q VLANS In large networks routers are used to isolate broadcast traffic for each subnet into separate domains This switch provides a similar service at Layer 2 by using VLANs t...

Page 154: ...AN 1 as untagged ports Add a port as a tagged port if you want it to carry traffic for one or more VLANs and any intermediate network devices or the host at the other end of the connection supports VL...

Page 155: ...ld be assigned If an end station or its network adapter supports the IEEE 802 1Q VLAN protocol it can be configured to broadcast a message to your network indicating the VLAN groups it wants to join W...

Page 156: ...estination host the switch must first strip off the VLAN tag before forwarding the frame When the switch receives a tagged frame it will pass this frame onto the VLAN s indicated by the frame tag Howe...

Page 157: ...te VLAN groups 1 Click VLAN Static 2 Select Add from the Action list 3 Enter a VLAN ID or range of IDs 4 Mark Enable to configure the VLAN as operational 5 Click Apply Figure 52 Creating Static VLANs...

Page 158: ...ces Use the menus for editing port members to configure the VLAN behavior for specific interfaces including the mode of operation Hybrid or 1Q Trunk the default VLAN identifier PVID accepted frame typ...

Page 159: ...er of VLAN 1 and you assign its PVID to this VLAN the interface will automatically be added to VLAN 1 as an untagged member For all other VLANs the PVID must be defined first then the status of the VL...

Page 160: ...Automatic VLAN Registration on page 155 None Interface is not a member of the VLAN Packets associated with this VLAN will not be transmitted by the interface NOTE VLAN 1 is the default untagged VLAN c...

Page 161: ...hat Membership Type cannot be changed until an interface has been added to another VLAN and the PVID changed to anything other than 1 5 Click Apply Figure 55 Configuring Static Members by VLAN Index T...

Page 162: ...he Step list 3 Set the Interface type to display as Port or Trunk 4 Enter an interface range 5 Modify the VLAN parameters as required Remember that the PVID acceptable frame type and ingress filtering...

Page 163: ...tatus Enables disables GVRP for the interface GVRP must be globally enabled for the switch before this setting can take effect using the Configure General page When disabled any GVRP packets received...

Page 164: ...tch has joined through GVRP Interface Displays a list of ports or trunks which have joined the selected VLAN through GVRP WEB INTERFACE To configure GVRP on the switch 1 Click VLAN Dynamic 2 Select Co...

Page 165: ...this switch 1 Click VLAN Dynamic 2 Select Show Dynamic VLAN from the Step list 3 Select Show VLAN from the Action list Figure 60 Showing Dynamic VLANs Registered on the Switch To show the members of...

Page 166: ...t while the community ports provide restricted access to local users Multiple primary VLANs can be configured on this switch and multiple community VLANs can be associated with each primary VLAN Note...

Page 167: ...o community ports within secondary or community VLANs Community Conveys traffic between community ports and to their promiscuous ports in the associated primary VLAN WEB INTERFACE To configure private...

Page 168: ...S These parameters are displayed in the web interface Primary VLAN ID of primary VLAN 2 4093 Community VLAN VLAN associated with the selected primary VLAN WEB INTERFACE To associate a community VLAN w...

Page 169: ...ing Associated VLANs CONFIGURING PRIVATE VLAN INTERFACES Use the VLAN Private Configure Interface page to set the private VLAN interface type and assign the interfaces to a private VLAN CLI REFERENCES...

Page 170: ...scuous then specify the associated primary VLAN Community VLAN A community VLAN conveys traffic between community ports and from community ports to their designated promiscuous ports Set Port Mode to...

Page 171: ...VLAN IDs QinQ tunneling expands VLAN space by using a VLAN in VLAN hierarchy preserving the customer s original tagged packets and adding SPVLAN tags to each frame also called double tagging A port c...

Page 172: ...r tag if it is a tagged or priority tagged packet 2 After successful source and destination lookup the ingress process sends the packet to the switching process with two tags If the incoming packet is...

Page 173: ...l to the TPID of the uplink port no new VLAN tag is added If the uplink port is not the member of the outer VLAN of the incoming packets the packet will be dropped when ingress filtering is enabled If...

Page 174: ...formation are not supported on tunnel ports Spanning tree bridge protocol data unit BPDU filtering is automatically disabled on a tunnel port General Configuration Guidelines for QinQ 1 Enable Tunnel...

Page 175: ...ort Range hexadecimal 0800 FFFF Default 8100 Use this field to set a custom 802 1Q ethertype value This feature allows the switch to interoperate with third party switches that do not use the standard...

Page 176: ...ed client is using a nonstandard 2 byte ethertype to identify 802 1Q tagged frames Then use the Configure Interface page to set the access interface on the edge switch to Tunnel mode and set the uplin...

Page 177: ...easily grouped into a common VLAN This may require non standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol This kind of...

Page 178: ...col groups CLI REFERENCES protocol vlan protocol group Configuring Groups on page 858 PARAMETERS These parameters are displayed in the web interface Frame Type Choose either Ethernet RFC 1042 or LLC O...

Page 179: ...rom the Action list 4 Select an entry from the Frame Type list 5 Select an entry from the Protocol Type list 6 Enter an identifier for the protocol group 7 Click Apply Figure 70 Configuring Protocol V...

Page 180: ...he frame is tagged it will be processed according to the standard rules applied to tagged frames If the frame is untagged and the protocol type matches the frame is forwarded to the appropriate VLAN I...

Page 181: ...affic will be forwarded 7 Click Apply Figure 72 Assigning Interfaces to Protocol VLANs To show the protocol groups mapped to a port or trunk 1 Click VLAN Protocol 2 Select Configure Interface from the...

Page 182: ...VLAN ID An IP subnet consists of an IP address and a mask When an untagged frame is received by a port the source IP address is checked against the IP subnet to VLAN mapping table and if an entry is...

Page 183: ...field 4 Enter a mask in the Subnet Mask field 5 Enter the identifier in the VLAN field Note that the specified VLAN need not already be configured 6 Enter a value to assign to untagged frames in the...

Page 184: ...es cannot be broadcast or multicast addresses When MAC based IP subnet based and protocol based VLANs are supported concurrently priority is applied in this sequence and then port based VLANs last PAR...

Page 185: ...tion Configuring MAC based VLANs 185 6 Click Apply Figure 76 Configuring MAC Based VLANs To show the MAC addresses mapped to a VLAN 1 Click VLAN MAC Based 2 Select Show from the Action list Figure 77...

Page 186: ...CHAPTER 6 VLAN Configuration Configuring MAC based VLANs 186...

Page 187: ...MAC ADDRESS LEARNING Use the MAC Address Learning Status page to enable or disable MAC address learning on an interface CLI REFERENCES mac learning on page 708 COMMAND USAGE When MAC address learning...

Page 188: ...ee Configuring Port Security on page 311 is enabled on the same interface PARAMETERS These parameters are displayed in the web interface Interface Displays a list of ports or trunks Port Port Identifi...

Page 189: ...n on another interface the address will be ignored and will not be written to the address table Static addresses will not be removed from the address table when a given interface link is down A static...

Page 190: ...GING THE AGING TIME Use the MAC Address Dynamic Configure Aging page to set the aging time for entries in the dynamic address table The aging time is used to age out dynamically learned forwarding inf...

Page 191: ...dress for traffic entering the switch When the destination address for inbound traffic is found in the database the packets intended for that address are forwarded directly to the associated port Othe...

Page 192: ...EARING THE DYNAMIC ADDRESS TABLE Use the MAC Address Dynamic Clear Dynamic MAC page to remove any learned entries from the forwarding database CLI REFERENCES clear mac address table dynamic on page 80...

Page 193: ...3 Select the method by which to clear the entries i e All MAC Address VLAN or Interface 4 Enter information in the additional fields required for clearing entries by MAC Address VLAN or Interface 5 C...

Page 194: ...CHAPTER 7 Address Table Settings Clearing the Dynamic Address Table 194...

Page 195: ...nt switch bridge or router in your network to ensure that only one route exists between any two stations on the network and provide backup links which automatically take over when a primary link goes...

Page 196: ...seconds compared to 30 seconds or more for STP by reducing the number of state changes before active ports start learning predefining an alternate route that can be used when a node or port fails and...

Page 197: ...idge node for communications with STP or RSTP nodes in the global network Figure 86 Common Internal Spanning Tree Common Spanning Tree Internal Spanning Tree MSTP connects all bridges and LAN segments...

Page 198: ...s own BPDUs in a forward delay interval NOTE If loopback detection is not enabled and an interface receives it s own BPDU then the interface will drop the loopback BPDU according to IEEE Standard 802...

Page 199: ...ands on page 807 COMMAND USAGE Spanning Tree Protocol1 Uses RSTP for the internal state machine but sends only 802 1D BPDUs This creates one spanning tree instance for the entire network If multiple V...

Page 200: ...in a specific set of spanning tree instances A spanning tree instance can exist only on bridges that have compatible VLAN instance assignments Be careful when switching between spanning tree modes Ch...

Page 201: ...Switch Becomes Root Hello Time Interval in seconds at which the root device transmits a configuration message Default 2 Minimum 1 Maximum The lower of 10 or Max Message Age 2 1 Maximum Age The maximu...

Page 202: ...ST Region Revision2 The revision for this MSTI Range 0 65535 Default 0 Region Name2 The name for this MSTI Maximum length 32 characters switch s MAC address Max Hop Count The maximum number of hops al...

Page 203: ...CHAPTER 8 Spanning Tree Algorithm Configuring Global Settings for STA 203 Figure 88 Configuring Global Settings for STA STP Figure 89 Configuring Global Settings for STA RSTP...

Page 204: ...n page 829 show spanning tree mst configuration on page 830 PARAMETERS The parameters displayed in the web interface are described in the preceding section except for the following items Bridge ID A u...

Page 205: ...ACE To display global STA settings 1 Click Spanning Tree STA 2 Select Configure Global from the Step list 3 Select Show Information from the Action list Figure 91 Displaying Global Settings for STA CO...

Page 206: ...ower values should be assigned to ports attached to faster media and higher values assigned to ports with slower media Also not that path cost takes precedence over port priority Range 0 for auto conf...

Page 207: ...iguration events does not cause the spanning tree to initiate reconfiguration when the interface changes state and also overcomes other STA related timeout problems However remember that Edge Port sho...

Page 208: ...n administrator must manually enable the port Default Disabled BPDU Filter BPDU filtering allows you to avoid transmitting BPDUs on configured edge ports that are connected to end nodes By default STA...

Page 209: ...Tree Shows if STA has been enabled on this interface STA Status Displays current state of this port within the Spanning Tree Discarding Port receives STA configuration messages but does not forward p...

Page 210: ...mmunicate with the root of the Spanning Tree Oper Path Cost The contribution of this port to the path cost of paths towards the spanning tree root which include this port Oper Link Type The operationa...

Page 211: ...Step list 3 Select Show Information from the Action list Figure 94 Displaying Interface Settings for STA Alternate port receives more useful BPDUs from another bridge and is therefore not selected as...

Page 212: ...thin the same MSTI Region page 199 with the same set of instances and the same instance on each bridge with the same set of VLANs Also note that RSTP treats each MSTI region as a single node connectin...

Page 213: ...the MST instance identifier and the initial VLAN member Additional member can be added using the Spanning Tree MSTP Configure Global Add Member page If the priority is not specified the default value...

Page 214: ...he priority for an MSTP Instance 5 Click Apply Figure 97 Modifying the Priority for an MST Instance To display global settings for MSTP 1 Click Spanning Tree MSTP 2 Select Configure Global from the St...

Page 215: ...ect an MST instance from the MST ID list 5 Enter the VLAN group to add to the instance in the VLAN ID field Note that the specified member does not have to be a configured VLAN 6 Click Apply Figure 99...

Page 216: ...d for this port in the Spanning Tree Protocol If the path cost for all ports on a switch are the same the port with the highest priority i e lowest value will be configured as an active link in the Sp...

Page 217: ...trunk 1 Click Spanning Tree MSTP 2 Select Configure Interface from the Step list 3 Select Configure from the Action list 4 Enter the priority and path cost for an interface 5 Click Apply Figure 101 Co...

Page 218: ...CHAPTER 8 Spanning Tree Algorithm Configuring Interface Settings for MSTP 218...

Page 219: ...is configured with this feature the traffic rate will be monitored by the hardware to verify conformity Non conforming traffic is dropped conforming traffic is forwarded without any changes CLI REFERE...

Page 220: ...CHAPTER 9 Rate Limit Configuration 220 Figure 103 Configuring Rate Limits...

Page 221: ...REFERENCES switchport packet rate on page 777 COMMAND USAGE Broadcast Storm Control is enabled by default Broadcast control does not effect IP multicast traffic PARAMETERS These parameters are displa...

Page 222: ...CHAPTER 10 Storm Control Configuration 222 Figure 104 Configuring Broadcast Storm Control...

Page 223: ...t kinds of traffic can be marked for different kinds of forwarding All switches or routers that access the Internet rely on class information to provide the same forwarding treatment to packets in the...

Page 224: ...nitor the maximum throughput and burst rate Then specify the action to take for conforming traffic or the action to take for a policy violation 5 Use the Configure Interface page to assign a policy ma...

Page 225: ...the lone match command ACL Name of an access control list Any type of ACL can be specified including standard or extended IP ACLs and MAC ACLs IP DSCP A DSCP value Range 0 63 IP Precedence An IP Prec...

Page 226: ...aps To edit the rules for a class map 1 Click Traffic DiffServ 2 Select Configure Class from the Step list 3 Select Add Rule from the Action list 4 Select the name of a class map 5 Specify type of tra...

Page 227: ...ich indicates how to match the inbound packets according to an access list a DSCP or IP Precedence value or a member of specific VLAN A policy map is then configured which indicates the boundary param...

Page 228: ...lors as described below A packet is marked green if it doesn t exceed the committed information rate and committed burst size yellow if it does exceed the committed information rate and committed burs...

Page 229: ...peak information rate PIR and their associated burst sizes committed burst size BC or burst rate and peak burst size BP Action may taken for traffic conforming to the maximum throughput exceeding the...

Page 230: ...ed as red or if Tp t B 0 the packet is red else if the packet has been precolored as yellow or if Tc t B 0 the packet is yellow and Tp is decremented by B else the packet is green and both Tp and Tc a...

Page 231: ...committed burst size BC or burst rate and the action to take for conforming and non conforming traffic Policing is based on a token bucket where bucket depth that is the maximum burst before the buck...

Page 232: ...colors The color modes include Color Blind which assumes that the packet stream is uncolored and Color Aware which assumes that the incoming packets are pre colored The functional differences between...

Page 233: ...hroughput exceeding the maximum throughput but within the peak information rate or exceeding the peak information rate In addition to the actions defined by this command to transmit remark the DSCP se...

Page 234: ...ether traffic that exceeds the maximum rate CIR but is within the peak information rate PIR will be dropped or the DSCP service level will be reduced Set IP DSCP Decreases DSCP priority for out of con...

Page 235: ...olicy from the Step list 3 Select Add Rule from the Action list 4 Select the name of a policy map 5 Set the CoS or per hop behavior for matching packets to specify the quality of service to be assigne...

Page 236: ...Policies 236 Figure 111 Adding Rules to a Policy Map To show the rules for a policy map 1 Click Traffic DiffServ 2 Select Configure Policy from the Step list 3 Select Show Rule from the Action list Fi...

Page 237: ...ne policy map can be bound to an interface The switch does not allow a policy map to be bound to an interface for egress traffic PARAMETERS These parameters are displayed in the web interface Port Spe...

Page 238: ...CHAPTER 11 Quality of Service Attaching a Policy Map to a Port 238...

Page 239: ...isolating the VoIP traffic from other data traffic End to end QoS policies and high priority can be applied to VoIP VLAN traffic across the network guaranteeing the bandwidth it needs VLAN isolation...

Page 240: ...ady be created on the switch Range 1 4093 Voice VLAN Aging Time The time after which a port is removed from the Voice VLAN when VoIP traffic is no longer received on the port Range 5 43200 minutes Def...

Page 241: ...layed in the web interface Telephony OUI Specifies a MAC address range to add to the list Enter the MAC address in format 01 23 45 67 89 AB Mask Identifies a range of MAC addresses Selecting a mask of...

Page 242: ...ge to configure ports for VoIP traffic you need to set the mode Auto or Manual specify the discovery method to use and set the traffic priority You can also enable security filtering to ensure that on...

Page 243: ...the port Default OUI OUI Traffic from VoIP devices is detected by the Organizationally Unique Identifier OUI of the source MAC address OUI numbers are assigned to manufacturers and form the first thr...

Page 244: ...CHAPTER 12 VoIP Traffic Configuration Configuring VoIP Traffic Ports 244 Figure 117 Configuring Port Settings for a Voice VLAN...

Page 245: ...e web connection SSH Provide a secure shell for secure Telnet access ACL Access Control Lists provide packet filtering for IP frames based on address protocol Layer 4 protocol port number or TCP contr...

Page 246: ...ed services For example when the switch attempts to authenticate a user a request is sent to the first server in the defined group if there is no response the second server will be tried and so on If...

Page 247: ...ote authentication server is used you must specify the authentication sequence Then specify the corresponding parameters for the remote authentication protocol using the Security AAA Server page Local...

Page 248: ...DIUS aware or TACACS aware devices on the network An authentication server contains a database of multiple user name password pairs with associated privilege levels for each user that requires managem...

Page 249: ...ver RADIUS Global Provides globally applicable RADIUS settings Server Index Specifies one of five RADIUS servers that may be configured The switch attempts authentication using the listed sequence of...

Page 250: ...use blank spaces in the string Maximum length 48 characters Confirm Authentication Key Re type the string entered in the previous field to ensure no errors were made The switch will not change the en...

Page 251: ...6 Click Apply Figure 120 Configuring Remote Authentication Server RADIUS Figure 121 Configuring Remote Authentication Server TACACS To configure the RADIUS or TACACS server groups to use for accountin...

Page 252: ...server to use for each priority level 6 Click Apply Figure 122 Configuring AAA Server Groups To show the RADIUS or TACACS server groups used for accounting and authorization 1 Click Security AAA Serve...

Page 253: ...nutes where 0 means disabled Configure Method Accounting Type Specifies the service as 802 1X Accounting for end users Exec Administrative accounting for local console Telnet or SSH connections Method...

Page 254: ...unting service Method Name Displays the user defined or default accounting method Server Group Name Displays the accounting server group Interface Displays the port console or Telnet interface to whic...

Page 255: ...g method applied to various service types and the assigned server group 1 Click Security AAA Accounting 2 Select Configure Method from the Step list 3 Select Add from the Action list 4 Select the acco...

Page 256: ...e Action list Figure 126 Showing AAA Accounting Methods To configure the accounting method applied to specific interfaces console commands entered at specific privilege levels and local console Telnet...

Page 257: ...ecified service types 1 Click Security AAA Accounting 2 Select Show Information from the Step list 3 Click Summary Figure 129 Displaying a Summary of Applied AAA Accounting Methods To display basic ac...

Page 258: ...onnections Method Name Specifies an authorization method for service requests The default method is used for a requested service if no other methods have been defined Range 1 255 characters Server Gro...

Page 259: ...the Exec service type and the assigned server group 1 Click Security AAA Authorization 2 Select Configure Method from the Step list 3 Specify the name of the authorization method and server group name...

Page 260: ...Configure Service from the Step list 3 Enter the required authorization method 4 Click Apply Figure 133 Configuring AAA Authorization Methods for Exec Service To display a the configured authorization...

Page 261: ...are displayed in the web interface User Name The name of the user Maximum length 8 characters maximum number of users 16 Access Level Specifies the user level Options 0 Normal 15 Privileged Normal pri...

Page 262: ...r software limitations This is often true for devices such as network printers IP phones and some wireless access points The switch enables network access from these devices to be controlled by authen...

Page 263: ...pper case Authenticated MAC addresses are stored as dynamic entries in the switch secure MAC address table and are removed when the aging time expires The maximum number of secure MAC addresses suppor...

Page 264: ...ne of the following conditions authentication result remains unchanged The Filter ID attribute cannot be found to carry the user profile The Filter ID attribute is empty The Filter ID attribute format...

Page 265: ...ss Authenticataion process described in this section as well as to any secure MAC addresses authenticated by 802 1X regardless of the 802 1X Operation Mode Single Host Multi Host or MAC Based authenti...

Page 266: ...Sets the maximum number of MAC addresses that can be authenticated on a port via MAC authentication that is the Network Access process described in this section Range 1 1024 Default 1024 Network Acce...

Page 267: ...s no VLAN configuration the authentication is still treated as a success and the host is assigned to the default untagged VLAN When the dynamic VLAN assignment status is changed on a port all authenti...

Page 268: ...which will trigger the port action Link up Only link up events will trigger the port action Link down Only link down events will trigger the port action Link up and down All link up and link down even...

Page 269: ...er tables can be defined There is no limitation on the number of entries used in a filter table PARAMETERS These parameters are displayed in the web interface Filter ID Adds a filter rule for the spec...

Page 270: ...ddress Filter Table for Network Access DISPLAYING SECURE MAC ADDRESS INFORMATION Use the Security Network Access Show Information page to display the authenticated MAC addresses stored in the secure M...

Page 271: ...nticated the MAC address Time The time when the MAC address was last authenticated Attribute Indicates a static or dynamic address WEB INTERFACE To display the authenticated MAC addresses stored in th...

Page 272: ...CES Web Server on page 678 COMMAND USAGE Both the HTTP and HTTPS service can be enabled independently on the switch However you cannot configure both services to use the same UDP port HTTP can only be...

Page 273: ...enable disable the HTTPS server feature on the switch Default Enabled HTTPS Port Specifies the UDP port number used for HTTPS connection to the switch s web interface Default Port 443 WEB INTERFACE T...

Page 274: ...ult certificate for the switch is not unique to the hardware you have purchased When you have obtained these place them on your TFTP server and transfer them to the switch to replace the default unrec...

Page 275: ...l and rcp remote copy are not secure from hostile attacks The Secure Shell SSH includes server client applications intended as a secure replacement for the older Berkeley remote access tools SSH can a...

Page 276: ...0 54 1024 35 15684995401867669259333946775054617325313674890836547254 15020245593199868544358361651999923329781766065830956 10825913212890233 76546801726272571413428762941301196195566782 595664104869...

Page 277: ...he client s public key to those stored in memory c If a match is found the switch uses its secret key to generate a random 256 bit string as a challenge encrypts this string with the user s public key...

Page 278: ...he web interface SSH Server Status Allows you to enable disable the SSH server on the switch Default Disabled Version The Secure Shell version number Version 2 0 is displayed but the switch supports m...

