Edge-Core ES3510MA-DC Management Manual Download Page 338

Page: 338 / 1098

HAPTER

| Security Measures

Configuring 802.1X Port Authentication

– 338 –

Figure 190: Configuring Port Security

ONFIGURING

802.1X P

ORT

UTHENTICATION

Network switches can provide open and easy access to network resources

by simply attaching a client PC. Although this automatic configuration and

access is a desirable feature, it also allows unauthorized personnel to easily

intrude and possibly gain access to sensitive network data.

The IEEE 802.1X (dot1X) standard defines a port-based access control

procedure that prevents unauthorized access to a network by requiring

users to first submit credentials for authentication. Access to all switch
ports in a network can be centrally controlled from a server, which means

that authorized users can use the same credentials for authentication from

any point within the network.

This switch uses the Extensible Authentication Protocol over LANs (EAPOL)

to exchange authentication protocol messages with the client, and a

remote RADIUS authentication server to verify user identity and access

rights. When a client (i.e., Supplicant) connects to a switch port, the switch

(i.e., Authenticator) responds with an EAPOL identity request. The client

provides its identity (such as a user name) in an EAPOL response to the

switch, which it forwards to the RADIUS server. The RADIUS server verifies

the client identity and sends an access challenge back to the client. The

EAP packet from the RADIUS server contains not only the challenge, but

the authentication method to be used. The client can reject the

authentication method and request another, depending on the

configuration of the client software and the RADIUS server. The encryption

method used to pass authentication messages can be MD5 (Message-

Digest 5), TLS (Transport Layer Security), PEAP (Protected Extensible

Authentication Protocol), or TTLS (Tunneled Transport Layer Security). The

client responds to the appropriate method with its credentials, such as a

password or certificate. The RADIUS server verifies the client credentials

and responds with an accept or reject packet. If authentication is

successful, the switch allows the client to access the network. Otherwise,

non-EAP traffic on the port is blocked or assigned to a guest VLAN based on

the “intrusion-action” setting. In “multi-host” mode, only one host

connected to a port needs to pass authentication for all other hosts to be

granted network access. Similarly, a port can become unauthorized for all

Summary of Contents for ES3510MA-DC

Page 1: ...Management Guide www edge core com 8 Port Layer 2 Fast Ethernet Switch...

Page 2: ......

Page 3: ...MANAGEMENT GUIDE ES3510MA DC FAST ETHERNET SWITCH Layer 2 Switch with 8 10 100BASE TX RJ 45 Ports and 2 Gigabit Combination Ports RJ 45 SFP ES3510MA DC E122010 ST R01 150200000251A...

Page 4: ......

Page 5: ...r attention to related features or instructions CAUTION Alerts you to a potential hazard that could cause loss of data or damage the system or equipment WARNING Alerts you to a potential hazard that c...

Page 6: ...ABOUT THIS GUIDE 6...

Page 7: ...itch 63 Configuration Options 63 Required Connections 64 Remote Connections 65 Basic Configuration 66 Console Connection 66 Setting Passwords 66 Setting an IP Address 67 Downloading a Configuration Fi...

Page 8: ...107 Showing System Files 108 Automatic Operation Code Upgrade 109 Setting the System Clock 113 Setting the Time Manually 113 Setting the SNTP Polling Interval 114 Specifying SNTP Time Servers 115 Sett...

Page 9: ...iguring Dynamic VLAN Registration 175 IEEE 802 1Q Tunneling 178 Enabling QinQ Tunneling on the Switch 182 Adding an Interface to a QinQ Tunnel 183 Protocol VLANs 184 Configuring Protocol VLAN Groups 1...

Page 10: ...DSCP Values 239 Mapping CoS Priorities to Internal DSCP Values 242 12 QUALITY OF SERVICE 245 Overview 245 Configuring a Class Map 246 Creating QoS Policies 249 Attaching a Policy Map to a Port 259 13...

Page 11: ...ing the ACL Name and Type 312 Configuring a Standard IPv4 ACL 314 Configuring an Extended IPv4 ACL 315 Configuring a Standard IPv6 ACL 318 Configuring an Extended IPv6 ACL 319 Configuring a MAC ACL 32...

Page 12: ...fer Protocol Alerts 367 Link Layer Discovery Protocol 368 Setting LLDP Timing Attributes 369 Configuring LLDP Interface Attributes 370 Displaying LLDP Local Device Information 373 Displaying LLDP Remo...

Page 13: ...ng IPv6 Addresses 436 Showing the IPv6 Neighbor Cache 437 Showing IPv6 Statistics 439 Showing the MTU for Responding Destinations 444 17 IP SERVICES 445 Configuring General DNS Service Parameters 445...

Page 14: ...19 USING THE COMMAND LINE INTERFACE 487 Accessing the CLI 487 Console Connection 487 Telnet Connection 488 Entering Commands 489 Keywords and Arguments 489 Minimum Abbreviation 489 Command Completion...

Page 15: ...info 512 banner configure equipment location 513 banner configure ip lan 513 banner configure lp number 514 banner configure manager info 515 banner configure mux 515 banner configure note 516 show b...

Page 16: ...timeout login response 542 disconnect 543 show line 544 Event Logging 544 logging facility 545 logging history 546 logging host 547 logging on 547 logging trap 548 clear log 548 show log 549 show log...

Page 17: ...l 565 cluster member 566 rcommand 566 show cluster 567 show cluster members 567 show cluster candidates 568 22 SNMP COMMANDS 569 snmp server 570 snmp server community 571 snmp server contact 571 snmp...

Page 18: ...TICATION COMMANDS 597 User Accounts 597 enable password 598 username 599 Authentication Sequence 600 authentication enable 600 authentication login 601 RADIUS Client 602 radius server acct port 602 ra...

Page 19: ...net Server 621 ip telnet max sessions 621 ip telnet port 622 ip telnet server 622 show ip telnet 623 Secure Shell 623 ip ssh authentication retries 626 ip ssh server 626 ip ssh server key size 627 ip...

Page 20: ...nagement IP Filter 647 management 647 show management 648 25 GENERAL SECURITY MEASURES 651 Port Security 652 port security 652 Network Access MAC Address Authentication 654 network access aging 655 ne...

Page 21: ...P 671 show web auth 672 show web auth interface 672 show web auth summary 673 DHCP Snooping 673 ip dhcp snooping 674 ip dhcp snooping database flash 676 ip dhcp snooping information option 676 ip dhcp...

Page 22: ...ESS CONTROL LISTS 697 IPv4 ACLs 697 access list ip 698 permit deny Standard IP ACL 699 permit deny Extended IPv4 ACL 700 ip access group 702 show ip access group 703 show ip access list 703 IPv6 ACLs...

Page 23: ...ow interfaces counters 729 show interfaces status 731 show interfaces switchport 732 show interfaces transceiver 733 test cable diagnostics 734 show cable diagnostics 735 power save 736 show power sav...

Page 24: ...able port traps atc broadcast alarm clear 772 snmp server enable port traps atc broadcast alarm fire 772 snmp server enable port traps atc broadcast control apply 773 snmp server enable port traps atc...

Page 25: ...794 revision 794 spanning tree bpdu filter 795 spanning tree bpdu guard 796 spanning tree cost 797 spanning tree edge port 798 spanning tree link type 799 spanning tree loopback detection 799 spanning...

Page 26: ...GVRP and Bridge Extension Commands 826 bridge ext gvrp 826 garp timer 827 switchport forbidden vlan 828 switchport gvrp 828 show bridge ext 829 show garp timer 829 show gvrp configuration 830 Editing...

Page 27: ...Groups 849 protocol vlan protocol group Configuring Interfaces 849 show protocol vlan protocol group 850 show interfaces protocol vlan protocol group 851 Configuring IP Subnet VLANs 852 subnet vlan 85...

Page 28: ...class map 878 description 879 match 880 rename 881 policy map 881 class 882 police flow 883 police srtcm color 885 police trtcm color 887 set cos 889 set ip dscp 890 set phb 891 service policy 892 sho...

Page 29: ...ddress 909 ip igmp snooping vlan proxy query interval 910 ip igmp snooping vlan proxy query resp intvl 911 ip igmp snooping vlan static 911 show ip igmp snooping 912 show ip igmp snooping group 913 St...

Page 30: ...0 lldp basic tlv system capabilities 941 lldp basic tlv system description 941 lldp basic tlv system name 942 lldp dot1 tlv proto ident 942 lldp dot1 tlv proto vid 943 lldp dot1 tlv pvid 943 lldp dot1...

Page 31: ...ce points local detail mep 977 show ethernet cfm maintenance points remote detail 978 ethernet cfm cc ma interval 980 ethernet cfm cc enable 981 snmp server enable traps ethernet cfm cc 982 mep archiv...

Page 32: ...eshold 1003 efm oam link monitor frame window 1004 efm oam mode 1005 clear efm oam counters 1005 efm oam remote loopback 1006 efm oam remote loopback test 1007 show efm oam counters interface 1008 sho...

Page 33: ...how ip default gateway 1030 show ip interface 1030 traceroute 1031 ping 1032 ARP Configuration 1033 arp timeout 1033 clear arp cache 1034 show arp 1034 IPv6 Interface 1035 ipv6 default gateway 1036 ip...

Page 34: ...TWARE SPECIFICATIONS 1061 Software Features 1061 Management Features 1062 Standards 1063 Management Information Bases 1064 B TROUBLESHOOTING 1067 Problems Accessing the Management Interface 1067 Using...

Page 35: ...ervers 115 Figure 15 Setting the Time Zone 116 Figure 16 Console Port Settings 118 Figure 17 Telnet Connection Settings 120 Figure 18 Displaying CPU Utilization 121 Figure 19 Displaying Memory Utiliza...

Page 36: ...c Trunks 152 Figure 48 Displaying Connection Parameters for Dynamic Trunks 152 Figure 49 Displaying LACP Port Counters 153 Figure 50 Displaying LACP Port Internal Information 155 Figure 51 Displaying...

Page 37: ...ddress Aging Time 198 Figure 86 Displaying the Dynamic MAC Address Table 199 Figure 87 Clearing Entries in the Dynamic MAC Address Table 200 Figure 88 Mirroring Packets Based on the Source MAC Address...

Page 38: ...P Internal Mapping 241 Figure 120 Configuring CoS to DSCP Internal Mapping 243 Figure 121 Showing CoS to DSCP Internal Mapping 244 Figure 122 Configuring a Class Map 247 Figure 123 Showing Class Maps...

Page 39: ...nfiguring Interface Settings for Web Authentication 287 Figure 156 Configuring Global Settings for Network Access 290 Figure 157 Configuring Interface Settings for Network Access 292 Figure 158 Config...

Page 40: ...ce Settings for 802 1X Port Authenticator 345 Figure 194 Configuring Interface Settings for 802 1X Port Supplicant 347 Figure 195 Showing Statistics for 802 1X Port Authenticator 349 Figure 196 Showin...

Page 41: ...igure 227 Setting Community Access Strings 395 Figure 228 Showing Community Access Strings 396 Figure 229 Configuring Local SNMPv3 Users 397 Figure 230 Showing Local SNMPv3 Users 398 Figure 231 Config...

Page 42: ...3 Figure 266 Showing IPv6 Statistics UDP 444 Figure 267 Showing Reported MTU Values 444 Figure 268 Configuring General Settings for DNS 446 Figure 269 Configuring a List of Domain Names for DNS 447 Fi...

Page 43: ...ltering and Throttling Interface Settings 475 Figure 293 MVR Concept 476 Figure 294 Configuring Global Settings for MVR 478 Figure 295 Configuring an MVR Group Address Range 479 Figure 296 Displaying...

Page 44: ...FIGURES 44...

Page 45: ...ty Mapping 235 Table 15 CoS Priority Levels 235 Table 16 Mapping Internal Per hop Behavior to Hardware Queues 236 Table 17 Default Mapping of DSCP Values to Internal PHB Drop Values 240 Table 18 Defau...

Page 46: ...Commands 535 Table 48 Event Logging Commands 544 Table 49 Logging Levels 546 Table 50 show logging flash ram display description 550 Table 51 show logging trap display description 551 Table 52 Event...

Page 47: ...on Commands 687 Table 84 Access Control List Commands 697 Table 85 IPv4 ACL Commands 697 Table 86 IPv4 ACL Commands 704 Table 87 MAC ACL Commands 710 Table 88 ARP ACL Commands 715 Table 89 ACL Informa...

Page 48: ...21 Priority Commands Layer 2 863 Table 122 Priority Commands Layer 3 and 4 868 Table 123 Default Mapping of CoS CFI to Internal PHB Drop Precedence 869 Table 124 Default Mapping of DSCP Values to Inte...

Page 49: ...148 show dns cache display description 1018 Table 149 show hosts display description 1019 Table 150 DHCP Commands 1021 Table 151 DHCP Client Commands 1021 Table 152 IP Interface Commands 1027 Table 1...

Page 50: ...TABLES 50...

Page 51: ...view of the switch and introduces some basic concepts about network switches It also describes the basic settings required to access the management interface This section includes these chapters Intro...

Page 52: ...SECTION I Getting Started 52...

Page 53: ...assword Telnet SSH Web HTTPS General Security Measures AAA ARP Inspection DHCP Snooping with Option 82 relay information IP Source Guard Port Authentication IEEE 802 1X Port Security MAC address filte...

Page 54: ...er names and passwords can be configured locally or can be verified via a remote authentication server i e RADIUS or TACACS Port based authentication is also supported via the IEEE Store and Forward S...

Page 55: ...uplex mode and flow control used on specific ports or use auto negotiation to detect the connection settings used by the attached device Use the full duplex mode on ports whenever possible to double t...

Page 56: ...IEEE 802 1D transparent bridging The address table facilitates data switching by learning addresses and then filtering or forwarding traffic based on this information The address table supports up to...

Page 57: ...k The switch supports tagged VLANs based on the IEEE 802 1Q standard Members of VLAN groups can be dynamically learned via GVRP or ports can be manually assigned to a specific set of VLANs This allows...

Page 58: ...t traffic based on Layer 2 Layer 3 or Layer 4 information contained in each packet Based on network policies different kinds of traffic can be marked for different kinds of forwarding MULTICAST FILTER...

Page 59: ...h s system defaults are provided in the configuration file Factory_Default_Config cfg To reset the switch defaults this file should be set as the startup configuration file The following table lists s...

Page 60: ...isabled Port Trunking Static Trunks None LACP all ports Disabled Congestion Control Rate Limiting Disabled Storm Control Broadcast Enabled 64 kbits sec Multicast Disabled Unknown Unicast Disabled OAM...

Page 61: ...way 0 0 0 0 DHCP Client Enabled DNS Proxy service Disabled BOOTP Disabled Multicast Filtering IGMP Snooping Layer 2 Snooping Enabled Querier Disabled Multicast VLAN Registration Disabled IGMP Proxy Re...

Page 62: ...CHAPTER 1 Introduction System Defaults 62...

Page 63: ...rd web browser such as Internet Explorer 5 x or above Netscape 6 2 or above and Mozilla Firefox 2 0 0 0 or above The switch s web management interface can be accessed from any computer attached to the...

Page 64: ...h provides an RS 232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch A null modem console cable is provided with the switch Attach a VT100 compatibl...

Page 65: ...rotocol An IPv4 address for this switch is obtained via DHCP by default To manually configure this address or enable dynamic address assignment via DHCP see Setting an IP Address on page 67 NOTE This...

Page 66: ...nter admin 3 At the Password prompt also enter admin The password characters are not displayed on the console screen 4 The session is opened and the CLI displays the Console prompt indicating you have...

Page 67: ...d in Obtaining an IPv6 Address on page 71 The current software does not support DHCP for IPv6 so an IPv6 global unicast address for use in a network containing more than one subnet can only be manuall...

Page 68: ...o indicate the appropriate number of zeros required to fill the undefined fields For detailed information on the other ways to assign IPv6 addresses see Setting the Switch s IP Address IP Version 6 on...

Page 69: ...twork is the number of bits from the left of the prefix that form the network address and is expressed as a decimal number For example all IPv6 addresses that start with the first byte of 73 hexadecim...

Page 70: ...y few minutes using exponential backoff until IP configuration information is obtained from a BOOTP or DHCP server BOOTP and DHCP values can include the IP address subnet mask and default gateway If t...

Page 71: ...k Up Address is 00 12 CF DA FC E8 Index 1001 MTU 1500 Address Mode is DHCP IP Address 192 168 0 2 Mask 255 255 255 0 Console copy running config startup config Startup configuration file name startup...

Page 72: ...ddress for the switch complete the following steps 1 From the Global Configuration mode prompt type interface vlan 1 to access the interface configuration mode Press Enter 2 From the interface prompt...

Page 73: ...ration file based on information passed by the DHCP server it will not send any further DHCP client requests If the switch does not receive a DHCP response prior to completing the bootup process it wi...

Page 74: ...rovision tftp server name code 66 text option dynamicProvision bootfile name code 67 text subnet 192 168 255 0 netmask 255 255 255 0 range 192 168 255 160 192 168 255 200 option routers 192 168 255 10...

Page 75: ...he entire MIB tree and a default view for the private community string that provides read write access to the entire MIB tree However you may assign new views to version 1 or 2c community strings that...

Page 76: ...or is the user name of a version 3 host version indicates the SNMP client version and auth noauth priv means that authentication no authentication or authentication and privacy is used for v3 clients...

Page 77: ...ration files can be selected as a system start up file or can be uploaded via FTP TFTP to a server for backup The file named Factory_Default_Config cfg contains all the system default settings and can...

Page 78: ...e from 1 to 31 characters must not contain slashes or and the leading letter of the file name must not be a period Valid characters A Z a z 0 9 _ There can be more than one user defined configuration...

Page 79: ...ame of the startup file stored on the server Press Enter 4 Enter the name for the startup file on the switch Press Enter Console copy file startup config Console copy tftp startup config TFTP server I...

Page 80: ...CHAPTER 2 Initial Switch Configuration Managing System Files 80...

Page 81: ...Interface Configuration on page 127 VLAN Configuration on page 165 Address Table Settings on page 195 Spanning Tree Algorithm on page 203 Rate Limit Configuration on page 227 Storm Control Configurat...

Page 82: ...SECTION II Web Configuration 82...

Page 83: ...ateway using an out of band serial connection BOOTP or DHCP protocol See Setting an IP Address on page 67 2 Set user names and passwords using an out of band serial connection Access to the web agent...

Page 84: ...nistrator has Read Write access to all configuration parameters and statistics The default user name and password for the administrator is admin HOME PAGE When your web browser connects with the switc...

Page 85: ...or item Check for newer versions of stored pages should be Every visit to the page PANEL DISPLAY The web agent displays an image of the switch s ports The Mode can be set to display different informat...

Page 86: ...umbo frames shows the bridge extension parameters 102 103 File 104 Copy Allows the transfer and copying files 104 Set Startup Sets the startup file 107 Show Shows the files stored in flash memory allo...

Page 87: ...ion settings 145 Dynamic 147 Configure Aggregator Configures administration key for specific LACP groups 147 Configure Aggregation Port 145 Configure 145 General Allows ports to dynamically join trunk...

Page 88: ...VLAN attributes per interface 170 Edit Member by Interface Range Specifies VLAN attributes per interface range 170 Dynamic Configure General Enables GVRP VLAN registration protocol globally 175 Confi...

Page 89: ...h to a target port 200 Spanning Tree 203 Loopback Detection Configures Loopback Detection parameters 206 STA Spanning Tree Algorithm Configure Global Configure Configures global bridge settings for ST...

Page 90: ...35 Add Maps internal per hop behavior values to hardware queues 235 Show Shows the PHB to Queue mapping list 235 DiffServ 245 Configure Class 246 Add Creates a class map for a type of traffic 246 Show...

Page 91: ...at which the local accounting service updates information to the accounting server 275 Configure Method 275 Add Configures accounting for various service types 275 Show Shows the accounting settings u...

Page 92: ...addresses exempt from authentication 293 Show Shows the list of exempt MAC addresses 293 Show Information Shows the authenticated MAC address list 295 HTTPS Secure HTTP 297 Configure Global Enables H...

Page 93: ...owed management access 334 Port Security Configures per port security including status response for security breach and maximum allowed MAC addresses 336 Port Authentication IEEE 802 1X 338 Configure...

Page 94: ...85 Configure Engine 386 Set Engine ID Sets the SNMP v3 engine ID on this switch 386 Add Remote Engine Sets the SNMP v3 engine ID for a remote device 387 Show Remote Engine Shows configured engine ID f...

Page 95: ...ory Shows sampled data for each entry in the history group 411 Statistics Shows sampled data for each entry in the history group 414 Cluster 416 Configure Global Globally enables clustering for the sw...

Page 96: ...ddress mapping 449 Show Shows the list of static mapping entries 449 Modify Modifies the static address mapped to the selected host name 449 Cache Displays cache entries discovered by designated name...

Page 97: ...ulticast Group Range Assigns multicast groups to selected profile 471 Show Multicast Group Range Shows multicast groups assigned to a profile 471 Configure Interface Assigns IGMP filter profiles to po...

Page 98: ...CHAPTER 3 Using the Web Interface Navigating the Web Browser Interface 98...

Page 99: ...tem start up files Setting the System Clock Sets the current time manually or through specified SNTP servers Console Port Settings Sets console port connection parameters Telnet Settings Sets Telnet c...

Page 100: ...ystem Location Specifies the system location System Contact Administrator responsible for the system WEB INTERFACE To configure general system information 1 Click System General 2 Specify the system n...

Page 101: ...s Displays the status of the internal power supply Management Software Information Role Shows that this switch is operating as Master or Slave EPLD Version Version number of EEPROM Programmable Logic...

Page 102: ...m Management Commands on page 507 USAGE GUIDELINES To use jumbo frames both the source and destination end nodes such as a computer or server must support this feature Also when the connection is oper...

Page 103: ...st addresses Refer to Setting Static Addresses on page 195 VLAN Version Number Based on IEEE 802 1Q 1 indicates Bridges that support only single spanning tree SST operation and 2 indicates Bridges tha...

Page 104: ...e System File Copy page to upload download firmware or configuration settings using TFTP or HTTP By backing up a file to a TFTP server or management station that file can later be downloaded to the sw...

Page 105: ...for file names is 31 characters for files on the switch Valid characters A Z a z 0 9 _ NOTE Up to two copies of the system software i e the runtime firmware can be stored in the file directory on the...

Page 106: ...e which can be subsequently set as the startup file CLI REFERENCES copy on page 527 PARAMETERS The following parameters are displayed Copy Type The copy operation includes this option Running Config C...

Page 107: ...y used for startup and want to start using the new file reboot the system via the System Reset menu SETTING THE START UP FILE Use the System File Set Start Up page to specify the firmware or configura...

Page 108: ...System File Show page to show the files in the system directory or to delete a file NOTE Files designated for start up and the Factory_Default_Config cfg file cannot be deleted CLI REFERENCES dir on...

Page 109: ...RL The file name of the code stored on the remote server must be es3510ma bix using upper case and lower case letters exactly as indicated here Enter the file name for other switches described in this...

Page 110: ...e switch will immediately restart after the upgrade file is successfully written to the file system and set as the startup image PARAMETERS The following parameters are displayed Automatic Opcode Upgr...

Page 111: ...t be separated from the host and in nested directory structures from the parent directory with a prepended forward slash The forward slash must be the last character of the URL Examples The following...

Page 112: ...3 Mark the check box to enable Automatic Opcode Upgrade 4 Enter the URL of the FTP or TFTP server and the path and directory containing the operation code 5 Click Apply Figure 11 Configuring Automati...

Page 113: ...tch will attempt to poll each server in the configured sequence SETTING THE TIME MANUALLY Use the System Time Configure General Manual page to set the system time on the switch manually without using...

Page 114: ...Time on page 555 PARAMETERS The following parameters are displayed Current Time Shows the current time set on the switch SNTP Polling Interval Sets the interval between sending requests for a time up...

Page 115: ...RAMETERS The following parameters are displayed SNTP Server IP Address Sets the IPv4 or IPv6 address for up to three time servers The switch attempts to update the time from the first server if this f...