Page 279: ...rating this key pair you must provide the host public key to SSH clients and import the client s public key to the switch as described in the section Importing User Public Keys on page 281 NOTE A host...

Page 280: ...select this item prior to generating the host key pair Default Disabled WEB INTERFACE To generate the SSH host key pair 1 Click Security SSH 2 Select Configure Host Key from the Step list 3 Select Gen...

Page 281: ...ame This drop down box selects the user who s public key you wish to manage Note that you must first create users on the User Accounts page see Configuring User Accounts on page 261 User Key Type The...

Page 282: ...name and the public key type from the respective drop down boxes input the TFTP server IP address and the public key source file name 5 Click Apply Figure 148 Copying the SSH User s Public Key To disp...

Page 283: ...other more specific criteria This switch tests ingress packets against the conditions in an ACL one by one A packet will be accepted as soon as it matches a permit rule or dropped as soon as it matche...

Page 284: ...web interface Add Time Range Name Name of a time range Range 1 30 characters Add Rule Time Range Name of a time range Mode Absolute Specifies a specific time or time range Start End Specifies the hour...

Page 285: ...t 3 Select Show from the Action list Figure 151 Showing a List of Time Ranges To configure a rule for a time range 1 Click Security ACL 2 Select Configure Time Range from the Step list 3 Select Add Ru...

Page 286: ...the Step list 3 Select Show Rule from the Action list Figure 153 Showing the Rules Configured for a Time Range SETTING THE ACL NAME AND TYPE Use the Security ACL Configure ACL Add page to create an A...

Page 287: ...rs packets based on the source or destination IP address as well as the type of the next header and the flow label i e a request for special handling by IPv6 routers MAC MAC ACL mode filters packets b...

Page 288: ...bination of permit or deny rules Address Type Specifies the source IP address Use Any to include all possible addresses Host to specify a specific host address in the Address field or IP to specify a...

Page 289: ...address and the mask for an address range 9 Click Apply Figure 156 Configuring a Standard IPv4 ACL CONFIGURING AN EXTENDED IPV4 ACL Use the Security ACL Configure ACL Add Rule IP Extended page to con...

Page 290: ...tes a specific protocol number 0 255 Options TCP UDP Others Default TCP Service Type Packet priority settings based on the following criteria ToS Type of Service level Range 0 15 Precedence IP precede...

Page 291: ...elect Add Rule from the Action list 4 Select IP Extended from the Type list 5 Select the name of an ACL from the Name list 6 Specify the action i e Permit or Deny 7 Select the address type Any Host or...

Page 292: ...fy a range of addresses Options Any Host IPv6 prefix Default Any Source IPv6 Address An IPv6 source address or network class The address must be formatted according to RFC 2373 IPv6 Addressing Archite...

Page 293: ...elects the type of ACLs to show in the Name list Name Shows the names of ACLs matching the selected type Action An ACL can contain any combination of permit or deny rules Destination Address Type Spec...

Page 294: ...sts special handling by IPv6 routers such as non default quality of service or real time service see RFC 2460 Range 0 1048575 A flow label is assigned to a flow by the flow s source node New flow labe...

Page 295: ...ct IPv6 Extended from the Type list 5 Select the name of an ACL from the Name list 6 Specify the action i e Permit or Deny 7 Select the address type Any or IPv6 prefix 8 If you select Host enter a spe...

Page 296: ...dress range with the Address and Bit Mask fields Options Any Host MAC Default Any Source Destination MAC Address Source or destination MAC address Source Destination Bit Mask Hexadecimal mask for sour...

Page 297: ...Type list 5 Select the name of an ACL from the Name list 6 Specify the action i e Permit or Deny 7 Select the address type Any Host or MAC 8 If you select Host enter a specific address e g 11 22 33 44...

Page 298: ...ss Type Specifies the source or destination IPv4 address Use Any to include all possible addresses Host to specify a specific host address in the Address field or IP to specify a range of addresses wi...

Page 299: ...e list 6 Specify the action i e Permit or Deny 7 Select the packet type Request Response All 8 Select the address type Any Host or IP 9 If you select Host enter a specific address e g 11 22 33 44 55 6...

Page 300: ...roup on page 759 mac access group on page 763 show mac access group on page 764 Time Range on page 625 COMMAND USAGE This switch supports ACLs for ingress filtering only You only bind one ACL to any p...

Page 301: ...g database see DHCP Snooping Configuration on page 329 This database is built by DHCP snooping if it is enabled on globally on the switch and on the required VLANs ARP Inspection can also validate ARP...

Page 302: ...EFERENCES ARP Inspection on page 738 COMMAND USAGE ARP Inspection Validation By default ARP Inspection Validation is disabled Specifying at least one of the following validations enables ARP Inspectio...

Page 303: ...e oldest entry will be replaced with the newest entry PARAMETERS These parameters are displayed in the web interface ARP Inspection Status Enables ARP Inspection globally Default Disabled ARP Inspecti...

Page 304: ...N and to specify the ARP ACL to use CLI REFERENCES ARP Inspection on page 738 COMMAND USAGE ARP Inspection VLAN Filters ACLs By default no ARP Inspection ACLs are configured and the feature is disable...

Page 305: ...any configured ARP ACLs Default None Static When an ARP ACL is selected and static mode also selected the switch only performs ARP Inspection and bypasses validation against the DHCP Snooping Bindings...

Page 306: ...ss all ARP Inspection and ARP Inspection Validation checks and will always be forwarded while those arriving on untrusted interfaces are subject to all configured ARP inspection tests Packet Rate Limi...

Page 307: ...nspection rate limit Dropped ARP packets in the process of ARP inspection rate limit Count of ARP packets exceeding and dropped by ARP rate limiting ARP packets dropped by additional validation IP Cou...

Page 308: ...o show information about entries stored in the log including the associated VLAN port and address components CLI REFERENCES show ip arp inspection log on page 745 PARAMETERS These parameters are displ...

Page 309: ...lt Once you add an entry to a filter list access to that interface is restricted to the specified addresses If anyone tries to access a management interface on the switch from an invalid address the s...

Page 310: ...SNMP group Telnet Configures IP address es for the Telnet group Start IP Address A single IP address or the starting address of a range End IP Address The end address of a range WEB INTERFACE To crea...

Page 311: ...ess table will be authorized to access the network through that port If a device with an unauthorized MAC address attempts to use the switch port the intrusion will be detected and the switch can auto...

Page 312: ...e taken when a port security violation is detected None No action should be taken This is the default Trap Send an SNMP trap message Shutdown Disable the port Trap and Shutdown Send an SNMP trap messa...

Page 313: ...enticator responds with an EAPOL identity request The client provides its identity such as a user name in an EAPOL response to the switch which it forwards to the RADIUS server The RADIUS server verif...

Page 314: ...nd client also have to support the same EAP authentication type MD5 PEAP TLS or TTLS Native support for these encryption methods is provided in Windows XP and in Windows 2000 with Service Pack 4 To su...

Page 315: ...ches on to the authentication servers thereby allowing the authentication process to still be carried out by switches located on the edge of the network When this device is functioning as an edge swit...

Page 316: ...he web interface Port Port number Status Indicates if authentication is enabled or disabled on the port The status is disabled if the control mode is set to Force Authorized Authorized Displays the 80...

Page 317: ...Period Sets the time period during an authentication session that the switch waits before re transmitting an EAP packet Range 1 65535 Default 30 seconds Supplicant Timeout Sets the time that a switch...

Page 318: ...unt Number of times connecting state is re entered Current Identifier Identifier sent in each EAP Success Failure or Request packet by the Authentication Server Backend State Machine State Current sta...

Page 319: ...CHAPTER 13 Security Measures Configuring 802 1X Port Authentication 319 Figure 173 Configuring Interface Settings for 802 1X Port Authenticator...

Page 320: ...pe that have been received by this Authenticator Rx Last EAPOLVer The protocol version number carried in the most recent EAPOL frame received by this Authenticator Rx Last EAPOLSrc The source MAC addr...

Page 321: ...d see DHCP Snooping on page 326 IP source guard can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighbor to access the network This section describes command...

Page 322: ...9 IP source guard will check the VLAN ID source IP address port number and source MAC address for the SIP MAC option If a matching entry is found in the binding table and the entry type is static IP s...

Page 323: ...ype for each port 3 Click Apply Figure 175 Setting the Filter Type for IP Source Guard CONFIGURING STATIC BINDINGS FOR IP SOURCE GUARD Use the Security IP Source Guard Static Configuration page to bin...

Page 324: ...c IP source guard binding Only unicast addresses are accepted for static bindings PARAMETERS These parameters are displayed in the web interface Port The port to which a static entry is bound VLAN ID...

Page 325: ...e CLI REFERENCES show ip dhcp snooping binding on page 732 PARAMETERS These parameters are displayed in the web interface Query by Port A port on this switch VLAN ID of a configured VLAN Range 1 4093...

Page 326: ...ion to a DHCP server This information can be useful in tracking an IP address back to a physical port COMMAND USAGE DHCP Snooping Process Network traffic may be disrupted when malicious DHCP messages...

Page 327: ...only if the corresponding entry is found in the binding table If the DHCP packet is from a client such as a DISCOVER REQUEST INFORM DECLINE or RELEASE message the packet is forwarded if MAC address ve...

Page 328: ...by the switch and in reply packets sent back from the DHCP server This information may specify the MAC address or IP address of the requesting device that is the switch in this context By default the...

Page 329: ...Option 82 information relay Default Disabled DHCP Snooping Information Option Policy Specifies how to handle DHCP client request packets which already contain Option 82 information Drop Drops the clie...

Page 330: ...c VLANs but the changes will not take effect until DHCP snooping is globally re enabled When DHCP snooping is globally enabled and DHCP snooping is then disabled on a VLAN all dynamic bindings learned...

Page 331: ...e the network or fire wall When DHCP snooping is enabled both globally and on a VLAN DHCP packet filtering will be performed on any untrusted ports within the VLAN When an untrusted port is changed to...

Page 332: ...g to the client Lease Time seconds The time for which this IP address is leased to the client Type Entry types include DHCP Snooping Dynamically snooped Static DHCPSNP Statically configured VLAN VLAN...

Page 333: ...NTERFACE To display the binding table for DHCP Snooping 1 Click Security IP Source Guard DHCP Snooping 2 Select Show Information from the Step list 3 Use the Store or Clear function if required Figure...

Page 334: ...CHAPTER 13 Security Measures DHCP Snooping 334...

Page 335: ...ONFIGURING EVENT LOGGING The switch allows you to control the logging of error messages including the type of events that are recorded in switch memory logging to a remote System Log syslog server and...

Page 336: ...nge 0 7 Default 7 NOTE The Flash Level must be equal to or less than the RAM Level WEB INTERFACE To configure the logging of error messages to system memory 1 Click Administration Log System 2 Select...

Page 337: ...ss memory RAM i e memory flushed on power reset and up to 4096 entries in permanent flash memory Figure 184 Showing Error Messages Looged to System Memory REMOTE LOG CONFIGURATION Use the Administrati...

Page 338: ...storing messages in the corresponding database Range 16 23 Default 23 Logging Trap Level Limits log messages that are sent to the remote syslog server for all levels up to the specified level For exa...

Page 339: ...nts at this level or higher will be sent to the configured email recipients For example using Level 7 will report all events from level 7 to level 0 Default Level 7 Email Source Address Sets the email...

Page 340: ...capabilities and configuration settings LLDP also defines how to store and maintain information gathered about the neighboring network nodes it discovers SETTING LLDP TIMING ATTRIBUTES Use the Adminis...

Page 341: ...nges are reported in each transmission This attribute must comply with the rule 4 Delay Interval Transmission Interval Reinitialization Delay Configures the delay before attempting to re initialize af...

Page 342: ...he transmission of SNMP trap notifications about LLDP and LLDP MED changes Default Enabled This option sends out SNMP trap notifications to designated target stations at the interval specified by the...

Page 343: ...by a port and protocol VLAN TLV that indicates the VLAN identifier VID associated with the management address reported by this TLV Port Description The port description is taken from the ifDescr objec...

Page 344: ...gregation capabilities aggregation status of the link and the IEEE 802 3 aggregated port identifier if this interface is currently a link aggregation member Max Frame Size The maximum frame size See C...

Page 345: ...Identifies the chassis containing the IEEE 802 LAN entity associated with the transmitting LLDP agent There are several ways in which a chassis may be identified and a chassis ID subtype is used to i...

Page 346: ...the local system Interface Settings The attributes listed below apply to both port and trunk interface types When a trunk is listed the descriptions apply to the first port of the trunk Port Trunk Des...

Page 347: ...tion about devices connected directly to the switch s ports which are advertising information through LLDP or to display detailed information about an LLDP enabled device connected to a specific port...

Page 348: ...stem Description A textual description of the network entity Management Address The IPv4 address of the remote device If no management address is available the address should be the MAC address for th...

Page 349: ...Identity List Information about particular protocols that are accessible through a port This object represents an arbitrary local integer value used by this agent to identify a particular protocol ide...

Page 350: ...airs only are in use Remote Power MDI Supported Shows whether MDI power is supported on the given port associated with the remote system Remote Power Pair Controlable Indicates whether the pair select...

Page 351: ...ggregation state and or it does not support link aggregation this value should be zero Port Details 802 3 Extension Frame Information Remote Max Frame Size An integer value indicating the maximum supp...

Page 352: ...capable devices attached to the switch and for LLDP protocol messages transmitted or received on all local interfaces CLI REFERENCES show lldp info statistics on page 966 PARAMETERS These parameters a...

Page 353: ...es as well as any specific usage rules defined for the particular TLV Frames Invalid A count of all LLDPDUs received with one or more detectable errors Frames Received Number of LLDP PDUs received Fra...

Page 354: ...d to configure these devices for proper operation in a network environment as well as to monitor them to evaluate performance or detect potential problems Managed devices supporting SNMP contain softw...

Page 355: ...n as views The switch has a default view all MIB objects and default groups defined for security models v1 and v2c The following table shows the security models and levels available and the system def...

Page 356: ...p page to specify trap managers so that key events are reported by this switch to your management station 3 Use the Administration SNMP Configure Engine page to change the local engine ID If you want...

Page 357: ...required trap types 4 Click Apply Figure 195 Configuring Global Settings for SNMP SETTING THE LOCAL ENGINE ID Use the Administration SNMP Configure Engine Set Engine ID page to change the local engin...

Page 358: ...decimal characters 5 Click Apply Figure 196 Configuring the Local Engine ID for SNMP SPECIFYING A REMOTE ENGINE ID Use the Administration SNMP Configure Engine Add Remote Engine page to configure a en...

Page 359: ...9 is equivalent to 1234567890 Remote IP Host The IP address of a remote management station which is using the specified engine ID WEB INTERFACE To configure a remote SNMP engine ID 1 Click Administrat...

Page 360: ...er of a branch within the MIB tree Wild cards can be used to mask a specific portion of the OID string Use the Add OID Subtree page to configure additional object identifiers Type Indicates if the obj...

Page 361: ...an SNMP View To show the SNMP views of the switch s MIB database 1 Click Administration SNMP 2 Select Configure View from the Step list 3 Select Show View from the Action list Figure 200 Showing SNMP...

Page 362: ...an SNMP View To show the OID branches configured for the SNMP views of the switch s MIB database 1 Click Administration SNMP 2 Select Configure View from the Step list 3 Select Show OID Subtree from...

Page 363: ...ations This is the default security level AuthNoPriv SNMP communications use authentication but the data is not encrypted AuthPriv SNMP communications use both authentication and encryption Read View...

Page 364: ...of the SNMPv2 must be capable of generating this trap the snmpEnableAuthenTraps object indicates whether this trap will be generated RMON Events V2 risingAlarm 1 3 6 1 2 1 16 0 1 The SNMP trap that i...

Page 365: ...p is sent when a networkAccessPortLinkDetection event is triggered swCpuUtiRisingNotification 1 3 6 1 4 1 259 10 1 5 2 1 0 107 This notification indicates that the CPU utilization crossed cpuUtiRising...

Page 366: ...SNMP v1 and v2c For security reasons you should consider removing the default strings CLI REFERENCES snmp server community on page 630 PARAMETERS These parameters are displayed in the web interface C...

Page 367: ...lect Add Community from the Action list 4 Add new community strings as required and select the corresponding access rights from the Access Mode list 5 Click Apply Figure 205 Setting Community Access S...

Page 368: ...nge 1 32 characters Security Model The user security model SNMP v1 v2c or v3 Security Level The following security levels are only used for the groups assigned to the SNMP security model noAuthNoPriv...

Page 369: ...or authPriv then an authentication protocol and password must be specified If the security level is authPriv a privacy password must also be specified 5 Click Apply Figure 207 Configuring Local SNMPv...

Page 370: ...age 372 and Specifying a Remote Engine ID on page 358 PARAMETERS These parameters are displayed in the web interface User Name The name of user connecting to the SNMP agent Range 1 32 characters Group...

Page 371: ...it to a group Enter the IP address to identify the source of SNMPv3 inform messages sent from the local switch If the security model is set to SNMPv3 and the security level is authNoPriv or authPriv...

Page 372: ...which include a request for acknowledgement of receipt Informs can be used to ensure that critical information is received by the host However note that informs consume more system resources because t...

Page 373: ...efining it in the Configure User Add Community page UDP Port Specifies the UDP port number used by the trap manager Default 162 SNMP Version 2c IP Address IP address of a new management station to rec...

Page 374: ...ange 0 2147483647 centiseconds Default 1500 centiseconds Retry times The maximum number of times to resend an inform message if the recipient does not acknowledge receipt Range 0 255 Default 3 Local U...

Page 375: ...P communications use both authentication and encryption WEB INTERFACE To configure trap managers 1 Click Administration SNMP 2 Select Configure Trap from the Step list 3 Select Add from the Action lis...

Page 376: ...o specified events on an independent basis This switch is an RMON capable device which can independently perform a wide range of tasks significantly reducing network management traffic It can continuo...

Page 377: ...rm is triggered it will not be triggered again until the statistical value crosses the opposite bounding threshold and then back across the trigger threshold CLI REFERENCES Remote Monitoring Commands...

Page 378: ...alue is less than or equal to the falling threshold and the last sample value was greater than this threshold then an alarm will be generated After a falling event has been generated another such even...

Page 379: ...Monitoring 379 Figure 215 Configuring an RMON Alarm To show configured RMON alarms 1 Click Administration RMON 2 Select Configure Global from the Step list 3 Select Show from the Action list 4 Click...

Page 380: ...the web interface Index Index to this entry Range 1 65535 Type Specifies the type of event to initiate None No event is generated Log Generates an RMON log entry when the event is triggered Log messag...

Page 381: ...list 4 Click Event 5 Enter an index number the type of event to initiate the community string to send with trap messages the name of the person who created this event and a brief description of the ev...

Page 382: ...nds on page 649 COMMAND USAGE Each index number equates to a port on the switch If history collection is already enabled on an interface the entry must be deleted before any changes can be made The in...

Page 383: ...Select Add from the Action list 4 Click History 5 Select a port from the list as the data source 6 Enter an index number the sampling interval the number of buckets to use and the name of the owner f...

Page 384: ...the list 5 Click History Figure 221 Showing Collected RMON History Samples CONFIGURING RMON STATISTICAL SAMPLES Use the Administration RMON Configure Interface Add Statistics page to collect statistic...

Page 385: ...ntry Range 1 65535 Owner Name of the person who created this entry Range 1 127 characters WEB INTERFACE To enable regular sampling of statistics on a port 1 Click Administration RMON 2 Select Configur...

Page 386: ...ure 223 Showing Configured RMON Statistical Samples To show collected RMON statistical samples 1 Click Administration RMON 2 Select Configure Interface from the Step list 3 Select Show Details from th...

Page 387: ...security and data isolation OVERVIEW Multicasting is used to support real time applications such as video conferencing or streaming audio A multicast server does not have to establish a separate conn...

Page 388: ...embers but also supports the Protocol Independent Multicasting PIM routing protocol required to forward multicast traffic to other subnets page 1090 You can also configure a single network wide multic...

Page 389: ...ded by IGMPv3 snooping is in keeping track of information about the specific multicast sources which downstream IGMPv3 hosts have requested or refused The switch maintains information about both multi...

Page 390: ...ached VLAN or flooded throughout the VLAN if unregistered flooding is enabled see Configuring IGMP Snooping and Query Parameters on page 391 Static IGMP Router Interface If IGMP snooping cannot locate...

Page 391: ...ut the VLAN if unregistered flooding is enabled see Unregistered Data Flood in the Command Attributes section IGMP Querier A router or multicast enabled switch can periodically ask their hosts if they...

Page 392: ...nd all the uplink ports are subsequently deleted a time out mechanism is used to delete all of the currently learned multicast channels When a new uplink port starts up the switch sends unsolicited re...

Page 393: ...queries that do not contain the Router Alert option Unregistered Data Flooding Floods unregistered multicast traffic into the attached VLAN Default Disabled Once the table used to store multicast ent...

Page 394: ...less of the snooping version employed Querier Status When enabled the switch can serve as the Querier which is responsible for asking hosts if they want to receive multicast traffic This feature is no...

Page 395: ...te interfaces within the switch CLI REFERENCES Static Multicast Routing on page 922 PARAMETERS These parameters are displayed in the web interface VLAN Selects the VLAN which is to propagate all multi...

Page 396: ...ing protocol such as PIM to support IP multicasting across the Internet These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch To show all the i...

Page 397: ...19 COMMAND USAGE Static multicast addresses are never aged out When a multicast address is assigned to an interface in a specific VLAN the corresponding traffic can only be forwarded to ports within t...

Page 398: ...Select the VLAN for which to display this information Figure 232 Showing Static Interfaces Assigned to a Multicast Service To display information about all multicast groups IGMP Snooping or multicast...

Page 399: ...t routing devices MRD is used to discover which interfaces are attached to multicast routers allowing IGMP enabled devices to determine where to send multicast source and group membership messages MRD...

Page 400: ...acefully shut down Advertisement and Termination messages are sent to the All Snoopers multicast address Solicitation messages are sent to the All Routers multicast address NOTE MRD messages are flood...

Page 401: ...able fixed at 2 as defined in RFC 2236 If immediate leave is enabled the switch assumes that only one host is connected to the interface Therefore immediate leave should only be enabled on an interfac...

Page 402: ...o proxy general queries Range 10 31744 tenths of a second Default 10 seconds This attribute applies when the switch is serving as the querier page 391 or as a proxy host when IGMP snooping proxy repor...

Page 403: ...dress in IGMP reports sent to upstream ports Many hosts do not implement RFC 4541 and therefore do not understand query messages with the source address of 0 0 0 0 These hosts will therefore not reply...

Page 404: ...AMETERS These parameters are displayed in the web interface VLAN An interface on the switch that is forwarding traffic to downstream ports for the specified multicast group address Group Address IP mu...

Page 405: ...or a range of multicast addresses but only one profile can be assigned to a port When enabled IGMP join reports received on the port are checked against the filter profile If a requested multicast gro...

Page 406: ...nooping Filter Add page to create an IGMP profile and set its access mode Then use the Add Multicast Group Range page to configure the multicast groups to filter CLI REFERENCES IGMP Filtering and Thro...

Page 407: ...ange of multicast groups End Multicast IP Address Specifies the ending address of a range of multicast groups WEB INTERFACE To create an IGMP filter profile and set its access mode 1 Click Multicast I...

Page 408: ...ofile to configure and add a multicast group address or range of addresses 4 Click Apply Figure 240 Adding Multicast Groups to an IGMP Filtering Profile To show the multicast groups configured for an...

Page 409: ...s are displayed in the web interface Interface Port or trunk identifier An IGMP profile or throttling setting can be applied to a port or trunk When ports are configured as trunk members the trunk use...

Page 410: ...hich need to forward multicast traffic Layer 3 IGMP Query as described below is used in conjunction with both Layer 2 IGMP Snooping and multicast routing IGMP This protocol includes a form of multicas...

Page 411: ...n edge switches greatly reduces the processing load on those devices by not having to run more complicated multicast routing protocols such as PIM It also makes the proxy devices independent of the mu...

Page 412: ...oxy settings described in this section 4 Optional Indicate how often the system will send unsolicited reports to the upstream router using the Multicast IGMP Proxy page as described later in this sect...

Page 413: ...ould transmit unsolicited IGMP reports Range 1 65535 seconds Default 400 seconds WEB INTERFACE To configure IGMP Proxy Routing 1 Click Multicast IGMP Proxy 2 Select the upstream interface enable the I...

Page 414: ...web interface VLAN VLAN interface bound to a primary IP address Range 1 4093 IGMP Protocol Status Enables IGMP including IGMP query functions on a VLAN interface Default Disabled When a multicast rou...

Page 415: ...bursty as host responses are spread out over a larger interval The number of seconds represented by the maximum response interval must be less than the Query Interval Last Member Query Interval The f...

Page 416: ...tatically mapped this group to a specific source address Also if an address outside of the SSM address range is specified and a specific source address is included in the command the request to join t...

Page 417: ...1 Click Multicast IGMP Static Group 2 Select Add from the Action list 3 Select a VLAN interface to be assigned as a static multicast group member and then specify the multicast group If source specifi...

Page 418: ...AN identifier The selected entry must be a configured IP interface Range 1 4093 Group Address IP multicast group address with subscribers directly attached or downstream from the switch Last Reporter...

Page 419: ...ed in the source list parameter and for any other sources where the source timer status has expired Group Source List A list of zero or more IP unicast addresses from which multicast reception is desi...

Page 420: ...ross a service provider s network Any multicast traffic entering an MVR VLAN is sent to all attached subscribers This protocol can significantly reduce to processing overhead required to dynamically m...

Page 421: ...the multicast group to the participating interfaces see Assigning Static Multicast Groups to Interfaces on page 427 Although MVR operates on the underlying mechanism of IGMP snooping the two features...

Page 422: ...members of the MVR VLAN see Adding Static Members to VLANs on page 158 but MVR receiver ports should not be manually configured as members of this VLAN Default 1 MVR Running Status Indicates whether o...

Page 423: ...ayed in the web interface MVR Group IP IP address for an MVR multicast group Range 224 0 1 0 239 255 255 255 Default no groups are assigned to the MVR VLAN Any multicast data sent to this address is s...

Page 424: ...ulticast groups assigned to the MVR VLAN 1 Click Multicast MVR 2 Select Configure Group Range from the Step list 3 Select Show from the Action list Figure 253 Showing the Configured Group Range for MV...

Page 425: ...e ports Immediate leave applies only to receiver ports When enabled the receiver port is immediately removed from the multicast group identified in the leave message When immediate leave is disabled t...

Page 426: ...switch MVR status for receiver ports is Active only if there are subscribers receiving multicast traffic from one of the MVR groups or a multicast group has been statically assigned to an interface I...

Page 427: ...ess Defines a multicast service sent to the selected port Multicast groups must be assigned from the MVR group range configured on the Configure General page WEB INTERFACE To assign a static MVR group...

Page 428: ...interface Group IP Address Multicast groups assigned to the MVR VLAN Source IP Address Indicates the source address of the multicast service or displays an asterisk if the group address has been stat...

Page 429: ...CHAPTER 15 Multicast Filtering Multicast VLAN Registration 429 Figure 257 Showing All MVR Groups Assigned to a Port...

Page 430: ...CHAPTER 15 Multicast Filtering Multicast VLAN Registration 430...

Page 431: ...can direct the device to obtain an address from a BOOTP or DHCP server or manually configure a static IP address Valid IP addresses consist of four decimal numbers 0 to 255 separated by periods Anythi...

Page 432: ...ore than one IP subnet can be accessed through this interface For initial configuration set this parameter to Primary Options Primary Secondary Default Primary Note that a secondary address cannot be...

Page 433: ...3 Select any configured VLAN and set IP Address Mode to BOOTP or DHCP 4 Click Apply to save your changes IP will be enabled but will not function until a BOOTP or DHCP reply is received Requests are b...

Page 434: ...t you will lose management access to the switch In this case you can reboot the switch or submit a client request to restart DHCP service via the CLI If the address assigned by DHCP is no longer funct...

Page 435: ...g traffic between VLANs with different IP interfaces and routing traffic to external IP networks However when the switch is first booted default routing can only forward traffic between local IP inter...

Page 436: ...placing destination source MAC addresses for each hop Incrementing the hop count Decrementing the time to live Verifying and recalculating the Layer 3 checksum If the destination node is on the same s...

Page 437: ...ready there the switch broadcasts an ARP packet to all the ports on the destination VLAN to find out the destination MAC address After the MAC address is discovered the packet is reformatted and sent...

Page 438: ...ted to that interface and allows you to send IP packets to or from the router You can specify the IP subnets connected directly to this router by manually assigning an IP address to each VLAN or using...

Page 439: ...unt Number of packets to send Range 1 16 Packet Size Number of bytes in a packet Range 32 512 bytes The actual packet size will be eight bytes larger than the size specified because the switch adds he...

Page 440: ...the maximum timeout TTL is exceeded or the maximum number of hops is exceeded The trace route function first sends probe datagrams with the TTL value set at one This causes the first router to discard...

Page 441: ...hop to the next ARP is used to map an IP address to a physical layer i e MAC address When an IP frame is received by this router or any standards based router it first looks up the MAC address corresp...

Page 442: ...st for its own IP address it will send back a response and also cache the MAC of the source device s IP address BASIC ARP CONFIGURATION Use the IP ARP Configure General page to specify the timeout for...

Page 443: ...specified VLAN interfaces allowing a non routing device to determine the MAC address of a host on another subnet or network Default Disabled End stations that require Proxy ARP must view the entire n...

Page 444: ...used if there is no response to an ARP broadcast message For example some applications may not respond to ARP requests or the response arrives too late causing network operations to time out Static en...

Page 445: ...NAMIC OR LOCAL ARP ENTRIES The ARP cache contains static entries and entries for local interfaces including subnet host and broadcast addresses However most entries will be dynamically learned through...

Page 446: ...P Show Information page to display statistics for ARP messages crossing all interfaces on this router CLI REFERENCES show ip traffic on page 1023 PARAMETERS These parameters are displayed in the web i...

Page 447: ...to a subnet rather than using dynamic routing Static routes do not automatically change in response to changes in network topology so you should only configure a small number of stable routes to ensur...

Page 448: ...P address of the next router hop used for this route Distance An administrative distance indicating that this route can be overridden by dynamic routing information if the distance of the dynamic rout...

Page 449: ...e interface identifier and next hop information for each reachable destination network prefix based on the IP routing table When routing or topology changes occur in the network the routing table is u...

Page 450: ...isplay the routing table 1 Click IP Routing Routing Table 2 Select Show Information from the Action List Figure 273 Displaying the Routing Table EQUAL COST MULTIPATH ROUTING Use the IP Routing Routing...

Page 451: ...paths have the same lowest cost the static paths have precedence over dynamic paths Each path toward the same destination with equal cost takes up one entry in the routing table to record routing inf...

Page 452: ...he maximum ECMP number 1 Click IP Routing Routing Table 2 Select Configure ECMP Number from the Action List 3 Enter the maximum number of equal cost paths used to route traffic to the same destination...

Page 453: ...l router priority Router redundancy can be set up in any of the following configurations These examples use the address of one of the participating routers as the master router When the virtual router...

Page 454: ...has a higher priority than the currently active master router CLI REFERENCES VRRP Commands on page 995 COMMAND USAGE Address Assignment To designate a specific router as the VRRP master the IP addres...

Page 455: ...e virtual IP address Owner is the highest the original master router will always become the active master router when it recovers If two or more routers are configured with the same VRRP priority the...

Page 456: ...rmation about its priority and current state as the master VRRP advertisements are sent to the multicast address 224 0 0 8 Using a multicast address reduces the amount of traffic that has to be proces...

Page 457: ...n the group its authentication string is compared to the string configured on this router If the strings match the message is accepted Otherwise the packet is discarded State VRRP router role Values M...

Page 458: ...nfigure Group ID from the Step List 3 Select Show from the Action List Figure 279 Showing Configured VRRP Groups To configure the virtual router address for a VRRP group 1 Click IP VRRP 2 Select Confi...

Page 459: ...Configure Group ID from the Step List 3 Select Show IP Addresses from the Action List Figure 281 Showing the Virtual Addresses Assigned to VRRP Groups To configure detailed settings for a VRRP group...

Page 460: ...e parameters are displayed in the web interface VRRP Packets with Invalid Checksum The total number of VRRP packets received with an invalid VRRP checksum value VRRP Packets with Unknown Error The tot...

Page 461: ...to master Received Advertisement Packets Number of VRRP advertisements received by this router Received Error Advertisement Interval Packets Number of VRRP advertisements received for which the advert...

Page 462: ...n the type field Received Error Address List VRRP Packets Number of packets received for which the address list does not match the locally configured list for the virtual router Received Invalid Authe...

Page 463: ...tion to other name servers on the network When a client device designates this switch as a DNS server the client will attempt to resolve host names into IP addresses by forwarding DNS queries to the s...

Page 464: ...the default domain name 4 Click Apply Figure 285 Configuring General Settings for DNS CONFIGURING A LIST OF DOMAIN NAMES Use the IP Service DNS General Add Domain Name page to configure a list of dom...

Page 465: ...466 PARAMETERS These parameters are displayed in the web interface Domain Name Name of the host Do not include the initial dot that separates the host name from the domain name Range 1 68 characters...

Page 466: ...l a response is received or the end of the list is reached with no response If all name servers are deleted DNS will automatically be disabled This is done by disabling the domain lookup status PARAME...

Page 467: ...Static entries may be used for local devices connected directly to the attached network or for commonly used resources located elsewhere on the network PARAMETERS These parameters are displayed in th...

Page 468: ...ACHE Use the IP Service DNS Cache page to display entries in the DNS cache that have been learned via the designated name servers CLI REFERENCES show dns cache on page 976 COMMAND USAGE Servers or oth...

Page 469: ...N PROTOCOL Dynamic Host Configuration Protocol DHCP can dynamically allocate an IP address and other configuration information to network clients when they boot up If a subnet does not already include...

Page 470: ...erver to the client Figure 293 Layer 3 DHCP Relay Service CLI REFERENCES ip dhcp relay server on page 980 ip dhcp restart relay on page 981 COMMAND USAGE You must specify the IP address for at least o...

Page 471: ...er code or MAC address Figure 295 DHCP Server COMMAND USAGE First configure any excluded addresses including the address for this switch Then configure address pools for the network interfaces You can...

Page 472: ...ling the DHCP Server SETTING EXCLUDED ADDRESSES Use the IP Service DHCP Server Configure Excluded Addresses Add page to specify the IP addresses that should not be assigned to clients CLI REFERENCES i...

Page 473: ...7 Configuring Excluded Addresses on the DHCP Server To show the IP addresses excluded for DHCP clients 1 Click IP Service DHCP Server 2 Select Configure Excluded Addresses from the Step list 3 Select...

Page 474: ...ddress pool However if no matching address pool is found the request is ignored When searching for a manual binding the switch compares the client identifier and then the hardware address for DHCP cli...

Page 475: ...WINS name server used for Microsoft DHCP clients Netbios Type NetBIOS node type for Microsoft DHCP clients Options Broadcast Hybrid Mixed Peer to Peer Default Hybrid Domain Name The domain name of the...

Page 476: ...otocol 476 6 Click Apply Figure 299 Configuring DHCP Server Address Pools Network Figure 300 Configuring DHCP Server Address Pools Host To show the configured DHCP address pools 1 Click IP Service DHC...

Page 477: ...s DHCP server CLI REFERENCES show ip dhcp binding on page 993 PARAMETERS These parameters are displayed in the web interface IP Address IP address assigned to host MAC Address MAC address of host Lea...

Page 478: ...o forward broadcast packets for specified UDP application ports to remote servers located in another network segment To configure UDP helper enable it globally see Configuring General DNS Service Para...

Page 479: ...ce Destination UDP Port UDP application port for which UDP service requests are forwarded Range 1 65535 The following UDP ports are inlcuded in the forwarding list when the UDP helper is enabled and a...

Page 480: ...ed UDP broadcast packets are forwarded CLI REFERENCES ip helper address on page 1017 COMMAND USAGE Up to 20 helper addresses can be specified To forward UDP packets with the UDP helper the clients mus...

Page 481: ...by default as described on page 479 PARAMETERS These parameters are displayed in the web interface VLAN ID VLAN identifier Range 1 4093 IP Address Host address or directed broadcast address to which U...

Page 482: ...CHAPTER 19 IP Services Forwarding UDP Service Requests 482 Figure 307 Showing the Target Server or Subnet for UDP Requests...

Page 483: ...ate of transmission cost Each router broadcasts its advertisement every 30 seconds together with any updates to its routing table This allows all routers on the network to learn consistent tables of n...

Page 484: ...Just as Layer 2 switches use the Spanning Tree Algorithm to prevent loops routers also use methods for preventing loops that would cause endless retransmission of data traffic RIP utilizes the follow...

Page 485: ...mation Protocol RIP on page 1024 COMMAND USAGE RIP is used to specify how routers exchange routing information When RIP is enabled on this router it sends RIP messages to all devices in the network ev...

Page 486: ...and the router learns about the same external network with a better metric from a redistribution point other than that derived from the original source The default metric does not override the metric...

Page 487: ...outing protocol less sensitive to changes in the network configuration Timeout Sets the time after which there have been no update messages that a route is declared dead The route is marked inaccessib...

Page 488: ...ntire RIP network redistribute connected routes using the Routing Protocol RIP Redistribute screen page 493 to make the RIP network a connected route To delete the RIP routes learned from neighbors bu...

Page 489: ...l 2 Select Clear Route from the Action list 3 When clearing routes by type select the required type from the drop down list When clearing routes by network enter a valid network address and prefix len...

Page 490: ...the network portion of the address This mask identifies the network address bits used for the associated routing entries By VLAN Adds a Layer 3 VLAN to the RIP routing process The VLAN must be config...

Page 491: ...n interface the attached subnet will still continue to be advertised to other interfaces and updates from other routers on the specified interface will continue to be received and processed This featu...

Page 492: ...h a static neighbor specifically for point to point links rather than relying on broadcast or multicast messages generated by the RIP protocol This feature can be used in conjunction with the passive...

Page 493: ...ing Protocol RIP Redistribute Add page to import external routing information from other routing domains that is directly connected routes protocols or static routes into this autonomous system CLI RE...

Page 494: ...ed to routers up to 5 hops away at which point the metric exceeds the maximum hop count of 15 By defining a low metric of 1 traffic can follow an imported route the maximum number of hops allowed with...

Page 495: ...rding to the IP address of the router supplying the routing information For example to filter out unreliable routing information from routers not under your administrative control The administrative d...

Page 496: ...ion 4 Click Apply Figure 319 Setting the Distance Assigned to External Routes To show the distance assigned to external routes learned from other routing protocols 1 Click Routing Protocol RIP Distanc...

Page 497: ...d by RIPv2 including subnet mask next hop and authentication information This is the default setting Use Do Not Send to passively monitor route information advertised by other routers attached to the...

Page 498: ...se parameters are displayed in the web interface VLAN ID Layer 3 VLAN interface This interface must be configured with an IP address and have an active link Range 1 4093 Send Version The RIP version t...

Page 499: ...ame password Range 1 16 characters case sensitive Instability Prevention Specifies the method used to reduce the convergence time when the network topology changes and to prevent RIP protocol messages...

Page 500: ...S Use the Routing Protocol RIP Statistics Show Interface Information page to display information about RIP interface configuration settings CLI REFERENCES show ip rip on page 1041 PARAMETERS These par...

Page 501: ...rmation page to display information on neighboring RIP routers CLI REFERENCES show ip protocols rip on page 1040 PARAMETERS These parameters are displayed in the web interface Peer Address IP address...

Page 502: ...OSPF is more suited for large area networks which experience frequent changes in the links It also handles subnets much better than RIP OSPF protocol actively tests the status of each link to its neig...

Page 503: ...protocol message authentication and the addition of a point to multipoint interface which allows OSPF to run over non broadcast networks as well as support for overlapping area ranges When using OSPF...

Page 504: ...d areas and external links to other areas Use the Routing Protocol OSPF Network Area Add page to define an OSPF area and the interfaces that operate within this area An autonomous system must be confi...

Page 505: ...responding address range forms a routing interface and can be configured to aggregate LSAs from all of its subnetwork addresses and exchange this information with other routers in the network as descr...

Page 506: ...at is contiguous with all the other areas in the network and configure an area for all of the other OSPF interfaces 4 Click Apply Figure 328 Defining OSPF Network Areas Based on Addresses To to show t...

Page 507: ...OSPF this router should use RFC 1583 early OSPFv2 compatibility mode to ensure that all routers are using the same RFC for calculating summary route costs Enable this field to force the router to cal...

Page 508: ...h faster but uses more CPU processing time Default Metric The default metric for external routes imported from other protocols Range 0 16777214 Default 20 A default metric must be used to resolve the...

Page 509: ...advertisements add the internal cost to the external route metric Type 2 routes do not add the internal cost metric When comparing Type 2 routes the internal cost is only used as a tie breaker if seve...

Page 510: ...eter Description Router ID Type Indicates if the router ID was manually configured or automatically generated by the system Rx LSAs The number of link state advertisements that have been received Orig...

Page 511: ...a separate routing database for each area ASBR Status Autonomous System Boundary Router Indicates if this router exchanges routing information with boundary routers in other autonomous systems to whic...

Page 512: ...col OSPF Network Area Add page Range 1 65535 Area ID Identifier for a not so stubby area NSSA or stub The area ID can be in the form of an IPv4 address or as a four octet unsigned integer ranging from...

Page 513: ...BR An NSSA is similar to a stub It blocks most external routing information and can be configured to advertise a single default route for traffic passing between the NSSA and other areas within the au...

Page 514: ...own area and then leaked to adjacent areas Routes that can be advertised with NSSA external LSAs include network destinations outside the AS learned through OSPF the default route static routes route...

Page 515: ...BR it can import a default external AS route for routing protocol domains adjacent to the NSSA but not within the OSPF AS into the NSSA using this option Metric Type Type 1 or Type 2 external routes W...

Page 516: ...icantly reduce the amount of topology data that has to be exchanged over the network Figure 338 OSPF Stub Area By default a stub can only pass traffic to other areas in the autonomous system through t...

Page 517: ...ched stub Summary Controls the use of summary routes Summary Allows an Area Border Router ABR to send a summary link advertisement into the stub area No Summary Stops an ABR from sending a summary lin...

Page 518: ...en see page 504 Area ID Identifier for a not so stubby area NSSA or stub SPF Runs The number of times the Shortest Path First algorithim has been run for this area ABR Count The number of Area Border...

Page 519: ...Route Summarization for ABRs CLI REFERENCES router ospf on page 1043 area range on page 1049 COMMAND USAGE Use the Area Range configuration page to summarize intra area routes and advertise this info...

Page 520: ...es whether or not to advertise the summary route If the routes are set to be advertised the router will issue a Type 3 summary LSA for each specified address range If the summary is not advertised the...

Page 521: ...orts redistribution for all currently connected routes entries learned through RIP and static routes When you redistribute external routes into an OSPF autonomous system AS the router automatically be...

Page 522: ...signed to all external routes for the specified protocol Range 1 65535 Default 10 The metric value specified for redistributed routes supersedes the Default External Metric specified in the Routing Pr...

Page 523: ...ute individually in an external LSA as described in the preceding section The reduce the numer of protocol messages required to redistribute these external routes an Autonomous System Boundary Router...

Page 524: ...rtising into the local domain To summarize routes sent between OSPF areas use the Area Range Configuration screen page 519 This router supports up 20 Type 5 summary routes PARAMETERS These parameters...

Page 525: ...assign an interface address range to an OSPF area After assigning a routing interface to an OSPF area use the Routing Protocol OSPF Interface Configure by VLAN or Configure by Address page to configur...

Page 526: ...o prevent a router from being elected as a DR or BDR If set to any value other than zero the router with the highest priority becomes the DR and the router with the next highest priority becomes the B...

Page 527: ...d trip delay between any two routers on the attached network to avoid unnecessary retransmissions Authentication Type Specifies the authentication type used for an interface Options None Simple MD5 De...

Page 528: ...incoming packets Neighbor routers must use the same key identifier and key value When changing to a new key the router will send multiple copies of all protocol messages one with the old key and anot...

Page 529: ...s for All Interfaces Assigned to a VLAN To configure interface settings for a specific area assigned to a VLAN 1 Click Routing Protocol OSPF Interface 2 Select Configure by Address from the Action lis...

Page 530: ...LAN To show the configuration settings for OSPF interfaces 1 Click Routing Protocol OSPF Interface 2 Select Show from the Action list 3 Select the VLAN ID Figure 351 Showing OSPF Interfaces To show th...

Page 531: ...kbone area i e transit area to reach the backbone To define this path you must configure an ABR that serves as an endpoint connecting the isolated area to the common transit area and specify a neighbo...