Page 116: ...d time zone definitions or your can manually configure the parameters for your local time zone CLI REFERENCES clock timezone on page 558 PARAMETERS The following parameters are displayed Direction Con...

Page 117: ...600 seconds Password Threshold Sets the password intrusion threshold which limits the number of failed logon attempts When the logon attempt threshold is reached the system interface becomes silent fo...

Page 118: ...he console connection see login on page 537 You can select authentication by a single global password as configured for the password command or by passwords set up for specific user name accounts The...

Page 119: ...t and Secure Shell i e both Telnet and SSH share a maximum number or eight sessions Login Timeout Sets the interval that the system waits for a user to log into the CLI If a login attempt is not detec...

Page 120: ...pecify the connection parameters as required 3 Click Apply Figure 17 Telnet Connection Settings DISPLAYING CPU UTILIZATION Use the System CPU Utilization page to display information on CPU utilization...

Page 121: ...AYING MEMORY UTILIZATION Use the System Memory Status page to display memory utilization parameters CLI REFERENCES show memory on page 518 PARAMETERS The following parameters are displayed Free Size T...

Page 122: ...ion information stored in non volatile memory by the copy running config startup config command See copy on page 527 PARAMETERS The following parameters are displayed System Reload Configuration Reset...

Page 123: ...eload the switch Time HH The hour at which to reload Range 0 23 MM The minute at which to reload Range 0 59 Period Daily Every day Weekly Day of the week at which to reload Range Sunday Saturday Month...

Page 124: ...CHAPTER 4 Basic Management Tasks Resetting the System 124 Figure 20 Restarting the Switch Immediately Figure 21 Restarting the Switch In...

Page 125: ...CHAPTER 4 Basic Management Tasks Resetting the System 125 Figure 22 Restarting the Switch At Figure 23 Restarting the Switch Regularly...

Page 126: ...CHAPTER 4 Basic Management Tasks Resetting the System 126...

Page 127: ...Configures static or dynamic trunks Saving Power Adjusts the power provided to ports based on the length of the cable used to connect to other devices Traffic Segmentation Configures the uplinks and...

Page 128: ...ERS These parameters are displayed Port Port identifier Range 1 10 Type Indicates the port type 100Base TX 1000Base T 100Base SFP 1000Base SFP Name Allows you to label an interface Range 1 64 characte...

Page 129: ...ex operation Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem Otherwise back pressure jamming signals may degrade overall performance for the seg...

Page 130: ...e or manually fix the speed duplex mode and flow control For more information on command usage and a description of the parameters refer to Configuring by Port List on page 127 CLI REFERENCES Interfac...

Page 131: ...tes the port type 100Base TX 1000Base T 100Base SFP or 1000Base SFP Name Interface label Admin Shows if the port is enabled or disabled Oper Status Indicates if the link is Up or Down Media Type Media...

Page 132: ...nation port on the same switch local port mirroring as described in this section or from one or more source ports on remote switches to a destination port on this switch remote port mirroring as descr...

Page 133: ...d Target Port The port that will mirror the traffic on the source port Type Allows you to select which traffic to mirror to the target port Rx receive Tx transmit or Both Default Rx WEB INTERFACE To c...

Page 134: ...it to any RSPAN destination port monitoring the RSPAN VLAN as shown in the figure below Figure 30 Configuring Remote Port Mirroring CLI REFERENCES RSPAN Mirroring Commands on page 754 COMMAND USAGE Tr...

Page 135: ...s switch RSPAN Ports Only ports can be configured as an RSPAN source destination or uplink static and dynamic trunks are not allowed A port can only be configured as one type of RSPAN interface source...

Page 136: ...ceive mirrored traffic for this session Remote VLAN The VLAN to which traffic mirrored from the source port will be flooded The VLAN specified in this field must first be reserved for the RSPAN applic...

Page 137: ...ols to which it has been assigned Tag Specifies whether or not the traffic exiting the destination port to the monitoring device carries the RSPAN VLAN tag WEB INTERFACE To configure a remote mirror s...

Page 138: ...statistics including a total count of different frame types and sizes passing through each port All values displayed have been accumulated since the last system reboot and are shown as counts per seco...

Page 139: ...el protocols requested be transmitted and which were addressed to a broadcast address at this sub layer including those that were discarded or not sent Received Unknown Packets The number of packets r...

Page 140: ...multicast packets Multicast Packets The total number of good packets received that were directed to this multicast address Undersize Packets The total number of packets received that were less than 64...

Page 141: ...rop down list 4 Use the Refresh button at the bottom of the page if you need to update the screen Figure 34 Showing Port Statistics Table To show a chart of port statistics 1 Click Interface Port Char...

Page 142: ...s test CLI REFERENCES Interface Commands on page 719 COMMAND USAGE Cable diagnostics are performed using Digital Signal Processing DSP test methods DSP analyses the cable by sending a pulsed signal in...

Page 143: ...These parameters are displayed Port Switch port identifier Type Displays media type FE Fast Ethernet GE Gigabit Ethernet Link Status Shows if the port link is up or down Test Result The results includ...

Page 144: ...aced in standby mode Should one link in the trunk fail one of the standby ports will automatically be activated to replace it COMMAND USAGE Besides balancing the load across each port in the trunk the...

Page 145: ...this switch are Cisco EtherChannel compatible To avoid creating a loop in the network be sure you add a static trunk via the configuration interface before connecting the ports and also disconnect the...

Page 146: ...t Add Member from the Action list 4 Select a trunk identifier 5 Set the unit and port for an additional trunk member 6 Click Apply Figure 39 Adding Static Trunks Members To configure connection parame...

Page 147: ...NFIGURING A DYNAMIC TRUNK Use the Interface Trunk Dynamic Configure Aggregator page to set the administrative key for an aggregation group enable LACP on a port and configure protocol parameters for l...

Page 148: ...y is not set when a channel group is formed i e it has a null value of 0 the operational value of this key is set to the same value as the port admin key used by the interfaces that joined the group s...

Page 149: ...ing LACP settings for a port only applies to its administrative state not its operational state and will only take effect the next time an aggregate link is established with that port NOTE Configuring...

Page 150: ...Configure from the Action list 4 Click General 5 Enable LACP on the required ports 6 Click Apply Figure 44 Enabling LACP on a Port To configure LACP parameters for group members 1 Click Interface Tru...

Page 151: ...p List 3 Select Show Member from the Action List 4 Select a Trunk Figure 46 Showing Members of a Dynamic Trunk To configure connection parameters for a dynamic trunk 1 Click Interface Trunk Dynamic 2...

Page 152: ...NTERS Use the Interface Trunk Dynamic Configure Aggregation Port Show Information Counters page to display statistics for LACP protocol messages CLI REFERENCES show lacp on page 747 PARAMETERS These p...

Page 153: ...igure 49 Displaying LACP Port Counters Marker Unknown Pkts Number of frames received that either 1 Carry the Slow Protocols Ethernet Type value but contain an unknown PDU or 2 are addressed to the Slo...

Page 154: ...min State Oper State Administrative or operational values of the actor s state parameters Expired The actor s receive machine is in the expired state Defaulted The actor s receive machine is using def...

Page 155: ...ner Oper System ID LAG partner s system ID assigned by the LACP protocol Partner Admin Port Number Current administrative value of the port number for the protocol Partner Partner Oper Port Number Ope...

Page 156: ...al 5 Select a group member from the Port list Figure 51 Displaying LACP Port Remote Information SAVING POWER Use the Interface Green Ethernet page to enable power savings mode on the selected port CLI...

Page 157: ...ower saving when there is a link partner Traditional Ethernet connections typically operate with enough power to support at least 100 meters of cable even though average network cable length is shorte...

Page 158: ...ports from the uplink ports assigned to other clients or to forward traffic through the uplink ports used by other clients allowing different clients to share access to their uplink ports where secur...

Page 159: ...plink ports assigned to different sessions WEB INTERFACE To enable traffic segmentation 1 Click Interface Traffic Segmentation 2 Select Configure Global from the Step list 3 Mark the Status check box...

Page 160: ...ured in both an uplink and downlink list A port can only be assigned to one traffic segmentation session A downlink port can only communicate with an uplink port in the same session Therefore if an up...

Page 161: ...nterface Displays a list of ports or trunks Port Port Identifier Range 1 10 Trunk Trunk Identifier Range 1 5 WEB INTERFACE To configure the members of the traffic segmentation group 1 Click Interface...

Page 162: ...ace CLI REFERENCES vlan trunking on page 838 COMMAND USAGE Use this feature to configure a tunnel across one or more intermediate switches which pass traffic for VLAN groups to which they do not belon...

Page 163: ...LANs will be bound to a single instance either STP RSTP or an MSTP instance depending on the selected STA mode If both VLAN trunking and ingress filtering are disabled on an interface packets with unk...

Page 164: ...CHAPTER 5 Interface Configuration VLAN Trunking 164 Figure 57 Configuring VLAN Trunking...

Page 165: ...each subnet into separate domains This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains VLANs confine broadcast traffi...

Page 166: ...a tagged port if you want it to carry traffic for one or more VLANs and any intermediate network devices or the host at the other end of the connection supports VLANs Then assign ports on the other V...

Page 167: ...assigned If an end station or its network adapter supports the IEEE 802 1Q VLAN protocol it can be configured to broadcast a message to your network indicating the VLAN groups it wants to join When t...

Page 168: ...rst strip off the VLAN tag before forwarding the frame When the switch receives a tagged frame it will pass this frame onto the VLAN s indicated by the frame tag However when this switch receives an u...

Page 169: ...ID ID of configured VLAN VLAN Name Name of the VLAN Status Operational status of configured VLAN Remote VLAN Shows if RSPAN is enabled on this VLAN see Configuring Remote Port Mirroring on page 134 WE...

Page 170: ...howing Static VLANs ADDING STATIC MEMBERS TO VLANS Use the VLAN Static page to configure port members for the selected VLAN index interface or a range of interfaces Use the menus for editing port memb...

Page 171: ...nk Specifies a port as an end point for a VLAN trunk A trunk is a direct link between two switches so the port transmits tagged frames that identify the source VLAN Note that frames belonging to the p...

Page 172: ...port will be untagged that is not carry a tag and therefore not carry VLAN or CoS information Note that an interface must be assigned to at least one group as an untagged port Forbidden Interface is f...

Page 173: ...re static members by the VLAN index 1 Click VLAN Static 2 Select Edit Member by VLAN from the Action list 3 Set the Interface type to display as Port or Trunk 4 Modify the settings for any interface a...

Page 174: ...LAN Members by Interface To configure static members by interface range 1 Click VLAN Static 2 Select Edit Member by Interface Range from the Action list 3 Set the Interface type to display as Port or...

Page 175: ...AN members on ports across the network VLANs are dynamically configured based on join messages issued by host devices and propagated throughout the network GVRP must be enabled to permit automatic VLA...

Page 176: ...e for VLAN group participants and the port leaving the group This interval should be considerably larger than the Leave Time to minimize the amount of traffic generated by nodes rejoining the group Ra...

Page 177: ...ic 2 Select Configure Interface from the Step list 3 Set the Interface type to display as Port or Trunk 4 Modify the GVRP status or timers for any interface 5 Click Apply Figure 67 Configuring GVRP fo...

Page 178: ...rvice Provider VLAN SPVLAN tags into the customer s frames when they enter the service provider s network and then stripping the tags when the frames leave the network A service provider s customers m...

Page 179: ...cket exits another trunk port on the same core switch the same SPVLAN tag is again added to the packet When a packet enters the trunk port on the service provider s egress switch the outer tag is agai...

Page 180: ...outgoing packets will have two tags Layer 2 Flow for Packets Coming into a Tunnel Uplink Port An uplink port receives one of the following packets Untagged One tag CVLAN or SPVLAN Double tag CVLAN SPV...

Page 181: ...st be an untagged member of the SPVLAN Then the outer SPVLAN tag will be stripped when the packets are sent out Another reason is that it causes non customer packets to be forwarded to the SPVLAN Stat...

Page 182: ...vider s metropolitan area network You can also globally set the Tag Protocol Identifier TPID value of the tunnel port if the attached client is using a nonstandard 2 byte ethertype to identify 802 1Q...

Page 183: ...ating interface CLI REFERENCES Configuring IEEE 802 1Q Tunneling on page 840 COMMAND USAGE Use the Configure Global page to set the switch to QinQ mode before configuring a tunnel port or tunnel uplin...

Page 184: ...l and the tunnel uplink port to Tunnel Uplink 4 Click Apply Figure 72 Adding an Interface to a QinQ Tunnel PROTOCOL VLANS The network devices required to support multiple protocols cannot be easily gr...

Page 185: ...reate protocol groups CLI REFERENCES protocol vlan protocol group Configuring Groups on page 849 PARAMETERS These parameters are displayed Frame Type Choose either Ethernet RFC 1042 or LLC Other as th...

Page 186: ...rom the Action list 4 Select an entry from the Frame Type list 5 Select an entry from the Protocol Type list 6 Enter an identifier for the protocol group 7 Click Apply Figure 73 Configuring Protocol V...

Page 187: ...e associated VLAN When a frame enters a port that has been assigned to a protocol VLAN it is processed in the following manner If the frame is tagged it will be processed according to the standard rul...

Page 188: ...lect a port or trunk 5 Enter the identifier for a protocol group 6 Enter the corresponding VLAN to which the protocol traffic will be forwarded 7 Click Apply Figure 75 Assigning Interfaces to Protocol...

Page 189: ...to only one VLAN ID An IP subnet consists of an IP address and a mask When an untagged frame is received by a port the source IP address is checked against the IP subnet to VLAN mapping table and if a...

Page 190: ...field 4 Enter a mask in the Subnet Mask field 5 Enter the identifier in the VLAN field Note that the specified VLAN need not already be configured 6 Enter a value to assign to untagged frames in the...

Page 191: ...VLANs on page 854 COMMAND USAGE The MAC to VLAN mapping applies to all ports on the switch Source MAC addresses can be mapped to only one VLAN ID Configured MAC addresses cannot be broadcast or multic...

Page 192: ...s in the MAC Address field 4 Enter an identifier in the VLAN field Note that the specified VLAN need not already be configured 5 Enter a value to assign to untagged frames in the Priority field 6 Clic...

Page 193: ...led the target port can receive a mirrored packet twice once from the source mirror port and again from the source mirrored VLAN The target port receives traffic from all monitored source VLANs and ca...

Page 194: ...mirroring 1 Click VLAN Mirror 2 Select Add from the Action list 3 Select the source VLAN and select a target port 4 Click Apply Figure 81 Configuring VLAN Mirroring To show the VLANs to be mirrored 1...

Page 195: ...C addresses A static address can be assigned to a specific interface on this switch Static addresses are bound to the assigned interface and will not be moved When a static address is seen on another...

Page 196: ...us Sets the time to retain the specified address Delete on reset Assignment lasts until the switch is reset Permanent Assignment is permanent This is the default WEB INTERFACE To configure a static MA...

Page 197: ...orwarding information CLI REFERENCES mac address table aging time on page 777 PARAMETERS These parameters are displayed Aging Status Enables disables the function Aging Time The time after which a lea...

Page 198: ...to all ports CLI REFERENCES show mac address table on page 779 PARAMETERS These parameters are displayed Sort Key You can sort the information displayed based on MAC address VLAN or interface port or...

Page 199: ...parameters are displayed Clear by All entries can be cleared or you can clear the entries for a specific MAC address all the entries in a VLAN or all the entries associated with a port or trunk WEB IN...

Page 200: ...et port will be mirrored to the destination port All mirror sessions must share the same destination port Spanning Tree BPDU packets are not mirrored to the target port When mirroring port traffic the...

Page 201: ...packets based on a MAC address 1 Click MAC Address Mirror 2 Select Add from the Action list 3 Specify the source MAC address and destination port 4 Click Apply Figure 88 Mirroring Packets Based on th...

Page 202: ...CHAPTER 7 Address Table Settings Configuring MAC Address Mirroring 202...

Page 203: ...nt switch bridge or router in your network to ensure that only one route exists between any two stations on the network and provide backup links which automatically take over when a primary link goes...

Page 204: ...seconds compared to 30 seconds or more for STP by reducing the number of state changes before active ports start learning predefining an alternate route that can be used when a node or port fails and...

Page 205: ...cations with STP or RSTP nodes in the global network Figure 92 Common Internal Spanning Tree Common Spanning Tree Internal Spanning Tree MSTP connects all bridges and LAN segments with a single Common...

Page 206: ...eceive it s own BPDUs in a forward delay interval NOTE If loopback detection is not enabled and an interface receives it s own BPDU then the interface will drop the loopback BPDU according to IEEE Sta...

Page 207: ...MAND USAGE Spanning Tree Protocol1 Uses RSTP for the internal state machine but sends only 802 1D BPDUs This creates one spanning tree instance for the entire network If multiple VLANs are implemented...

Page 208: ...t have compatible VLAN instance assignments Be careful when switching between spanning tree modes Changing modes stops all spanning tree instances for the previous mode and restarts the system in the...

Page 209: ...ndard Path Cost Method The path cost is used to determine the best path between devices The path cost method is used to determine the range of values that can be assigned to each interface Long Specif...

Page 210: ...uration Settings for MSTP Max Instance Numbers The maximum number of MSTP instances to which this switch can be assigned Configuration Digest An MD5 signature key that contains the VLAN ID to MST ID m...

Page 211: ...CHAPTER 8 Spanning Tree Algorithm Configuring Global Settings for STA 211 Figure 94 Configuring Global Settings for STA STP Figure 95 Configuring Global Settings for STA RSTP...

Page 212: ...ning tree on page 807 show spanning tree mst configuration on page 809 PARAMETERS The parameters displayed are described in the preceding section except for the following items Bridge ID A unique iden...

Page 213: ...ACE To display global STA settings 1 Click Spanning Tree STA 2 Select Configure Global from the Step list 3 Select Show Information from the Action list Figure 97 Displaying Global Settings for STA CO...

Page 214: ...loops Where more than one port is assigned the highest priority the port with lowest numeric identifier will be enabled Default 128 Range 0 240 in steps of 16 Admin Path Cost This parameter is used by...

Page 215: ...ing tree forwarding state Specifying Edge Ports provides quicker convergence for devices such as workstations or servers retains the current forwarding database to reduce the amount of frame flooding...

Page 216: ...te In a valid configuration configured edge ports should not receive BPDUs If an edge port receives a BPDU an invalid configuration exists such as a connection to an unauthorized device The BPDU guard...

Page 217: ...has been enabled on this interface BPDU Flooding Shows if BPDUs will be flooded to other ports when spanning tree is disabled globally on the switch or disabled on a specific port STA Status Displays...

Page 218: ...the designated bridging device through which this switch must communicate with the root of the Spanning Tree Oper Path Cost The contribution of this port to the path cost of paths towards the spanning...

Page 219: ...tep list 3 Select Show Information from the Action list Figure 100 Displaying Interface Settings for STA Alternate port receives more useful BPDUs from another bridge and is therefore not selected as...

Page 220: ...bridges within the same MSTI Region page 207 with the same set of instances and the same instance on each bridge with the same set of VLANs Also note that RSTP treats each MSTI region as a single nod...

Page 221: ...lect Configure Global from the Step list 3 Select Add from the Action list 4 Specify the MST instance identifier and the initial VLAN member Additional member can be added using the Spanning Tree MSTP...

Page 222: ...from the Step list 3 Select Show from the Action list Figure 102 Displaying MST Instances To modify the priority for an MST instance 1 Click Spanning Tree MSTP 2 Select Configure Global from the Step...

Page 223: ...isplaying Global Settings for STA on page 212 Figure 104 Displaying Global Settings for an MST Instance To add additional VLAN groups to an MSTP instance 1 Click Spanning Tree MSTP 2 Select Configure...

Page 224: ...mands on page 783 PARAMETERS These parameters are displayed MST ID Instance identifier to configure Default 0 Interface Displays a list of ports or trunks STA Status Displays the current state of this...

Page 225: ...media and higher values assigned to ports with slower media Path cost takes precedence over port priority Note that when the Path Cost Method is set to short page 3 63 the maximum path cost is 65 535...

Page 226: ...Interface Settings for MSTP 226 To display MSTP parameters for a port or trunk 1 Click Spanning Tree MSTP 2 Select Configure Interface from the Step list 3 Select Show Information from the Action list...

Page 227: ...plied to individual ports When an interface is configured with this feature the traffic rate will be monitored by the hardware to verify conformity Non conforming traffic is dropped conforming traffic...

Page 228: ...uration 228 WEB INTERFACE To configure rate limits 1 Click Traffic Rate Limit 2 Enable the Rate Limit Status for the required ports 3 Set the rate limit for the individual ports 4 Click Apply Figure 1...

Page 229: ...broadcast and multicast or unknown unicast traffic packets exceeding the threshold are dropped until the rate falls back down beneath the threshold The rate limits set by this function are also used...

Page 230: ...nd unknown unicast storm control Rate Threshold level as a rate i e packets per second Range 64 100000 Kbps for Fast Ethernet ports 64 1000000 Kbps for Gigabit Ethernet ports Default 64 Kbps NOTE Only...

Page 231: ...ocessing LAYER 2 QUEUE SETTINGS This section describes how to configure the default priority for untagged frames set the queue mode set the weights assigned to each queue and map class of service tags...

Page 232: ...Click Traffic Priority Default Priority 2 Select the interface type to display Port or Trunk 3 Modify the default priority for any interface 4 Click Apply Figure 111 Setting the Default Port Priority...

Page 233: ...pplications assigned a specific priority value Service time is shared at the egress ports by defining scheduling weights for WRR or one of the queuing modes that use a combination of strict and weight...

Page 234: ...queue mode 1 Click Traffic Priority Queue 2 Set the queue mode 3 If the weighted queue mode is selected the queue weight can be modified if required 4 If the queue mode that uses a combination of str...

Page 235: ...arate traffic priorities are defined in IEEE 802 1p Default priority levels are assigned according to recommendations in the IEEE 802 1p standard as shown in Table 14 The following table indicates the...

Page 236: ...where 3 is the highest CoS priority queue WEB INTERFACE To map internal PHB to hardware queues 1 Click Traffic Priority PHB to Queue 2 Select Configure from the Action list 3 Select a port 4 Map an i...

Page 237: ...s 237 Figure 115 Mapping CoS Values to Egress Queues To show the internal PHB to hardware queue map 1 Click Traffic Priority PHB to Queue 2 Select Show from the Action list 3 Select an interface Figur...

Page 238: ...ine the hardware queues used for egress traffic not to replace the priority values These defaults are designed to optimize priority services for the majority of network applications It should not be n...

Page 239: ...Apply Figure 117 Setting the Trust Mode MAPPING INGRESS DSCP VALUES TO INTERNAL DSCP VALUES Use the Traffic Priority DSCP to DSCP page to map DSCP values in incoming packets to per hop behavior and dr...

Page 240: ...rs are displayed Port Specifies a port DSCP DSCP value in ingress packets Range 0 63 PHB Per hop behavior or the priority used for this router hop Range 0 7 Drop Precedence Drop precedence used for Ra...

Page 241: ...DSCP 2 Select Configure from the Action list 3 Select a port 4 Set the PHB and drop precedence for any DSCP value 5 Click Apply Figure 118 Configuring DSCP to DSCP Internal Mapping To show the DSCP t...

Page 242: ...p behavior PHB which determines the queue to which a packet is sent and two bits for drop precedence namely color which is used by Random Early Detection RED to control traffic congestion RED starts d...

Page 243: ...o DSCP 2 Select Configure from the Action list 3 Select a port 4 Set the PHB and drop precedence for any of the CoS CFI combinations 5 Click Apply Figure 120 Configuring CoS to DSCP Internal Mapping T...

Page 244: ...e Layer 3 4 Priority Settings 244 To show the CoS CFI to internal PHB drop precedence map 1 Click Traffic Priority CoS to DSCP 2 Select Show from the Action list 3 Select a port Figure 121 Showing CoS...

Page 245: ...t kinds of traffic can be marked for different kinds of forwarding All switches or routers that access the Internet rely on class information to provide the same forwarding treatment to packets in the...