Page 532: ...ee page 504 Area ID Identifies the transit area for the virtual link The area ID must be in the form of an IPv4 address or also as a four octet unsigned integer ranging from 0 4294967295 Neighbor Rout...

Page 533: ...settings for a virtual link 1 Click Routing Protocol OSPF Virtual Link 2 Select Configure Detailed Settings from the Action list 3 Specify the process ID then modify the protocol timers and authentica...

Page 534: ...zed with neighboring routers through a process called reliable flooding You can show information about different LSAs stored in this router s database which may include any of the following types Rout...

Page 535: ...s to be displayed Link ID Network portion described by an LSA The Link ID is either An IP network number for Type 3 Summary and Type 5 AS External LSAs When an Type 5 AS External LSA is describing a d...

Page 536: ...to show the Link State Advertisements LSAs stored in the link state database for virtual links CLI REFERENCES show ip ospf virtual links on page 1081 PARAMETERS These parameters are displayed in the...

Page 537: ...o message is due This time is determined by the Hello Interval which must be the same for all router attached to a common network Adjacency State The state of the virtual neighbor relationship Down Co...

Page 538: ...s include Down Connection down Attempt Connection down but attempting contact non broadcast networks Init Have received Hello packet but communications not yet established Two way Bidirectional commun...

Page 539: ...CHAPTER 20 Unicast Routing Configuring the Open Shortest Path First Protocol Version 2 539 3 Select the process identifier Figure 360 Displaying Neighbor Routers Stored in the Link State Database...

Page 540: ...CHAPTER 20 Unicast Routing Configuring the Open Shortest Path First Protocol Version 2 540...

Page 541: ...ability of multicast group members is low such as the Internet Also note that if PIM is not enabled on this router or another multicast routing protocol is used on the network the switch ports attache...

Page 542: ...al network segment to which the host is attached However when the multicast load from a particular source is heavy enough to justify it PIM SM can be configured to construct a Shortest Path Tree SPT d...

Page 543: ...PIM SM the multicast flow is confined to the shared tree Also note that more than one flow can be carried over the same shared tree but only one RP is responsible for each flow Shortest Path Tree SPT...

Page 544: ...s IP multicast routing Default Disabled WEB INTERFACE To enable multicast routing 1 Click Multicast Multicast Routing General 2 Enable Multicast Forwarding Status 3 Click Apply Figure 361 Enabling Mul...

Page 545: ...gister to indicate that a pseudo interface is being used to receive PIM SM register packets This can occur for the Rendezvous Point RP which is the root of the Reverse Path Tree RPT In this case any V...

Page 546: ...f traffic arriving over the shared tree has exceeded the SPT threshold for this group If the SPT flag is set for G entries the next S G packet received will cause the router to join the shortest path...

Page 547: ...ticast Routing Table To display detailed information on a specific flow in multicast routing table 1 Click Multicast Multicast Routing Information 2 Select Show Details from the Action List 3 Select a...

Page 548: ...ssary to the multicast protocol parameters To use PIM multicast routing must be enabled on the switch see Enabling Multicast Routing Globally on page 544 WEB INTERFACE To enable PIM multicast routing...

Page 549: ...received from a downstream router or if group members are directly connected to the interface When routers want to receive a multicast flow they periodically send join messages to the RP and are subs...

Page 550: ...prune state is maintained until the join prune holdtime timer expires or a graft message is received for the forwarding entry PIM SM The multicast interface that first receives a multicast stream from...

Page 551: ...e hello delay is set to random value between 0 and the trigger hello delay This prevents synchronization of Hello messages on multi access links if multiple routers are powered on simultaneously Also...

Page 552: ...a priority in its hello messages it is assumed to have the highest priority and is elected as the DR If more than one router is not advertising its priority then the router with the highest IP address...

Page 553: ...CHAPTER 21 Multicast Routing Configuring PIM for IPv4 553 Figure 365 Configuring PIM Interface Settings Dense Mode Figure 366 Configuring PIM Interface Settings Sparse Mode...

Page 554: ...G GLOBAL PIM SM SETTINGS Use the Routing Protocol PIM SM Configure Global page to configure the rate at which register messages are sent the source of register messages and switchover to the Shortest...

Page 555: ...gh the RP is not always the shortest path Therefore the router uses the RP to forward only the first packet from a new multicast group to its receivers Afterwards it calculates the shortest path tree...

Page 556: ...ge This router will continue to be the BSR until it receives a bootstrap message from another candidate with a higher priority or a higher IP address if the priorities are the same To improve failover...

Page 557: ...ge 0 255 Default 0 WEB INTERFACE To configure the switch as a BSR candidate 1 Click Multicast Multicast Routing SM 2 Select BSR Candidate from the Step list 3 Specify the VLAN interface for which this...

Page 558: ...over the one statically configured All routers within the same PIM SM domain must be configured with the same RP s Selecting an RP through the dynamic election process is therefore preferable for most...

Page 559: ...RENCES ip pim rp candidate on page 1105 COMMAND USAGE When this router is configured as an RP candidate it periodically sends PIMv2 messages to the BSR advertising itself as a candidate RP for the spe...

Page 560: ...one of these routers as both the primary BSR and RP PARAMETERS These parameters are displayed in the web interface VLAN Identifier of configured VLAN interface Range 1 4093 Interval The interval at w...

Page 561: ...Select an interface from the VLAN list Figure 373 Showing Settings for an RP Candidate DISPLAYING THE BSR ROUTER Use the Routing Protocol PIM SM Show Information Show BSR Router page to display Infor...

Page 562: ...the new BSR s identity and the RP set Accept Preferred The router knows the identity of the current BSR and is using the RP set provided by that BSR Only bootstrap messages from that BSR or from a C B...

Page 563: ...yed in the web interface Groups A multicast group address RP Address IP address of the RP for the listed multicast group Information Source RP that advertised the mapping how the RP was selected Stati...

Page 564: ...CHAPTER 21 Multicast Routing Configuring PIM for IPv4 564 Figure 375 Showing RP Mapping...

Page 565: ...Commands on page 649 Authentication Commands on page 657 General Security Measures on page 707 Access Control Lists on page 747 Interface Commands on page 769 Link Aggregation Commands on page 787 Po...

Page 566: ...Line Interface 566 Domain Name Service Commands on page 969 DHCP Commands on page 979 VRRP Commands on page 995 IP Interface Commands on page 1005 IP Routing Commands on page 1019 Multicast Routing Co...

Page 567: ...nsole prompt enter the user name and password The default user names are admin and guest with corresponding passwords of admin and guest When the administrator user name and password is entered the CL...

Page 568: ...54 Console config If your corporate network is connected to another network outside your office or to the Internet you need to apply for a registered IP address However if you are attached to an isola...

Page 569: ...each command in the required order For example to enable Privileged Exec command mode and display the startup configuration enter Console enable Console show startup config To enter commands that req...

Page 570: ...ion history Shows history information hosts Host information interfaces Shows interface information ip IP information ipv6 IPv6 information lacp LACP statistics line TTY line information lldp LLDP log...

Page 571: ...mand and question mark For example s shows all the keywords starting with s Console show s snmp sntp spanning tree ssh startup config subnet vlan system Console show s NEGATING THE EFFECT OF COMMANDS...

Page 572: ...rompt Only a limited number of the commands are available in this mode You can access all commands only from the Privileged Exec command mode or administrator mode To access Privilege Exec mode open a...

Page 573: ...ommunity Access Control List Configuration These commands are used for packet filtering Class Map Configuration Creates a DiffServ class map for a specified traffic type IGMP Profile Sets a profile gr...

Page 574: ...ethernet 1 5 Console config if exit Console config Table 28 Configuration Command Modes Mode Command Prompt Page Access Control List access list ip standard access list ip extended access list mac ac...

Page 575: ...tart of command line Ctrl B Shifts cursor to the left one character Ctrl C Terminates the current task and displays the command prompt Ctrl E Shifts cursor to end of command line Ctrl F Shifts cursor...

Page 576: ...ltering DHCP requests and replies and discarding invalid ARP responses 707 Access Control List Provides filtering for IPv4 frames based on address protocol TCP UDP port number or TCP control code IPv6...

Page 577: ...arameters specifies ports attached to a multicast router also configures multicast VLAN registration 903 Link Layer Discovery Protocol Configures LLDP settings to enable information discovery about ne...

Page 578: ...CHAPTER 22 Using the Command Line Interface CLI Command Groups 578...

Page 579: ...arts the system at a specified time after a specified delay or at a periodic interval GC enable Activates privileged mode NE quit Exits a CLI session NE PE show history Shows the command history buffe...

Page 580: ...hich to reload Range 0 23 minute The minute at which to reload Range 0 59 month The month at which to reload january december day The day of the month at which to reload Range 1 31 year The year at wh...

Page 581: ...e you sure to reboot the system at the specified time y n enable This command activates Privileged Exec mode In privileged mode additional commands are available and certain commands display additiona...

Page 582: ...Exec COMMAND USAGE The quit and exit commands can both exit the configuration program EXAMPLE This example shows how to quit a CLI session Console quit Press ENTER to start session User Access Verific...

Page 583: ...tory buffer when you are in any of the configuration modes In this example the 2 command repeats the second command in the Execution history buffer config Console 2 Console config Console config confi...

Page 584: ...ed to the end of the prompt to indicate that the system is in normal access mode EXAMPLE Console disable Console RELATED COMMANDS enable 581 reload Privileged Exec This command restarts the system NOT...

Page 585: ...ays 0 hours 29 minutes 52 seconds Console end This command returns to Privileged Exec mode DEFAULT SETTING None COMMAND MODE Global Configuration Interface Configuration Line Configuration VLAN Databa...

Page 586: ...EXAMPLE This example shows how to return to the Privileged Exec mode from the Global Configuration mode and then quit the CLI session Console config exit Console exit Press ENTER to start session Use...

Page 587: ...ersion information Frame Size Enables support for jumbo frames File Management Manages code image or switch configuration files Line Sets communication parameters for the serial port including baud ra...

Page 588: ...rmation currently in use COMMAND MODE Privileged Exec COMMAND USAGE Use this command in conjunction with the show startup config command to compare the information in running memory to the information...

Page 589: ...0000000000000 stackingDB stackingMac 01_00 00 e8 93 82 a0_01 stackingMac stackingMac 00_00 00 00 00 00 00_00 stackingMac stackingMac 00_00 00 00 00 00 00_00 stackingMac stackingMac 00_00 00 00 00 00 0...

Page 590: ...d displays the following information MAC address for the switch SNMP community strings Users names access levels and encrypted passwords VLAN database VLAN ID name and state VLAN configuration setting...

Page 591: ...ed Console show users Shows all active console and Telnet sessions including user name idle time and IP address of Telnet client DEFAULT SETTING None COMMAND MODE Normal Exec Privileged Exec COMMAND U...

Page 592: ...rsion 1 00 Number of Ports 24 Main Power Status Up Redundant Power Status Not present Role Master Loader Version 0 0 1 1 Linux Kernel Version 2 6 19 2 0 1 Boot ROM Version 0 0 0 1 Operation Code Versi...

Page 593: ...system command EXAMPLE Console config jumbo frame Console config FILE MANAGEMENT Managing Firmware Firmware can be uploaded and downloaded to or from an FTP TFTP server By saving runtime code to a fil...

Page 594: ...equired DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE A colon is required after the specified file type If the file contains an error it cannot be set as the default file EXAMPL...

Page 595: ...certificate Keyword that allows you to copy the HTTPS secure site certificate public key Keyword that allows you to copy a SSH key from a TFTP server See Secure Shell on page 684 running config Keywor...

Page 596: ...t as the default user name EXAMPLE The following example shows how to download new firmware from a TFTP server Console copy tftp file TFTP server ip address 10 1 0 19 Choose file type 1 config 2 opcod...

Page 597: ...certificate Source private file name SS private Private password Success Console reload System will be restarted continue y n y This example shows how to copy a public key used by SSH from an TFTP se...

Page 598: ...LE This example shows how to delete the test2 cfg configuration file from flash memory Console delete test2 cfg Console RELATED COMMANDS dir 598 delete public key 689 dir This command displays a list...

Page 599: ...onsole whichboot This command displays which files were booted when the system powered up DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE This example shows the information displayed by the...

Page 600: ...console Telnet or SSH connections LC databits Sets the number of data bits per character that are interpreted and generated by hardware LC exec timeout Sets the interval that the command interpreter...

Page 601: ...nfig line RELATED COMMANDS show line 609 show users 591 databits This command sets the number of data bits per character that are interpreted and generated by the console port Use the no form to resto...

Page 602: ...cifies the timeout interval Range 0 65535 seconds 0 no timeout DEFAULT SETTING CLI No timeout Telnet 10 minutes COMMAND MODE Line Configuration COMMAND USAGE If user input is detected within the timeo...

Page 603: ...mmand When using this method the management interface starts in Normal Exec NE mode login local selects authentication via the user name and password specified by the username command i e default sett...

Page 604: ...as terminals and modems often require a specific parity bit setting EXAMPLE To specify no parity enter this command Console config line parity none Console config line password This command specifies...

Page 605: ...There is no need for you to manually configure encrypted passwords EXAMPLE Console config line password 0 secret Console config line RELATED COMMANDS login 603 password thresh 605 password thresh Thi...

Page 606: ...lent time seconds no silent time seconds The number of seconds to disable console response Range 0 65535 0 30 seconds DEFAULT SETTING The default value is no silent time COMMAND MODE Line Configuratio...

Page 607: ...tion the switch will automatically detect the baud rate configured on the attached terminal and adjust the speed accordingly EXAMPLE To specify 57600 bps enter this command Console config line speed 5...

Page 608: ...minated for the session This command applies to both the local console and Telnet connections The timeout for Telnet cannot be disabled Using the command without specifying a timeout restores the defa...

Page 609: ...al for remote console access i e Telnet DEFAULT SETTING Shows all lines COMMAND MODE Normal Exec Privileged Exec EXAMPLE To show all lines enter this command Console show line Console Configuration Pa...

Page 610: ...64 This type has no effect on the kind of messages reported by the switch However it may be used by the syslog server to sort messages or to store messages in the corresponding database EXAMPLE Consol...

Page 611: ...ash errors level 3 0 RAM debugging level 7 0 COMMAND MODE Global Configuration COMMAND USAGE The message level specified for flash memory must be a higher priority i e numerically lower than that spec...

Page 612: ...wed is five EXAMPLE Console config logging host 10 1 0 3 Console config logging on This command controls logging of error messages sending debug or error messages to a logging process The no form disa...

Page 613: ...le on page 611 Messages sent include the selected level through level 0 DEFAULT SETTING Disabled Level 7 COMMAND MODE Global Configuration COMMAND USAGE Using this command with a specified level enabl...

Page 614: ...ry stored in flash memory i e permanent memory ram Event history stored in temporary RAM i e memory flushed on power reset DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE The following examp...

Page 615: ...ging is enabled the message level for flash memory is errors i e default level 3 0 and the message level for RAM is debugging i e default level 7 0 Console show logging flash Syslog logging Enabled Hi...

Page 616: ...he logging trap command REMOTELOG facility type The facility type for remote logging of syslog messages as specified in the logging facility command REMOTELOG level type The severity threshold for sys...

Page 617: ...g DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE You can specify up to three SMTP servers for event handing However you must enter a separate command to specify each server To se...

Page 618: ...D MODE Global Configuration COMMAND USAGE The specified level indicates an event threshold All events at this level or higher will be sent to the configured email recipients For example using Level 7...

Page 619: ...default value SYNTAX logging sendmail source email email address no logging sendmail source email email address The source email address used in alert messages Range 1 41 characters DEFAULT SETTING N...

Page 620: ...command enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp server command Use the no form to disable SNTP client requests SYNTAX no sntp client...

Page 621: ...rver 10 1 0 19 Console config sntp poll 60 Console config sntp client Console config end Console show sntp Current Time Dec 23 02 52 44 2002 Poll Interval 60 Current Mode unicast SNTP Status Enabled S...

Page 622: ...ommand specifies time servers from which the switch will poll for time updates when set to SNTP client mode The client will poll the time servers in the order specified until a response is received It...

Page 623: ...3 hours after UTC minutes Number of minutes before after UTC Range 0 59 minutes before utc Sets the local time zone before east of UTC after utc Sets the local time zone after west of UTC DEFAULT SETT...

Page 624: ...Range 1 31 month january february march april may june july august september october november december year Year 4 digit Range 2001 2100 DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE...

Page 625: ...of the time range Range 1 30 characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE This command sets a time range for use by other functions such as Access Control Lists EXAM...

Page 626: ...e Range Configuration COMMAND USAGE If a time range is already configured you must use the no form of this command to remove the current entry prior to configuring a new time range EXAMPLE This exampl...

Page 627: ...weekdays Weekdays weekend Weekends hour Hour in 24 hour format Range 0 23 minute Minute Range 0 59 DEFAULT SETTING None COMMAND MODE Time Range Configuration EXAMPLE This example configures a time ran...

Page 628: ...CHAPTER 24 System Management Commands Time Range 628...

Page 629: ...Command Function Mode General SNMP Commands snmp server Enables the SNMP agent GC snmp server community Sets up the community access string to permit access to SNMP commands GC snmp server contact Se...

Page 630: ...ver community string string Community string that acts like a password and permits access to the SNMP protocol Maximum length 32 characters case sensitive Maximum number of strings 5 ro Specifies read...

Page 631: ...Use the no form to remove the system contact information SYNTAX snmp server contact string no snmp server contact string String that describes the system contact information Maximum length 255 charac...

Page 632: ...t and output protocol data units and whether or not SNMP logging has been enabled with the snmp server enable traps command EXAMPLE Console show snmp SNMP Agent Enabled SNMP Traps Authentication Enabl...

Page 633: ...n order to configure this device to send SNMP notifications you must enter at least one snmp server enable traps command If you enter the command with no keywords both authentication and link up down...

Page 634: ...conds The number of seconds to wait for an acknowledgment before resending an inform message Range 0 2147483647 centiseconds Default 1500 centiseconds community string Password like community string s...

Page 635: ...t informs consume more system resources because they must be kept in memory until a response is received Informs also add to network traffic You should consider these effects when deciding whether to...

Page 636: ...es an SNMP engine on a remote device ip address The Internet address of the remote device engineid string String identifying the engine ID Range 1 26 hexadecimal characters DEFAULT SETTING A unique en...

Page 637: ...ineID remote 9876543210 192 168 1 19 Console config RELATED COMMANDS snmp server host 634 snmp server group This command adds an SNMP group mapping SNMP users to SNMP views Use the no form to remove a...

Page 638: ...rithm is used as specified in the snmp server user command When privacy is selected the DES 56 bit algorithm is used for data encryption For additional information on the notification messages support...

Page 639: ...password Authentication password Enter as plain text if the encrypted option is not used Otherwise enter an encrypted password A minimum of eight characters is required priv des56 Uses SNMPv3 with pri...

Page 640: ...nfig snmp server user steve group r d v3 auth md5 greenpeace priv des56 einstien Console config snmp server user mark group r d remote 192 168 1 19 v3 auth md5 greenpeace priv des56 einstien Console c...

Page 641: ...show snmp engine id This command shows the SNMP engine ID COMMAND MODE Privileged Exec EXAMPLE This example shows the default engine ID Console show snmp engine id Local SNMP EngineID 8000002a8000000...

Page 642: ...latile Row Status active Group Name public Security Model v2c Read View defaultview Write View No writeview specified Notify View No notifyview specified Storage Type volatile Row Status active Group...

Page 643: ...active Console Notify View The associated notify view Storage Type The storage type for this entry Row Status The row status of this entry Table 48 show snmp group display description Continued Field...

Page 644: ...on log SYNTAX no nlm filter name filter name Notification log name Range 1 32 characters DEFAULT SETTING Enabled COMMAND MODE Global Configuration COMMAND USAGE Notification logging is enabled by defa...

Page 645: ...rameter is only required to complete mandatory fields in the SNMP Notification MIB DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE Systems that support SNMP often need a mechanism...

Page 646: ...tain up to 256 entries and the entry aging time is 1440 minutes Information recorded in a notification log and the entry aging time can only be configured using SNMP from a network management station...

Page 647: ...s command displays the configured notification logs COMMAND MODE Privileged Exec EXAMPLE This example displays the configured notification logs and associated target hosts Console show snmp notify fil...

Page 648: ...CHAPTER 25 SNMP Commands 648...

Page 649: ...Event and Alarm groups When RMON is enabled the system gradually builds up information about its physical interfaces storing this information in the relevant RMON database group A management agent the...

Page 650: ...ue and the difference is then compared to the thresholds threshold An alarm threshold for the sampled variable Range 1 65535 event index The index of the event to use if an alarm is triggered If there...

Page 651: ...Log messages are processed based on the current configuration settings for event logging see Event Logging on page 610 trap Sends a trap message to all configured trap managers see snmp server host o...

Page 652: ...rmon collection history index index Index to this entry Range 1 65535 number The number of buckets requested for this entry Range 1 65536 seconds The polling interval Range 1 3600 seconds name Name o...

Page 653: ...on who created this entry Range 1 127 characters DEFAULT SETTING Enabled COMMAND MODE Interface Configuration Ethernet COMMAND USAGE By default each index number equates to a port on the swich but can...

Page 654: ...ed by steve Description is for r d Event firing causes log and trap to community public last fired 00 00 00 Console show rmon history This command shows the sampling parameters configured for each ent...

Page 655: ...tistics Interface 1 is valid and owned by Monitors 1 3 6 1 2 1 2 2 1 1 1 which has Received 164289 octets 2372 packets 120 broadcast and 2211 multicast packets 0 undersized and 0 oversized packets 0 f...

Page 656: ...CHAPTER 26 Remote Monitoring Commands 656...

Page 657: ...uthentication Commands Command Group Function User Accounts Configures the basic user names and passwords for management access Authentication Sequence Defines logon authentication method and preceden...

Page 658: ...el Maximum length 8 characters plain text 32 encrypted case sensitive DEFAULT SETTING The default is level 15 The default password is super COMMAND MODE Global Configuration COMMAND USAGE You cannot s...

Page 659: ...encrypted password password password The authentication password for the user Maximum length 8 characters plain text 32 encrypted case sensitive DEFAULT SETTING The default access level is Normal Exe...

Page 660: ...offers best effort delivery while TCP offers a connection oriented transport Also note that RADIUS encrypts only the password in the access request packet from the client to the server while TACACS e...

Page 661: ...e TACACS uses TCP UDP only offers best effort delivery while TCP offers a connection oriented transport Also note that RADIUS encrypts only the password in the access request packet from the client to...

Page 662: ...t port This command sets the RADIUS server network port for accounting messages Use the no form to restore the default SYNTAX radius server acct port port number no radius server acct port port number...

Page 663: ...ADIUS servers and authentication and accounting parameters that apply to each server Use the no form to remove a specified server or to restore the default values SYNTAX no radius server index host ho...

Page 664: ...Global Configuration EXAMPLE Console config radius server 1 host 192 168 1 20 port 181 timeout 10 retransmit 5 key green Console config radius server key This command sets the RADIUS encryption key Us...

Page 665: ...SETTING 2 COMMAND MODE Global Configuration EXAMPLE Console config radius server retransmit 5 Console config radius server timeout This command sets the interval between transmitting authentication re...

Page 666: ...e TACACS CLIENT Terminal Access Controller Access Control System TACACS is a logon authentication protocol that uses software running on a central server to control access to TACACS aware devices on t...

Page 667: ...ss for the client Do not use blank spaces in the string Maximum length 48 characters port number TACACS server TCP port used for authentication messages Range 1 65535 DEFAULT SETTING 10 11 12 13 COMMA...

Page 668: ...ring Maximum length 48 characters DEFAULT SETTING None COMMAND MODE Global Configuration EXAMPLE Console config tacacs server key green Console config tacacs server port This command specifies the TAC...

Page 669: ...uire the use of configured RADIUS or TACACS servers in the network Table 58 AAA Commands Command Function Mode aaa accounting commands Enables accounting of Exec mode commands GC aaa accounting dot1x...

Page 670: ...rver group to use tacacs Specifies all TACACS hosts configure with the tacacs server host command server group Specifies the name of a server group configured with the aaa group server command Range 1...

Page 671: ...s accounting from starting point and stopping point group Specifies the server group to use radius Specifies all RADIUS hosts configure with the radius server host command tacacs Specifies all TACACS...

Page 672: ...ecifies all RADIUS hosts configure with the radius server host command tacacs Specifies all TACACS hosts configure with the tacacs server host command server group Specifies the name of a server group...

Page 673: ...interim interval enables updates but does not change the current interval setting EXAMPLE Console config aaa accounting update periodic 30 Console config aaa authorization exec This command enables t...

Page 674: ...zation type applies except those that have a named method explicitly defined EXAMPLE Console config aaa authorization exec default group tacacs Console config aaa group server Use this command to name...

Page 675: ...host command When specifying the index for a TACACS server that server index must already be defined by the tacacs server host command EXAMPLE Console config aaa group server radius tps Console confi...

Page 676: ...he aaa accounting exec command DEFAULT SETTING None COMMAND MODE Line Configuration EXAMPLE Console config line console Console config line accounting exec tps Console config line exit Console config...

Page 677: ...e user name interface interface exec statistics statistics commands Displays command accounting information level Displays command accounting information for a specifiable command level dot1x Displays...

Page 678: ...efault port SYNTAX ip http port port number no ip http port port number The TCP port to be used by the browser interface Range 1 65535 DEFAULT SETTING 80 COMMAND MODE Global Configuration EXAMPLE Cons...

Page 679: ...590 ip http secure server This command enables the secure hypertext transfer protocol HTTPS over the Secure Socket Layer SSL providing secure access i e an encrypted connection to the switch s web in...

Page 680: ...Firefox 2 0 0 0 or above The following web browsers and operating systems currently support HTTPS To specify a secure site certificate see Replacing the Default Secure site Certificate on page 274 Als...

Page 681: ...nnect to the HTTPS server must specify the port number in the URL in this format https device port_number EXAMPLE Console config ip http secure port 1000 Console config RELATED COMMANDS ip http secure...

Page 682: ...n count no ip telnet max sessions session count The maximum number of allowed Telnet session Range 0 4 DEFAULT SETTING 4 sessions COMMAND MODE Global Configuration COMMAND USAGE A maximum of four sess...

Page 683: ...se the no form to disable this function SYNTAX no ip telnet server DEFAULT SETTING Enabled COMMAND MODE Global Configuration EXAMPLE Console config ip telnet server Console config show ip telnet This...

Page 684: ...have to generate authentication keys on the switch and enable the SSH server Table 62 Secure Shell Commands Command Function Mode ip ssh authentication retries Specifies the number of retries allowed...

Page 685: ...e public key for all the SSH client s granted management access to the switch Note that these clients must be configured locally on the switch with the username command The clients are subsequently au...

Page 686: ...he challenge string computes the MD5 checksum and sends the checksum back to the switch e The switch compares the checksum sent from the client against that computed for the original string it sent If...

Page 687: ...tires 2 Console config RELATED COMMANDS show ip ssh 691 ip ssh server This command enables the Secure Shell SSH server on this switch Use the no form to disable this service SYNTAX no ip ssh server DE...

Page 688: ...size key size The size of server key Range 512 896 bits DEFAULT SETTING 768 bits COMMAND MODE Global Configuration COMMAND USAGE The server key is a private key that is never shared outside the switc...

Page 689: ...config RELATED COMMANDS exec timeout 602 show ip ssh 691 delete public key This command deletes the specified user s public key SYNTAX delete public key username dsa rsa username Name of an SSH user...

Page 690: ...you must manually create a known hosts file and place the host public key in it The SSH server uses this host key to negotiate a session key and encryption method with the client trying to connect to...

Page 691: ...ey from RAM to flash memory SYNTAX ip ssh save host key DEFAULT SETTING Saves both the DSA and RSA key COMMAND MODE Privileged Exec EXAMPLE Console ip ssh save host key dsa Console RELATED COMMANDS ip...

Page 692: ...last string is the encoded modulus EXAMPLE Console show public key host Host RSA 1024 65537 13236940658254764031382795526536375927835525327972629521130241 071942106165575942459093923609695405036277525...

Page 693: ...r State The authentication negotiation state Values Negotiation Started Authentication Started Session Started Username The user name of the client Table 64 802 1X Port Authentication Commands Command...

Page 694: ...through command can be used to forward EAPOL frames from other switches on to the authentication servers thereby allowing the authentication process to still be carried out by switches located on the...

Page 695: ...802 1X port authentication globally on the switch Use the no form to restore the default SYNTAX no dot1x system auth control DEFAULT SETTING Disabled COMMAND MODE Global Configuration EXAMPLE Console...

Page 696: ...Console config if dot1x intrusion action guest vlan Console config if dot1x max req This command sets the maximum number of times the switch port will retransmit an EAP request identity packet to the...

Page 697: ...s multiple hosts to connect to this port with each host needing to be authenticated DEFAULT Single host COMMAND MODE Interface Configuration COMMAND USAGE The max count parameter specified by this com...

Page 698: ...force authorized COMMAND MODE Interface Configuration EXAMPLE Console config interface eth 1 2 Console config if dot1x port control auto Console config if dot1x re authentication This command enables...

Page 699: ...ault SYNTAX dot1x timeout quiet period seconds no dot1x timeout quiet period seconds The number of seconds Range 1 65535 DEFAULT 60 seconds COMMAND MODE Interface Configuration EXAMPLE Console config...

Page 700: ...er than EAP request identity frames If dot1x authentication is enabled on a port the switch will initiate authentication when the port link state comes up It will send an EAP request identity frame to...

Page 701: ...c interface SYNTAX dot1x re authenticate interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 24 COMMAND MODE Privileged Exec COMMAND USAGE The re authentication pro...

Page 702: ...ype Administrative state for port access control Enabled Authenticator or Supplicant Operation Mode Allows single or multiple hosts page 697 Control Mode Dot1x port control mode page 698 Authorized Au...

Page 703: ...ckend State Machine State Current state including request response success fail timeout idle initialize Request Count Number of EAP Request packets sent to the Supplicant without receiving a response...

Page 704: ...ifier 0 Authenticator PAE State Machine State Authenticated Reauth Count 0 Current Identifier 3 Backend State Machine State Idle Request Count 0 Identifier Server 2 Reauthentication State Machine Stat...

Page 705: ...nvalid address the switch will reject the connection enter an event message in the system log and send a trap message to the trap manager IP address can be configured for SNMP web and Telnet access re...

Page 706: ...esses for all groups http client Displays IP addresses for the web group snmp client Displays IP addresses for the SNMP group telnet client Displays IP addresses for the Telnet group COMMAND MODE Priv...

Page 707: ...Function Port Security The priority of execution for these filtering commands is Port Security Port Authentication Network Access Access Control Lists DHCP Snooping and then IP Source Guard Configures...

Page 708: ...ally take action by disabling the port and sending a trap message mac learning This command enables MAC address learning on the selected interface Use the no form to disable MAC address learning SYNTA...

Page 709: ...o restore the default settings for a response to security violation or for the maximum number of allowed addresses SYNTAX port security action shutdown trap trap and shutdown max mac count address cou...

Page 710: ...mand to disable port security and reset the maximum number of addresses to the default You can also manually add secure addresses with the mac address table static command A secure port has the follow...

Page 711: ...s guest vlan Specifies the guest VLAN IC network access link detection Enables the link detection feature IC network access link detection link down Configures the link detection feature to detect and...

Page 712: ...ured by the MAC Address Authenticataion process described in this section as well as to any secure MAC addresses authenticated by 802 1X regardless of the 802 1X Operation Mode Single Host Multi Host...

Page 713: ...g network access mac filter 1 mac address 11 22 33 44 55 66 Console config mac authentication reauth time Use this command to set the time period after which a connected MAC address must be re authent...

Page 714: ...QoS configuration for the port When a user attempts to log into the network with a returned dynamic QoS profile that is different from users already logged on to the same port the user is denied acce...

Page 715: ...VLAN configuration or they are treated as an authentication failure If dynamic VLAN assignment is enabled on a port and the RADIUS server returns no VLAN configuration the authentication is still trea...

Page 716: ...e effective see the dot1x intrusion action command EXAMPLE Console config interface ethernet 1 1 Console config if network access guest vlan 25 Console config if network access link detection Use this...

Page 717: ...isable the port DEFAULT SETTING Disabled COMMAND MODE Interface Configuration EXAMPLE Console config interface ethernet 1 1 Console config if network access link detection link down action trap Consol...

Page 718: ...onse to take when port security is violated shutdown Disable port only trap Issue SNMP trap message only trap and shutdown Issue SNMP trap message and disable the port DEFAULT SETTING Disabled COMMAND...

Page 719: ...en enabled on a port the authentication process sends a Password Authentication Protocol PAP request to a configured RADIUS server The user name and password are both equal to the MAC address being au...

Page 720: ...ype attribute set to 802 EXAMPLE Console config if network access mode mac authentication Console config if network access port mac filter Use this command to enable the specified MAC address filter U...

Page 721: ...e Con figuration EXAMPLE Console config if mac authentication intrusion action block traffic Console config if mac authentication max mac count Use this command to set the maximum number of MAC addres...

Page 722: ...nit port unit Stack unit Range 1 port Port number Range 1 24 DEFAULT SETTING Displays the settings for all interfaces COMMAND MODE Privileged Exec EXAMPLE Console show network access interface etherne...

Page 723: ...ge 1 port Port number Range 1 24 sort Sorts displayed entries by either MAC address or interface DEFAULT SETTING Displays all filters COMMAND MODE Privileged Exec COMMAND USAGE When using a bit mask t...

Page 724: ...Snooping Commands Command Function Mode ip dhcp snooping Enables DHCP snooping globally GC ip dhcp snooping database flash Writes all dynamically learned snooping entries to flash memory GC ip dhcp s...

Page 725: ...tered based upon dynamic entries learned via DHCP snooping Table entries are only learned for trusted interfaces Each entry includes a MAC address IP address lease time VLAN identifier and port identi...

Page 726: ...trusted ports in the same VLAN If a DHCP packet is from server is received on a trusted port it will be forwarded to both trusted and untrusted ports in the same VLAN If the DHCP snooping is globally...

Page 727: ...n option DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server Known...

Page 728: ...ying it keep Retains the Option 82 information in the client request and forwards the packets to trusted ports replace Replaces the Option 82 information circuit id and remote id fields in the client...

Page 729: ...acket is dropped EXAMPLE This example enables MAC address verification Console config ip dhcp snooping verify mac address Console config RELATED COMMANDS ip dhcp snooping 725 ip dhcp snooping vlan 729...

Page 730: ...d Use the no form to restore the default setting SYNTAX no ip dhcp snooping trust DEFAULT SETTING All interfaces are untrusted COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE...

Page 731: ...lient request to the DHCP server must be configured as trusted EXAMPLE This example sets port 5 to untrusted Console config interface ethernet 1 5 Console config if no ip dhcp snooping trust Console c...

Page 732: ...le DHCP Snooping Information Policy replace DHCP Snooping is configured on the following VLANs 1 Verify Source Mac Address enable Interface Trusted Eth 1 1 No Eth 1 2 No Eth 1 3 No Eth 1 4 No Eth 1 5...

Page 733: ...dress interface no ip source guard binding mac address vlan vlan id mac address A valid unicast MAC address vlan id ID of a configured VLAN Range 1 4093 ip address A valid unicast IP address including...

Page 734: ...ed as follows If there is no entry with same VLAN ID and MAC address a new entry is added to binding table using the type of static IP source guard binding If there is an entry with same VLAN ID and M...

Page 735: ...d port Use the sip option to check the VLAN ID source IP address and port number against all entries in the binding table Use the sip mac option to check these same parameters plus the source MAC addr...

Page 736: ...ard if enabled on an interface for which IP source bindings dynamically learned via DHCP snooping or manually configured are not yet configured the switch will drop all IP traffic on that port except...

Page 737: ...nding 1 Console config if show ip source guard This command shows whether source guard is enabled or disabled on each interface COMMAND MODE Privileged Exec EXAMPLE Console show ip source guard Interf...

Page 738: ...hosts with statically configured IP addresses This section describes commands used to configure ARP Inspection Table 72 ARP Inspection Commands Command Function Mode ip arp inspection Enables ARP Ins...

Page 739: ...ction is enabled When ARP Inspection is disabled all ARP request and reply packets bypass the ARP Inspection engine and their manner of switching matches that of all other packets Disabling and then r...

Page 740: ...not checked DEFAULT SETTING ARP ACLs are not bound to any VLAN Static mode is not enabled COMMAND MODE Global Configuration COMMAND USAGE ARP ACLs are configured with the commands described on page 29...

Page 741: ...ogging is active for ARP Inspection and cannot be disabled When the switch drops a packet it places an entry in the log buffer Each entry contains flow information such as the receiving VLAN the port...

Page 742: ...e target IP addresses are checked only in ARP responses src mac Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body This check is performed on both ARP...

Page 743: ...ine and their manner of switching matches that of all other packets Disabling and then re enabling global ARP Inspection will not affect the ARP Inspection configuration for any VLANs When ARP Inspect...

Page 744: ...pted from ARP Inspection Use the no form to restore the default setting SYNTAX no ip arp inspection trust DEFAULT SETTING Untrusted COMMAND MODE Interface Configuration Port COMMAND USAGE Packets arri...

Page 745: ...interface interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 24 COMMAND MODE Privileged Exec EXAMPLE Console show ip arp inspection interface ethernet 1 1 Port Nu...

Page 746: ...AC address 0 ARP packets dropped by additional validation destination MAC address 0 ARP packets dropped by additional validation IP address 0 ARP packets dropped by ARP ACLs 0 ARP packets dropped by D...

Page 747: ...oup Function IPv4 ACLs Configures ACLs based on IPv4 addresses TCP UDP port number protocol type and TCP control code IPv6 ACLs Configures ACLs based on IPv6 addresses or DSCP traffic class MAC ACLs C...

Page 748: ...er more specific criteria acl name Name of the ACL Maximum length 16 characters no spaces or other special characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE When you crea...

Page 749: ...one COMMAND MODE Standard IPv4 ACL COMMAND USAGE New rules are appended to the end of the list Address bit masks are similar to a subnet mask containing four integers from 0 to 255 each separated by a...

Page 750: ...t deny tcp any source address bitmask host source any destination address bitmask host destination precedence precedence tos tos dscp dscp source port sport bitmask destination port dport port bitmask...

Page 751: ...tmask is bitwise ANDed with the specified source IP address and then compared with the address for each IP packet entering the port s to which this ACL has been assigned You can specify both Precedenc...

Page 752: ...0 255 255 255 0 any destination port 80 Console config ext acl This permits all TCP packets from class C addresses 192 168 1 0 with the TCP control code set to SYN Console config ext acl permit tcp 1...

Page 753: ...ccess list 753 Time Range 625 show ip access group This command shows the ports assigned to IP ACLs COMMAND MODE Privileged Exec EXAMPLE Console show ip access group Interface ethernet 1 2 IP access l...

Page 754: ...ess list ipv6 standard extended acl name standard Specifies an ACL that filters packets based on the source IP address extended Specifies an ACL that filters packets based on the destination IP addres...

Page 755: ...ard IPv6 ACL The rule sets a filter condition for packets emanating from the specified source Use the no form to remove a rule SYNTAX permit deny any host source ipv6 address source ipv6 address prefi...

Page 756: ...mit deny any destination ipv6 address prefix length dscp dscp flow label flow label next header next header time range time range name any Any IP address an abbreviation for the IPv6 prefix 0 destinat...

Page 757: ...handling might be conveyed to the routers by a control protocol such as a resource reservation protocol or by information within the flow s packets themselves e g in a hop by hop option A flow is uniq...

Page 758: ...ext ipv6 acl permit 2009 DB9 2229 79 48 flow label 43 Console config ext ipv6 acl RELATED COMMANDS access list ipv6 754 Time Range 625 show ipv6 access list This command displays the rules for config...

Page 759: ...DE Interface Configuration Ethernet COMMAND USAGE A port can only be bound to one ACL If a port is already bound to an ACL and you bind it to a different ACL the switch will replace the old binding wi...

Page 760: ...ial characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new...

Page 761: ...bitmask any host destination destination address bitmask vid vid vid bitmask ethertype protocol protocol bitmask NOTE The default is for Ethernet II packets permit deny tagged eth2 any host source sou...

Page 762: ...bitmask tagged eth2 Tagged Ethernet II packets untagged eth2 Untagged Ethernet II packets tagged 802 3 Tagged Ethernet 802 3 packets untagged 802 3 Untagged Ethernet 802 3 packets any Any MAC source...

Page 763: ...MANDS access list mac 760 Time Range 625 mac access group This command binds a MAC ACL to a port Use the no form to remove the port SYNTAX mac access group acl name in time range time range name acl n...

Page 764: ...ace ethernet 1 5 MAC access list M5 in Console RELATED COMMANDS mac access group 763 show mac access list This command displays the rules for configured MAC ACLs SYNTAX show mac access list acl name a...

Page 765: ...LT SETTING None COMMAND MODE Global Configuration COMMAND USAGE When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom...

Page 766: ...esponse ip any host source ip source ip ip address bitmask any host destination ip destination ip ip address bitmask mac any host source mac source mac mac address bitmask any host destination mac des...

Page 767: ...mac any any Console config mac acl RELATED COMMANDS access list arp 765 show arp access list This command displays the rules for configured ARP ACLs SYNTAX show arp access list acl name acl name Name...

Page 768: ...es COMMAND MODE Privileged Exec EXAMPLE Console show access list IP standard access list david permit host 10 1 1 21 permit 168 92 0 0 255 255 15 0 IP extended access list bob permit 10 7 1 1 255 255...

Page 769: ...egotiation Enables autonegotiation of a given interface IC shutdown Disables an interface IC speed duplex Configures the speed and duplex operation of a given interface when autonegotiation is disable...

Page 770: ...Port number Range 1 24 port channel channel id Range 1 32 vlan vlan id Range 1 4093 DEFAULT SETTING None COMMAND MODE Global Configuration EXAMPLE To specify port 4 enter the following command Consol...

Page 771: ...s 1 Gbps full duplex operation 100full Supports 100 Mbps full duplex operation 100half Supports 100 Mbps half duplex operation 10full Supports 10 Mbps full duplex operation 10half Supports 10 Mbps hal...

Page 772: ...o remove the description SYNTAX description string no description string Comment or a description to help you remember what is attached to this interface Range 1 64 characters DEFAULT SETTING None COM...

Page 773: ...low control on or off with the flowcontrol or no flowcontrol command use the no negotiation command to disable auto negotiation on the selected interface When using the negotiation command to enable a...

Page 774: ...Ports 1 2 EXAMPLE This forces the switch to use the built in RJ 45 port for the combination port 25 Console config interface ethernet 1 25 Console config if media type copper forced Console config if...

Page 775: ...ig if RELATED COMMANDS capabilities 771 speed duplex 776 shutdown This command disables an interface To restart a disabled interface use the no form SYNTAX no shutdown DEFAULT SETTING All interfaces a...

Page 776: ...tion COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE The 1000BASE T standard does not support forced mode Auto negotiation should always be used to establish a connection over...

Page 777: ...rate falls back down beneath the threshold Using both rate limiting and storm control on the same interface may lead to unexpected results For example suppose broadcast storm control is set to 500 pps...

Page 778: ...played statistics to zero for the current management session However if you log out and back into the management interface the statistics displayed will show the absolute value accumulated since the l...

Page 779: ...ti cast Input 1342 Multi cast Output 210 Broadcast Input 2 Broadcast Output Ether like Stats 0 Alignment Errors 0 FCS Errors 0 Single Collision Frames 0 Multiple Collision Frames 0 SQE Test Errors 0 D...

Page 780: ...s for all interfaces COMMAND MODE Normal Exec Privileged Exec COMMAND USAGE If no interface is specified information on all interfaces is displayed For a description of the items displayed by this com...

Page 781: ...GE If no interface is specified information on all interfaces is displayed EXAMPLE This example shows the configuration setting for port 21 Console show interfaces switchport ethernet 1 21 Information...

Page 782: ...page 841 Acceptable Frame Type Shows if acceptable VLAN frames include all types or tagged frames only page 839 Native VLAN Indicates the default Port VLAN ID page 843 Priority for Untagged Traffic I...

Page 783: ...r Not Supported This message is displayed for any Fast Ethernet ports that are linked up or for any Gigabit Ethernet ports linked up at a speed lower than 1000 Mbps Impedance mismatch Terminating impe...

Page 784: ...agnostics This command shows the results of a cable diagnostics test SYNTAX show cable diagnostics interface interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range...

Page 785: ...CHAPTER 30 Interface Commands 785 EXAMPLE Console show loop internal interface ethernet 1 1 Port Test Result Last Update Eth 1 1 Succeeded 2024 07 15 15 26 56 Console...