Page 246: ...ured to monitor the maximum throughput and burst rate Then specify the action to take for conforming traffic or the action to take for a policy violation 5 Use the Configure Interface page to assign a...

Page 247: ...e of an access control list Any type of ACL can be specified including standard or extended IP ACLs and MAC ACLs IP DSCP A DSCP value Range 0 63 IP Precedence An IP Precedence value Range 0 7 IPv6 DSC...

Page 248: ...aps To edit the rules for a class map 1 Click Traffic DiffServ 2 Select Configure Class from the Step list 3 Select Add Rule from the Action list 4 Select the name of a class map 5 Specify type of tra...

Page 249: ...ich indicates how to match the inbound packets according to an access list a DSCP or IP Precedence value or a member of specific VLAN A policy map is then configured which indicates the boundary param...

Page 250: ...Early Detection A packet is marked green if it doesn t exceed the committed information rate and committed burst size yellow if it does exceed the committed information rate and committed burst size b...

Page 251: ...roughput peak information rate PIR and their associated burst sizes committed burst size BC or burst rate and peak burst size BP Action may taken for traffic conforming to the maximum throughput excee...

Page 252: ...ed or if Tp t B 0 the packet is red else if the packet has been precolored as yellow or if Tc t B 0 the packet is yellow and Tp is decremented by B else the packet is green and both Tp and Tc are decr...

Page 253: ...edence on page 243 Set PHB Configures the service provided to ingress traffic by setting the internal per hop behavior for a matching packet as specified in rule settings for a class map Range 0 7 See...

Page 254: ...the maximum throughput but within the excess burst size or exceeding the excess burst size In addition to the actions defined by this command to transmit remark the DSCP service value or drop a packet...

Page 255: ...committed burst size BC or burst rate and peak burst size BP and the action to take for traffic conforming to the maximum throughput exceeding the maximum throughput but within the peak information ra...

Page 256: ...level Transmit Transmits in conformance traffic without any change to the DSCP service level Exceed Specifies whether traffic that exceeds the maximum rate CIR but is within the peak information rate...

Page 257: ...onfigure Policy from the Step list 3 Select Add from the Action list 4 Enter a policy name 5 Enter a description 6 Click Add Figure 126 Configuring a Policy Map To show the configured policy maps 1 Cl...

Page 258: ...behavior for matching packets to specify the quality of service to be assigned to the matching traffic class Use one of the metering options to define parameters such as the maximum throughput and bur...

Page 259: ...raffic DiffServ Configure Interface page to bind a policy map to an ingress port CLI REFERENCES Quality of Service Commands on page 877 COMMAND USAGE First define a class map define a policy map and b...

Page 260: ...o bind a policy map to a port 1 Click Traffic DiffServ 2 Select Configure Interface from the Step list 3 Check the box under the Ingress field to enable a policy map for a port 4 Select a policy map f...

Page 261: ...isolating the VoIP traffic from other data traffic End to end QoS policies and high priority can be applied to VoIP VLAN traffic across the network guaranteeing the bandwidth it needs VLAN isolation...

Page 262: ...ted on the switch Range 1 4093 Voice VLAN Aging Time The time after which a port is removed from the Voice VLAN when VoIP traffic is no longer received on the port Range 5 43200 minutes Default 1440 m...

Page 263: ...rs are displayed Telephony OUI Specifies a MAC address range to add to the list Enter the MAC address in format 01 23 45 67 89 AB Mask Identifies a range of MAC addresses Selecting a mask of FF FF FF...

Page 264: ...nterface page to configure ports for VoIP traffic you need to set the mode Auto or Manual specify the discovery method to use and set the traffic priority You can also enable security filtering to ens...

Page 265: ...the port Default OUI OUI Traffic from VoIP devices is detected by the Organizationally Unique Identifier OUI of the source MAC address OUI numbers are assigned to manufacturers and form the first thr...

Page 266: ...CHAPTER 13 VoIP Traffic Configuration Configuring VoIP Traffic Ports 266 Figure 134 Configuring Port Settings for a Voice VLAN...

Page 267: ...are infeasible or impractical Network Access Configure MAC authentication intrusion response dynamic VLAN assignment and dynamic QoS assignment HTTPS Provide a secure web connection SSH Provide a sec...

Page 268: ...ers in the network The security servers can be defined as sequential groups that are applied as a method for controlling user access to specified services For example when the switch attempts to authe...

Page 269: ...e on page 600 COMMAND USAGE By default management access is always checked against the authentication database stored on the local switch If a remote authentication server is used you must specify the...

Page 270: ...e logon authentication protocols that use software running on a central server to control access to RADIUS aware or TACACS aware devices on the network An authentication server contains a database of...

Page 271: ...gest 5 TLS Transport Layer Security or TTLS Tunneled Transport Layer Security PARAMETERS These parameters are displayed Configure Server RADIUS Global Provides globally applicable RADIUS settings Serv...

Page 272: ...CS server used for authentication messages Range 1 65535 Default 49 Set Key Mark this box to set or modify the encryption key Authentication Key Encryption key used to authenticate logon access for cl...

Page 273: ...globally to all specified servers or select a specific Server Index to specify the parameters that apply to a specific server 5 To set or modify the authentication key mark the Set Key box enter the...

Page 274: ...Step list 3 Select Add from the Action list 4 Select RADIUS or TACACS server type 5 Enter the group name followed by the index of the server to use for each priority level 6 Click Apply Figure 139 Co...

Page 275: ...ters are displayed Configure Global Periodic Update Specifies the interval at which the local accounting service updates information for all users on the system to the accounting server Range 0 214748...

Page 276: ...ed in the Configure Method page Range 1 255 characters Exec Console Method Name Specifies a user defined method name to apply to console connections Telnet Method Name Specifies a user defined method...

Page 277: ...lick Apply Figure 141 Configuring Global Settings for AAA Accounting To configure the accounting method applied to various service types and the assigned server group 1 Click Security AAA Accounting 2...

Page 278: ...e Action list Figure 143 Showing AAA Accounting Methods To configure the accounting method applied to specific interfaces console commands entered at specific privilege levels and local console Telnet...

Page 279: ...ecified service types 1 Click Security AAA Accounting 2 Select Show Information from the Step list 3 Click Summary Figure 146 Displaying a Summary of Applied AAA Accounting Methods To display basic ac...

Page 280: ...Method Name Specifies an authorization method for service requests The default method is used for a requested service if no other methods have been defined Range 1 255 characters Server Group Name Spe...

Page 281: ...the Exec service type and the assigned server group 1 Click Security AAA Authorization 2 Select Configure Method from the Step list 3 Specify the name of the authorization method and server group name...

Page 282: ...Configure Service from the Step list 3 Enter the required authorization method 4 Click Apply Figure 150 Configuring AAA Authorization Methods for Exec Service To display a the configured authorization...

Page 283: ...ame of the user Maximum length 32 characters maximum number of users 16 Access Level Specifies the user level Options 0 Normal 15 Privileged Normal privilege level provides access to a limited number...

Page 284: ...in situations where 802 1X or Network Access authentication are infeasible or impractical The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address...

Page 285: ...e enabled for any port where required under the Configure Interface menu Session Timeout Configures how long an authenticated session stays active before it must re authenticate itself Range 300 3600...

Page 286: ...s for the port Host IP Address Indicates the IP address of each connected host Remaining Session Time Indicates the remaining time until the current authorization session for the host expires Apply En...

Page 287: ...ddress authentication feature to work properly See Configuring Remote Logon Authentication Servers on page 270 NOTE MAC authentication cannot be configured on trunk ports CLI REFERENCES Network Access...

Page 288: ...ype 802 Tunnel Private Group ID 1u 2t VLAN ID list The VLAN identifier list is carried in the RADIUS Tunnel Private Group ID attribute The VLAN list can contain multiple VLAN identifiers in the format...

Page 289: ...conditions occur Illegal characters found in a profile value for example a non digital character in an 802 1p profile value Failure to configure the received profiles on the authenticated port When t...

Page 290: ...he reauthentication time expires for a secure MAC address it is reauthenticated with the RADIUS server During the reauthentication process traffic through the port remains unaffected Range 120 1000000...

Page 291: ...cator Settings for 802 1X on page 341 Dynamic VLAN Enables dynamic VLAN assignment for an authenticated port When enabled any VLAN identifiers returned by the RADIUS server are applied to the port pro...

Page 292: ...when MAC Authentication or 802 1X Authentication fails and the dynamic VLAN and QoS assignments 5 Click Apply Figure 157 Configuring Interface Settings for Network Access CONFIGURING PORT LINK DETECTI...

Page 293: ...Security Network Access 2 Select Configure Interface from the Step list 3 Click the Link Detection button 4 Modify the link detection status trigger condition and the response for any port 5 Click App...

Page 294: ...s Mask MAC Address Mask The filter rule will check for the range of MAC addresses defined by the MAC bit mask If you omit the mask the system will assign the default mask of an exact match Range 00000...

Page 295: ...MAC Address Authentication on page 654 PARAMETERS These parameters are displayed Query By Specifies parameters to use in the MAC address query Sort Key Sorts the information displayed based on MAC add...

Page 296: ...Select Show Information from the Step list 3 Use the sort key to display addresses based MAC address interface or attribute 4 Restrict the displayed addresses by entering a specific address in the MA...

Page 297: ...ber When you start HTTPS the connection is established in this way The client authenticates the server using the server s digital certificate The client and server negotiate a set of security protocol...

Page 298: ...certificate When you log onto the web interface using HTTPS for secure access a Secure Sockets Layer SSL certificate appears for the switch By default the certificate that Netscape and Internet Explor...

Page 299: ...file Certificate Source File Name Name of certificate file stored on the TFTP server Private Key Source File Name Name of private key file stored on the TFTP server Private Password Password stored in...

Page 300: ...SSH also encrypts all data transfers passing between the switch and SSH enabled management station clients and ensures that data traveling over the network arrives unaltered NOTE You need to install...

Page 301: ...blic key for all the SSH client s granted management access to the switch Note that these clients must be configured locally on the switch via the User Accounts page as described on page 283 The clien...

Page 302: ...he client d The client uses its private key to decrypt the challenge string computes the MD5 checksum and sends the checksum back to the switch e The switch compares the checksum sent from the client...

Page 303: ...rsion 1 5 or 2 0 clients Authentication Timeout Specifies the time interval in seconds that the SSH server waits for a response from a client during an authentication attempt Range 1 120 seconds Defau...

Page 304: ...g the SSH Server on page 303 CLI REFERENCES Secure Shell on page 623 PARAMETERS These parameters are displayed Host Key Type The key type used to generate the host key pair i e public and private keys...

Page 305: ...4 Select the host key type from the drop down box 5 Select the option to save the host key from memory to flash if required 6 Click Apply Figure 165 Generating the SSH Host Key Pair To display or clea...

Page 306: ...y Type The type of public key to upload RSA The switch accepts a RSA version 1 encrypted public key DSA The switch accepts a DSA version 2 encrypted public key The SSH server uses RSA or DSA for key e...

Page 307: ...Public Key To display or clear the SSH user s public key 1 Click Security SSH 2 Select Configure User Key from the Step list 3 Select Show from the Action list 4 Select a user from the User Name list...

Page 308: ...n as it matches a permit rule or dropped as soon as it matches a deny rule If no rules match the packet is accepted COMMAND USAGE The following restrictions apply to ACLs The maximum number of ACLs is...

Page 309: ...Rule Time Range Name of a time range Mode Absolute Specifies a specific time or time range Start End Specifies the hours minutes month day and year at which to start or end Periodic Specifies a period...

Page 310: ...re 170 Showing a List of Time Ranges To configure a rule for a time range 1 Click Security ACL 2 Select Configure Time Range from the Step list 3 Select Add Rule from the Action list 4 Select the name...

Page 311: ...CLI REFERENCES show access list tcam utilization on page 518 COMMAND USAGE Policy control entries PCEs are used by various system functions which rely on rule based searches including Access Control L...

Page 312: ...ecurity ACL Configure ACL Add page to create an ACL CLI REFERENCES access list ip on page 698 show ip access list on page 703 PARAMETERS These parameters are displayed ACL Name Name of the ACL Maximum...

Page 313: ...RP ARP ACL specifies static IP to MAC address bindings used for ARP inspection see ARP Inspection on page 326 WEB INTERFACE To configure the name and type of an ACL 1 Click Security ACL 2 Select Confi...

Page 314: ...ddress and Subnet Mask fields Options Any Host IP Default Any Source IP Address Source IP address Source Subnet Mask A subnet mask containing four integers from 0 to 255 each separated by a period The...

Page 315: ...s matching the selected type Action An ACL can contain any combination of permit or deny rules Source Destination Address Type Specifies the source or destination IP address Use Any to include all pos...

Page 316: ...yte 14 of the TCP header Range 0 63 Control Code Bit Mask Decimal number representing the code bits to match Range 0 63 The control bit mask is a decimal number for an equivalent binary bit mask that...

Page 317: ...xtended from the Type list 5 Select the name of an ACL from the Name list 6 Specify the action i e Permit or Deny 7 Select the address type Any Host or IP 8 If you select Host enter a specific address...

Page 318: ...ge of addresses Options Any Host IPv6 Prefix Default Any Source IPv6 Address An IPv6 source address or network class The address must be formatted according to RFC 2373 IPv6 Addressing Architecture us...

Page 319: ...elects the type of ACLs to show in the Name list Name Shows the names of ACLs matching the selected type Action An ACL can contain any combination of permit or deny rules Destination Address Type Spec...

Page 320: ...for the IPv4 Protocol field in RFC 1700 and includes these commonly used headers 0 Hop by Hop Options RFC 2460 6 TCP Upper layer Header RFC 1700 17 UDP Upper layer Header RFC 1700 43 Routing RFC 2460...

Page 321: ...the Name list Name Shows the names of ACLs matching the selected type Action An ACL can contain any combination of permit or deny rules Source Destination Address Type Use Any to include all possible...

Page 322: ...IP 0806 ARP 8137 IPX Ethernet Type Bit Mask Protocol bit mask Range 600 ffff hex Time Range Name of a time range WEB INTERFACE To add rules to a MAC ACL 1 Click Security ACL 2 Select Configure ACL fr...

Page 323: ...parameters are displayed Type Selects the type of ACLs to show in the Name list Name Shows the names of ACLs matching the selected type Action An ACL can contain any combination of permit or deny rule...

Page 324: ...tion MAC Bit Mask Hexadecimal mask for source or destination MAC address Log Logs a packet when it matches the access control entry WEB INTERFACE To add rules to an ARP ACL 1 Click Security ACL 2 Sele...

Page 325: ...t and one MAC access list to any port CLI REFERENCES ip access group on page 702 show ip access group on page 703 mac access group on page 713 show mac access group on page 714 Time Range on page 560...

Page 326: ...an in the middle attacks This is accomplished by intercepting all ARP requests and responses and verifying each of these packets before the local ARP cache is updated or the packet is forwarded to the...

Page 327: ...not affect the ARP Inspection configuration of any VLANs When ARP Inspection is disabled globally it is still possible to configure ARP Inspection for individual VLANs These configuration changes will...

Page 328: ...e controlled basis After the system message is generated the entry is cleared from the log buffer Each log entry contains flow information such as the receiving VLAN the port number the source and des...

Page 329: ...ARP Inspection 2 Select Configure General from the Step list 3 Enable ARP inspection globally enable any of the address validation options and adjust any of the logging parameters if required 4 Click...

Page 330: ...RS These parameters are displayed ARP Inspection VLAN ID Selects any configured VLAN Default 1 ARP Inspection VLAN Status Enables ARP Inspection for the selected VLAN Default Disabled ARP Inspection A...

Page 331: ...re subject to ARP packet rate limiting and all trusted ports are exempt from ARP packet rate limiting Packets arriving on trusted interfaces bypass all ARP Inspection and ARP Inspection Validation che...

Page 332: ...us reasons CLI REFERENCES show ip arp inspection statistics on page 695 PARAMETERS These parameters are displayed Table 21 ARP Inspection Statistics Parameter Description Received ARP packets before A...

Page 333: ...N port and address components CLI REFERENCES show ip arp inspection log on page 695 PARAMETERS These parameters are displayed ARP packets dropped by additional validation Src MAC Count of packets that...

Page 334: ...to all IP addresses by default Once you add an entry to a filter list access to that interface is restricted to the specified addresses If anyone tries to access a management interface on the switch f...

Page 335: ...rt address and end address PARAMETERS These parameters are displayed Mode Web Configures IP address es for the web group SNMP Configures IP address es for the SNMP group Telnet Configures IP address e...

Page 336: ...ess table will be authorized to access the network through that port If a device with an unauthorized MAC address attempts to use the switch port the intrusion will be detected and the switch can auto...

Page 337: ...n a port security violation is detected None No action should be taken This is the default Trap Send an SNMP trap message Shutdown Disable the port Trap and Shutdown Send an SNMP trap message and disa...

Page 338: ...enticator responds with an EAPOL identity request The client provides its identity such as a user name in an EAPOL response to the switch which it forwards to the RADIUS server The RADIUS server verif...

Page 339: ...nd client also have to support the same EAP authentication type MD5 PEAP TLS or TTLS Native support for these encryption methods is provided in Windows XP and in Windows 2000 with Service Pack 4 To su...

Page 340: ...ile User Name The dot1x supplicant user name Range 1 8 characters The global supplicant user name and password are used to identify this switch as a supplicant when responding to an MD5 challenge from...

Page 341: ...s attached to the switch and the authentication server configure the parameters for the exchange of EAP messages between the authenticator and clients on the Authenticator configuration page When devi...

Page 342: ...s the port to deny access to all clients either dot1x aware or otherwise Operation Mode Allows single or multiple hosts clients to connect to an 802 1X authorized port Default Single Host Single Host...

Page 343: ...e requests for authentication information It may also send other EAP request frames to the client during an active connection as required for reauthentication Server Timeout Sets the time that a switc...

Page 344: ...Current state including request response success fail timeout idle initialize Request Count Number of EAP Request packets sent to the Supplicant without receiving a response Identifier Server Identif...

Page 345: ...t page to configure 802 1X port settings for supplicant requests issued from a port to an authenticator on another device When 802 1X is enabled and the control mode is set to Force Authorized see Con...

Page 346: ...displayed Port Port number PAE Supplicant Enables PAE supplicant mode Default Disabled If the attached client must be authenticated through another device in the network supplicant status must be ena...

Page 347: ...X STATISTICS Use the Security Port Authentication Show Statistics page to display statistics for dot1x protocol exchanges for any port CLI REFERENCES show dot1x on page 644 PARAMETERS These parameters...

Page 348: ...OL frames that have been received by this Supplicant in which the frame type is not recognized Rx EAPOL Total The number of valid EAPOL frames of any type that have been received by this Supplicant Rx...

Page 349: ...rt Authentication 349 WEB INTERFACE To display port authenticator statistics for 802 1X 1 Click Security Port Authentication 2 Select Show Statistics from the Step list 3 Click Authenticator Figure 19...

Page 350: ...nooping on page 355 IP source guard can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighbor to access the network This section describes commands used to co...

Page 351: ...see page 358 IP source guard will check the VLAN ID source IP address port number and source MAC address for the SIP MAC option If a matching entry is found in the binding table and the entry type is...

Page 352: ...ype for each port 3 Click Apply Figure 197 Setting the Filter Type for IP Source Guard CONFIGURING STATIC BINDINGS FOR IP SOURCE GUARD Use the Security IP Source Guard Static Configuration page to bin...

Page 353: ...arameters are displayed Add Port The port to which a static entry is bound VLAN ID of a configured VLAN Range 1 4093 MAC Address A valid unicast MAC address IP Address A valid unicast IP address inclu...

Page 354: ...IP Source Guard DISPLAYING INFORMATION FOR DYNAMIC IP SOURCE GUARD BINDINGS Use the Security IP Source Guard Dynamic Binding page to display the source guard binding table for a selected interface CLI...

Page 355: ...ick Security IP Source Guard Dynamic Binding 2 Mark the search criteria and enter the required values 3 Click Query Figure 200 Showing the IP Source Guard Binding Table DHCP SNOOPING The addresses ass...

Page 356: ...via DHCP snooping Filtering rules are implemented as follows If the global DHCP snooping is disabled all DHCP packets are forwarded If DHCP snooping is enabled globally and also enabled on the VLAN w...

Page 357: ...attacks from attached clients on DHCP services such as IP Spoofing Client Identifier Spoofing MAC Address Spoofing and Address Exhaustion DHCP Snooping must be enabled for Option 82 information to be...

Page 358: ...tion Option Status Enables or disables DHCP Option 82 information relay Default Disabled DHCP Snooping Information Option Policy Specifies how to handle DHCP client request packets which already conta...

Page 359: ...e DHCP snooping is globally disabled DHCP snooping can still be configured for specific VLANs but the changes will not take effect until DHCP snooping is globally re enabled When DHCP snooping is glob...

Page 360: ...hat is configured to receive only messages from within the network An untrusted interface is an interface that is configured to receive messages from outside the network or fire wall When DHCP snoopin...

Page 361: ...isplay entries in the binding table CLI REFERENCES show ip dhcp snooping binding on page 681 PARAMETERS These parameters are displayed MAC Address Physical address associated with the entry IP Address...

Page 362: ...r a dynamic entry that has been restored from flash memory will no longer be valid Clear Removes all dynamically learned snooping entries from flash memory WEB INTERFACE To display the binding table f...

Page 363: ...it over a group of switches connected to the same local network CONFIGURING EVENT LOGGING The switch allows you to control the logging of error messages including the type of events that are recorded...

Page 364: ...efault 7 NOTE The Flash Level must be equal to or less than the RAM Level NOTE All log messages are retained in RAM and Flash after a warm restart i e power is reset through the command interface NOTE...

Page 365: ...memory and RAM 4 Click Apply Figure 205 Configuring Settings for System Memory Logs To show the error messages logged to system memory 1 Click Administration Log System 2 Select Show System Logs from...

Page 366: ...ropriate service The attribute specifies the facility type tag sent in syslog messages see RFC 3164 This type has no effect on the kind of messages reported by the switch However it may be used by the...

Page 367: ...function Default Enabled Severity Sets the syslog severity threshold level see table on page 364 used to trigger alert messages All events at this level or higher will be sent to the configured email...

Page 368: ...LAYER DISCOVERY PROTOCOL Link Layer Discovery Protocol LLDP is used to discover basic information about neighboring devices on the local broadcast domain LLDP is a Layer 2 protocol that uses periodic...

Page 369: ...ain all information pertaining to the sending LLDP agent if it does not transmit updates in a timely manner TTL in seconds is based on the following rule Transmission Interval Holdtime Multiplier 6553...

Page 370: ...ss WEB INTERFACE To configure LLDP timing attributes 1 Click Administration LLDP 2 Select Configure Global from the Step list 3 Enable LLDP and modify any of the timing parameters as required 4 Click...

Page 371: ...gement address is available the address should be the MAC address for the CPU or for the port sending this advertisement The management address TLV may also include information about the specific inte...

Page 372: ...been assigned see IEEE 802 1Q VLANs on page 165 and Protocol VLANs on page 184 Port and Protocol VLAN ID The port based protocol VLANs configured on this interface see IEEE 802 1Q VLANs on page 165 an...

Page 373: ...ed Global Settings Chassis Type Identifies the chassis containing the IEEE 802 LAN entity associated with the transmitting LLDP agent There are several ways in which a chassis may be identified and a...

Page 374: ...ss is available the address should be the MAC address for the CPU or for the port sending this advertisement Interface Settings The attributes listed below apply to both port and trunk interface types...

Page 375: ...e Information for LLDP General Figure 212 Displaying Local Device Information for LLDP Port DISPLAYING LLDP REMOTE PORT INFORMATION Use the Administration LLDP Show Remote Device Information page to d...

Page 376: ...dentified and a chassis ID subtype is used to indicate the type of component being referenced by the chassis ID field See Table 25 Chassis ID Subtype on page 373 Chassis ID An octet string indicating...

Page 377: ...tails 802 1 Extension Information Remote Port VID The port s default VLAN identifier PVID indicates the VLAN with which untagged or priority tagged frames are associated Remote Port Protocol VLAN List...