Page 786: ...CHAPTER 30 Interface Commands 786...

Page 787: ...A trunk can have up to 8 ports The ports at both ends of a connection must be configured as trunk ports All ports in a trunk must be configured in an identical manner including communication mode i e...

Page 788: ...it has the null value of 0 this key is set to the same value as the port admin key lacp admin key Ethernet Interface used by the interfaces that joined the group However if the port channel admin key...

Page 789: ...ned the next available port channel ID If the target switch has also enabled LACP on the connected ports the trunk will be activated automatically If more than eight ports attached to the same target...

Page 790: ...an aggregate link key The port admin key must be set to the same value for ports that belong to the same link aggregation group LAG Range 0 65535 DEFAULT SETTING 0 COMMAND MODE Interface Configuratio...

Page 791: ...uration Ethernet COMMAND USAGE Setting a lower value indicates a higher effective priority If an active port link goes down the backup port with the highest priority is selected to replace the downed...

Page 792: ...switch s MAC address to form the LAG identifier This identifier is used to indicate a specific LAG during LACP negotiations with other systems Once the remote side of a link has been established LACP...

Page 793: ...e interfaces that joined the group Note that when the LAG is no longer used the port channel admin key is reset to 0 EXAMPLE Console config interface port channel 1 Console config if lacp admin key 3...

Page 794: ...his channel group Marker Sent Number of valid Marker PDUs transmitted from this channel group Marker Received Number of valid Marker PDUs received by this channel group LACPDUs Unknown Pkts Number of...

Page 795: ...mation Collecting Collection of incoming frames on this link is enabled i e collection is currently enabled and is not expected to be disabled in the absence of administrative changes or changes in re...

Page 796: ...signed to this aggregation port by the partner Admin Key Current administrative value of the Key for the protocol partner Oper Key Current operational value of the Key for the protocol partner Admin S...

Page 797: ...n SYNTAX port monitor interface rx tx both no port monitor interface interface ethernet unit port source port unit Stack unit Range 1 port Port number Range 1 24 rx Mirror received packets tx Mirror t...

Page 798: ...onitor command to specify the source of the traffic to mirror When mirroring traffic from a port the mirror port and monitor port speeds should match otherwise traffic may be dropped from the monitor...

Page 799: ...tion port and mirror mode i e RX TX RX TX EXAMPLE The following shows mirroring configured from port 6 to port 11 Console config interface ethernet 1 11 Console config if port monitor ethernet 1 6 Con...

Page 800: ...CHAPTER 32 Port Mirroring Commands Local Port Mirroring Commands 800...

Page 801: ...lt rate Use the no form to restore the default status of disabled SYNTAX rate limit input output rate no rate limit input output input Input rate for specified interface output Output rate for specifi...

Page 802: ...the storm control command It is therefore not advisable to use both of these commands on the same interface EXAMPLE Console config interface ethernet 1 1 Console config if rate limit input 64 Console...

Page 803: ...ng DEFAULT SETTING 300 seconds COMMAND MODE Global Configuration COMMAND USAGE The aging time is used to age out dynamically learned forwarding information EXAMPLE Console config mac address table agi...

Page 804: ...e default mode is permanent COMMAND MODE Global Configuration COMMAND USAGE The static address for a host device can be assigned to a specific port within a specific VLAN Use this command to add stati...

Page 805: ...address interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 24 port channel channel id Range 1 32 vlan id VLAN ID Range 1 4093 sort Sort by address vlan or interface DEFAULT...

Page 806: ...ss table Interface MAC Address VLAN Type Life Time Eth 1 1 00 E0 29 94 34 DE 1 Config Delete on Reset Eth 1 21 00 01 EC F8 D8 D9 1 Learn Delete on Timeout Console show mac address table aging time Thi...

Page 807: ...e maximum number of hops allowed in the region before a BPDU is discarded MST mst priority Configures the priority of a spanning tree instance MST mst vlan Adds VLANs to a spanning tree instance MST n...

Page 808: ...s down EXAMPLE This example shows how to enable the Spanning Tree Algorithm for the switch Console config spanning tree Console config spanning tree port priority Configures the spanning tree priority...

Page 809: ...evice must receive information about topology changes before it starts to forward frames In addition each port needs time to listen for conflicting information that would make it return to the discard...

Page 810: ...of 40 or 2 x forward time 1 DEFAULT SETTING 20 seconds COMMAND MODE Global Configuration COMMAND USAGE This command sets the maximum time in seconds a device can wait without receiving a configuration...

Page 811: ...P supports connections to either STP or RSTP nodes by monitoring the incoming protocol messages and dynamically adjusting the type of protocol messages the RSTP node transmits as described below STP M...

Page 812: ...method long Specifies 32 bit based values that range from 1 200 000 000 This method is based on the IEEE 802 1w Rapid Spanning Tree Protocol short Specifies 16 bit based values that range from 1 65535...

Page 813: ...electing the root device root port and designated port The device with the highest priority i e lower numeric value becomes the STA root device However if all devices have the same priority the device...

Page 814: ...ole config spanning tree transmission limit 4 Console config max hops This command configures the maximum number of hops in the region before a BPDU is discarded Use the no form to restore the default...

Page 815: ...e Range 0 61440 in steps of 4096 Options 0 4096 8192 12288 16384 20480 24576 28672 32768 36864 40960 45056 49152 53248 57344 61440 DEFAULT SETTING 32768 COMMAND MODE MST Configuration COMMAND USAGE MS...

Page 816: ...allowing for faster convergence of a new topology for the failed instance By default all VLANs are assigned to the Internal Spanning Tree MSTI 0 that connects all bridges and LANs within the MST regi...

Page 817: ...on This command configures the revision number for this multiple spanning tree configuration of this switch Use the no form to restore the default SYNTAX revision number number Revision number of the...

Page 818: ...ng port connected to another switch or bridging device is mistakenly configured as an edge port and BPDU filtering is enabled on this port this might cause a loop in the spanning tree Before enabling...

Page 819: ...onfig interface ethernet ethernet 1 5 Console config if spanning tree edge port Console config if spanning tree bpdu guard Console config if RELATED COMMANDS spanning tree edge port 820 spanning tree...

Page 820: ...a and higher values assigned to ports with slower media Path cost takes precedence over port priority When the path cost method page 812 is set to short the maximum value for path cost is 65 535 EXAMP...

Page 821: ...figures the link type for Rapid Spanning Tree and Multiple Spanning Tree Use the no form to restore the default SYNTAX spanning tree link type auto point to point shared no spanning tree link type aut...

Page 822: ...BPDU according to IEEE Standard 802 1W 2001 9 3 4 Note 1 Port Loopback Detection will not be active if Spanning Tree is disabled on the switch EXAMPLE Console config interface ethernet 1 5 Console co...

Page 823: ...Note 1 Port Loopback Detection will not be active if Spanning Tree is disabled on the switch When configured for manual release mode then a link down up event will not release the port from the discar...

Page 824: ...auto configuration mode When the short path cost method is selected and the default path cost recommended by the IEEE 8021w standard exceeds 65 535 the default is set to 65 535 The default path costs...

Page 825: ...ple spanning tree If the path cost for all interfaces on a switch are the same the interface with the highest priority that is lowest value will be configured as an active link in the spanning tree Wh...

Page 826: ...ort Channel COMMAND USAGE A bridge with a lower bridge identifier or same identifier and lower MAC address can take over as the root bridge at any time When Root Guard is enabled and the switch receiv...

Page 827: ...AMPLE This example disables the spanning tree algorithm for port 5 Console config interface ethernet 1 5 Console config if spanning tree spanning disabled Console config if spanning tree loopback dete...

Page 828: ...ort number Range 1 24 port channel channel id Range 1 32 COMMAND MODE Privileged Exec COMMAND USAGE If at any time the switch detects STP BPDUs including Configuration or Topology Change Notification...

Page 829: ...for every interface in the tree Use the show spanning tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree CST Use the show spanning tree...

Page 830: ...1 Designated Root 32768 0 0001ECF8D8C6 Designated Bridge 32768 0 123412341234 Fast Forwarding Disabled Forward Transitions 4 Admin Edge Port Disabled Oper Edge Port Disabled Admin Link Type Auto Oper...

Page 831: ...rfaces Configures VLAN interface parameters including ingress and egress tagging mode ingress filtering PVID and GVRP Displaying VLAN Information Displays VLAN groups status port members and MAC addre...

Page 832: ...D USAGE GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network This function should be enabled to permit automatic VLAN registration...

Page 833: ...AGE Group Address Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN The default values for the GARP timers are indepen...

Page 834: ...NG No VLANs are included in the forbidden list COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE This command prevents a VLAN from being automatically added to the specified int...

Page 835: ...Console show bridge ext Maximum Supported VLAN Numbers 4093 Maximum Supported VLAN ID 4093 Extended Multicast Filtering Services No Static Entry Individual Port Yes VLAN Learning IVL Configurable PVID...

Page 836: ...erface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 24 port channel channel id Range 1 32 DEFAULT SETTING Shows both global and interface specific configuration COMMAN...

Page 837: ...u can display this file by entering the show running config command EXAMPLE Console config vlan database Console config vlan RELATED COMMANDS show vlan 845 vlan This command configures a VLAN Use the...

Page 838: ...URING VLAN INTERFACES Table 96 Commands for Configuring VLAN Interfaces Command Function Mode interface vlan Enters interface configuration mode for a specified VLAN GC switchport acceptable frame typ...

Page 839: ...configuration for the desired VLAN enter any Layer 3 configuration commands and save the configuration settings To change a Layer 3 normal VLAN back to a Layer 2 VLAN use the no interface command EXAM...

Page 840: ...ce Use the no form to restore the default SYNTAX switchport allowed vlan add vlan list tagged untagged remove vlan list no switchport allowed vlan add vlan list List of VLAN identifiers to add remove...

Page 841: ...and 6 to the allowed list as tagged VLANs for port 1 Console config interface ethernet 1 1 Console config if switchport allowed vlan add 1 2 5 6 tagged Console config if switchport ingress filtering...

Page 842: ...r untagged frames trunk Specifies a port as an end point for a VLAN trunk A trunk is a direct link between two switches so the port transmits tagged frames that identify the source VLAN Note that fram...

Page 843: ...to VLAN 1 as an untagged member For all other VLANs an interface must first be configured as an untagged member before you can assign its PVID to that group If acceptable frame types is set to all or...

Page 844: ...AN trunking ports The following restrictions apply to this feature VLAN trunking can only be enabled on Gigabit Ethernet ports or trunks VLAN trunking is mutually exclusive with the access switchport...

Page 845: ...ec Privileged Exec EXAMPLE The following example shows how to display information for VLAN 1 Console show vlan id 1 VLAN ID 1 Type Static Name DefaultVlan Status Active Ports Port Channels Eth1 1 S Et...

Page 846: ...ifier TPID value of the tunnel access port This step is required if the attached client is using a nonstandard 2 byte ethertype to identify 802 1Q tagged frames The standard ethertype value is 0x8100...

Page 847: ...nel control This command sets the switch to operate in QinQ mode Use the no form to disable QinQ operating mode SYNTAX no dot1q tunnel system tunnel control DEFAULT SETTING Disabled COMMAND MODE Globa...

Page 848: ...d the packet passed on to the VLAN indicated by the inner tag If no inner tag is found the packet is passed onto the native VLAN defined for the uplink port EXAMPLE Console config interface ethernet 1...

Page 849: ...tch will be set to the same ethertype EXAMPLE Console config interface ethernet 1 1 Console config if switchport dot1q tunnel tpid 9100 Console config if RELATED COMMANDS show interfaces switchport 78...

Page 850: ...OMMAND MODE Global Configuration COMMAND USAGE Traffic segmentation provides port based security and isolation between ports within the VLAN Data traffic on the downlink ports can only be forwarded to...

Page 851: ...ide port based security and isolation of local ports contained within different private VLAN groups This switch supports two types of private VLANs primary and community groups A primary VLAN contains...

Page 852: ...port to a community VLAN 5 Use the switchport private vlan mapping command to assign a port to a primary VLAN 6 Use the show vlan private vlan command to verify your configuration settings Table 100 P...

Page 853: ...tween community VLANs and other locations DEFAULT SETTING None COMMAND MODE VLAN Configuration COMMAND USAGE Private VLANs are used to restrict traffic to ports within the same community and channel t...

Page 854: ...provide security for group members The associated primary VLAN provides a common interface for access to other network resources within the primary VLAN e g servers configured with promiscuous ports...

Page 855: ...tchport private vlan host association Use this command to associate an interface with a secondary VLAN Use the no form to remove this association SYNTAX switchport private vlan host association second...

Page 856: ...a primary VLAN can communicate with any other promiscuous ports in the same VLAN and with the group members within any associated secondary VLANs EXAMPLE Console config interface ethernet 1 2 Console...

Page 857: ...on the protocol type in use by the inbound packets To configure protocol based VLANs follow these steps 1 First configure VLAN groups for the protocols you want to use page 837 Although not mandatory...

Page 858: ...MAND MODE Global Configuration EXAMPLE The following creates protocol group 1 and specifies Ethernet frames with IP and ARP protocol types Console config protocol vlan protocol group 1 add frame type...

Page 859: ...ames If the frame is untagged and the protocol type matches the frame is forwarded to the appropriate VLAN If the frame is untagged but the protocol type does not match the frame is forwarded to the d...

Page 860: ...for the selected interfaces SYNTAX show interfaces protocol vlan protocol group interface interface ethernet unit port unit Stack unit Range 1 port Port number ES3526MA 1 26 ES4524MA 1 24 port channe...

Page 861: ...ask vlan vlan id priority priority no subnet vlan subnet ip address mask all ip address The IP address that defines the subnet Valid IP addresses consist of four decimal numbers 0 to 255 separated by...

Page 862: ...24 vlan 4 Console config show subnet vlan This command displays IP Subnet VLAN assignments COMMAND MODE Privileged Exec COMMAND USAGE Use this command to display subnet to VLAN mappings The last match...

Page 863: ...remove an assignment SYNTAX mac vlan mac address mac address vlan vlan id priority priority no mac vlan mac address mac address all mac address The source MAC address to be matched Configured MAC add...

Page 864: ...dress VLAN ID Priority 00 00 00 11 22 33 10 0 Console CONFIGURING VOICE VLANS The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic VoIP traffic can...

Page 865: ...n switch ports by using the source MAC address of packets or by using LLDP IEEE 802 1AB to discover connected VoIP devices When VoIP traffic is detected on a configured port the switch automatically a...

Page 866: ...gures the Voice VLAN aging time as 3000 minutes Console config voice vlan aging 3000 Console config voice vlan mac address This command specifies MAC address ranges to add to the OUI Telephony list Us...

Page 867: ...Telephony list Console config voice vlan mac address 00 12 34 56 78 90 mask ff ff ff 00 00 00 description A new phone Console config switchport voice vlan This command specifies the Voice VLAN mode fo...

Page 868: ...MMAND USAGE Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN The priority of any received VoIP packet is overwritten with the new priority when the Voice VLAN feature is ac...

Page 869: ...ing VoIP traffic Console config interface ethernet 1 1 Console config if switchport voice vlan rule oui Console config if switchport voice vlan security This command enables security filtering for VoI...

Page 870: ...tatus Global Voice VLAN Status Voice VLAN Status Enabled Voice VLAN ID 1234 Voice VLAN aging time 1440 minutes Voice VLAN Port Summary Port Mode Security Rule Priority Remaining Age minutes Eth 1 1 Au...

Page 871: ...unction Priority Commands Layer 2 Configures the queue mode queue weights and default priority for untagged frames Priority Commands Layer 3 and 4 Maps TCP ports IP precedence tags or IP DSCP tags to...

Page 872: ...ueuing for each port Eight separate traffic classes are defined in IEEE 802 1p The default priority levels are assigned according to recommendations in the IEEE 802 1p standard as shown below COMMAND...

Page 873: ...ted Round Robin for the rest of the queues queue type list Indicates if the queue is a normal or strict type Options 0 indicates a normal queue 1 indicates a strict queue DEFAULT SETTING Weighted Roun...

Page 874: ...queue mode strict Console config if RELATED COMMANDS queue weight 874 show queue mode 876 queue weight This command assigns weights to the eight class of service CoS priority queues when using weighte...

Page 875: ...r priority mapping is IP Port IP Precedence or IP DSCP and then default switchport priority The default priority applies for an untagged frame received on a port set to accept all frame types i e rece...

Page 876: ...rvice priority map SYNTAX show queue cos map interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 24 port channel channel id Range 1 32 DEFAULT SETTING None COMMAND MODE Privi...

Page 877: ...ole show queue weight This command displays the weights used for the weighted queues SYNTAX show queue mode interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 24 p...

Page 878: ...DSCP cannot both be enabled Enabling one of these priority types will automatically disable the other type EXAMPLE The following example shows how to enable IP DSCP mapping globally Console config ma...

Page 879: ...ort priority EXAMPLE The following example shows how to enable TCP UDP port mapping globally Console config map ip port Console config map ip precedence Global Configuration This command enables IP pr...

Page 880: ...SETTING The DSCP default values are defined in the following table Note that all the DSCP values that are not specified are mapped to CoS value 0 COMMAND MODE Interface Configuration Ethernet Port Cha...

Page 881: ...cos value no map ip port port number port number 16 bit TCP UDP port number Range 0 65535 cos value Class of Service value Range 0 7 DEFAULT SETTING None COMMAND MODE Interface Configuration Ethernet...

Page 882: ...tion Ethernet Port Channel COMMAND USAGE The precedence for priority mapping is IP Port IP Precedence or IP DSCP and default switchport priority IP Precedence values are mapped to default Class of Ser...

Page 883: ...1 32 DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console show map ip dscp ethernet 1 1 DSCP mapping status Disabled Port DSCP CoS Eth 1 1 0 0 Eth 1 1 1 0 Eth 1 1 2 0 Eth 1 1 3 0 Eth 1 1...

Page 884: ...precedence This command shows the IP precedence priority map SYNTAX show map ip precedence interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 24 port channel chan...

Page 885: ...olicy map PM police flow Defines an enforcer for classified traffic based on a metered flow rate PM C police srtcm color Defines an enforcer for classified traffic based on a single rate three color m...

Page 886: ...he matching traffic class and use one of the police commands to monitor parameters such as the average flow and burst rate and drop any traffic that exceeds the specified rate or just reduce the DSCP...

Page 887: ...ommands EXAMPLE This example creates a class map call rd class and sets it to match packets marked for DSCP service value 3 Console config class map rd class match any Console config cmap match ip dsc...

Page 888: ...map command to designate a class map and enter the Class Map configuration mode Then use match commands to specify the fields within ingress packets that must match to qualify for this class map If an...

Page 889: ...onfig cmap rename This command redefines the name of a class map or policy map SYNTAX rename map name map name Name of the class map or policy map Range 1 16 characters COMMAND MODE Class Map Configur...

Page 890: ...o drop any violating packets Console config policy map rd policy Console config pmap class rd class Console config pmap c set ip dscp 3 Console config pmap c police flow 10000 4000 conform action tran...

Page 891: ...ice flow 10000 4000 conform action transmit violate action drop Console config pmap c police flow This command defines an enforcer for classified traffic based on the metered flow rate Use the no form...

Page 892: ...d Burst Size The token bucket C is initially full that is the token count Tc 0 BC Thereafter the token count Tc is updated CIR times per second as follows If Tc is less than BC Tc is incremented by on...

Page 893: ...burst Excess burst size BE in bytes Range 4000 1600000 at a granularity of 4k bytes conform action Action to take when rate is within the CIR and BC There are enough tokens in bucket BC to service th...

Page 894: ...ken count Tc 0 BC and the token count Te 0 BE Thereafter the token counts Tc and Te are updated CIR times per second as follows If Tc is less than BC Tc is incremented by one else if Te is less then B...

Page 895: ...olor blind trtcm color aware committed rate committed burst peak rate peak burst conform action transmit new dscp exceed action drop new dscp violate action drop new dscp trtcm color blind Two rate th...

Page 896: ...ol queue congestion A packet is marked red if it exceeds the PIR Otherwise it is marked either yellow or green depending on whether it exceeds or doesn t exceed the CIR The trTCM is useful for ingress...

Page 897: ...on other aspects of trTCM EXAMPLE This example creates a policy called rd policy uses the class command to specify the previously defined rd class uses the set phb command to classify the service that...

Page 898: ...op any violating packets Console config policy map rd policy Console config pmap class rd class Console config pmap c set cos 3 Console config pmap c police flow 10000 4000 conform action transmit vio...

Page 899: ...licy map defined by the policy map command to the ingress side of a particular interface Use the no form to remove this mapping SYNTAX no service policy input policy map name input Apply to the input...

Page 900: ...ss list rd access Match ip dscp 0 Class Map match any rd class 2 Match ip precedence 5 Class Map match any rd class 3 Match vlan 1 Console show policy map This command displays the QoS policy maps whi...

Page 901: ...sole show policy map interface This command displays the service policy assigned to the specified interface SYNTAX show policy map interface interface input interface unit port unit Stack unit Range 1...

Page 902: ...CHAPTER 38 Quality of Service Commands 902...

Page 903: ...oups via IGMP snooping or static assignment sets the IGMP version enables proxy reporting displays current snooping settings and displays the multicast service and group members Static Multicast Routi...

Page 904: ...Configures the IGMP version for snooping GC ip igmp snooping version exclusive Discards received IGMP messages which use a version different to that currently configured GC ip igmp snooping vlan gene...

Page 905: ...VLAN interface but the interface settings will not take effect until snooping is re enabled globally EXAMPLE The following example enables IGMP snooping globally Console config ip igmp snooping Conso...

Page 906: ...IGMP Snooping with Proxy Reporting as defined in DSL Forum TR 101 April 2006 including report suppression last leave and query suppression Report suppression intercepts absorbs and summarizes IGMP re...

Page 907: ...ING Disabled COMMAND MODE Global Configuration COMMAND USAGE As described in Section 9 1 of RFC 3376 for IGMP Version 3 the Router Alert Option can be used to protect against DOS attacks One common me...

Page 908: ...flood This command enables flooding of multicast traffic if a spanning tree topology change notification TCN occurs Use the no form to disable flooding SYNTAX no ip igmp snooping tcn flood DEFAULT SE...

Page 909: ...t bridge sends a proxy query to quickly re learn the host membership port relations for multicast channels The root bridge also sends an unsolicited Multicast Router Discover MRD request to quickly lo...

Page 910: ...p igmp snooping tcn query solicit Console config ip igmp snooping unregistered data flood This command floods unregistered multicast traffic into the attached VLAN Use the no form to drop unregistered...