Page 378: ...emote Power Pairs Signal means that the signal pairs only are in use and Spare means that the spare pairs only are in use Remote Power MDI Supported Shows whether MDI power is supported on the given p...

Page 379: ...e Link Aggregation Port ID This object contains the IEEE 802 3 aggregated port identifier aAggPortID IEEE 802 3 2002 30 7 2 1 1 derived from the ifNumber of the ifIndex for the port component associat...

Page 380: ...CHAPTER 15 Basic Administration Protocols Link Layer Discovery Protocol 380 Figure 214 Displaying Remote Device Information for LLDP Port Details...

Page 381: ...ch the remote database on this switch dropped an LLDPDU because of insufficient resources Neighbor Entries Age out Count The number of times that a neighbor s information has been deleted from the LLD...

Page 382: ...LLDP Device Statistics General Figure 216 Displaying LLDP Device Statistics Port SIMPLE NETWORK MANAGEMENT PROTOCOL Simple Network Management Protocol SNMP is a communication protocol designed specifi...

Page 383: ...rity models with each model having it s own security levels There are three security models defined SNMPv1 SNMPv2c and SNMPv3 Users are assigned to groups that are defined by a security model and spec...

Page 384: ...your management station Configuring SNMPv3 Management Access 1 Use the Administration SNMP Configure Global page to enable SNMP on the switch and to enable trap messages 2 Use the Administration SNMP...

Page 385: ...ation message to specified IP trap managers whenever an invalid community string is submitted during the SNMP access authentication process Default Enabled Link up and Link down Traps5 Issues a notifi...

Page 386: ...e to the switch This is referred to as the default engine ID If the local engine ID is deleted or changed all SNMP users will be cleared You will need to reconfigure all existing users PARAMETERS Thes...

Page 387: ...mp server engine id on page 577 COMMAND USAGE SNMP passwords are localized using the engine ID of the authoritative agent For informs the authoritative SNMP agent is the remote agent You therefore nee...

Page 388: ...Apply Figure 219 Configuring a Remote Engine ID for SNMP To show the remote SNMP engine IDs 1 Click Administration SNMP 2 Select Configure Engine from the Step list 3 Select Show Remote Engine from t...

Page 389: ...SNMP views configured in the Add View page OID Subtree Adds an additional object identifier of a branch within the MIB tree to the selected View Wild cards can be used to mask a specific portion of t...

Page 390: ...ure 222 Showing SNMP Views To add an object identifier to an existing SNMP view of the switch s MIB database 1 Click Administration SNMP 2 Select Configure View from the Step list 3 Select Add OID Sub...

Page 391: ...ricting them to specific read write and notify views You can use the pre defined default groups or create new groups to map a set of SNMP users to SNMP views CLI REFERENCES show snmp group on page 582...

Page 392: ...ing itself such that its configuration is unaltered linkDown 1 3 6 1 6 3 1 1 5 3 A linkDown trap signifies that the SNMP entity acting in an agent role has detected that the ifOperStatus object for on...

Page 393: ...d swAtcMcastStormTcApplyTrap 1 3 6 1 4 1 259 10 1 17 2 1 0 76 When ATC is activated this trap is fired swAtcMcastStormTcReleaseTrap 1 3 6 1 4 1 259 10 1 17 2 1 0 77 When ATC is released this trap is f...

Page 394: ...re Group from the Step list 3 Select Add from the Action list 4 Enter a group name assign a security model and level and then select read write and notify views 5 Click Apply Figure 225 Creating an SN...

Page 395: ...ssword and permits access to the SNMP protocol Range 1 32 characters case sensitive Default strings public Read Only private Read Write Access Mode Specifies the access rights for the community string...

Page 396: ...be configured with a specific security level and assigned to a group The SNMPv3 group restricts users to a specific read write and notify view CLI REFERENCES snmp server user on page 579 PARAMETERS T...

Page 397: ...t DES is currently available Privacy Password A minimum of eight plain text characters is required WEB INTERFACE To configure a local SNMPv3 user 1 Click Administration SNMP 2 Select Configure User fr...

Page 398: ...d notify view CLI REFERENCES snmp server user on page 579 COMMAND USAGE To grant management access to an SNMPv3 user on a remote device you must first specify the engine identifier for the SNMP agent...

Page 399: ...minimum of eight plain text characters is required Privacy Protocol The encryption algorithm use for data privacy only 56 bit DES is currently available Privacy Password A minimum of eight plain text...

Page 400: ...anagement Protocol 400 Figure 231 Configuring Remote SNMPv3 Users To show remote SNMPv3 users 1 Click Administration SNMP 2 Select Configure User from the Step list 3 Select Show SNMPv3 Remote User fr...

Page 401: ...received by the host However note that informs consume more system resources because they must be kept in memory until a response is received Informs also add to network traffic You should consider t...

Page 402: ...tification message i e the targeted recipient Version Specifies whether to send notifications as SNMP v1 v2c or v3 traps Notification Type Traps Notifications are sent as trap messages Inform Notifica...

Page 403: ...0 255 Default 3 Local User Name The name of a local user which is used to identify the source of SNMPv3 trap messages sent from the local switch Range 1 32 characters If an account for the specified u...

Page 404: ...onfigure trap managers 1 Click Administration SNMP 2 Select Configure Trap from the Step list 3 Select Add from the Action list 4 Fill in the required parameters based on the selected SNMP version 5 C...

Page 405: ...o specified events on an independent basis This switch is an RMON capable device which can independently perform a wide range of tasks significantly reducing network management traffic It can continuo...

Page 406: ...ed again until the statistical value crosses the opposite bounding threshold and then back across the trigger threshold CLI REFERENCES Remote Monitoring Commands on page 589 COMMAND USAGE If an alarm...

Page 407: ...ated After a falling event has been generated another such event will not be generated until the sampled value has risen above the falling threshold reaches the rising threshold and again moves back d...

Page 408: ...Monitoring 408 Figure 237 Configuring an RMON Alarm To show configured RMON alarms 1 Click Administration RMON 2 Select Configure Global from the Step list 3 Select Show from the Action list 4 Click...

Page 409: ...played Index Index to this entry Range 1 65535 Type Specifies the type of event to initiate None No event is generated Log Generates an RMON log entry when the event is triggered Log messages are proc...

Page 410: ...N 2 Select Configure Global from the Step list 3 Select Add from the Action list 4 Click Event 5 Enter an index number the type of event to initiate the community string to send with trap messages the...

Page 411: ...hich may reveal problems associated with high traffic levels broadcast storms or other unusual events It can also be used to predict network growth and plan for expansion before your network becomes t...

Page 412: ...number of buckets granted are displayed on the Show page Owner Name of the person who created this entry Range 1 127 characters WEB INTERFACE To periodically sample statistics on a port 1 Click Admini...

Page 413: ...elect Show from the Action list 4 Select a port from the list 5 Click History Figure 242 Showing Configured RMON History Samples To show collected RMON history samples 1 Click Administration RMON 2 Se...

Page 414: ...each entry includes input octets packets broadcast packets multicast packets undersize packets oversize packets CRC alignment errors jabbers fragments collisions drop events and frames of various siz...

Page 415: ...ct Configure Interface from the Step list 3 Select Show from the Action list 4 Select a port from the list 5 Click Statistics Figure 245 Showing Configured RMON Statistical Samples To show collected R...

Page 416: ...can use either Telnet or the web interface to communicate directly with the Commander through its IP address and then use the Commander to manage Member switches through the cluster s internal IP add...

Page 417: ...e displayed Cluster Status Enables or disables clustering on the switch Default Disabled Commander Status Enables or disables the switch as a cluster Commander Default Disabled IP Pool An internal IP...

Page 418: ...Clustering on page 563 PARAMETERS These parameters are displayed Member ID Specify a Member ID number for the selected Candidate switch Range 1 36 MAC Address Select a discovered switch MAC address f...

Page 419: ...1 Click Administration Cluster 2 Select Configure Member from the Step list 3 Select Show from the Action list Figure 249 Showing Cluster Members To show cluster candidates 1 Click Administration Clu...

Page 420: ...ange 1 36 Role Indicates the current status of the switch in the cluster IP Address The internal cluster IP address assigned to the Member switch MAC Address The MAC address of the Member switch Descr...

Page 421: ...de on the network Address Resolution Protocol Describes how to configure ARP aging time Also shows how to display the ARP cache IPv4 Configuration Sets an IPv4 address for management access IPv6 Confi...

Page 422: ...EB INTERFACE To ping another device on the network 1 Click IP General Ping 2 Specify the target device and ping parameters 3 Click Apply Figure 252 Pinging a Network Device ADDRESS RESOLUTION PROTOCOL...

Page 423: ...ng as this entry has not timed out the switch will be able forward traffic directly to the next hop for this destination without having to broadcast another ARP request Also if the switch receives a r...

Page 424: ...LAYING ARP ENTRIES Use the IP ARP Show Information page to display dynamic entries in the ARP cache The ARP cache contains entries for local interfaces including subnet host and broadcast addresses Th...

Page 425: ...fault gateway for the switch CLI REFERENCES ip default gateway on page 1029 PARAMETERS These parameters are displayed Gateway IP Address IP address of the gateway router between the switch and managem...

Page 426: ...tion Static Dynamic Host Configuration Protocol DHCP or Boot Protocol BOOTP If DHCP BOOTP is enabled IP will not function until a reply has been received from the server Requests will be broadcast per...

Page 427: ...o Static specify a primary or secondary address type then enter the IP address and subnet mask 5 Click Apply Figure 256 Configuring a Static IPv4 Address To obtain an dynamic IPv4 address through DHCP...

Page 428: ...eriod of time If the address expires or the switch is moved to another network segment you will lose management access to the switch In this case you can reboot the switch or submit a client request t...

Page 429: ...outside of the subnet A link local address is easy to set up and may be useful for simple networks or basic troubleshooting tasks However to connect to a larger network with multiple segments the swi...

Page 430: ...nk local address The switch s address auto configuration function will automatically create a link local address as well as an IPv6 global address if router advertisements are detected on the local in...

Page 431: ...rface Note that when an explicit address is assigned to an interface IPv6 is automatically enabled and cannot be disabled until all assigned addresses have been removed Default Disabled Disabling this...

Page 432: ...e is changed duplicate address detection is performed on the new link local address but not for any of the IPv6 global unicast addresses already associated with the interface ND NS Interval The interv...

Page 433: ...luding address auto configuration or explicitly enabling IPv6 see Configuring IPv6 Interface Settings on page 430 will also automatically generate a link local unicast address The prefix length for a...

Page 434: ...an be attached to a port belonging to any VLAN as long as that VLAN has been assigned an IP address Range 1 4093 Address Type Defines the address type configured for this interface Global Configures a...

Page 435: ...i e organizationally unique identifier or company identifier and the rest of the address resulting in a modified EUI 64 interface identifier of 2A 9F 18 FF FE 1C 82 35 This host addressing method allo...

Page 436: ...local multicast address is only used for loopback transmission of multicast traffic Link local multicast addresses cover the same types as used by link local unicast addresses including all nodes FF0...

Page 437: ...PV6 NEIGHBOR CACHE Use the IP IPv6 Configuration Show IPv6 Neighbor Cache page to display the IPv6 addresses detected for neighbor devices CLI REFERENCES show ipv6 neighbors on page 1056 PARAMETERS Th...

Page 438: ...path was functioning While in STALE state the device takes no action until a packet is sent DELAY More than the ReachableTime interval has elapsed since the last positive confirmation was received th...

Page 439: ...buffering capacity to forward a datagram and when the gateway can direct the host to send traffic on a shorter route ICMP is also used by routers to feed back information about more suitable routes t...

Page 440: ...or some of the fragments Reassembly Succeeded The number of IPv6 datagrams successfully reassembled Note that this counter is incremented at the interface to which these datagrams were addressed which...

Page 441: ...Parameter Problem Messages The number of ICMP Parameter Problem messages received by the interface Echo Request Messages The number of ICMP Echo request messages received by the interface Echo Reply...

Page 442: ...face Neighbor Advertisement Messages The number of ICMP Router Advertisement messages sent by the interface Redirect Messages The number of Redirect messages sent For a host this object will always be...

Page 443: ...Address IP Version 6 443 WEB INTERFACE To show the IPv6 statistics 1 Click IP IPv6 Configuration 2 Select Show Statistics from the Action list 3 Click IPv6 ICMPv6 or UDP Figure 264 Showing IPv6 Statis...

Page 444: ...w ipv6 mtu on page 1046 PARAMETERS These parameters are displayed WEB INTERFACE To show the MTU reported from other devices 1 Click IP IPv6 Configuration 2 Select Show MTU from the Action list Figure...

Page 445: ...esses configure default domain names or specify one or more name servers to use for domain name to address translation CONFIGURING GENERAL DNS SERVICE PARAMETERS Use the IP Service DNS General Configu...

Page 446: ...is page to define a list of domain names that can be appended to incomplete host names i e host names passed from a client that are not formatted with dotted notation If there is no domain list the de...

Page 447: ...domain name Range 1 68 characters WEB INTERFACE To create a list domain names 1 Click IP Service DNS 2 Select Add Domain Name from the Action list 3 Enter one domain name at a time 4 Click Apply Figur...

Page 448: ...er is specified the servers are queried in the specified sequence until a response is received or the end of the list is reached with no response If all name servers are deleted DNS will automatically...

Page 449: ...manually configure static entries in the DNS table that are used to map domain names to IP addresses CLI REFERENCES ip host on page 1014 show hosts on page 1018 COMMAND USAGE Static entries may be us...

Page 450: ...vice DNS Static Host Table 2 Select Add from the Action list 3 Enter a host name and the corresponding address 4 Click Apply Figure 273 Configuring Static Entries in the DNS Table To show static entri...

Page 451: ...ver a DNS client can try each address in succession until it establishes a connection with the target device PARAMETERS These parameters are displayed No The entry number for each resource record Flag...

Page 452: ...CHAPTER 17 IP Services Displaying the DNS Cache 452...

Page 453: ...udio A multicast server does not have to establish a separate connection with each client It merely broadcasts its service to the network and any hosts that want to receive the multicast register with...

Page 454: ...service requests passing between multicast clients and servers and dynamically configure the switch ports which need to forward multicast traffic IGMP Snooping conserves bandwidth on network segments...

Page 455: ...d in the attached VLAN or flooded throughout the VLAN if unregistered flooding is enabled see Configuring IGMP Snooping and Query Parameters on page 456 Static IGMP Router Interface If IGMP snooping c...

Page 456: ...roughout the VLAN if unregistered flooding is enabled see Unregistered Data Flood in the Command Attributes section IGMP Querier A router or multicast enabled switch can periodically ask their hosts i...

Page 457: ...ology has stabilized and the new locations of all multicast receivers are learned If a topology change notification TCN is received and all the uplink ports are subsequently deleted a time out mechani...

Page 458: ...ting in the role of a multicast host such as when using proxy routing it should ignore version 2 or 3 queries that do not contain the Router Alert option Unregistered Data Flooding Floods unregistered...

Page 459: ...ures the IGMP report query version used by IGMP snooping Versions 1 3 are all supported and versions 2 and 3 are backward compatible so the switch can operate with other devices regardless of the snoo...

Page 460: ...CLI REFERENCES Static Multicast Routing on page 914 PARAMETERS These parameters are displayed VLAN Selects the VLAN which is to propagate all multicast traffic coming from the attached multicast rout...

Page 461: ...Interfaces Attached a Multicast Router ASSIGNING INTERFACES TO MULTICAST SERVICES Use the Multicast IGMP Snooping IGMP Member Add Static Member page to statically assign a multicast service to an inte...

Page 462: ...or Trunk Specifies the interface assigned to a multicast group Multicast IP The IP address for a specific multicast service WEB INTERFACE To statically assign an interface to a multicast service 1 Cli...

Page 463: ...Interfaces Assigned to a Multicast Service To show the all interfaces statically or dynamically assigned to a multicast service 1 Click Multicast IGMP Snooping IGMP Member 2 Select Show Current Membe...

Page 464: ...essages to discover multicast routers is insufficient due to query suppression MRD therefore provides a standardized way to identify multicast routers without relying on any particular multicast routi...

Page 465: ...herwise this kind of packet is only forwarded to known multicast routing ports PARAMETERS These parameters are displayed VLAN ID of configured VLANs Range 1 4093 IGMP Snooping Status When enabled the...

Page 466: ...y suppression is enabled then these messages are forwarded only to downstream ports which have joined a multicast service Proxy Reporting Enables IGMP Snooping with Proxy Reporting Default Based on gl...

Page 467: ...e to detect the loss of the last member of a group or source but may generate more burst traffic This attribute will take effect only if IGMP snooping proxy reporting is enabled see page 456 Last Memb...

Page 468: ...ticast IGMP Snooping Interface 2 Select Configure from the Action list 3 Select the VLAN to configure and update the required parameters 4 Click Apply Figure 284 Configuring IGMP Snooping on an Interf...

Page 469: ...led on the switch see page 456 PARAMETERS These parameters are displayed VLAN An interface on the switch that is forwarding traffic to downstream ports for the specified multicast group address Group...

Page 470: ...join IGMP filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port An IGMP filter profile can contain one or more addresses...

Page 471: ...ottling on the switch 1 Click Multicast IGMP Snooping Filter 2 Select Configure General from the Step list 3 Enable IGMP Filter Status 4 Click Apply Figure 287 Enabling IGMP Filtering and Throttling C...

Page 472: ...ts are only processed when the multicast group is not in the controlled range Add Multicast Group Range Profile ID Selects an IGMP profile to configure Start Multicast IP Address Specifies the startin...

Page 473: ...Figure 289 Showing the IGMP Filtering Profiles Created To add a range of multicast groups to an IGMP filter profile 1 Click Multicast IGMP Snooping Filter 2 Select Configure Profile from the Step list...

Page 474: ...st groups an interface can join at the same time CLI REFERENCES IGMP Filtering and Throttling on page 915 COMMAND USAGE IGMP throttling sets a maximum number of multicast groups that a port can join a...

Page 475: ...Default Deny Deny The new multicast group join report is dropped Replace The new multicast group replaces an existing group Throttling Status Indicates if the throttling action has been implemented on...

Page 476: ...cribers belong Even though common multicast streams are passed onto different VLAN groups from the MVR VLAN users in different IEEE 802 1Q or private VLANs cannot exchange any information except throu...

Page 477: ...ted source ports to all receiver ports that have registered to receive data from that multicast group Default Disabled MVR VLAN Identifier of the VLAN that serves as the channel for streaming multicas...

Page 478: ...ticast group address for required services CLI REFERENCES Multicast VLAN Registration on page 992 PARAMETERS These parameters are displayed Group IP Address IP address for an MVR multicast group Range...

Page 479: ...up address range 1 Click Multicast MVR 2 Select Configure Group Range from the Step list 3 Select Add from the Action list 4 Specify a multicast group that will stream traffic to participating hosts 5...

Page 480: ...gured as a member of the MVR VLAN If so configured its MVR status will be inactive One or more interfaces may be configured as MVR source ports A source port is able to both receive and send data for...

Page 481: ...tic Multicast Groups to Interfaces on page 482 Non MVR An interface that does not participate in the MVR VLAN This is the default type Oper Status Shows the link status MVR Status Shows the MVR status...

Page 482: ...vlan group on page 928 PARAMETERS These parameters are displayed Port Port identifier VLAN VLAN identifier Group IP Address Defines a multicast service sent to the selected port Multicast groups must...

Page 483: ...to display this information Figure 299 Showing the Static MVR Groups Assigned to a Port DISPLAYING MVR RECEIVER GROUPS Use the Multicast MVR Show Member page to display the interfaces assigned to the...

Page 484: ...ticast services provided through the MVR VLAN Also shows the VLAN through which the service is received Note that this may be different from the MVR VLAN if the group address has been statically assig...

Page 485: ...P Commands on page 569 Remote Monitoring Commands on page 589 Authentication Commands on page 597 General Security Measures on page 651 Access Control Lists on page 697 Interface Commands on page 719...

Page 486: ...Service Commands on page 877 Multicast Filtering Commands on page 895 LLDP Commands on page 933 CFM Commands on page 957 OAM Commands on page 1001 Domain Name Service Commands on page 1011 DHCP Comman...

Page 487: ...nsole prompt enter the user name and password The default user names are admin and guest with corresponding passwords of admin and guest When the administrator user name and password is entered the CL...

Page 488: ...54 Console config If your corporate network is connected to another network outside your office or to the Internet you need to apply for a registered IP address However if you are attached to an isola...

Page 489: ...h command in the required order For example to enable Privileged Exec command mode and display the startup configuration enter Console enable Console show startup config To enter commands that require...

Page 490: ...r Display cluster dns DNS information dot1q tunnel dot1q tunnel dot1x 802 1X content efm Ethernet First Mile feature erps Displays ERPS configuration ethernet Specifies the ethernet garp GARP properti...

Page 491: ...e show interfaces brief Shows brief interface description counters Interface counters information protocol vlan Protocol VLAN information status Shows interface status switchport Shows interface switc...

Page 492: ...prompt to display a list of the commands available for the current mode The command classes and associated modes are displayed in the following table EXEC COMMANDS When you open a new console session...

Page 493: ...e use the copy running config startup config command The configuration commands are organized into different modes Global Configuration These commands modify the system level configuration and include...

Page 494: ...commands Console configure Console config To enter the other modes at the configuration prompt type one of the following commands Use the exit or end command to return to the Privileged Exec mode Tab...

Page 495: ...for command line processing Table 37 Keystroke Commands Keystroke Function Ctrl A Shifts cursor to start of command line Ctrl B Shifts cursor to the left one character Ctrl C Terminates the current ta...

Page 496: ...HCP requests and replies and discarding invalid ARP responses 651 Access Control List Provides filtering for IPv4 frames based on address protocol TCP UDP port number or TCP control code IPv6 frames b...

Page 497: ...ering Configures IGMP multicast filtering query profile and proxy parameters specifies ports attached to a multicast router also configures multicast VLAN registration 895 Link Layer Discovery Protoco...

Page 498: ...CHAPTER 19 Using the Command Line Interface CLI Command Groups 498...

Page 499: ...arts the system at a specified time after a specified delay or at a periodic interval GC enable Activates privileged mode NE quit Exits a CLI session NE PE show history Shows the command history buffe...

Page 500: ...hich to reload Range 0 23 minute The minute at which to reload Range 0 59 month The month at which to reload january december day The day of the month at which to reload Range 1 31 year The year at wh...

Page 501: ...e you sure to reboot the system at the specified time y n enable This command activates Privileged Exec mode In privileged mode additional commands are available and certain commands display additiona...

Page 502: ...Exec COMMAND USAGE The quit and exit commands can both exit the configuration program EXAMPLE This example shows how to quit a CLI session Console quit Press ENTER to start session User Access Verific...

Page 503: ...tory buffer when you are in any of the configuration modes In this example the 2 command repeats the second command in the Execution history buffer config Console 2 Console config Console config confi...

Page 504: ...ed to the end of the prompt to indicate that the system is in normal access mode EXAMPLE Console disable Console RELATED COMMANDS enable 501 reload Privileged Exec This command restarts the system NOT...

Page 505: ...ays 0 hours 29 minutes 52 seconds Console end This command returns to Privileged Exec mode DEFAULT SETTING None COMMAND MODE Global Configuration Interface Configuration Line Configuration VLAN Databa...

Page 506: ...EXAMPLE This example shows how to return to the Privileged Exec mode from the Global Configuration mode and then quit the CLI session Console config exit Console exit Press ENTER to start session Use...

Page 507: ...version information Frame Size Enables support for jumbo frames File Management Manages code image or switch configuration files Line Sets communication parameters for the serial port including baud...

Page 508: ...is automatically displayed before login as soon as a console or telnet connection has been established Table 42 Banner Commands Command Function Mode banner configure Configures the banner informatio...

Page 509: ...rted If for example a mistake is made in the company name it can be corrected with the banner configure company command EXAMPLE Console config banner configure Company EdgeCore Networks Responsible de...