Page 911: ...l Configuration COMMAND USAGE When a new upstream interface that is uplink port starts up the switch sends unsolicited reports for all currently learned multicast channels out through the new upstream...

Page 912: ...clusive This command discards any received IGMP messages except for multicast protocol packets which use a version different to that currently configured by the ip igmp snooping version command Use th...

Page 913: ...es are forwarded only to downstream ports which have joined a multicast service EXAMPLE Console config ip igmp snooping vlan 1 general query suppression Console config ip igmp snooping vlan immediate...

Page 914: ...ediate leave Console config ip igmp snooping vlan last memb query count This command configures the number of IGMP proxy group specific or group and source specific query messages that are sent out be...

Page 915: ...ved by the switch it checks to see if this host is the last to leave the group by sending out an IGMP group specific or group and source specific query message and starts a timer If no reports are rec...

Page 916: ...timer as a part of a router s start up procedure during the restart of a multicast forwarding interface and on receipt of a solicitation message When the multicast services provided to a VLAN is relat...

Page 917: ...placed with any valid unicast address other than the router s own address using this command EXAMPLE The following example sets the source address for proxied IGMP query messages to 10 0 1 8 Console c...

Page 918: ...queries Use the no form to restore the default SYNTAX ip igmp snooping vlan vlan id query resp intvl interval no ip igmp snooping vlan vlan id query resp intvl vlan id VLAN ID Range 1 4093 interval T...

Page 919: ...D USAGE Static multicast entries are never aged out When a multicast entry is assigned to an interface in a specific VLAN the corresponding traffic can only be forwarded to ports within that VLAN EXAM...

Page 920: ...ng global status Disabled Immediate leave Disabled Last member query interval 10 1 10s Last member query count 2 General query suppression Disabled Query interval 125 Query response interval 100 1 10s...

Page 921: ...mand shows known multicast addresses SYNTAX show mac address table multicast vlan vlan id user igmp snp user igmp snooping vlan id VLAN ID 1 to 4093 user Display only the user configured multicast ent...

Page 922: ...multicast router ports are configured COMMAND MODE Global Configuration COMMAND USAGE Depending on your network connections IGMP snooping may not always be able to locate the IGMP querier Therefore i...

Page 923: ...In certain switch applications the administrator may want to control the multicast services that are available to end users For example an IP TV service based on a specific subscription plan The IGMP...

Page 924: ...ecked against the filter profile If a requested multicast group is permitted the IGMP join report is forwarded as normal If a requested multicast group is denied the IGMP join report is dropped IGMP f...

Page 925: ...o many interfaces but only one profile can be assigned to one interface Each profile has only one access mode either permit or deny EXAMPLE Console config ip igmp profile 19 Console config igmp profil...

Page 926: ...p range DEFAULT SETTING None COMMAND MODE IGMP Profile Configuration COMMAND USAGE Enter this command multiple times to specify more than one multicast address or address range for a profile EXAMPLE C...

Page 927: ...p max groups number no ip igmp max groups number The maximum number of multicast groups an interface can join at the same time Range 0 64 DEFAULT SETTING 64 COMMAND MODE Interface Configuration Ethern...

Page 928: ...witch can take one of two actions either deny or replace If the action is set to deny any new IGMP join reports will be dropped If the action is set to replace the switch randomly removes an existing...

Page 929: ...mp profile profile number profile number An existing IGMP filter profile number Range 1 4294967295 DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console show ip igmp profile IGMP Profile 1...

Page 930: ...ocessing overhead required to dynamically monitor and establish the distribution tree for a normal multicast VLAN Also note that MVR maintains the user isolation and data security provided by VLAN seg...

Page 931: ...must be assigned vlan id MVR VLAN ID Range 1 4093 DEFAULT SETTING MVR is disabled No MVR group address is defined The default number of contiguous addresses is 0 MVR VLAN ID is 1 COMMAND MODE Global...

Page 932: ...t Port Channel COMMAND USAGE Immediate leave applies only to receiver ports When enabled the receiver port is immediately removed from the multicast group identified in the leave message When immediat...

Page 933: ...used to allow a receiver port to dynamically join or leave multicast groups sourced through the MVR VLAN Also note that VLAN membership for MVR receiver ports cannot be set to trunk mode see the switc...

Page 934: ...AULT SETTING No receiver port is a member of any configured multicast group COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE Multicast groups can be statically assigned to a re...

Page 935: ...ivileged Exec COMMAND USAGE Enter this command without any keywords to display the global settings for MVR Use the interface keyword to display information about interfaces attached to the MVR VLAN Or...

Page 936: ...mber of contiguous MVR group addresses Table 118 show mvr interface display description Field Description Port Shows interfaces attached to the MVR Type Shows the MVR port type Status Shows the MVR st...

Page 937: ...ferent from the MVR VLAN if the group address has been statically assigned Table 119 show mvr members display description Continued Field Description Table 120 IGMP Commands Layer 3 Command Function M...

Page 938: ...sec Last Member Query Interval 10 resolution in 0 1 sec Querier 0 0 0 0 Joined Groups Static Groups Console RELATED COMMANDS ip igmp snooping 905 show ip igmp snooping 919 ip igmp last member query in...

Page 939: ...d to restore the default SYNTAX ip igmp max resp interval seconds no ip igmp max resp interval seconds The report delay advertised in IGMP queries Range 0 255 tenths of a second DEFAULT SETTING 100 10...

Page 940: ...send host query messages to determine the interfaces that are connected to downstream hosts requesting a specific multicast service Only the designated multicast router for a subnet sends host query m...

Page 941: ...o indicating that the QRV field does not contain a declared robustness value the switch will set the robustness variable to the value statically configured by this command If the QRV exceeds 7 the max...

Page 942: ...multicast group will also fail if the next node up the reverse path tree has enabled the PIM SSM protocol If a static group is configured for an any source multicast G a source address cannot subseque...

Page 943: ...e IGMP versions 1 3 If the switch receives an IGMP Version 1 Membership Report it sets a timer to note that there are Version 1 hosts which are members of the group for which it heard the report If th...

Page 944: ...ticast group address interface vlan vlan id VLAN ID Range 1 4093 detail Displays detailed information about the multicast process and source addresses when available COMMAND MODE Privileged Exec COMMA...

Page 945: ...is multicast group address on this interface Uptime The time elapsed since this entry was created Expire The time remaining before this entry will be aged out The default is 260 seconds This field dis...

Page 946: ...ed in the source list parameter In EXCLUDE mode reception of packets sent to the given multicast address is requested from all IP source addresses except for those listed in the source list parameter...

Page 947: ...Use the ip igmp proxy unsolicited report interval command to indicate how often the system will send unsolicited reports to the upstream router ip igmp proxy This command enables IGMP proxy service fo...

Page 948: ...k then the proxy device will act as an IGMPv1 or IGMPv2 host on the upstream interface accordingly Otherwise it will act as an IGMPv3 host Multicast routing protocols are not supported on interfaces w...

Page 949: ...T SETTING 400 seconds COMMAND MODE Interface Configuration VLAN EXAMPLE The following example sets the interval for sending unsolicited IGMP reports to 5 seconds Console config interface vlan Console...

Page 950: ...CHAPTER 39 Multicast Filtering Commands IGMP Proxy Routing 950...

Page 951: ...g to re initialize after LLDP ports are disabled or the link goes down GC lldp tx delay Configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB...

Page 952: ...ion capabilities IC lldp dot3 tlv mac phy Configures an LLDP enabled port to advertise its MAC and physical layer specifications IC lldp dot3 tlv max frame Configures an LLDP enabled port to advertise...

Page 953: ...ds no lldp notification interval seconds Specifies the periodic interval at which SNMP notifications are sent Range 5 3600 seconds DEFAULT SETTING 5 seconds COMMAND MODE Global Configuration COMMAND U...

Page 954: ...e following rule refresh interval holdtime multiplier 65536 EXAMPLE Console config lldp refresh interval 60 Console config lldp reinit delay This command configures the delay before attempting to re i...

Page 955: ...ent a series of successive LLDP transmissions during a short period of rapid changes in local LLDP MIB objects and to increase the probability that multiple rather than single changes are reported in...

Page 956: ...port sending this advertisement The management address TLV may also include information about the specific interface associated with this address and an object identifier indicating the type of hardwa...

Page 957: ...des information about the manufacturer the product name and the version of the interface hardware software EXAMPLE Console config interface ethernet 1 1 Console config if lldp basic tlv port descripti...

Page 958: ...RFC 3418 which includes the full name and version identification of the system s hardware type software operating system and networking software EXAMPLE Console config interface ethernet 1 1 Console...

Page 959: ...es the protocols that are accessible through this interface EXAMPLE Console config interface ethernet 1 1 Console config if no lldp dot1 tlv proto ident Console config if lldp dot1 tlv proto vid This...

Page 960: ...h which untagged or priority tagged frames are associated see the switchport native vlan command EXAMPLE Console config interface ethernet 1 1 Console config if no lldp dot1 tlv pvid Console config if...

Page 961: ...tatus of the link and the 802 3 aggregated port identifier if this interface is currently a link aggregation member EXAMPLE Console config interface ethernet 1 1 Console config if no lldp dot3 tlv lin...

Page 962: ...size for this switch EXAMPLE Console config interface ethernet 1 1 Console config if lldp dot3 tlv max frame Console config if lldp notification This command enables the transmission of SNMP trap noti...

Page 963: ...ethernet 1 1 Console config if lldp notification Console config if show lldp config This command shows LLDP configuration settings for all ports SYNTAX show lldp config detail interface detail Shows...

Page 964: ...x frame Console show lldp info local device This command shows LLDP global and interface specific configuration settings for this device SYNTAX show lldp info local device detail interface detail Show...

Page 965: ...Ethernet Port on unit 1 port 1 Console show lldp info remote device This command shows LLDP global and interface specific configuration settings for remote devices attached to an LLDP enabled port SYN...

Page 966: ...ink Aggregation Remote link aggregation capable Yes Remote link aggragation enable No Remote link aggragation port id 0 Remote Max Frame Size 1518 Console show lldp info statistics This command shows...

Page 967: ...0 11 0 Eth 1 2 0 0 0 Eth 1 3 0 0 0 Eth 1 4 0 0 0 Eth 1 5 0 0 0 Console show lldp info statistics detail ethernet 1 1 LLDP Port Statistics Detail PortName Eth 1 1 Frames Discarded 0 Frames Invalid 0 Fr...

Page 968: ...CHAPTER 40 LLDP Commands 968...

Page 969: ...ist name name Name of the host Do not include the initial dot that separates the host name from the domain name Range 1 68 characters Table 125 Address Table Commands Command Function Mode ip domain l...

Page 970: ...main name command is used If there is a domain list the default domain name is not used EXAMPLE This example adds two domain names to the current list and then displays the list Console config ip doma...

Page 971: ...192 168 1 55 10 1 0 55 Console RELATED COMMANDS ip domain name 971 ip name server 973 ip domain name This command defines the default domain name appended to incomplete host names i e host names pass...

Page 972: ...ve an entry SYNTAX no ip host name address name Name of an IPv4 host Range 1 100 characters address Corresponding IPv4 address DEFAULT SETTING No static entries COMMAND MODE Global Configuration COMMA...

Page 973: ...servers DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE The listed name servers are queried in the specified sequence until a response is received or the end of the list is reach...

Page 974: ...values One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields DEFAULT SETTING No static entries COMMAND MODE Global Configuration...

Page 975: ...ear host command to clear dynamic entries or the no ip host command to clear static entries EXAMPLE This example clears all static entries from the DNS table Console config clear host Console config s...

Page 976: ...sole show hosts No Flag Type IP Address TTL Domain 0 2 Address 192 168 1 55 rd5 1 2 Address 2001 DB8 1 12 rd6 3 4 Address 209 131 36 158 65 www real wa1 b yahoo com 4 4 CNAME POINTER TO 3 65 www yahoo...

Page 977: ...tored in the cache Type This field includes Address which specifies the primary name for the owner and CNAME which specifies multiple domain names or aliases which are mapped to the same IP address as...

Page 978: ...CHAPTER 41 Domain Name Service Commands 978...

Page 979: ...address information ip dhcp restart client This command submits a BOOTP or DHCP client request DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE This command issues a BOOTP or DHCP clie...

Page 980: ...34 12 34 Index 1001 MTU 1500 Bandwidth 1g Address Mode is DHCP IP Address 192 168 0 9 Mask 255 255 255 0 Proxy ARP is disabled Console RELATED COMMANDS ip address 1006 DHCP RELAY This section describ...

Page 981: ...host devices attached to the switch If DHCP relay service is enabled and this switch sees a DHCP request broadcast it inserts its own IP address into the request so the DHCP server will know the subn...

Page 982: ...servers available to a DHCP client DC domain name Specifies the domain name for a DHCP client DC hardware address Specifies the hardware address of a DHCP client DC host These commands are used for m...

Page 983: ...s pool and enter DHCP Pool Configuration mode Use the no form to remove the address pool SYNTAX no ip dhcp pool name name A string or integer Range 1 8 characters DEFAULT SETTING DHCP address pools ar...

Page 984: ...If the DHCP server is running you must restart it to implement any configuration changes EXAMPLE Console config service dhcp Console config bootfile This command specifies the name of the default boot...

Page 985: ...l value DEFAULT SETTING None COMMAND MODE DHCP Pool Configuration COMMAND USAGE This command identifies a DHCP client to bind to an address specified in the host command If both a client identifier an...

Page 986: ...to two routers Routers are listed in order of preference starting with address1 as the most preferred router EXAMPLE Console config dhcp default router 10 1 0 54 10 1 0 64 Console config dhcp dns serv...

Page 987: ...nt Range 1 32 characters DEFAULT SETTING None COMMAND MODE DHCP Pool Configuration EXAMPLE Console config dhcp domain name sample com Console config dhcp hardware address This command specifies the ha...

Page 988: ...ess for the client SYNTAX host address mask no host address Specifies the IP address of a client mask Specifies the network mask of the client DEFAULT SETTING None COMMAND MODE DHCP Pool Configuration...

Page 989: ...currently in use by the host EXAMPLE Console config dhcp host 10 1 0 21 255 255 255 0 Console config dhcp RELATED COMMANDS client identifier 985 hardware address 987 lease This command configures the...

Page 990: ...to remove the NetBIOS name server list SYNTAX netbios name server address1 address2 no netbios name server address1 Specifies IP address of primary NetBIOS WINS name server address2 Specifies IP addr...

Page 991: ...r 990 network This command configures the subnet number and mask for a DHCP address pool Use the no form to remove the subnet number and mask SYNTAX network network number mask no network network numb...

Page 992: ...st field nnn determines the class 0 127 is class A only uses the first field in the network address 128 191 is class B uses the first two fields in the network address 192 223 is class C uses the firs...

Page 993: ...d as the address parameter the DHCP server clears all automatic bindings Use the no host command to delete a manual binding This command is normally used after modifying the address pool or after movi...

Page 994: ...1 3 21 00 00 e8 98 73 21 86400 Dec 25 08 01 57 2002 Console show ip dhcp This command displays DHCP address pools configured on the switch COMMAND MODE Privileged Exec EXAMPLE Console show ip dhcp Na...

Page 995: ...ch allows a router to take over as the master router when it comes on line if it has a higher priority than the currently active master router Table 132 VRRP Commands Command Function Mode vrrp authen...

Page 996: ...the string configured on this router If the keys match the message is accepted Otherwise the packet is discarded Plain text authentication does not provide any real security It is supported only to pr...

Page 997: ...customize any of the other parameters for VRRP such as authentication priority or advertisement interval then first configure these parameters before enabling VRRP EXAMPLE This example creates VRRP gr...

Page 998: ...p priority 998 vrrp priority This command sets the priority of this router in a VRRP group Use the no form to restore the default setting SYNTAX vrrp group priority level no vrrp group priority group...

Page 999: ...nterval at which the master virtual router sends advertisements communicating its state as the master Use the no form to restore the default interval SYNTAX vrrp group timers advertise interval no vrr...

Page 1000: ...roup Identifies a VRRP group Range 1 255 interface Identifier of configured VLAN interface Range 1 4093 DEFAULTS None COMMAND MODE Privileged Exec EXAMPLE Console clear vrrp 1 interface 1 counters Con...

Page 1001: ...uthentication SimpleText Authentication Key bluebird Master Router 192 168 1 6 Master Priority 255 Master Advertisement Interval 5 sec Master Down Interval 15 Console Table 133 show vrrp display descr...

Page 1002: ...r Master priority The priority of the router currently acting as the VRRP group master Master Advertisement interval The advertisement interval configured on the VRRP master Master down interval The d...

Page 1003: ...ies a VRRP group Range 1 255 interface Identifier of configured VLAN interface Range 1 4093 DEFAULTS None COMMAND MODE Privileged Exec EXAMPLE Console show vrrp 1 interface vlan 1 counters Total Numbe...

Page 1004: ...MMAND MODE Privileged Exec EXAMPLE Note that unknown errors indicate VRRP packets received with an unknown or unsupported version number Console show vrrp router counters Total Number of VRRP Packets...

Page 1005: ...by default You must manually configure a new address to manage the switch over your network or to connect the switch to existing IP subnets You may also need to a establish a default gateway between...

Page 1006: ...edia that will be assigned to a specific subnet then you must create a router interface for each VLAN that will support routing The router interface consists of an IP address and subnet mask This inte...

Page 1007: ...ress cannot be removed if a secondary address is still present Also if any router in a network segment uses a secondary address all other routers in that segment must also use a secondary address from...

Page 1008: ...ic to the designated address or subnet passes through a preferred gateway A default gateway can only be successfully set when a network interface that directly connects to the gateway has been configu...

Page 1009: ...ackets take to the specified destination SYNTAX traceroute host host IP address or alias of the host DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Use the traceroute command to deter...

Page 1010: ...ther node on the network SYNTAX ping host count count size size host IP address or IP alias of the host count Number of packets to send Range 1 16 size Number of bytes in a packet Range 32 512 The act...

Page 1011: ...transmitted 5 packets received 100 0 packets lost 0 Approximate round trip times Minimum 0 ms Maximum 10 ms Average 8 ms Console RELATED COMMANDS interface 770 ARP CONFIGURATION This section describe...

Page 1012: ...there is no response to an ARP broadcast message For example some applications may not respond to ARP requests or the response arrives too late causing network operations to time out Static entries w...

Page 1013: ...rp This command enables proxy Address Resolution Protocol ARP Use the no form to disable proxy ARP SYNTAX no ip proxy arp DEFAULT SETTING Disabled COMMAND MODE Interface Configuration VLAN COMMAND USA...

Page 1014: ...Exec Privileged Exec COMMAND USAGE This command displays information about the ARP cache The first line shows the cache timeout It also shows each cache entry including the IP address MAC address typ...

Page 1015: ...d in the forwarding list when UDP helper is enabled with the ip helper command and a remote server address is configured with the ip helper address command BOOTP client port 67 BOOTP server port 68 Do...

Page 1016: ...roadcast all ones broadcast 255 255 255 255 or a directed subnet broadcast such as 10 10 10 255 To reduce the number of application servers deployed in a multi segment network UDP helper can be used t...

Page 1017: ...igured with an IP address The UDP packets to be forwarded must be specifed by the ip forward protocol udp command and the packets meet the following criteria The MAC address of the received frame must...

Page 1018: ...settings for UDP helper COMMAND MODE Privileged Exec COMMAND USAGE This command displays all configuration settings for UDP helper including its functional status the UDP ports for which broadcast tra...

Page 1019: ...ct the router to the enterprise network GLOBAL ROUTING CONFIGURATION Table 139 IP Routing Commands Command Group Function Global Routing Configuration Configures global parameters for static and dynam...

Page 1020: ...used by the dynamic unicast routing protocols is 110 for OSPF and 120 for RIP Range 1 255 Default 1 Removes all static routing table entries DEFAULT SETTING No static routes are configured COMMAND MO...

Page 1021: ...led 4 paths COMMAND MODE Global Configuration EXAMPLE switch config maximum paths 8 switch config show ip route This command displays information in the Forwarding Information Base FIB SYNTAX show ip...

Page 1022: ...tes which are currently accessible for forwarding The router must be able to directly reach the next hop so the VLAN interface associated with any dynamic or static route entry must be up Note that ro...

Page 1023: ...UDP TCP and ARP protocols COMMAND MODE Privileged Exec EXAMPLE Console show ip traffic IP Statistics IP received 4877 total received header errors unknown protocols address errors discards 4763 delive...

Page 1024: ...tric assigned to external routes imported from other protocols RC distance Defines an administrative distance for external routes learned from other routing protocols RC maximum prefix Sets the maximu...

Page 1025: ...COMMANDS network 1029 ip rip receive version Sets the RIP receive version to use on a network interface IC ip rip receive packet Configures the interface to receive of RIP packets IC ip rip send versi...

Page 1026: ...address 0 0 0 0 EXAMPLE Console config router default information originate Console config router RELATED COMMANDS ip route 1020 redistribute 1031 default metric This command sets the default metric a...

Page 1027: ...ernal network with a better metric from a redistribution point other than that derived from the original source EXAMPLE This example sets the default metric to 5 Console config router default metric 5...

Page 1028: ...dministrative control The administrative distance is applied to all routes learned for the specified network EXAMPLE Console config router distance 2 192 168 3 0 255 255 255 0 Console config router ma...

Page 1029: ...lticast messages generated by the RIP protocol Use this command in conjunction with the passive interface command to control the routing updates sent to specific neighbors EXAMPLE Console config route...

Page 1030: ...g routing updates on the specified interface Use the no form to disable this feature SYNTAX no passive interface vlan vlan id vlan id VLAN ID Range 1 4093 DEFAULT SETTING Disabled COMMAND MODE Router...

Page 1031: ...ic value to be used for all imported external routes A route metric must be used to resolve the problem of redistributing external routes with incompatible metrics It is advisable to use a low metric...

Page 1032: ...240 seconds DEFAULT SETTING Update 30 seconds Timeout 180 seconds Garbage collection 120 seconds COMMAND MODE Router Configuration COMMAND USAGE The update timer sets the rate at which updates are sen...

Page 1033: ...RIPv1 or RIPv2 packets Send Route information is broadcast to other routers with RIPv2 COMMAND MODE Router Configuration COMMAND USAGE When this command is used to specify a global RIP version any VL...

Page 1034: ...n string command This command requires the interface to exchange routing information with other routers based on an authorized password Note that this command only applies to RIPv2 For authentication...

Page 1035: ...at this command does not apply to RIPv1 For authentication to function properly both the sending and receiving interface must be configured with the same password and authentication enabled by the ip...

Page 1036: ...e are still some older routers using RIPv1 EXAMPLE This example sets the interface version for VLAN 1 to receive RIPv1 packets Console config interface vlan 1 Console config if ip rip receive version...

Page 1037: ...TING 1 compatible Route information is broadcast to other routers with RIPv2 COMMAND MODE Interface Configuration VLAN COMMAND USAGE Use this command to override the global setting specified by the RI...

Page 1038: ...DE Interface Configuration VLAN DEFAULT SETTING Enabled COMMAND USAGE The no form of this command allows the router to passively monitor route information advertised by other routers attached to the n...

Page 1039: ...med unreachable EXAMPLE This example propagates routes back to the source using poison reverse Console config interface vlan 1 Console config if ip split horizon poison reverse Console config if clear...

Page 1040: ...ip protocols rip This command displays RIP process parameters COMMAND MODE Privileged Exec EXAMPLE Console show ip protocols rip Routing Protocol is rip Sending updates every 30 seconds with 5 seconds...

Page 1041: ...ied interface vlan id VLAN ID Range 1 4093 COMMAND MODE Privileged Exec EXAMPLE Console show ip rip Codes R RIP Rc RIP connected Rs RIP static C Connected S Static O OSPF Network Next Hop Metric From...

Page 1042: ...ult metric for external routes imported from other protocols RC redistribute Redistribute routes from one routing domain to another RC summary address Summarizes routes advertised by an ASBR RC Area C...

Page 1043: ...l Specifies the time between resending a link state advertisement IC ip ospf transmit delay Estimates time to send a link state update packet over an interface IC passive interface Suppresses OSPF rou...

Page 1044: ...e destination When disabled preference is based on type of path where type 1 external paths are preferred over type 2 external paths using cost only to break ties RFC 2328 All routers in an OSPF routi...

Page 1045: ...vertise a default external route into the AS if it has been configured to import external routes through other routing protocols or static routing and such a route is known See the redistribute comman...

Page 1046: ...fault information originate metric 20 metric type 2 Console config router RELATED COMMANDS ip route 1020 redistribute 1052 router id This command assigns a unique router ID for this device within the...

Page 1047: ...ge and starting the shortest path first SPF calculation and the hold time between making two consecutive SPF calculations Use the no form to restore the default values SYNTAX timers spf spf delay spf...

Page 1048: ...ommand specifies a cost for the default summary route sent into a stub or NSSA from an Area Border Router ABR Use the no form to remove the assigned default cost SYNTAX area area id default cost cost...

Page 1049: ...s remain hidden from the rest of the network COMMAND MODE Router Configuration DEFAULT SETTING Disabled COMMAND USAGE This command can be used to summarize intra area routes and advertise this informa...

Page 1050: ...lculates the cost for an interface by dividing the reference bandwidth by the interface bandwidth By default the cost is 1 Mbps for all port types including 100 Mbps ports 1 Gigabit ports and 10 Gigab...

Page 1051: ...ols Range 0 16777214 COMMAND MODE Router Configuration DEFAULT SETTING 20 COMMAND USAGE The default metric must be used to resolve the problem of redistributing external routes from other protocols th...

Page 1052: ...ternal route metric tag value A tag placed in the AS external LSA to identify a specific external routing domain or to pass additional information between routers Range 0 4294967295 COMMAND MODE Route...

Page 1053: ...earned from RIP as Type 1 external routes Console config router redistribute rip metric type 1 Console config router RELATED COMMANDS default information originate 1045 summary address This command ag...

Page 1054: ...ates NSSA ABR translator role for Type 5 external LSAs candidate Router translates NSSA LSAs to Type 5 external LSAs if elected never Router never translates NSSA LSAs to Type 5 external LSAs always R...

Page 1055: ...yword External routes advertised into an NSSA can include network destinations outside the AS learned via OSPF the default route static routes routes imported from other routing protocols such as RIP...

Page 1056: ...able space is saved in a stub by blocking Type 4 AS summary LSAs and Type 5 external LSAs The default setting for this command completely isolates the stub by blocking Type 3 summary LSAs that adverti...

Page 1057: ...or as a four octet unsigned integer ranging from 0 4294967295 router id Router ID of the virtual link neighbor This specifies the Area Border Router ABR at the other end of the virtual link To create...

Page 1058: ...Specifies message digest MD5 authentication null Indicates that no authentication is used authentication key key Sets a plain text password up to 8 characters that is used by neighboring routers on a...

Page 1059: ...ple creates a virtual link using the defaults for all optional parameters Console config router network 10 4 0 0 0 255 255 0 0 area 10 4 0 0 Console config router area 10 4 0 0 virtual link 10 4 3 254...

Page 1060: ...as been specified EXAMPLE This example creates the backbone 0 0 0 0 covering class B addresses 10 1 x x and a normal transit area 10 2 9 0 covering the class C addresses 10 2 9 x Console config router...

Page 1061: ...arn the authentication key by snooping on routing protocol packets When using Message Digest 5 MD5 authentication the router uses the MD5 algorithm to verify data integrity by creating a 128 bit messa...

Page 1062: ...No password COMMAND USAGE Before specifying plain text password authentication for an interface with the ip ospf authentication command configure a password with this command This command creates a pa...

Page 1063: ...etric for this interface Use higher values to indicate slower ports Range 1 65535 COMMAND MODE Interface Configuration VLAN DEFAULT SETTING 1 COMMAND USAGE The interface cost indicates the overhead re...

Page 1064: ...ed to the current interface seconds The maximum time that neighbor routers can wait for a hello packet before declaring the transmitting router down This interval must be set to the same value for all...

Page 1065: ...hat the sending router is still active Setting the hello interval to a smaller value can reduce the delay in detecting topological changes but will increase routing traffic EXAMPLE Console config inte...

Page 1066: ...administrator time to update all the routers on the network without affecting the network connectivity Once all the network routers have been updated with the new key the old key should be removed for...

Page 1067: ...segment when this interface comes up the new router will accept the current DR regardless of its own priority The DR will not change until the next time the election process is initiated Configure rou...

Page 1068: ...SYNTAX ip ospf ip address transmit delay seconds no ip ospf ip address transmit delay ip address This parameter can be used to indicate a specific IP address connected to the current interface If not...

Page 1069: ...NG None COMMAND USAGE You can configure an OSPF interface as passive to prevent OSPF routing traffic from exiting or entering that interface No OSPF adjacency can be formed if one of the interfaces in...

Page 1070: ...OSPF process ID and router ID The router ID uniquely identifies the router in the autonomous system By convention this is normally set to one of the router s IP interface addresses Process uptime The...

Page 1071: ...mber of new link state advertisements that have been originated Number of LSA received The number of link state advertisements that have been received Number of areas attached to this router The numbe...

Page 1072: ...ation about all advertising routers is displayed ip address IP address of the specified router If no address is entered information about the local router is displayed link state id The network portio...

Page 1073: ...d Console show ip os database asbr summary OSPF Router with ID 0 0 0 0 Process ID 1 ASBR Summary Link States Area 0 0 0 1 LS age 0 Options 0x2 E LS Type ASBR summary LSA Table 144 show ip ospf databas...

Page 1074: ...ask 24 Metric Type 2 Larger than any link state path TOS 0 Metric 20 Forward Address 10 10 11 50 External Route Tag 0 Table 145 show ip ospf database summary display description Field Description OSPF...

Page 1075: ...d with the LSA LS Type AS External Links LSA describes routes to destinations outside the AS including default external routes for the AS Link State ID IP network number External Network Number Advert...

Page 1076: ...rocess ID 1 Router Link States Area 0 0 0 0 LS age 0 Options 0x2 E Flags 0x2 ASBR LS Type router LSA Table 147 show ip ospf database network display description Field Description OSPF Router ID Router...

Page 1077: ...associated with the LSA Flags Indicate if this router is a virtual link endpoint an ASBR or an ABR LS Type Router Link LSA describes the router s interfaces Link State ID Router ID of the router that...

Page 1078: ...ddress 192 168 0 2 Backup Designated Router ID 192 168 0 3 Interface Address 192 168 0 3 Timer intervals configured Hello 10 Dead 40 Wait 40 Retransmit 5 Hello due in 00 00 10 Neighbor Count is 1 Adja...

Page 1079: ...his interface but interface is down Loopback This is a loopback interface Waiting Router is trying to find the DR and BDR DR Designated Router BDR Backup Designated Router DRother Interface is on a mu...

Page 1080: ...iption Neighbor ID Neighbor s router ID Pri Neighbor s router priority State OSPF state and identification flag States include Down Connection down Attempt Connection down but attempting contact for n...

Page 1081: ...10 11 0 24 10 is directly connected fe1 2 Area 0 0 0 0 O 10 10 11 100 32 10 is directly connected lo Area 0 0 0 0 E2 10 15 0 0 24 10 50 via 10 10 0 1 vlan1 IA 172 16 10 0 24 30 via 10 10 11 50 vlan2...

Page 1082: ...virtual link crosses to reach the target router Local address The IP address of ABR that serves as an endpoint connecting the isolated area to the common transit area Remote address The IP address thi...

Page 1083: ...ting for Summary Address Shows the networks for which route summarization is in effect Distance The administrative distance used for external routes learned by OSPF see the ip route command Table 153...

Page 1084: ...CHAPTER 45 IP Routing Commands Open Shortest Path First OSPFv2 1084...

Page 1085: ...ing DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE This command is used to enable IP multicast routing globally for the router A specific multicast routing protocol also need...

Page 1086: ...known multicast source summary Displays summary information for each entry in the IP multicast routing table COMMAND MODE Privileged Exec COMMAND USAGE This command displays information for multicast...

Page 1087: ...the SPT flag is set for S G the router immediately joins the shortest path tree Interface state The multicast state for the displayed interface group address IP multicast group address for a requested...

Page 1088: ...st routes on the switch ip igmp snooping vlan mrouter This command statically configures a multicast router port Use the no form to remove the configuration SYNTAX ip igmp snooping vlan vlan id mroute...

Page 1089: ...hin VLAN 1 Console config ip igmp snooping vlan 1 mrouter ethernet 1 11 Console config show ip igmp snooping mrouter This command displays information on statically configured and dynamically learned...

Page 1090: ...pagation delay required for a LAN prune delay message to reach downstream routers IC ip pim trigger hello delay Configures the trigger hello delay IC show ip pim interface Displays information about i...

Page 1091: ...ig router pim Console config exit Console show ip pim interface PIM is enabled Vlan 1 is up PIM Mode Dense Mode IP Address 192 168 0 2 Hello Interval 30 sec Hello HoldTime 105 sec Triggered Hello Dela...

Page 1092: ...eived from directly connected LAN interfaces Dense mode interfaces are always added to the multicast routing table Sparse mode interfaces are added only when periodic join messages are received from d...

Page 1093: ...n Delay 500 ms Override Interval 2500 ms Graft Retry Interval 3 sec Max Graft Retries 3 State Refresh Ori Int 60 sec Console ip pim hello holdtime This command configures the interval to wait for hell...

Page 1094: ...mbers of the multicast tree EXAMPLE Console config if ip pim hello interval 60 Console config if ip pim join prune holdtime This command configures the hold time for the prune state Use the no form to...

Page 1095: ...st they must send a Join to override the prune before the prune delay expires if they want to continue receiving the flow The message generated by this command effectively prompts any downstream neigh...

Page 1096: ...ation delay command are used to calculate the LAN prune delay If a downstream router has group members which want to continue receiving the flow referenced in a LAN prune delay message then the overri...

Page 1097: ...onfig if ip pim propagation delay 600 Console config if RELATED COMMANDS ip pim override interval 1096 ip pim lan prune delay 1095 ip pim trigger hello delay This command configures the maximum time b...

Page 1098: ...command displays the PIM settings for the specified interface as described in the preceding pages It also shows the address of the designated PIM router and the number of neighboring PIM routers EXAM...

Page 1099: ...l seconds The time before resending a Graft Range 1 10 seconds DEFAULT SETTING 3 seconds COMMAND MODE Interface Configuration VLAN COMMAND USAGE A graft message is sent by a router to cancel a prune s...

Page 1100: ...AN EXAMPLE Console config if ip pim max graft retries 5 Console config if ip pim state refresh origination interval This command sets the interval between sending PIM DM state refresh control messages...

Page 1101: ...k length Hash mask length in bits used for RP selection see ip pim rp candidate and ip pim rp address The portion of the hash specified by the mask length is ANDed with the group address Therefore whe...

Page 1102: ...ferable to set up one of these routers as both the primary BSR and RP EXAMPLE The following example configures the router to start sending bootstrap messages out of the interface for VLAN 1 to all of...

Page 1103: ...rendezvous point RP Use the no form to restore the default setting SYNTAX ip pim register source interface vlan vlan id no ip pim register source vlan id VLAN ID Range 1 4094 DEFAULT SETTING The IP a...

Page 1104: ...IP address is specified that was previously used for an RP then the older entry is replaced Multiple RPs can be defined for different groups or group ranges If a group is matched by more than one entr...

Page 1105: ...mmand configures the router to advertise itself as a Rendezvous Point RP candidate to the bootstrap router BSR Use the no form to remove this router as an RP candidate SYNTAX ip pim rp candidate inter...

Page 1106: ...d on the group address RP address priority and hash mask included in the bootstrap messages If there is a tie use the candidate RP with the highest IP address This distributed election process provide...

Page 1107: ...ce to a receiver is through the RP However the path through the RP is not always the shortest path Therefore the router uses the RP to forward only the first packet from a new multicast group to its r...

Page 1108: ...le election process The router with the highest priority configured on an interface is elected as the DR If more than one router attached to this interface uses the same priority then the router with...

Page 1109: ...ce will be adversely affected The multicast interface that first receives a multicast stream from a particular source forwards this traffic only to those interfaces on the router that have requested t...

Page 1110: ...on changes to the RP Use the show ip pim rp mapping command to display active RPs that are cached with associated multicast groups EXAMPLE This example clears the RP map Console clear ip pim bsr rp se...

Page 1111: ...umber of significant bits used in the multicast group comparison mask This mask determines the multicast group for which this router can be a BSR Expire The time before this entry will be removed Role...

Page 1112: ...ia null Console Table 161 show ip pim rp mapping display description Field Description Groups The multicast group address mask length managed by the RP RP address IP address of the RP used for the lis...

Page 1113: ...1113 SECTION IV APPENDICES This section provides additional information and includes these items Software Specifications on page 1115 Troubleshooting on page 1121 License Information on page 1123...

Page 1114: ...SECTION IV Appendices 1114...

Page 1115: ...duplex 1000BASE SX LX LH LHX ZX 1000 Mbps at full duplex SFP FLOW CONTROL Full Duplex IEEE 802 3 2005 Half Duplex Back pressure STORM CONTROL Broadcast traffic throttled above a critical threshold POR...

Page 1116: ...nd service policies MULTICAST FILTERING IGMP Snooping Layer 2 IGMP Layer 3 IGMP Proxy Multicast VLAN Registration IP ROUTING ARP Proxy ARP Static routes CIDR Classless Inter Domain Routing RIP RIPv2 O...

Page 1117: ...er Discovery Protocol IEEE 802 1D 2004 Spanning Tree Algorithm and traffic priorities Spanning Tree Protocol Rapid Spanning Tree Protocol Multiple Spanning Tree Protocol IEEE 802 1p Priority tags IEEE...

Page 1118: ...6 TFTP RFC 1350 VRRP RFC 3768 MANAGEMENT INFORMATION BASES Bridge MIB RFC 1493 Differentiated Services MIB RFC 3289 DNS Resolver MIB RFC 1612 Entity MIB RFC 2737 Ether like MIB RFC 2665 Extended Bridg...

Page 1119: ...n Client MIB RFC 2619 RIP1 MIB RFC 1058 RIP2 MIB RFC 2453 RIP2 Extension RFC1724 RMON MIB RFC 2819 RMON II Probe Configuration Group RFC 2021 partial implementation SNMP Community MIB RFC 3584 SNMP Fr...

Page 1120: ...APPENDIX A Software Specifications Management Information Bases 1120...

Page 1121: ...t Telnet SSH sessions permitted Try connecting again at a later time Cannot connect using Secure Shell If you cannot connect using SSH you may have exceeded the maximum number of concurrent Telnet SSH...

Page 1122: ...ssages reported to include all categories 3 Enable SNMP 4 Enable SNMP traps 5 Designate the SNMP host that is to receive the error messages 6 Repeat the sequence of commands or other actions that lead...

Page 1123: ...of free software and charge for this service if you wish that you receive source code or can get it if you want it that you can change the software or use pieces of it in new free programs and that yo...

Page 1124: ...notices stating that you changed the files and the date of any change b You must cause any work that you distribute or publish that in whole or in part contains or is derived from the Program or any...

Page 1125: ...ired to accept this License since you have not signed it However nothing else grants you permission to modify or distribute the Program or its derivative works These actions are prohibited by law if y...

Page 1126: ...ibution conditions are different write to the author to ask for permission For software which is copyrighted by the Free Software Foundation write to the Free Software Foundation we sometimes make exc...

Page 1127: ...TFTP server that contains the devices system files and the name of the boot file COS Class of Service is supported by prioritizing packets based on the required level of service and then placing them...

Page 1128: ...of forwarding The DSCP bits are mapped to the Class of Service categories and then into the output queues EAPOL Extensible Authentication Protocol over LAN EAPOL is a client authentication protocol u...

Page 1129: ...thod for the operation of MAC bridges including the Spanning Tree Protocol IEEE 802 1Q VLAN Tagging Defines Ethernet frame tags which carry VLAN information It allows switches to assign endstations to...

Page 1130: ...oup membership information onto the upstream interface based on IGMP messages monitored on downstream interfaces and forwards multicast traffic based on that information There is no need for multicast...

Page 1131: ...tion meaning that it takes a message and converts it into a fixed string of digits also called a message digest MIB Management Information Base An acronym for Management Information Base It is a set o...

Page 1132: ...ls such as RIP It includes features such as unlimited hop count authentication of routing updates and Variable Length Subnet Masks VLSM OUT OF BAND MANAGEMENT Management of the network from a station...

Page 1133: ...et alarms on a variety of traffic conditions including specific error types RSTP Rapid Spanning Tree Protocol RSTP reduces the convergence time for network topology changes to about 10 of that require...

Page 1134: ...hen TCP would be too complex too slow or just unnecessary UTC Universal Time Coordinate UTC is a time scale that couples Greenwich Mean Time based solely on the Earth s rotation rate with highly accur...

Page 1135: ...r ip igmp group 943 clear ip ospf process 1048 clear ip pim bsr rp set 1110 clear ip rip route 1039 clear log 613 clear mac address table dynamic 805 clear vrrp interface counters 1000 clear vrrp rout...

Page 1136: ...gmp max groups 927 ip igmp max groups action 928 ip igmp max resp interval 939 ip igmp profile 925 ip igmp proxy 947 ip igmp proxy unsolicited report interval 948 ip igmp query interval 940 ip igmp ro...

Page 1137: ...access group 759 ipv6 host 974 J interface 770 jumbo frame 592 L lacp 789 lacp admin key Ethernet Interface 790 lacp admin key Port Channel 792 lacp port priority 791 lacp system priority 792 lease 9...

Page 1138: ...password 604 password thresh 605 periodic 626 permit deny 925 permit deny ARP ACL 766 permit deny Extended IPv4 ACL 750 permit deny Extended IPv6 ACL 756 permit deny MAC ACL 761 permit deny Standard...

Page 1139: ...f virtual links 1081 show ip pim bsr router 1110 show ip pim interface 1098 show ip pim neighbor 1098 show ip pim rp mapping 1111 show ip pim rp hash 1112 show ip protocols ospf 1082 show ip protocols...

Page 1140: ...0 spanning tree mode 811 spanning tree mst configuration 813 spanning tree mst cost 824 spanning tree mst port priority 825 spanning tree pathcost method 812 spanning tree port priority 825 spanning t...

Page 1141: ...COMMAND LIST 1141 vrrp authentication 996 vrrp ip 996 vrrp preempt 997 vrrp priority 998 vrrp timers advertise 999 W whichboot 599...

Page 1142: ...COMMAND LIST 1142...

Page 1143: ...v6 Extended 287 293 754 756 IPv6 Standard 287 292 754 755 MAC 287 296 760 time range 284 625 Address Resolution Protocol See ARP address table 187 803 aging time 190 803 aging time displaying 190 806...

Page 1144: ...on rate 231 232 233 891 893 895 configuring 223 885 conforming traffic configuring response 231 891 893 895 description 887 excess burst size 232 893 metering configuring 227 228 229 891 peak burst si...

Page 1145: ...ast member query interval 415 938 Layer 2 389 904 Layer 3 410 937 maximum response time 415 939 multicast groups displaying 418 944 proxy 411 947 proxy routing 410 947 proxy routing configuring 411 94...

Page 1146: ...splay device information 345 347 965 displaying remote information 347 965 interface attributes configuring 342 955 962 local device information displaying 345 964 message attributes 342 951 message s...

Page 1147: ...eave 426 932 N network access authentication 262 711 dynamic QoS assignment 267 714 dynamic VLAN assignment 267 715 guest VLAN 266 715 port configuration 266 719 reauthentication 265 713 secure MAC in...

Page 1148: ...iguring 311 708 ports autonegotiation 126 774 broadcast storm threshold 221 777 capabilities 126 771 configuring 125 769 duplex mode 127 776 flow control 127 773 forced selection on combo ports 126 77...

Page 1149: ...arm setting 380 651 statistics history collection 382 652 statistics history displaying 383 654 statistics collection 384 653 statistics displaying 385 655 root guard 207 826 router redundancy protoco...

Page 1150: ...accounting 254 677 switch settings restoring 108 593 saving 108 593 system clock setting 111 620 setting manually 111 624 setting the time zone 114 623 setting with SNTP 112 620 622 system logs 335 61...

Page 1151: ...protocol interface configuration 180 858 PVID 159 843 tunneling unknown groups 151 843 voice 239 864 voice VLANs 239 864 detecting VoIP devices 240 865 enabling for ports 242 867 869 identifying clie...

Page 1152: ...INDEX 1152...

Page 1153: ......

Page 1154: ...ECS4610 24F E052010 ST R01 149100000092A...

Search results

Summary of Contents for ECS4610-24F

Reviews:

Related manuals for ECS4610-24F

Brands by name

Popular brands

Edge-Core ECS4610-24F, Management Manual

Search results

Summary of Contents for ECS4610-24F

Reviews:

Related manuals for ECS4610-24F

Brands by name

Popular brands