Page 510: ...e company information displayed in the banner Use the no form to remove the company name from the banner display SYNTAX banner configure company name no banner configure company name The name of the c...

Page 511: ...COMMAND MODE Global Configuration COMMAND USAGE Input strings cannot contain spaces The banner configure dc power info command interprets spaces as data input boundaries The use of underscores _ or o...

Page 512: ...YNTAX banner configure equipment info manufacturer id mfr id floor floor id row row id rack rack id shelf rack sr id manufacturer mfr name no banner configure equipment info floor manufacturer manufac...

Page 513: ...None COMMAND MODE Global Configuration COMMAND USAGE Input strings cannot contain spaces The banner configure equipment location command interprets spaces as data input boundaries The use of undersco...

Page 514: ...igure lp number This command is used to configure the LP number information displayed in the banner Use the no form to restore the default setting SYNTAX banner configure lp number lp num no banner co...

Page 515: ...mber The phone number of the third manager Maximum length of each parameter 32 characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE Input strings cannot contain spaces The b...

Page 516: ...e no form to restore the default setting SYNTAX banner configure note note info no banner configure note note info Miscellaneous information that does not fit the other banner categories or any other...

Page 517: ...section describes commands used to display system information Table 43 System Status Commands Command Function Mode show access list tcam utilization Shows utilization parameters for TCAM PE show memo...

Page 518: ...r traps For example when binding an ACL to a port each rule in an ACL will use two PCEs and when setting an IP Source Guard filter rule for a port the system will also use two PCEs EXAMPLE Console sho...

Page 519: ...keyword to display configuration data for the specified interface Use this command in conjunction with the show startup config command to compare the information in running memory to the information s...

Page 520: ...l 15 7 1b3231655cebb7a1f783eddf27d254ca vlan database VLAN 1 name DefaultVlan media ethernet state active VLAN 4093 media ethernet state active spanning tree mst configuration interface ethernet 1 1 s...

Page 521: ...r the console port and Telnet EXAMPLE Refer to the example for the running configuration file RELATED COMMANDS show running config 519 show system This command displays system information DEFAULT SETT...

Page 522: ...program EXAMPLE Console show tech support show system System Description ES3510MA DC System OID String 1 3 6 1 4 1 259 10 1 17 System Information System Up Time 0 days 2 hours 17 minutes and 6 23 seco...

Page 523: ...168 1 19 admin 0 00 00 Console show version This command displays hardware and software version information for the system COMMAND MODE Normal Exec Privileged Exec COMMAND USAGE See Displaying Hardwa...

Page 524: ...es that run only up to 1 5 KB using jumbo frames significantly reduces the per packet overhead required to process protocol encapsulation fields To use jumbo frames both the source and destination end...

Page 525: ...er downloaded to restore switch settings The configuration file can be downloaded under a new file name and then set as the startup file or the current startup configuration file can be specified as t...

Page 526: ...g Configuration file opcode Run time operation code filename Name of configuration file or code image The colon is required DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE A colon...

Page 527: ...certificate Keyword that allows you to copy the HTTPS secure site certificate public key Keyword that allows you to copy a SSH key from a TFTP server See Secure Shell on page 623 running config Keywor...

Page 528: ...the default user name EXAMPLE The following example shows how to download new firmware from a TFTP server Console copy tftp file TFTP server ip address 10 1 0 19 Choose file type 1 config 2 opcode 1...

Page 529: ...certificate Source private file name SS private Private password Success Console reload System will be restarted continue y n y This example shows how to copy a public key used by SSH from an TFTP se...

Page 530: ...LE This example shows how to delete the test2 cfg configuration file from flash memory Console delete test2 cfg Console RELATED COMMANDS dir 530 delete public key 628 dir This command displays a list...

Page 531: ...cfg Config N 2009 12 16 08 44 35 455 startup1 cfg Config Y 2010 10 29 12 09 47 1716 Free space for compressed user config files 1052672 Console whichboot This command displays which files were booted...

Page 532: ...d is used to enable or disable automatic upgrade of the operational code When the switch starts up and automatic image upgrade is enabled by this command the switch will follow these steps when it boo...

Page 533: ...mand specifies an TFTP server and directory in which the new opcode is stored Use the no form of this command to clear the current setting SYNTAX upgrade opcode path opcode dir url no upgrade opcode p...

Page 534: ...r If the user name is omitted Anonymous will be used for the connection If the password is omitted a null string will be used for the connection EXAMPLE This shows how to specify a TFTP server where n...

Page 535: ...tion method to local console Telnet or SSH connections LC databits Sets the number of data bits per character that are interpreted and generated by hardware LC exec timeout Sets the interval that the...

Page 536: ...ommand sets the number of data bits per character that are interpreted and generated by the console port Use the no form to restore the default value SYNTAX databits 7 8 no databits 7 Seven data bits...

Page 537: ...he timeout interval the session is kept open otherwise the session is terminated This command applies to both the local console and Telnet connections The timeout for Telnet cannot be disabled Using t...

Page 538: ...ment interface starts in Normal Exec NE or Privileged Exec PE mode depending on the user s privilege level 0 or 15 respectively no login selects no authentication When using this method the management...

Page 539: ...th 32 characters plain text or encrypted case sensitive DEFAULT SETTING No password is specified COMMAND MODE Line Configuration COMMAND USAGE When a connection is started on a line with password prot...

Page 540: ...f allowed password attempts Range 1 120 0 no threshold DEFAULT SETTING The default value is three attempts COMMAND MODE Line Configuration COMMAND USAGE When the logon attempt threshold is reached the...

Page 541: ...Line Configuration EXAMPLE To set the silent time to 60 seconds enter this command Console config line silent time 60 Console config line RELATED COMMANDS password thresh 540 speed This command sets t...

Page 542: ...2 no stopbits 1 One stop bit 2 Two stop bits DEFAULT SETTING 1 stop bit COMMAND MODE Line Configuration EXAMPLE To specify 2 stop bits enter this command Console config line stopbits 2 Console config...

Page 543: ...o set the timeout to two minutes enter this command Console config line timeout login response 120 Console config line disconnect This command terminates an SSH Telnet or console connection SYNTAX dis...

Page 544: ...out Disabled Silent Time Disabled Baud Rate Auto Data Bits 8 Parity None Stop Bits 1 VTY Configuration Password Threshold 3 times Inactive Timeout 600 seconds Login Timeout 300 sec Silent Time Disable...

Page 545: ...uration COMMAND USAGE The command specifies the facility type tag sent in syslog messages See RFC 3164 This type has no effect on the kind of messages reported by the switch However it may be used by...

Page 546: ...ash errors level 3 0 RAM debugging level 7 0 COMMAND MODE Global Configuration COMMAND USAGE The message level specified for flash memory must be a higher priority i e numerically lower than that spec...

Page 547: ...s five EXAMPLE Console config logging host 10 1 0 3 Console config logging on This command controls logging of error messages sending debug or error messages to a logging process The no form disables...

Page 548: ...le on page 546 Messages sent include the selected level through level 0 DEFAULT SETTING Disabled Level 7 COMMAND MODE Global Configuration COMMAND USAGE Using this command with a specified level enabl...

Page 549: ...NG None COMMAND MODE Privileged Exec COMMAND USAGE All log messages are retained in RAM and Flash after a warm restart i e power is reset through the command interface All log messages are retained in...

Page 550: ...ging is enabled the message level for flash memory is errors i e default level 3 0 and the message level for RAM is debugging i e default level 7 0 Console show logging flash Syslog logging Enabled Hi...

Page 551: ...he logging trap command REMOTELOG facility type The facility type for remote logging of syslog messages as specified in the logging facility command REMOTELOG level type The severity threshold for sys...

Page 552: ...g DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE You can specify up to three SMTP servers for event handing However you must enter a separate command to specify each server To se...

Page 553: ...D MODE Global Configuration COMMAND USAGE The specified level indicates an event threshold All events at this level or higher will be sent to the configured email recipients For example using Level 7...

Page 554: ...e default value SYNTAX logging sendmail source email email address no logging sendmail source email email address The source email address used in alert messages Range 1 41 characters DEFAULT SETTING...

Page 555: ...ommand enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp server command Use the no form to disable SNTP client requests SYNTAX no sntp client...

Page 556: ...rver 10 1 0 19 Console config sntp poll 60 Console config sntp client Console config end Console show sntp Current Time Dec 23 02 52 44 2002 Poll Interval 60 Current Mode unicast SNTP Status Enabled S...

Page 557: ...d specifies time servers from which the switch will poll for time updates when set to SNTP client mode The client will poll the time servers in the order specified until a response is received It issu...

Page 558: ...s before UTC 0 13 hours after UTC minutes Number of minutes before after UTC Range 0 59 minutes before utc Sets the local time zone before east of UTC after utc Sets the local time zone after west of...

Page 559: ...Range 1 31 month january february march april may june july august september october november december year Year 4 digit Range 2001 2100 DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE...

Page 560: ...1 30 characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE This command sets a time range for use by other functions such as Access Control Lists EXAMPLE Console config time...

Page 561: ...e Range Configuration COMMAND USAGE If a time range is already configured you must use the no form of this command to remove the current entry prior to configuring a new time range EXAMPLE This exampl...

Page 562: ...le configures a time range for the periodic occurrence of an event Console config time range sales Console config time range periodic daily 1 1 to 2 1 Console config time range show time range This co...

Page 563: ...Candidates or active Members through VLAN 4093 Once a switch has been configured to be a cluster Commander it automatically discovers other cluster enabled switches in the network These Candidate swit...

Page 564: ...k Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander Switch clusters are limited to the same Ethernet broad...

Page 565: ...pool ip address no cluster ip pool ip address The base IP address for IP addresses assigned to cluster Members The IP address must start 10 x x x DEFAULT SETTING 10 254 254 1 COMMAND MODE Global Confi...

Page 566: ...tion COMMAND USAGE The maximum number of cluster Members is 36 The maximum number of cluster Candidates is 100 EXAMPLE Console config cluster member mac address 00 12 34 56 78 9a id 5 Console config r...

Page 567: ...OMMAND MODE Privileged Exec EXAMPLE Console show cluster Role commander Interval Heartbeat 30 Heartbeat Loss Count 3 seconds Number of Members 1 Number of Candidates 2 Console show cluster members Thi...

Page 568: ...tes This command shows the discovered Candidate switches in the network COMMAND MODE Privileged Exec EXAMPLE Console show cluster candidates Cluster Candidates Role MAC Address Description Active memb...

Page 569: ...Command Function Mode General SNMP Commands snmp server Enables the SNMP agent GC snmp server community Sets up the community access string to permit access to SNMP commands GC snmp server contact Se...

Page 570: ...ast control apply Sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires IC Port snmp server enable port traps atc broadcast control re...

Page 571: ...ations are only able to retrieve MIB objects rw Specifies read write access Authorized management stations are able to both retrieve and modify MIB objects DEFAULT SETTING public Read only access Auth...

Page 572: ...ocation Maximum length 255 characters DEFAULT SETTING None COMMAND MODE Global Configuration EXAMPLE Console config snmp server location WC 19 Console config RELATED COMMANDS snmp server contact 571 s...

Page 573: ...s 0 General errors 0 Response PDUs 0 Trap PDUs SNMP Logging Disabled Console snmp server enable traps This command enables this device to send Simple Network Management Protocol traps or informs i e S...

Page 574: ...r host This command specifies the recipient of a Simple Network Management Protocol notification operation Use the no form to remove the specified host SYNTAX snmp server host host addr inform retry r...

Page 575: ...host The snmp server host command is used in conjunction with the snmp server enable traps command Use the snmp server enable traps command to enable the sending of traps or informs and to specify whi...

Page 576: ...5 Allow the switch to send SNMP traps i e notifications page 573 6 Specify the target host that will receive inform messages with the snmp server host command as described in this section The switch c...

Page 577: ...authenticating and encrypting SNMPv3 packets A remote engine ID is required when using SNMPv3 informs See the snmp server host command The remote engine ID is used to compute the security digest for...

Page 578: ...the view for write access 1 32 characters notifyview Defines the view for notifications 1 32 characters DEFAULT SETTING Default groups public6 read only private7 read write readview Every object belon...

Page 579: ...device ip address The Internet address of the remote device v1 v2c v3 Use SNMP version 1 2c or 3 encrypted Accepts the password as encrypted input auth Uses SNMPv3 with authentication md5 sha Uses MD5...

Page 580: ...er will fail SNMP passwords are localized using the engine ID of the authoritative agent For informs the authoritative SNMP agent is the remote agent You therefore need to configure the remote agent s...

Page 581: ...nfig This view includes the MIB 2 interfaces table and the mask selects all index entries Console config snmp server view ifEntry a 1 3 6 1 2 1 2 2 1 1 included Console config show snmp engine id This...

Page 582: ...tile Row Status active Group Name public Security Model v2c Read View defaultview Write View none Notify View none Storage Type volatile Row Status active Group Name private Security Model v1 Read Vie...

Page 583: ...eld Description groupname Name of an SNMP group security model The SNMP version readview The associated read view writeview The associated write view notifyview The associated notify view storage type...

Page 584: ...n log SYNTAX no nlm filter name filter name Notification log name Range 1 32 characters DEFAULT SETTING Enabled COMMAND MODE Global Configuration COMMAND USAGE Notification logging is enabled by defau...

Page 585: ...rameter is only required to complete mandatory fields in the SNMP Notification MIB DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE Systems that support SNMP often need a mechanism...

Page 586: ...contain up to 256 entries and the entry aging time is 1440 minutes Information recorded in a notification log and the entry aging time can only be configured using SNMP from a network management stat...

Page 587: ...s command displays the configured notification logs COMMAND MODE Privileged Exec EXAMPLE This example displays the configured notification logs and associated target hosts Console show snmp notify fil...

Page 588: ...CHAPTER 22 SNMP Commands 588...

Page 589: ...Event and Alarm groups When RMON is enabled the system gradually builds up information about its physical interfaces storing this information in the relevant RMON database group A management agent the...

Page 590: ...alue and the difference is then compared to the thresholds threshold An alarm threshold for the sampled variable Range 0 2147483647 event index The index of the event to use if an alarm is triggered I...

Page 591: ...ndex index Index to this entry Range 1 65535 log Generates an RMON log entry when the event is triggered Log messages are processed based on the current configuration settings for event logging see Ev...

Page 592: ...The number of buckets requested for this entry Range 1 65536 seconds The polling interval Range 1 3600 seconds name Name of the person who created this entry Range 1 127 characters DEFAULT SETTING 1...

Page 593: ...nge 1 127 characters DEFAULT SETTING Enabled COMMAND MODE Interface Configuration Ethernet COMMAND USAGE By default each index number equates to a port on the switch but can be changed to any number n...

Page 594: ...id owned by mike Description is urgent Event firing causes log and trap to community last fired 00 00 00 Console show rmon history This command shows the sampling parameters configured for each entry...

Page 595: ...tistics Interface 1 is valid and owned by Monitors 1 3 6 1 2 1 2 2 1 1 1 which has Received 164289 octets 2372 packets 120 broadcast and 2211 multicast packets 0 undersized and 0 oversized packets 0 f...

Page 596: ...CHAPTER 23 Remote Monitoring Commands 596...

Page 597: ...thentication Commands Command Group Function User Accounts Configures the basic user names and passwords for management access Authentication Sequence Defines logon authentication method and precedenc...

Page 598: ...l Maximum length 32 characters plain text or encrypted case sensitive DEFAULT SETTING The default is level 15 The default password is super COMMAND MODE Global Configuration COMMAND USAGE You cannot s...

Page 599: ...crypted password password password The authentication password for the user Maximum length 32 characters plain text or encrypted case sensitive DEFAULT SETTING The default access level is Normal Exec...

Page 600: ...fers a connection oriented transport Also note that RADIUS encrypts only the password in the access request packet from the client to the server while TACACS encrypts the entire body of the packet RAD...

Page 601: ...connection oriented transport Also note that RADIUS encrypts only the password in the access request packet from the client to the server while TACACS encrypts the entire body of the packet RADIUS and...

Page 602: ...ting messages Use the no form to restore the default SYNTAX radius server acct port port number no radius server acct port port number RADIUS server UDP port used for accounting messages Range 1 65535...

Page 603: ...restore the default values SYNTAX no radius server index host host ip address acct port acct_port auth port auth port key key retransmit retransmit timeout timeout index Allows you to specify up to f...

Page 604: ...erver key key string no radius server key key string Encryption key used to authenticate logon access for client Do not use blank spaces in the string Maximum length 48 characters DEFAULT SETTING None...

Page 605: ...imeout number of seconds no radius server timeout number of seconds Number of seconds the switch waits for a reply before resending a request Range 1 65535 DEFAULT SETTING 5 COMMAND MODE Global Config...

Page 606: ...e management access to a switch tacacs server host This command specifies the TACACS server and other optional parameters Use the no form to remove the server or to restore the default values SYNTAX t...

Page 607: ...on EXAMPLE Console config tacacs server host 192 168 1 25 Console config tacacs server key This command sets the TACACS encryption key Use the no form to restore the default SYNTAX tacacs server key k...

Page 608: ...tacacs server port 181 Console config show tacacs server This command displays the current settings for the TACACS server DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console show tacacs...

Page 609: ...nge 1 255 characters start stop Records accounting from starting point and stopping point Table 68 AAA Commands Command Function Mode aaa accounting commands Enables accounting of Exec mode commands G...

Page 610: ...nting method s configured on the specified TACACS server and do not actually send any information to the server about the methods to use EXAMPLE Console config aaa accounting commands 15 default start...

Page 611: ...counting method s configured on the specified RADIUS or TACACS servers and do not actually send any information to the servers about the methods to use EXAMPLE Console config aaa accounting dot1x defa...

Page 612: ...ethod name fields are only used to describe the accounting method s configured on the specified RADIUS or TACACS servers and do not actually send any information to the servers about the methods to us...

Page 613: ...255 characters group Specifies the server group to use tacacs Specifies all TACACS hosts configured with the tacacs server host command server group Specifies the name of a server group configured wit...

Page 614: ...XAMPLE Console config aaa group server radius tps Console config sg radius server This command adds a security server to an AAA server group Use the no form to remove the associated server from the gr...

Page 615: ...list name Specifies a method list created with the aaa accounting dot1x command DEFAULT SETTING None COMMAND MODE Interface Configuration EXAMPLE Console config interface ethernet 1 2 Console config i...

Page 616: ...name Specifies a method list created with the aaa authorization exec command DEFAULT SETTING None COMMAND MODE Line Configuration EXAMPLE Console config line console Console config line authorization...

Page 617: ...Eth 1 1 Method List tps Group List radius Interface Eth 1 2 Accounting Type EXEC Method List default Group List tacacs Interface vty Console WEB SERVER This section describes commands used to configur...

Page 618: ...nge 1 65535 DEFAULT SETTING 80 COMMAND MODE Global Configuration EXAMPLE Console config ip http port 769 Console config RELATED COMMANDS ip http server 618 show system 521 ip http server This command...

Page 619: ...tablished in this way The client authenticates the server using the server s digital certificate The client and server negotiate a set of security protocols to use for the connection The client and se...

Page 620: ...S connection to the switch s web interface Use the no form to restore the default port SYNTAX ip http secure port port_number no ip http secure port port_number The UDP port used for HTTPS Range 1 655...

Page 621: ...ip telnet max sessions session count The maximum number of allowed Telnet session Range 0 8 DEFAULT SETTING 4 sessions COMMAND MODE Global Configuration COMMAND USAGE A maximum of eight sessions can...

Page 622: ...CP port number to be used by the browser interface Range 1 65535 DEFAULT SETTING 23 COMMAND MODE Global Configuration EXAMPLE Console config ip telnet port 123 Console config ip telnet server This com...

Page 623: ...authentication retries Specifies the number of retries allowed by a client GC ip ssh server Enables the SSH server on the switch GC ip ssh server key size Sets the SSH server key size GC ip ssh timeo...

Page 624: ...ts file would appear similar to the following example 10 1 0 54 1024 35 15684995401867669259333946775054617325313674890836547254 15020245593199868544358361651999923329781766065830956 10825913212890233...

Page 625: ...nts that have a private key corresponding to the public keys stored on the switch can access it The following exchanges take place during this process Authenticating SSH v1 5 Clients a The client send...

Page 626: ...sing any configured IPv4 or IPv6 interface address on the switch ip ssh authentication retries This command configures the number of times the SSH server attempts to reauthenticate a user Use the no f...

Page 627: ...ling the SSH server EXAMPLE Console ip ssh crypto host key generate dsa Console configure Console config ip ssh server Console config RELATED COMMANDS ip ssh crypto host key generate 629 show ssh 632...

Page 628: ...e switch will wait for a response from the client during the SSH negotiation phase Once an SSH session has been established the timeout for user input is controlled by the exec timeout command for vty...

Page 629: ...v1 5 clients and DSA Version 2 for SSHv2 clients This command stores the host key pair in memory i e RAM Use the ip ssh save host key command to save the host key pair to flash memory Some SSH client...

Page 630: ...emory RAM Use the no ip ssh save host key command to clear the host key from flash memory The SSH server must be disabled before you can execute this command EXAMPLE Console ip ssh crypto zeroize dsa...

Page 631: ...leged Exec COMMAND USAGE If no parameters are entered all keys are displayed If the user keyword is entered but no user name is specified then the public keys for all users are displayed When an RSA k...

Page 632: ...27s6TLdtny1wRq ow2eTCD5nekAAACBAJ8rMccXTxHLFAczWS7EjOy DbsloBfPuSAb4oAsyjKXKVYNLQkTLZfcFRu41bS2KV5LAwecsigF DjKGWtPNIQqabKgYCw2 o dVzX4Gg yqdTlYmGA7fHGm8ARGeiG4ssFKy4Z6DmYPXFum1Yg0fhLwuHpOSKdxT3kk475S...

Page 633: ...osts on an dot1x port IC dot1x port control Sets dot1x mode for a port interface IC dot1x re authentication Enables re authentication for all ports IC dot1x timeout quiet period Sets the time that a s...

Page 634: ...g as intermediate node in the network and does not need to perform dot1x authentication the dot1x eapol pass through command can be used to forward EAPOL frames from other switches on to the authentic...

Page 635: ...t1x system auth control Console config dot1x intrusion action This command sets the port s response to a failed authentication either to block all traffic or to assign all traffic for the port to a gu...

Page 636: ...ole config if dot1x max req 2 Console config if dot1x operation mode This command allows hosts clients to connect to an 802 1X authorized port Use the no form with no keywords to restore the default t...

Page 637: ...ss to a port operating in this mode is limited only by the available space in the secure address table i e up to 1024 addresses EXAMPLE Console config interface eth 1 2 Console config if dot1x operati...

Page 638: ...the process is handled transparently by the dot1x client software Only if re authentication fails is the port blocked The connected client is re authenticated after the interval specified by the dot1x...

Page 639: ...t1x timeout re authperiod seconds The number of seconds Range 1 65535 DEFAULT 3600 seconds COMMAND MODE Interface Configuration EXAMPLE Console config interface eth 1 2 Console config if dot1x timeout...

Page 640: ...erface eth 1 2 Console config if dot1x timeout supp timeout 300 Console config if dot1x timeout tx period This command sets the time that an interface on the switch waits during an authentication sess...

Page 641: ...s SYNTAX dot1x identity profile username username password password no dot1x identity profile username password username Specifies the supplicant user name Range 1 8 characters password Specifies the...

Page 642: ...icant mode on a port SYNTAX no dot1x pae supplicant DEFAULT Disabled COMMAND MODE Interface Configuration COMMAND USAGE When devices attached to a port must submit requests to another authenticator on...

Page 643: ...dot1x timeout auth period seconds The number of seconds Range 1 65535 DEFAULT 30 seconds COMMAND MODE Interface Configuration COMMAND USAGE This command sets the time that the supplicant waits for a...

Page 644: ...NTAX dot1x timeout start period seconds no dot1x timeout start period seconds The number of seconds Range 1 65535 DEFAULT 30 seconds COMMAND MODE Interface Configuration EXAMPLE Console config interfa...

Page 645: ...re authentication page 638 Reauth Period Time after which a connected client must be re authenticated page 639 Quiet Period Time a port waits after Max Request Count is exceeded before attempting to...

Page 646: ...t1x Global 802 1X Parameters System Auth Control Enabled Authenticator Parameters EAPOL Pass Through Disabled Supplicant Parameters Identity Profile Username steve 802 1X Port Summary Port Type Operat...

Page 647: ...protocols Use the no form to restore the default setting SYNTAX no management all client http client snmp client telnet client start address end address all client Adds IP address es to all groups htt...

Page 648: ...address ranges You cannot delete an individual address from a specified range You must delete the entire range and reenter the addresses You can delete an address range just by specifying the start a...

Page 649: ...Filter HTTP Client Start IP address End IP address 1 192 168 1 19 192 168 1 19 2 192 168 1 25 192 168 1 30 SNMP Client Start IP address End IP address 1 192 168 1 19 192 168 1 19 2 192 168 1 25 192 16...

Page 650: ...CHAPTER 24 Authentication Commands Management IP Filter 650...

Page 651: ...y of execution for these filtering commands is Port Security Port Authentication Network Access Web Authentication Access Control Lists DHCP Snooping and then IP Source Guard Configures secure address...

Page 652: ...configures port security Use the no form without any keywords to disable port security Use the no form with the appropriate keyword to restore the default settings for a response to security violation...

Page 653: ...t The specified maximum address count is effective when port security is enabled or disabled Use the no port security max mac count command to disable port security and reset the maximum number of add...

Page 654: ...network access link detection Enables the link detection feature IC network access link detection link down Configures the link detection feature to detect and act upon link down events IC network acc...

Page 655: ...ured by the MAC Address Authentication process described in this section as well as to any secure MAC addresses authenticated by 802 1X regardless of the 802 1X Operation Mode Single Host Multi Host o...

Page 656: ...g network access mac filter 1 mac address 11 22 33 44 55 66 Console config mac authentication reauth time Use this command to set the time period after which a connected MAC address must be re authent...

Page 657: ...on for the port When a user attempts to log into the network with a returned dynamic QoS profile that is different from users already logged on to the same port the user is denied access While a port...

Page 658: ...ing the VLANs have already been created on the switch GVRP is not used to create the VLANs The VLAN settings specified by the first authenticated MAC address are implemented for a port Other authentic...

Page 659: ...t VLAN must be defined and set as active See the vlan database command When used with 802 1X authentication the intrusion action must be set for guest vlan to be effective see the dot1x intrusion acti...

Page 660: ...isable the port DEFAULT SETTING Disabled COMMAND MODE Interface Configuration EXAMPLE Console config interface ethernet 1 1 Console config if network access link detection link down action trap Consol...

Page 661: ...onse to take when port security is violated shutdown Disable port only trap Issue SNMP trap message only trap and shutdown Issue SNMP trap message and disable the port DEFAULT SETTING Disabled COMMAND...

Page 662: ...en enabled on a port the authentication process sends a Password Authentication Protocol PAP request to a configured RADIUS server The user name and password are both equal to the MAC address being au...

Page 663: ...ype attribute set to 802 EXAMPLE Console config if network access mode mac authentication Console config if network access port mac filter Use this command to enable the specified MAC address filter U...

Page 664: ...e Con figuration EXAMPLE Console config if mac authentication intrusion action block traffic Console config if mac authentication max mac count Use this command to set the maximum number of MAC addres...

Page 665: ...xx xx xx xx xx xx interface Specifies a port interface ethernet unit port unit This is unit 1 port Port number Range 1 10 DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console clear netwo...

Page 666: ...ce interface sort address interface static Specifies static address entries dynamic Specifies dynamic address entries mac address Specifies a MAC address entry Format xx xx xx xx xx xx mask Specifies...

Page 667: ...MODE Privileged Exec EXAMPLE Consoleshow network access mac filter Filter ID MAC Address MAC Mask 1 00 00 01 02 03 08 FF FF FF FF FF FF Console WEB AUTHENTICATION Web authentication allows stations t...

Page 668: ...eb auth login attempts Defines the limit for failed web authentication login attempts GC web auth quiet period Defines the amount of time to wait after the limit for failed login attempts is exceeded...

Page 669: ...ation again Range 1 180 seconds DEFAULT SETTING 60 seconds COMMAND MODE Global Configuration EXAMPLE Console config web auth quiet period 120 Console config web auth session timeout This command defin...

Page 670: ...system auth control for the switch and web auth for an interface must be enabled for the web authentication feature to be active EXAMPLE Console config web auth system auth control Console config web...

Page 671: ...ged Exec EXAMPLE Console web auth re authenticate interface ethernet 1 2 Failed to reauth Console web auth re authenticate IP This command ends the web authentication session associated with the desig...

Page 672: ...mpts 3 Console show web auth interface This command displays interface specific web authentication parameters and statistics SYNTAX show web auth interface interface interface Specifies a port interfa...

Page 673: ...on Mode ip dhcp snooping Enables DHCP snooping globally GC ip dhcp snooping database flash Writes all dynamically learned snooping entries to flash memory GC ip dhcp snooping information option Enable...

Page 674: ...tered based upon dynamic entries learned via DHCP snooping Table entries are only learned for trusted interfaces Each entry includes a MAC address IP address lease time VLAN identifier and port identi...

Page 675: ...trusted ports in the same VLAN If a DHCP packet is from server is received on a trusted port it will be forwarded to both trusted and untrusted ports in the same VLAN If the DHCP snooping is globally...

Page 676: ...e remote id when Option 82 information is generated by the switch Use the no form without any keywords to disable this function or the no form with the remote id keyword to set the remote ID to the sw...

Page 677: ...server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN DHCP snooping must be enabled for the DHCP Option 82 information to b...

Page 678: ...Global Configuration COMMAND USAGE When the switch receives DHCP packets from clients that already include DHCP Option 82 information the switch can be configured to set the action policy for these p...

Page 679: ...en DHCP snooping enabled globally using the ip dhcp snooping command and enabled on a VLAN with this command DHCP packet filtering will be performed on any untrusted ports within the VLAN as specified...

Page 680: ...nd all other ports outside the local network or fire wall to untrusted When DHCP snooping ia enabled globally using the ip dhcp snooping command and enabled on a VLAN with ip dhcp snooping vlan comman...

Page 681: ...sole show ip dhcp snooping Global DHCP Snooping status disable DHCP Snooping Information Option Status disable DHCP Snooping Information Policy replace DHCP Snooping is configured on the following VLA...

Page 682: ...ss interface ethernet unit port no ip source guard binding mac address vlan vlan id mac address A valid unicast MAC address vlan id ID of a configured VLAN Range 1 4093 ip address A valid unicast IP a...

Page 683: ...there is no entry with same VLAN ID and MAC address a new entry is added to binding table using the type of static IP source guard binding If there is an entry with same VLAN ID and MAC address and th...

Page 684: ...d port Use the sip option to check the VLAN ID source IP address and port number against all entries in the binding table Use the sip mac option to check these same parameters plus the source MAC addr...

Page 685: ...ard if enabled on an interface for which IP source bindings dynamically learned via DHCP snooping or manually configured are not yet configured the switch will drop all IP traffic on that port except...

Page 686: ...nding 1 Console config if show ip source guard This command shows whether source guard is enabled or disabled on each interface COMMAND MODE Privileged Exec EXAMPLE Console show ip source guard Interf...

Page 687: ...hosts with statically configured IP addresses This section describes commands used to configure ARP Inspection Table 83 ARP Inspection Commands Command Function Mode ip arp inspection Enables ARP Ins...

Page 688: ...ction is enabled When ARP Inspection is disabled all ARP request and reply packets bypass the ARP Inspection engine and their manner of switching matches that of all other packets Disabling and then r...

Page 689: ...not checked DEFAULT SETTING ARP ACLs are not bound to any VLAN Static mode is not enabled COMMAND MODE Global Configuration COMMAND USAGE ARP ACLs are configured with the commands described on page 32...

Page 690: ...ogging is active for ARP Inspection and cannot be disabled When the switch drops a packet it places an entry in the log buffer Each entry contains flow information such as the receiving VLAN the port...

Page 691: ...e target IP addresses are checked only in ARP responses src mac Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body This check is performed on both ARP...

Page 692: ...ine and their manner of switching matches that of all other packets Disabling and then re enabling global ARP Inspection will not affect the ARP Inspection configuration for any VLANs When ARP Inspect...

Page 693: ...arp inspection trust This command sets a port as trusted and thus exempted from ARP Inspection Use the no form to restore the default setting SYNTAX no ip arp inspection trust DEFAULT SETTING Untruste...

Page 694: ...ge Interval 10 s Log Message Number 1 Need Additional Validation s Yes Additional Validation Type Destination MAC address Console show ip arp inspection interface This command shows the trust status a...

Page 695: ...st IP Address Src MAC Address Dst MAC Address Console show ip arp inspection statistics ARP packets received before rate limit 150 ARP packets dropped due to rate limt 5 Total ARP packets processed by...

Page 696: ...HAPTER 25 General Security Measures ARP Inspection 696 COMMAND MODE Privileged Exec EXAMPLE Console show ip arp inspection vlan 1 VLAN ID DAI Status ACL Name ACL Status 1 disabled sales static Console...

Page 697: ...Pv4 ACLs Configures ACLs based on IPv4 addresses TCP UDP port number protocol type and TCP control code IPv6 ACLs Configures ACLs based on IPv6 addresses DSCP traffic class or next header MAC ACLs Con...

Page 698: ...her more specific criteria acl name Name of the ACL Maximum length 16 characters no spaces or other special characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE When you cre...

Page 699: ...one COMMAND MODE Standard IPv4 ACL COMMAND USAGE New rules are appended to the end of the list Address bit masks are similar to a subnet mask containing four integers from 0 to 255 each separated by a...

Page 700: ...it deny tcp any source address bitmask host source any destination address bitmask host destination precedence precedence tos tos dscp dscp source port sport bitmask destination port dport port bitmas...

Page 701: ...t mask is bitwise ANDed with the specified source IP address and then compared with the address for each IP packet entering the port s to which this ACL has been assigned You can specify both Preceden...

Page 702: ...0 255 255 255 0 any destination port 80 Console config ext acl This permits all TCP packets from class C addresses 192 168 1 0 with the TCP control code set to SYN Console config ext acl permit tcp 1...

Page 703: ...ccess list 703 Time Range 560 show ip access group This command shows the ports assigned to IP ACLs COMMAND MODE Privileged Exec EXAMPLE Console show ip access group Interface ethernet 1 2 IP access l...

Page 704: ...AX no access list ipv6 standard extended acl name standard Specifies an ACL that filters packets based on the source IP address extended Specifies an ACL that filters packets based on the destination...

Page 705: ...ard IPv6 ACL The rule sets a filter condition for packets emanating from the specified source Use the no form to remove a rule SYNTAX permit deny any host source ipv6 address source ipv6 address prefi...

Page 706: ...ce ipv6 address prefix lengLth any destination ipv6 address prefix length dscp dscp next header next header time range time range name no permit deny any host source ipv6 address source ipv6 address p...

Page 707: ...coded in separate headers that may be placed between the IPv6 header and the upper layer header in a packet There are a small number of such extension headers each identified by a distinct Next Header...

Page 708: ...v6 ACL acl name Name of the ACL Maximum length 16 characters COMMAND MODE Privileged Exec EXAMPLE Console show ipv6 access list standard IPv6 standard access list david permit host 2009 DB9 2229 79 pe...

Page 709: ...with the new one IPv6 ACLs can only be applied to ingress packets EXAMPLE Console config int eth 1 2 Console config if ipv6 access group standard david in Console config if RELATED COMMANDS show ipv6...

Page 710: ...al Configuration COMMAND USAGE When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list To remove a rule use...

Page 711: ...ny host source source address bitmask any host destination destination address bitmask vid vid vid bitmask ethertype protocol protocol bitmask time range time range name no permit deny tagged eth2 any...

Page 712: ...ce MAC address destination Destination MAC address range with bitmask address bitmask10 Bitmask for MAC address in hexadecimal format vid VLAN ID Range 1 4093 vid bitmask10 VLAN bitmask Range 1 4095 p...

Page 713: ...access group acl name in time range time range name acl name Name of the ACL Maximum length 16 characters in Indicates that this list applies to ingress packets time range name Name of the time range...

Page 714: ...list M5 in Console RELATED COMMANDS mac access group 713 show mac access list This command displays the rules for configured MAC ACLs SYNTAX show mac access list acl name acl name Name of the ACL Maxi...

Page 715: ...OMMAND MODE Global Configuration COMMAND USAGE When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list To cr...

Page 716: ...esponse ip any host source ip source ip ip address bitmask any host destination ip destination ip ip address bitmask mac any host source mac source mac mac address bitmask any host destination mac des...

Page 717: ...mac any any Console config mac acl RELATED COMMANDS access list arp 715 show arp access list This command displays the rules for configured ARP ACLs SYNTAX show arp access list acl name acl name Name...

Page 718: ...c EXAMPLE Console show access list IP standard access list david permit host 10 1 1 21 permit 168 92 0 0 255 255 15 0 IP extended access list bob permit 10 7 1 1 255 255 255 0 any permit 192 168 1 0 2...

Page 719: ...terface IC speed duplex Configures the speed and duplex operation of a given interface when autonegotiation is disabled IC switchport packet rate Configures broadcast multicast and unknown unicast sto...

Page 720: ...e is a virtual interface that is always up and can be used to test the functionality of the switch s local IP interfaces including the IP interface of the primary VLAN or the craft port or devices att...

Page 721: ...ple adds an alias to port 4 Console config interface ethernet 1 4 Console config if alias finance Console config if capabilities This command advertises the port capabilities of a given interface duri...

Page 722: ...abled you must manually specify the link attributes with the speed duplex and flowcontrol commands EXAMPLE The following example configures Ethernet port 5 capabilities to include 100half and 100full...

Page 723: ...connection over any 1000BASE T port or trunk Flow control can eliminate frame loss by blocking traffic from end stations or segments connected directly to the switch when its buffers fill When enabled...

Page 724: ...he default mode SYNTAX media type mode no media type mode copper forced Always uses the built in RJ 45 port sfp forced Always uses the SFP port even if module not installed sfp preferred auto Uses SFP...

Page 725: ...ased on the capabilities command When auto negotiation is disabled you must manually specify the link attributes with the speed duplex and flowcontrol commands If auto negotiation is disabled auto MDI...

Page 726: ...n 10full Forces 10 Mbps full duplex operation 10half Forces 10 Mbps half duplex operation DEFAULT SETTING Auto negotiation is enabled by default When auto negotiation is disabled the default speed dup...

Page 727: ...s storm control for multicast traffic unicast Specifies storm control for unknown unicast traffic rate Threshold level as a rate i e kilobits per second Range 64 100000 Kbps for Fast Ethernet ports 64...

Page 728: ...t is therefore not advisable to use both of these commands on the same interface EXAMPLE The following shows how to configure broadcast storm control at 600 kilobits per second Console config interfac...

Page 729: ...h 1 2 Down 1 0 Auto 100TX None Eth 1 3 Down 1 0 Auto 100TX None Eth 1 4 Down 1 0 Auto 100TX None Eth 1 5 Down 1 0 Auto 100TX None Eth 1 6 Down 1 0 Auto 100TX None show interfaces counters This command...

Page 730: ...nsmissions 0 Late Collisions 0 Excessive Collisions 0 Internal Mac Transmit Errors 0 Internal Mac Receive Errors 0 Frames Too Long 0 Carrier Sense Errors 0 Symbol Errors RMON Stats 0 Drop Events 16900...

Page 731: ...aying Connection Status on page 131 EXAMPLE Console show interfaces status ethernet 1 1 Information of Eth 1 1 Basic Information Port Type 100TX MAC Address 00 E0 0C 00 00 FE Configuration Name Port A...

Page 732: ...hold Enabled 500 packets second Multicast Threshold Disabled Unknown Unicast Threshold Disabled LACP Status Disabled Ingress Rate Limit Disabled 1000M bits per second Egress Rate Limit Disabled 1000M...

Page 733: ...mode as Trunk or Hybrid page 836 Ingress Rule Shows if ingress filtering is enabled or disabled page 835 Acceptable Frame Type Shows if acceptable VLAN frames include all types or tagged frames only p...

Page 734: ...e 0x00 Eth Compliance Codes 1000BASE ZX Baud Rate 1300 MBd Vendor OUI 00 00 5F Vendor Name SumitomoElectric Vendor PN SCP6G94 FN BWH Vendor Rev Z Vendor SN SE08T712Z00006 Date Code 10 09 14 DDM Info T...

Page 735: ...d This message is displayed for any Fast Ethernet ports that are linked up or for any Gigabit Ethernet ports linked up at a speed lower than 1000 Mbps Impedance mismatch Terminating impedance is not i...

Page 736: ...nclude Power saving when there is no link partner Under normal operation the switch continuously auto negotiates to find a link partner keeping the MAC interface powered up even if no link connection...

Page 737: ...ng twisted pair cabling Power savings mode on a active link only works when connection speed is 1 Gbps and line length is less than 60 meters EXAMPLE Console config interface ethernet 1 10 Console con...

Page 738: ...CHAPTER 27 Interface Commands 738...

Page 739: ...h ends of a connection must be configured as trunk ports All ports in a trunk must be configured in an identical manner including communication mode i e speed and duplex mode VLAN assignments and CoS...

Page 740: ...thernet Interface used by the interfaces that joined the group However if the port channel admin key is set then the port admin key must be set to the same value for a port to be allowed to join a cha...

Page 741: ...r switch to router trunk links where the destination MAC address is the same for all traffic src dst ip All traffic with the same source and destination IP address is output on the same link in a trun...

Page 742: ...ve a port group from a trunk Use no interface port channel to remove a trunk from the switch EXAMPLE The following example creates trunk 1 and then adds port 10 Console config interface port channel 1...

Page 743: ...terfaces status port channel 1 command shows that Trunk1 has been established Console config interface ethernet 1 1 Console config if lacp Console config if interface ethernet 1 2 Console config if la...

Page 744: ...only allowed to join the same LAG if 1 the LACP system priority matches 2 the LACP port admin key matches and 3 the LACP port channel key matches if configured If the port channel admin key lacp admin...

Page 745: ...indicates a higher effective priority If an active port link goes down the backup port with the highest priority is selected to replace the downed link However if two or more ports have the same LACP...

Page 746: ...switch s MAC address to form the LAG identifier This identifier is used to indicate a specific LAG during LACP negotiations with other systems Once the remote side of a link has been established LACP...

Page 747: ...he interfaces that joined the group Note that when the LAG is no longer used the port channel admin key is reset to 0 EXAMPLE Console config interface port channel 1 Console config if lacp admin key 3...

Page 748: ...his channel group Marker Sent Number of valid Marker PDUs transmitted from this channel group Marker Received Number of valid Marker PDUs received by this channel group LACPDUs Unknown Pkts Number of...

Page 749: ...mation Collecting Collection of incoming frames on this link is enabled i e collection is currently enabled and is not expected to be disabled in the absence of administrative changes or changes in re...

Page 750: ...signed to this aggregation port by the partner Admin Key Current administrative value of the Key for the protocol partner Oper Key Current operational value of the Key for the protocol partner Admin S...

Page 751: ...lan id mac address mac address no port monitor interface interface ethernet unit port source port unit Unit identifier Range 1 port Port number Range 1 10 rx Mirror received packets tx Mirror transmit...

Page 752: ...monitor command to specify the source of the traffic to mirror When mirroring traffic from a port the mirror port and monitor port speeds should match otherwise traffic may be dropped from the monito...

Page 753: ...dress in the form of xx xx xx xx xx xx or xxxxxxxxxxxx DEFAULT SETTING Shows all sessions COMMAND MODE Privileged Exec COMMAND USAGE This command displays the currently configured source port destinat...

Page 754: ...to carry this traffic RSPAN Limitations The following limitations apply to the use of RSPAN on this switch RSPAN Ports Only ports can be configured as an RSPAN source destination or uplink static and...

Page 755: ...be configured to use it Port Security If port security is enabled on any port that port cannot be set as an RSPAN uplink port even though it can still be configured as an RSPAN source or destination...

Page 756: ...ethernet 1 3 Console config rspan destination Use this command to specify the destination port to monitor the mirrored traffic Use the no form to disable RSPAN on the specified port SYNTAX rspan sess...

Page 757: ...r destination and the uplink ports Use the no form to disable the RSPAN on the specified VLAN SYNTAX no rspan session session id remote vlan vlan id source intermediate destination uplink interface se...

Page 758: ...RSPAN VLAN with the switchport allowed vlan command Nor can GVRP dynamically add port members to an RSPAN VLAN Also note that the show vlan command will not display any members for an RSPAN VLAN but...

Page 759: ...ion session id session id A number identifying this RSPAN session Range 1 2 Only two mirror sessions are allowed including both local and remote mirroring If local mirroring is enabled with the port m...

Page 760: ...CHAPTER 29 Port Mirroring Commands RSPAN Mirroring Commands 760...

Page 761: ...disabled SYNTAX rate limit input output rate no rate limit input output input Input rate for specified interface output Output rate for specified interface rate Maximum value in Kbps Range 64 100000 K...

Page 762: ...control command It is therefore not advisable to use both of these commands on the same interface EXAMPLE Console config interface ethernet 1 1 Console config if rate limit input 64 Console config if...

Page 763: ...er expires IC Port auto traffic control auto control release Automatically releases a control response IC Port auto traffic control control release Manually releases a control response IC Port SNMP Tr...

Page 764: ...eneath the lower threshold after a storm control response has been triggered and the release timer expires IC Port ATC Display Commands show auto traffic control Shows global configuration settings fo...

Page 765: ...nable the port FUNCTIONAL LIMITATIONS Automatic storm control is a software level control function Traffic storms can also be controlled at the hardware level using the switchport packet rate command...

Page 766: ...s the time at which to release the control response after ingress traffic has fallen beneath the lower threshold Use the no form to restore the default setting SYNTAX auto traffic control broadcast mu...

Page 767: ...ING Disabled COMMAND MODE Interface Configuration Ethernet COMMAND USAGE Automatic storm control can be enabled for either broadcast or multicast traffic It cannot be enabled for both of these traffic...

Page 768: ...n only be manually re enabled DEFAULT SETTING rate control COMMAND MODE Interface Configuration Ethernet COMMAND USAGE When the upper threshold is exceeded and the apply timer expires a control respon...

Page 769: ...s COMMAND MODE Interface Configuration Ethernet COMMAND USAGE Once the traffic rate falls beneath the lower threshold a trap message may be sent if configured by the snmp server enable port traps atc...

Page 770: ...r the apply timer expires Range 1 255 kilo packets per second seconds DEFAULT SETTING 128 kilo packets per seconds COMMAND MODE Interface Configuration Ethernet COMMAND USAGE Once the upper threshold...

Page 771: ...een triggered and the release timer has expired EXAMPLE Console config interface ethernet 1 1 Console config if auto traffic control broadcast auto control release Console config if auto traffic contr...

Page 772: ...nable port traps atc broadcast alarm clear Console config if RELATED COMMANDS auto traffic control action 768 auto traffic control alarm clear threshold 769 snmp server enable port traps atc broadcast...

Page 773: ...MMANDS auto traffic control alarm fire threshold 770 auto traffic control apply timer 765 snmp server enable port traps atc broadcast control release This command sends a trap when broadcast traffic f...

Page 774: ...nable port traps atc multicast alarm clear Console config if RELATED COMMANDS auto traffic control action 768 auto traffic control alarm clear threshold 769 snmp server enable port traps atc multicast...

Page 775: ...MMANDS auto traffic control alarm fire threshold 770 auto traffic control apply timer 765 snmp server enable port traps atc multicast control release This command sends a trap when multicast traffic f...

Page 776: ...and storm control status for the specified port SYNTAX show auto traffic control interface interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 10 COMMAND MODE...

Page 777: ...seconds COMMAND MODE Global Configuration COMMAND USAGE The aging time is used to age out dynamically learned forwarding information Table 102 Address Table Commands Command Function Mode mac address...

Page 778: ...switch is reset permanent Assignment is permanent DEFAULT SETTING No static addresses are defined The default mode is permanent COMMAND MODE Global Configuration COMMAND USAGE The static address for...

Page 779: ...classes of entries in the bridge forwarding database SYNTAX show mac address table address mac address mask interface interface vlan vlan id sort address vlan interface mac address MAC address mask Bi...

Page 780: ...00 00 00 00 00 00 means an exact match and a mask of FF FF FF FF FF FF means any The maximum number of address entries is 16K EXAMPLE Console show mac address table Interface MAC Address VLAN Type Lif...

Page 781: ...TAX show mac address table count interface interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 10 port channel channel id Range 1 5 DEFAULT SETTING None COMMAN...

Page 782: ...CHAPTER 32 Address Table Commands 782...

Page 783: ...mode GC spanning tree system bpdu flooding Floods BPDUs to all other ports or just to all other ports in the same VLAN when global spanning tree is disabled GC spanning tree transmission limit Configu...

Page 784: ...mst cost Configures the path cost of an instance in the MST IC spanning tree mst port priority Configures the priority of an instance in the MST IC spanning tree port bpdu flooding Floods BPDUs to ot...

Page 785: ...o IOS Release 12 2 25 SEC do not fully follow the IEEE standard causing some state machine procedures to function incorrectly The command forces the spanning tree protocol to function in a manner comp...

Page 786: ...E Console config spanning tree forward time 20 Console config spanning tree hello time This command configures the spanning tree bridge hello time globally for this switch Use the no form to restore t...

Page 787: ...onfigure All device ports except for designated ports should receive configuration messages at regular intervals Any port that ages out STA information provided in the last configuration message becom...

Page 788: ...delay timer expires the switch assumes it is connected to an 802 1D bridge and starts using only 802 1D BPDUs RSTP Mode If RSTP is using 802 1D BPDUs on a port and receives an RSTP BPDU after the mig...

Page 789: ...ath between devices Therefore lower values should be assigned to ports attached to faster media and higher values assigned to ports with slower media Note that path cost page 797 takes precedence over...

Page 790: ...the lowest MAC address will then become the root device EXAMPLE Console config spanning tree priority 40000 Console config spanning tree mst configuration This command changes to Multiple Spanning Tre...

Page 791: ...d by port s PVID DEFAULT SETTING Floods to all other ports in the same VLAN COMMAND MODE Global Configuration COMMAND USAGE The spanning tree system bpdu flooding command has no effect if BPDU floodin...

Page 792: ...tance within a region and the internal spanning tree IST that connects these instances use a hop count to specify the maximum number of bridges that will propagate a BPDU Each bridge decrements the ho...

Page 793: ...ance Use the no form to remove the specified VLANs Using the no form without any VLAN parameters to remove all VLANs SYNTAX no mst instance id vlan vlan range instance id Instance identifier of the sp...

Page 794: ...Use the no form to clear the name SYNTAX name name name Name of the spanning tree DEFAULT SETTING Switch s MAC address COMMAND MODE MST Configuration COMMAND USAGE The MST region name and revision num...

Page 795: ...able this feature SYNTAX no spanning tree bpdu filter DEFAULT SETTING Disabled COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE This command filters all Bridge Protocol Data Un...

Page 796: ...end nodes which do not generate BPDUs If a BPDU is received on an edge port this indicates an invalid network configuration or that the switch may be under attack by a hacker If an interface is shut...

Page 797: ...is set to 65 535 COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE This command is used by the Spanning Tree Algorithm to determine the best path between devices Therefore lowe...

Page 798: ...s at the end of a bridged LAN or to an end node Since end nodes cannot cause forwarding loops they can pass directly through to the spanning tree forwarding state Specifying Edge Ports provides quicke...

Page 799: ...two or more bridges When automatic detection is selected the switch derives the link type from the duplex mode A full duplex interface is considered a point to point link while a half duplex interfac...

Page 800: ...detection release mode auto Allows a port to automatically be released from the discarding state when the loopback state ends manual The port can only be released from the discarding state manually D...

Page 801: ...onsole config interface ethernet 1 5 Console config if spanning tree loopback detection trap spanning tree mst cost This command configures the path cost on a spanning instance in the Multiple Spannin...

Page 802: ...d higher values assigned to interfaces with slower media Use the no spanning tree mst cost command to specify auto configuration mode Path cost takes precedence over interface priority EXAMPLE Console...

Page 803: ...mst cost 801 spanning tree port bpdu flooding This command floods BPDUs to other ports when spanning tree is disabled globally or disabled on a specific port Use the no form to restore the default set...

Page 804: ...port with the highest priority that is lowest value will be configured as an active link in the spanning tree Where more than one port is assigned the highest priority the port with lowest numeric id...

Page 805: ...t could also be used to form a border around part of the network where the root bridge is allowed When spanning tree is initialized globally on the switch or on an interface the switch will wait for 2...

Page 806: ...EXAMPLE Console spanning tree loopback detection release ethernet 1 1 Console spanning tree protocol migration This command re checks the appropriate BPDU format to send on the selected interface SYN...

Page 807: ...the spanning tree configuration for the switch for the Common Spanning Tree CST and for every interface in the tree Use the show spanning tree interface command to display the spanning tree configura...

Page 808: ...g Behavior To VLAN Cisco Prestandard Disabled Eth 1 1 information Admin Status Enabled Role Disabled State Discarding External Admin Path Cost 0 Internal Admin Path Cost 0 External Oper Path Cost 1000...

Page 809: ...nfiguration This command shows the configuration of the multiple spanning tree COMMAND MODE Privileged Exec EXAMPLE Console show spanning tree mst configuration Mstp Configuration Information Configur...

Page 810: ...CHAPTER 33 Spanning Tree Commands 810...

Page 811: ...ing links This particular link is called the ring protection link RPL and under normal conditions this link is blocked to traffic One designated node the RPL owner is responsible for blocking traffic...

Page 812: ...eviously blocked ports The ring is now returned to Idle state Figure 303 ERPS Ring Components Configuration Limitations for ERPS The following configuration limitations apply to ERPS One switch only s...

Page 813: ...g outdated R APS messages the holdoff timer command to filter out intermittent link faults and the wtr timer command to verify that the ring has stabilized before blocking the RPL after recovery from...

Page 814: ...the no erps command no ERPS rings will work 7 Enable an ERPS ring Before an ERPS ring can work it must be enabled using the enable command When configuration is completed and the ring enabled R APS me...

Page 815: ...MODE ERPS Configuration COMMAND USAGE Configure one control VLAN for each ERPS ring First create the VLAN to be used as the control VLAN vlan page 831 add the ring ports for the east and west interfa...

Page 816: ...ol vlan 2 Console config erps enable This command activates the current ERPS ring Use the no form to disable the current ring SYNTAX no enable DEFAULT SETTING Disabled COMMAND MODE ERPS Configuration...

Page 817: ...ximum expected forwarding delay for an R APS message to pass around the ring A side effect of the guard timer is that during its duration a node will be unaware of new or existing ring requests transm...

Page 818: ...kets Use the no form to remove the current setting SYNTAX major domain name no major domain name Name of the ERPS ring used for sending control packets Range 1 32 characters DEFAULT SETTING None COMMA...

Page 819: ...red for each local ring if there are many R APS PDUs passing through this switch EXAMPLE Console config erps meg level 00 12 CF 61 24 2D Console config erps node id This command sets the MAC address f...

Page 820: ...about this event to the major ring When the major ring receives this kind of message from a secondary ring it can clear the MAC addresses on its ring ports to help the second ay ring restore its conn...

Page 821: ...he ports connected are referred to as east and west ports Alternatively the closest neighbor to the east should be the next node in the ring in a clockwise direction and the closest neighbor to the we...

Page 822: ...ed to verify that the ring has stabilized before blocking the RPL after recovery from a signal failure Range 5 12 minutes DEFAULT SETTING 5 minutes COMMAND MODE ERPS Configuration COMMAND USAGE If the...

Page 823: ...led on the switch Number of ERPS Domains Shows the number of ERPS rings configured on the switch Domain Displays the name of each ring followed by a brief list of status information State Shows the fo...

Page 824: ...APS messages is allowed Forwarding The transmission and reception of traffic is allowed transmission reception and forwarding of R APS messages is allowed Down The interface is not linked up Unknown T...

Page 825: ...ing name VID and state Configuring VLAN Interfaces Configures VLAN interface parameters including ingress and egress tagging mode ingress filtering PVID and GVRP Displaying VLAN Information Displays V...

Page 826: ...USAGE GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network This function should be enabled to permit automatic VLAN registration...

Page 827: ...AGE Group Address Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN The default values for the GARP timers are indepen...

Page 828: ...NG No VLANs are included in the forbidden list COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE This command prevents a VLAN from being automatically added to the specified int...

Page 829: ...nsole show bridge ext Maximum Supported VLAN Numbers 4093 Maximum Supported VLAN ID 4093 Extended Multicast Filtering Services No Static Entry Individual Port Yes VLAN Learning IVL Configurable PVID T...

Page 830: ...face interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 10 port channel channel id Range 1 5 DEFAULT SETTING Shows both global and interface specific configuration COMM...

Page 831: ...mmand EXAMPLE Console config vlan database Console config vlan RELATED COMMANDS show vlan 839 vlan This command configures a VLAN Use the no form to restore the default settings or delete a VLAN SYNTA...

Page 832: ...TE The switch allows 256 user manageable VLANs EXAMPLE The following example adds a VLAN using VLAN ID 105 and name RD5 The VLAN is activated by default Console config vlan database Console config vla...

Page 833: ...and then assign an IP address to the VLAN Console config interface vlan 1 Console config if ip address 192 168 1 254 255 255 255 0 Console config if RELATED COMMANDS shutdown 725 interface 720 vlan 8...

Page 834: ...gned to the default VLAN EXAMPLE The following example shows how to restrict the traffic received on port 1 to tagged frames Console config interface ethernet 1 1 Console config if switchport acceptab...

Page 835: ...he host at the other end of the connection supports VLANs the interface should be added to these VLANs as an untagged member Otherwise it is only necessary to add at most one VLAN as untagged and this...

Page 836: ...fig if switchport mode This command configures the VLAN membership mode for a port Use the no form to restore the default SYNTAX switchport mode access hybrid trunk no switchport mode access Specifies...

Page 837: ...d Default VLAN ID for a port Range 1 4093 no leading zeroes DEFAULT SETTING VLAN 1 COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE When using Access mode and an interface is a...

Page 838: ...itches would drop any frames with unknown VLAN group tags However by enabling VLAN trunking on the intermediate switch ports along the path connecting VLANs 1 and 2 you only need to create these VLAN...

Page 839: ...ion show vlan This command shows VLAN information SYNTAX show vlan id vlan id name vlan name id Keyword to be followed by the VLAN ID vlan id ID of the configured VLAN Range 1 4093 no leading zeroes n...

Page 840: ...l Configuration Guidelines for QinQ 1 Configure the switch to QinQ mode dot1q tunnel system tunnel control 2 Create a SPVLAN vlan 3 Configure the QinQ tunnel access port to dot1Q tunnel access mode sw...

Page 841: ...l port types IGMP Snooping should not be enabled on a tunnel access port If the spanning tree protocol is enabled be aware that a tunnel access or tunnel uplink port may be disabled if the spanning tr...

Page 842: ...ontrol command before the switchport dot1q tunnel mode interface command can take effect When a tunnel uplink port receives a packet from a customer the customer tag regardless of whether there are on...

Page 843: ...the default VID of the edge router s ingress port This process is performed in a transparent manner as described under IEEE 802 1Q Tunneling on page 191 When priority bits are found in the inner tag t...

Page 844: ...ingress vlan translation Inject double tagged frame SVID 101 CVID 10 to Port 2 then Port 1 exits single tagged frame VID 10 switching 3 Port 1 switchport dot1q tunnel service 101 match cvid 10 remove...

Page 845: ...ed upon as untagged frames and assigned to the native VLAN of that port All ports on the switch will be set to the same ethertype EXAMPLE Console config interface ethernet 1 1 Console config if switch...

Page 846: ...ATED COMMANDS switchport dot1q tunnel mode 842 CONFIGURING PORT BASED TRAFFIC SEGMENTATION If tighter security is required for passing traffic from different clients through downlink ports on the loca...

Page 847: ...the same switch Traffic may pass freely between uplink ports in segmented groups and ports in normal VLANs Enter the traffic segmentation command without any parameters to enable traffic segmentation...

Page 848: ...o configure protocol based VLANs follow these steps 1 First configure VLAN groups for the protocols you want to use page 831 Although not mandatory we suggest configuring a separate VLAN for each majo...

Page 849: ...MAND MODE Global Configuration EXAMPLE The following creates protocol group 1 and specifies Ethernet frames with IP and ARP protocol types Console config protocol vlan protocol group 1 add frame type...

Page 850: ...ames If the frame is untagged and the protocol type matches the frame is forwarded to the appropriate VLAN If the frame is untagged but the protocol type does not match the frame is forwarded to the d...

Page 851: ...VLANs for the selected interfaces SYNTAX show interfaces protocol vlan protocol group interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 10 port channel chan...

Page 852: ...ask vlan vlan id priority priority no subnet vlan subnet ip address mask all ip address The IP address that defines the subnet Valid IP addresses consist of four decimal numbers 0 to 255 separated by...

Page 853: ...24 vlan 4 Console config show subnet vlan This command displays IP Subnet VLAN assignments COMMAND MODE Privileged Exec COMMAND USAGE Use this command to display subnet to VLAN mappings The last match...

Page 854: ...remove an assignment SYNTAX mac vlan mac address mac address vlan vlan id priority priority no mac vlan mac address mac address all mac address The source MAC address to be matched Configured MAC add...

Page 855: ...dress VLAN ID Priority 00 00 00 11 22 33 10 0 Console CONFIGURING VOICE VLANS The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic VoIP traffic can...

Page 856: ...n switch ports by using the source MAC address of packets or by using LLDP IEEE 802 1AB to discover connected VoIP devices When VoIP traffic is detected on a configured port the switch automatically a...

Page 857: ...gures the Voice VLAN aging time as 3000 minutes Console config voice vlan aging 3000 Console config voice vlan mac address This command specifies MAC address ranges to add to the OUI Telephony list Us...

Page 858: ...Telephony list Console config voice vlan mac address 00 12 34 56 78 90 mask ff ff ff 00 00 00 description A new phone Console config switchport voice vlan This command specifies the Voice VLAN mode fo...

Page 859: ...MMAND USAGE Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN The priority of any received VoIP packet is overwritten with the new priority when the Voice VLAN feature is ac...

Page 860: ...ing VoIP traffic Console config interface ethernet 1 1 Console config if switchport voice vlan rule oui Console config if switchport voice vlan security This command enables security filtering for VoI...

Page 861: ...tatus Global Voice VLAN Status Voice VLAN Status Enabled Voice VLAN ID 1234 Voice VLAN aging time 1440 minutes Voice VLAN Port Summary Port Mode Security Rule Priority Remaining Age minutes Eth 1 1 Au...

Page 862: ...CHAPTER 35 VLAN Commands Configuring Voice VLANs 862...

Page 863: ...ayer 2 Configures the queue mode queue weights and default priority for untagged frames Priority Commands Layer 3 and 4 Sets the default priority processing method CoS or DSCP maps priority tags for i...

Page 864: ...DEFAULT SETTING Strict and WRR with Queue 3 using strict mode COMMAND MODE Global Configuration COMMAND USAGE The switch can be set to service the port queues based on strict priority WRR or a combina...

Page 865: ...queue weight This command assigns weights to the four class of service CoS priority queues when using weighted queuing or one of the queuing modes that use a combination of strict and weighted queuing...

Page 866: ...mapping is IP DSCP and then default switchport priority The default priority applies for an untagged frame received on a port set to accept all frame types i e receives both untagged and tagged frame...

Page 867: ...default 5 Console config if RELATED COMMANDS show interfaces switchport 732 show queue mode This command shows the current queue mode COMMAND MODE Privileged Exec EXAMPLE Console show queue mode Queue...

Page 868: ...l format Range 0 1 Table 122 Priority Commands Layer 3 and 4 Command Function Mode qos map cos dscp Maps CoS CFI values in incoming packets to per hop behavior and drop precedence values for internal...

Page 869: ...riority tags in the original packet are not modified by this command The internal DSCP consists of three bits for per hop behavior PHB which determines the queue to which a packet is sent and two bits...

Page 870: ...DSCP by the qos map trust mode command and the ingress packet type is IPv4 Two QoS domains can have different DSCP definitions so the DSCP to PHB Drop Precedence mutation map can be used to modify one...

Page 871: ...rface ethernet 1 5 Console config if qos map dscp mutation 3 1 from 1 Console config if qos map phb queue This command determines the hardware output queues to use based on the internal per hop behavi...

Page 872: ...essing will be based on the DSCP value in the ingress packet If the QoS mapping mode is set to DSCP and a non IP packet is received the packet s CoS and CFI Canonical Format Indicator values are used...

Page 873: ...in the top row in other words ingress DSCP d1 10 d2 and the corresponding Internal DSCP and drop precedence is shown at the intersecting cell in the table Console show qos map dscp mutation interface...

Page 874: ...cos dscp This command shows ingress CoS CFI to internal DSCP map SYNTAX show qos map cos dscp interface interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 10...

Page 875: ...map trust mode interface interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 10 port channel channel id Range 1 5 COMMAND MODE Privileged Exec EXAMPLE The foll...

Page 876: ...CHAPTER 36 Class of Service Commands Priority Commands Layer 3 and 4 876...

Page 877: ...classified traffic based on a metered flow rate PM C police srtcm color Defines an enforcer for classified traffic based on a single rate three color meter PM C police trtcm color Defines an enforcer...

Page 878: ...or set ip dscp command to modify the per hop behavior the class of service value in the VLAN tag or the priority bits in the IP header IP DSCP value for the matching traffic class and use one of the p...

Page 879: ...ss maps may be added to the policy map nor any changes made to the assigned class maps with the match or set commands EXAMPLE This example creates a class map call rd class and sets it to match packet...

Page 880: ...mand to designate a class map and enter the Class Map configuration mode Then use match commands to specify the fields within ingress packets that must match to qualify for this class map If an ingres...

Page 881: ...onfig cmap rename This command redefines the name of a class map or policy map SYNTAX rename map name map name Name of the class map or policy map Range 1 16 characters COMMAND MODE Class Map Configur...

Page 882: ...rd policy Console config pmap class rd class Console config pmap c set cos 0 Console config pmap c police flow 10000 4000 conform action transmit violate action drop Console config pmap c class This c...

Page 883: ...10000 4000 conform action transmit violate action drop Console config pmap c police flow This command defines an enforcer for classified traffic based on the metered flow rate Use the no form to remo...

Page 884: ...e The token bucket C is initially full that is the token count Tc 0 BC Thereafter the token count Tc is updated CIR times per second as follows If Tc is less than BC Tc is incremented by one else Tc i...

Page 885: ...st Excess burst size BE in bytes Range 4000 1600000 at a granularity of 4k bytes conform action Action to take when rate is within the CIR and BC There are enough tokens in bucket BC to service the pa...

Page 886: ...ken count Tc 0 BC and the token count Te 0 BE Thereafter the token counts Tc and Te are updated CIR times per second as follows If Tc is less than BC Tc is incremented by one else if Te is less then B...

Page 887: ...color blind trtcm color aware committed rate committed burst peak rate peak burst conform action transmit exceed action drop new dscp violate action drop new dscp trtcm color blind Two rate three col...

Page 888: ...ol queue congestion A packet is marked red if it exceeds the PIR Otherwise it is marked either yellow or green depending on whether it exceeds or doesn t exceed the CIR The trTCM is useful for ingress...

Page 889: ...on other aspects of trTCM EXAMPLE This example creates a policy called rd policy uses the class command to specify the previously defined rd class uses the set phb command to classify the service that...

Page 890: ...receive and then uses the police flow command to limit the average bandwidth to 100 000 Kbps the burst rate to 4000 bytes and configure the response to drop any violating packets Console config polic...

Page 891: ...action drop Console config pmap c set phb This command services IP traffic by setting a per hop behavior value for a matching packet as specified by the match command for internal processing Use the...

Page 892: ...licy map defined by the policy map command to the ingress side of a particular interface Use the no form to remove this mapping SYNTAX no service policy input policy map name input Apply to the input...

Page 893: ...ss list rd access Match ip dscp 0 Class Map match any rd class 2 Match ip precedence 5 Class Map match any rd class 3 Match vlan 1 Console show policy map This command displays the QoS policy maps whi...

Page 894: ...le show policy map interface This command displays the service policy assigned to the specified interface SYNTAX show policy map interface interface input interface unit port unit Unit identifier Rang...

Page 895: ...ard all inbound multicast traffic to the attached VLANs IGMP Filtering and Throttling Configures IGMP filtering and throttling Multicast VLAN Registration Configures a single network wide multicast VL...

Page 896: ...e the system assumes there are no local members GC ip igmp snooping vlan last memb query intvl Configures the last member query interval GC ip igmp snooping vlan mrd Sends multicast router solicitatio...

Page 897: ...nterface settings will not take effect until snooping is re enabled globally EXAMPLE The following example enables IGMP snooping globally Console config ip igmp snooping Console config ip igmp snoopin...

Page 898: ...e specified VLAN DEFAULT SETTING Global Enabled VLAN Based on global setting COMMAND MODE Global Configuration COMMAND USAGE When proxy reporting is enabled with this command the switch performs IGMP...

Page 899: ...o not include the Router Alert option Use the no form to ignore the Router Alert Option when receiving IGMP messages SYNTAX no ip igmp snooping router alert option check DEFAULT SETTING Disabled COMMA...

Page 900: ...ing router port expire time seconds The time the switch waits after the previous querier stops before it considers it to have expired Range 1 65535 Recommended Range 300 500 DEFAULT SETTING 300 second...

Page 901: ...ds unsolicited reports for all current learned channels out through the new uplink port By default the switch immediately enters into multicast flooding mode when a spanning tree topology change occur...

Page 902: ...l also immediately issues an IGMP general query The ip igmp snooping tcn query solicit command can be used to send a query solicitation whenever it notices a topology change even if the switch is not...

Page 903: ...no form to restore the default value SYNTAX ip igmp snooping unsolicited report interval seconds no ip igmp snooping version exclusive seconds The interval at which to issue unsolicited reports Range...

Page 904: ...nd versions 2 and 3 are backward compatible so the switch can operate with other devices regardless of the snooping version employed If the IGMP snooping version is configured on a VLAN this setting t...

Page 905: ...oping vlan general query suppression This command suppresses general queries except for ports attached to downstream multicast hosts Use the no form to flood general queries to all ports except for th...

Page 906: ...sage is received The router querier stops forwarding traffic for that group only if no host replies to the query within the time out period The time out for this release is currently defined by Last M...

Page 907: ...ere are no more group members Range 1 255 DEFAULT SETTING 2 COMMAND MODE Global Configuration COMMAND USAGE This command will take effect only if IGMP snooping proxy reporting or IGMP querier is enabl...

Page 908: ...an id VLAN ID Range 1 4093 DEFAULT SETTING Enabled COMMAND MODE Global Configuration COMMAND USAGE Multicast Router Discovery MRD uses multicast router advertisement multicast router solicitation and...

Page 909: ...proxy address source address vlan id VLAN ID Range 1 4093 source address The source address used for proxied IGMP query and report and leave messages Any valid IP unicast address DEFAULT SETTING 0 0 0...

Page 910: ...nterval no ip igmp snooping vlan vlan id proxy query interval vlan id VLAN ID Range 1 4093 interval The interval between sending IGMP proxy general queries Range 10 31744 seconds DEFAULT SETTING 100 1...

Page 911: ...ths of a second DEFAULT SETTING 100 10 seconds COMMAND MODE Global Configuration COMMAND USAGE This command will take effect only if IGMP snooping proxy reporting is enabled page 898 EXAMPLE Console c...

Page 912: ...See Configuring IGMP Snooping and Query Parameters on page 456 for a description of the displayed items EXAMPLE The following shows the current IGMP snooping configuration Console show ip igmp snoopin...

Page 913: ...user igmpsnp user igmpsnp vlan id VLAN ID 1 4093 user Display only the user configured multicast entries igmpsnp Display only entries learned through IGMP snooping DEFAULT SETTING None COMMAND MODE Pr...

Page 914: ...ic multicast router ports are configured COMMAND MODE Global Configuration COMMAND USAGE Depending on your network connections IGMP snooping may not always be able to locate the IGMP querier Therefore...

Page 915: ...switch applications the administrator may want to control the multicast services that are available to end users For example an IP TV service based on a specific subscription plan The IGMP filtering...

Page 916: ...ecked against the filter profile If a requested multicast group is permitted the IGMP join report is forwarded as normal If a requested multicast group is denied the IGMP join report is dropped IGMP f...

Page 917: ...o many interfaces but only one profile can be assigned to one interface Each profile has only one access mode either permit or deny EXAMPLE Console config ip igmp profile 19 Console config igmp profil...

Page 918: ...p range DEFAULT SETTING None COMMAND MODE IGMP Profile Configuration COMMAND USAGE Enter this command multiple times to specify more than one multicast address or address range for a profile EXAMPLE C...

Page 919: ...max groups number no ip igmp max groups number The maximum number of multicast groups an interface can join at the same time Range 1 255 DEFAULT SETTING 255 COMMAND MODE Interface Configuration Ether...

Page 920: ...tch can take one of two actions either deny or replace If the action is set to deny any new IGMP join reports will be dropped If the action is set to replace the switch randomly removes an existing gr...

Page 921: ...profile profile number profile number An existing IGMP filter profile number Range 1 4294967295 DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console show ip igmp profile IGMP Profile 19...

Page 922: ...the distribution tree for a normal multicast VLAN Also note that MVR maintains the user isolation and data security provided by VLAN segregation by passing only multicast traffic into other VLANs to w...

Page 923: ...nsole config mvr group This command statically configures MVR multicast group IP address es Use the no form of this command to remove a specific address or range of addresses SYNTAX no mvr group ip ad...

Page 924: ...onfig mvr group 228 1 23 1 10 Console config mvr priority This command assigns a priority to all multicast traffic in the MVR VLAN Use the no form of this command to restore the default setting SYNTAX...

Page 925: ...8 0 3 Console config mvr vlan This command specifies the VLAN through which MVR multicast data is received Use the no form of this command to restore the default MVR VLAN SYNTAX mvr vlan vlan id no mv...

Page 926: ...iately removed from the multicast group identified in the leave message When immediate leave is disabled the switch follows the standard rules by sending a group specific query to the receiver port an...

Page 927: ...also be used to allow a receiver port to dynamically join or leave multicast groups not sourced through the MVR VLAN Also note that VLAN membership for MVR receiver ports cannot be set to trunk mode...

Page 928: ...EFAULT SETTING No receiver port is a member of any configured multicast group COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE Multicast groups can be statically assigned to a...

Page 929: ...R multicast group Range 224 0 1 0 239 255 255 255 DEFAULT SETTING Displays global configuration settings for MVR when no keywords are used COMMAND MODE Privileged Exec COMMAND USAGE Enter this command...

Page 930: ...all MVR multicast traffic MVR Current Learned Groups The current number of MVR group addresses MVR Forwarding Priority Priority assigned to multicast traffic forwarded into the MVR VLAN MVR Upstream...

Page 931: ...Entry Count The number of multicast services currently being forwarded from the MVR VLAN Group Address Multicast groups assigned to the MVR VLAN Source Address Indicates the source address of the mult...

Page 932: ...CHAPTER 38 Multicast Filtering Commands Multicast VLAN Registration 932...

Page 933: ...Function Mode lldp Enables LLDP globally on the switch GC lldp holdtime multiplier Configures the time to live TTL value sent in LLDP advertisements GC lldp med fast start count Configures how many m...

Page 934: ...notification Enables the transmission of SNMP trap notifications about LLDP MED changes IC lldp med tlv inventory Configures an LLDP MED enabled port to advertise its inventory identification details...

Page 935: ...form to restore the default setting SYNTAX lldp holdtime multiplier value no lldp holdtime multiplier value Calculates the TTL in seconds based on holdtime multiplier refresh interval 65536 Range 2 1...

Page 936: ...ce EXAMPLE Console config lldp med fast start count 6 Console config lldp notification interval This command configures the allowed interval for sending SNMP notifications about LLDP MIB changes Use t...

Page 937: ...seconds Specifies the periodic interval at which LLDP advertisements are sent Range 5 32768 seconds DEFAULT SETTING 30 seconds COMMAND MODE Global Configuration COMMAND USAGE This attribute must compl...

Page 938: ...se the no form to restore the default setting SYNTAX lldp tx delay seconds no lldp tx delay seconds Specifies the transmit delay Range 1 8192 seconds DEFAULT SETTING 2 seconds COMMAND MODE Global Conf...

Page 939: ...figures an LLDP enabled port to advertise the management address for this device Use the no form to disable this feature SYNTAX no lldp basic tlv management ip address DEFAULT SETTING Enabled COMMAND...

Page 940: ...t address reported by this TLV EXAMPLE Console config interface ethernet 1 1 Console config if lldp basic tlv management ip address Console config if lldp basic tlv port description This command confi...

Page 941: ...LE Console config interface ethernet 1 1 Console config if lldp basic tlv system capabilities Console config if lldp basic tlv system description This command configures an LLDP enabled port to advert...

Page 942: ...nd is in turn based on the hostname command EXAMPLE Console config interface ethernet 1 1 Console config if lldp basic tlv system name Console config if lldp dot1 tlv proto ident This command configur...

Page 943: ...tocol based VLANs on page 848 EXAMPLE Console config interface ethernet 1 1 Console config if no lldp dot1 tlv proto vid Console config if lldp dot1 tlv pvid This command configures an LLDP enabled po...

Page 944: ...e 849 EXAMPLE Console config interface ethernet 1 1 Console config if no lldp dot1 tlv vlan name Console config if lldp dot3 tlv link agg This command configures an LLDP enabled port to advertise link...

Page 945: ...and operational Multistation Access Unit MAU type EXAMPLE Console config interface ethernet 1 1 Console config if no lldp dot3 tlv mac phy Console config if lldp dot3 tlv max frame This command config...

Page 946: ...cription of a location Range 1 32 characters DEFAULT SETTING Not advertised No description COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE Use this command without any keyword...

Page 947: ...ole config if lldp med location civic addr 4 West Irvine Console config if lldp med location civic addr 6 Exchange Console config if lldp med location civic addr 18 Avenue Console config if lldp med l...

Page 948: ...n An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification events missed due to throttling or transmission loss EXA...

Page 949: ...le config if lldp med tlv location Console config if lldp med tlv med cap This command configures an LLDP MED enabled port to advertise its Media Endpoint Device capabilities Use the no form to disabl...

Page 950: ...policy Console config if lldp notification This command enables the transmission of SNMP trap notifications about LLDP changes Use the no form to disable LLDP notifications SYNTAX no lldp notificatio...

Page 951: ...X show lldp config detail interface detail Shows configuration summary interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 10 port channel channel id Range 1 5 COMMAND M...

Page 952: ...ication Status Enabled MED Enabled TLVs Advertised med cap network policy location inventory MED Location Identification Location Data Format Civic Address LCI Civic Address Status Enabled Country Nam...

Page 953: ...dress 00 12 CF DA FC EC Ethernet Port on unit 0 port 4 Console show lldp info local device detail ethernet 1 1 LLDP Port Information Details Port Eth 1 1 Port Type MAC Address Port ID 00 12 CF DA FC E...

Page 954: ...unit 0 port 1 SystemCapSupported Bridge SystemCapEnabled Bridge Remote Management Address 192 168 0 5 IPv4 Remote Port VID 1 Remote Port Protocol VLAN VLAN 3 supported enabled Remote VLAN Name VLAN 1...

Page 955: ...E Console show lldp info statistics LLDP Device Statistics Neighbor Entries List Last Updated 2450279 seconds New Neighbor Entries Count 1 Neighbor Entries Deleted Count 0 Neighbor Entries Dropped Cou...

Page 956: ...CHAPTER 39 LLDP Commands 956...

Page 957: ...on is supported using loop back messages and fault isolation with link trace messages Fault notification is also provided by SNMP alarms which are automatically generated by maintenance points when co...

Page 958: ...tenance Domain The figure below shows four maintenance associations contained within a hierarchical structure of maintenance domains At the innermost level there are two operator domains which include...

Page 959: ...MIPs to discover MEPs Connectivity faults are indicated when a known MEP stops sending CCMs or a remote MEP configured in a static list does not come up Configuration errors such as a cross connect be...

Page 960: ...ance domain sets the authorized maintenance level and enters CFM configuration mode also specifies the MIP creation method for MAs within this domain GC ethernet cfm enable Enables CFM processing glob...

Page 961: ...e starting the cross check operation GC snmp server enable traps ethernet cfm crosscheck Enables SNMP traps for CFM continuity check events in relation to the cross check operations between statically...

Page 962: ...ontinuity check operations with the ethernet cfm cc enable command 8 Enable cross check operations with the ethernet cfm mep crosscheck command Other configuration changes may be required for your par...

Page 963: ...rnet cfm ais level level id md domain name ma ma name no ethernet cfm ais level md domain name ma ma name level id Maintenance level at which AIS information will be sent Range 0 7 domain name Domain...

Page 964: ...SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE Frames with AIS information can be issued at the client s maintenance level by a MEP upon detecting defect conditions For example defec...

Page 965: ...cters DEFAULT SETTING 1 second COMMAND MODE Global Configuration EXAMPLE This example sets the interval for sending frames with AIS information at 60 seconds Console config ethernet cfm ais period 60...

Page 966: ...ss of continuity alarm generation upon detecting loss of continuity defect conditions in the absence of AIS messages EXAMPLE This example suppresses sending frames with AIS information Console config...

Page 967: ...the domain service access points DSAPs within each MA defined for a domain and are manually configured using the ethernet cfm mep command In contrast MIPs are interconnection points that make up all p...

Page 968: ...name voip level 3 mip creation explicit Console config ether cfm RELATED COMMANDS ma index name vlan 969 ethernet cfm enable This command enables CFM processing globally on the switch Use the no form...

Page 969: ...maintenance end point MEP is created at some lower MA Level none No MIP can be created for this MA DEFAULT SETTING 10 seconds COMMAND MODE CFM Domain Configuration COMMAND USAGE The maintenance domai...

Page 970: ...13 SG15 Y 1731 defined ICC based format Use the no form to restore the default setting SYNTAX ma index index name format character string icc based no ma index index name format index MA identifier Ra...

Page 971: ...is facing away from the switch and transmits CFM messages towards and receives them from the direction of the physical medium DEFAULT SETTING No MEPs are configured The MEP faces outward down COMMAND...

Page 972: ...terface When CFM is disabled hardware resources previously used for CFM processing on that interface are released and all CFM frames entering that interface are forwarded as normal data traffic EXAMPL...

Page 973: ...ce interface global Displays global settings including CFM global status cross check start delay and link trace parameters traps Displays the status of all continuity check and cross check traps inter...

Page 974: ...EP which as an expired entry in the archived database CC Mep Down Trap Sends a trap if this device loses connectivity with a remote MEP or connectivity has been restored to a remote MEP which has reco...

Page 975: ...old Time m 1 rd 0 default 100 Console show ethernet cfm ma This command displays the configured maintenance associations SYNTAX show ethernet cfm ma level level level Maintenance level Range 0 7 DEFAU...

Page 976: ...10 port channel channel id Range 1 5 level id Maintenance level for this domain Range 0 7 DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Use the mep keyword with this command to disp...

Page 977: ...port Port number Range 1 10 port channel channel id Range 1 5 level id Maintenance level for this domain Range 0 7 DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE This example shows detaile...

Page 978: ...ID Level Maintenance level of the local maintenance point Direction The direction in which the MEP faces on the Bridge port up or down Interface The port to which this MEP is attached CC Status Shows...

Page 979: ...Interface State Up Crosscheck Status Enabled Console Table 140 show ethernet cfm maintenance points remote detail display Field Description MAC Address MAC address of the remote maintenance point If...

Page 980: ...Ms from any other MEPs in its MA a connectivity failure is registered The interval at which CCMs are issued should therefore be Port State Port states include Up The port is functioning normally Block...

Page 981: ...pecified maintenance association Use the no form to disable the transmission of these messages SYNTAX no ethernet cfm cc enable md domain name ma ma name domain name Domain name Range 1 43 alphanumeri...

Page 982: ...me MPID as its own but with a different source MAC address indicating that a CFM configuration error exists loop Sends a trap if this device receives a CCM with the same source MAC address and MPID as...

Page 983: ...535 minutes DEFAULT SETTING 100 minutes COMMAND MODE CFM Domain Configuration COMMAND USAGE A change to the hold time only applies to entries stored in the database after this command is entered EXAMP...

Page 984: ...his command clears continuity check errors logged for the specified maintenance domain or maintenance level SYNTAX clear ethernet cfm errors domain domain name level level id domain name Domain name R...

Page 985: ...IDs in this MA can pass through the bridge port no MEP is configured facing outward down on any bridge port for this MA and some other MA y at a higher maintenance level and associated with at least o...

Page 986: ...elay should be configured to a value greater than or equal to the continuity check message interval to avoid generating unnecessary traps EXAMPLE This example sets the maximum delay before starting th...

Page 987: ...tatic list A ma up trap is sent if cross checking is enabled and a CCM is received from all remote MEPs configured in the static list for this maintenance association EXAMPLE This example enables SNMP...

Page 988: ...vlan 1 Console config ether cfm mep crosscheck mpid 2 ma rd Console config ether cfm ethernet cfm mep crosscheck This command enables cross checking between the static list of MEPs assigned to other d...

Page 989: ...cfm maintenance points remote crosscheck domain domain name mpid mpid domain name Domain name Range 1 43 alphanumeric characters mpid Maintenance end point identifier Range 1 8191 DEFAULT SETTING None...

Page 990: ...along the path and from the target MEP Information stored in the cache includes the maintenance domain name MA name MEPID sequence number and TTL value EXAMPLE This example enables link trace caching...

Page 991: ...1 4095 entries DEFAULT SETTING 100 entries COMMAND MODE Global Configuration COMMAND USAGE Before setting the cache size the cache must first be enabled with the ethernet cfm linktrace cache command...

Page 992: ...1 255 hops DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Link trace messages can be targeted to MEPs not MIPs Before sending a link trace message be sure you have configured the tar...

Page 993: ...ged Exec EXAMPLE Console show ethernet cfm linktrace cache Hops MA IP Alias Ingress MAC Ing Action Relay Forwarded Egress MAC Egr Action 2 rd 192 168 0 6 00 12 CF 12 12 2D ingOk Hit Not Forwarded Cons...

Page 994: ...for example by an operationally Down MEP that has another Down MEP at a higher MD level on the same bridge port that is causing the bridge port s MAC_Operational parameter to be false IngBlocked The...

Page 995: ...her error report Loopback messages can also used to confirm the successful restoration or initiation of connectivity The receiving maintenance point should respond to the loop back message with a loop...

Page 996: ...een reset and repeat those steps until the fault is resolved Only the highest priority defect currently detected is reported in the fault alarm Priority defects include the following items Table 143 R...

Page 997: ...time The time that one or more defects must be present before a fault alarm is generated Range 3 10 seconds DEFAULT SETTING 3 seconds COMMAND MODE CFM Domain Configuration COMMAND USAGE A fault alarm...

Page 998: ...the reset time after which another fault alarm can be generated Console config ethernet cfm domain index 1 name voip level 3 Console config ether cfm mep fault notify reset time 7 Console config ether...

Page 999: ...45 alphanumeric characters count The number of times to retry sending the message if no response is received before the specified timeout Range 1 5 interval The transmission delay between delay measur...

Page 1000: ...th a frame with DM reply information with TxTimeStampf copied from the DM request information RxTimeStampf Timestamp at the time of receiving a frame with DM request information and TxTimeStampb Times...

Page 1001: ...efm oam link monitor frame window Sets the monitor period for errored frame link events IC efm oam mode Sets the OAM operational mode to active or passive IC clear efm oam counters Clears statistical...

Page 1002: ...ace ethernet 1 1 Console config if efm oam Console config if efm oam critical link event This command enables reporting of critical event or dying gasp Use the no form to disable this function SYNTAX...

Page 1003: ...s Use the no form to disable this function SYNTAX no efm oam link monitor frame DEFAULT SETTING Enabled COMMAND MODE Interface Configuration COMMAND USAGE An errored frame is a frame in which one or m...

Page 1004: ...he no form to restore the default setting SYNTAX no efm oam link monitor frame window size size The period of time in which to check the reporting threshold for errored frame link events Range 10 6553...

Page 1005: ...will initiate the OAM discovery process When in passive mode it can only respond to discovery messages EXAMPLE Console config interface ethernet 1 1 Console config if efm oam mode active Console conf...

Page 1006: ...ote loopback start command to start OAM remote loop back test mode on the specified port Afterwards use the efm oam remote loopback test command page 1007 to start sending test packets Then use the ef...

Page 1007: ...ommand to perform an OAM remote loopback test on the specified port The port that you specify to run this test must be connected to a peer OAM device capable of entering into OAM remote loopback mode...

Page 1008: ...ification 0 0 1 1 Loopback Control 1 0 1 1 Organization Specific 76 0 Console show efm oam event log interface This command displays the OAM event log for the specified port s or for all ports that ha...

Page 1009: ...o spaces use a hyphen to designate a range of ports Range 1 10 COMMAND MODE Normal Exec Privileged Exec EXAMPLE Console show efm oam remote loopback interface 1 1 Port OAM loopback Tx OAM loopback Rx...

Page 1010: ...e Loopback Gasp Event Frame 1 1 Enabled Active Disabled Enabled Enabled Enabled Console show efm oam status remote interface This command displays information about attached OAM enabled devices SYNTAX...

Page 1011: ...ame Name of the host Do not include the initial dot that separates the host name from the domain name Range 1 68 characters DEFAULT SETTING None Table 147 Address Table Commands Command Function Mode...

Page 1012: ...the default domain name is not used EXAMPLE This example adds two domain names to the current list and then displays the list Console config ip domain list sample com jp Console config ip domain list...

Page 1013: ...13 ip name server 1015 ip domain name This command defines the default domain name appended to incomplete host names i e host names passed from a client that are not formatted with dotted notation Use...

Page 1014: ...ip host name address name Name of an IPv4 host Range 1 100 characters address Corresponding IPv4 address DEFAULT SETTING No static entries COMMAND MODE Global Configuration COMMAND USAGE Use the no ip...

Page 1015: ...servers DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE The listed name servers are queried in the specified sequence until a response is received or the end of the list is reache...

Page 1016: ...values One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields DEFAULT SETTING No static entries COMMAND MODE Global Configuration...

Page 1017: ...r host command to clear dynamic entries or the no ip host command to clear static entries EXAMPLE This example clears all dynamic entries from the DNS table Console config clear host Console config sh...

Page 1018: ...sole show hosts No Flag Type IP Address TTL Domain 0 2 Address 192 168 1 55 rd5 1 2 Address 2001 DB8 1 12 rd6 3 4 Address 209 131 36 158 65 www real wa1 b yahoo com 4 4 CNAME POINTER TO 3 65 www yahoo...

Page 1019: ...stored in the cache Type This field includes Address which specifies the primary name for the owner and CNAME which specifies multiple domain names or aliases which are mapped to the same IP address a...

Page 1020: ...CHAPTER 42 Domain Name Service Commands 1020...

Page 1021: ...acquire other non address configuration information such as a default gateway from a DHCPv6 server Table 150 DHCP Commands Command Group Function DHCP Client Allows interfaces to dynamically acquire I...

Page 1022: ...ation of the switch to the DHCP server which then uses this information to decide on how to service the client or the type of information to return The general framework for this DHCP option is set ou...

Page 1023: ...s Console config interface vlan 1 Console config if ip address dhcp Console config if exit Console ip dhcp restart client Console show ip interface Vlan 1 is Administrative Up Link Up Address is 12 34...

Page 1024: ...rs by sending a solicit message and collecting advertised message replies These servers are then ranked based on their advertised preference value If the client needs to acquire prefixes from servers...

Page 1025: ...ange of consecutive numbers separated by a hyphen or multiple numbers separated by commas Range 1 4093 no leading zeroes COMMAND MODE Privileged Exec EXAMPLE Console show ipv6 dhcp vlan 1 VLAN 1 is in...

Page 1026: ...CHAPTER 43 DHCP Commands DHCP Client 1026...

Page 1027: ...segment IPV4 INTERFACE There are no IP addresses assigned to this switch by default You must manually configure a new address to manage the switch over your network or to connect the switch to existin...

Page 1028: ...m DHCP DEFAULT SETTING DHCP COMMAND MODE Interface Configuration VLAN COMMAND USAGE An IP address must be assigned to this device to gain management access over the network or to connect the switch to...

Page 1029: ...enabled but will not function until a BOOTP or DHCP reply has been received Requests are broadcast periodically by the router in an effort to learn its IP address BOOTP and DHCP values can include th...

Page 1030: ...ED COMMANDS ip address 1028 ipv6 default gateway 1036 show ip default gateway This command shows the IPv4 default gateway configured for this device DEFAULT SETTING None COMMAND MODE Privileged Exec E...

Page 1031: ...ed The traceroute command first sends probe datagrams with the TTL value set at one This causes the first router to discard the datagram and return an error message The trace function then sends sever...

Page 1032: ...her site on the network can be reached The following are some results of the ping command Normal response The normal response occurs in one to ten seconds depending on network traffic Destination does...

Page 1033: ...SYNTAX arp timeout seconds no arp timeout seconds The time a dynamic entry remains in the ARP cache Range 300 86400 86400 seconds is one day DEFAULT SETTING 1200 seconds 20 minutes COMMAND MODE Global...

Page 1034: ...is command displays entries in the Address Resolution Protocol ARP cache COMMAND MODE Normal Exec Privileged Exec COMMAND USAGE This command displays information about the ARP cache The first line sho...

Page 1035: ...ze of the maximum transmission unit MTU for IPv6 packets sent on an interface IC show ipv6 default gateway Displays the current IPv6 default gateway NE PE show ipv6 interface Displays the usability an...

Page 1036: ...ress to indicate the appropriate number of zeros required to fill the undefined fields The same link local address may be used by different interfaces nodes in different zones RFC 4007 Therefore when...

Page 1037: ...ate the appropriate number of zeros required to fill the undefined fields To connect to a larger network with multiple subnets you must configure a global unicast address This address can be manually...

Page 1038: ...I 64 form of the interface identifier i e the switch s MAC address Use the no form to remove the address generated by this command SYNTAX no ipv6 address autoconfig DEFAULT SETTING No IPv6 addresses a...

Page 1039: ...is 1000 milliseconds Console RELATED COMMANDS ipv6 address 1037 show ipv6 interface 1045 ipv6 address eui 64 This command configures an IPv6 address for an interface using an EUI 64 interface ID in t...

Page 1040: ...address The EUI 64 specification is designed for devices that use an extended 8 byte MAC address For devices that still use a 6 byte MAC address also known as EUI 48 format it must be converted into...

Page 1041: ...h a specific address to remove it from the interface SYNTAX ipv6 address ipv6 address link local no ipv6 address ipv6 address link local ipv6 address The IPv6 address assigned to the interface DEFAULT...

Page 1042: ...0 72 FF02 1 FF00 FD FF02 1 IPv6 link MTU is 1500 bytes ND DAD is enabled number of DAD attempts 3 ND retransmit interval is 1000 milliseconds Console RELATED COMMANDS ipv6 enable 1042 show ipv6 interf...

Page 1043: ...le show ipv6 interface Vlan 1 is up IPv6 is enable Link local address FE80 2E0 CFF FE00 FD 64 Global unicast address es 2001 DB8 2222 7273 72 96 subnet is 2001 DB8 2222 7273 96 Joined group address es...

Page 1044: ...ust use the same MTU in order to operate correctly IPv6 must be enabled on an interface before the MTU can be set EXAMPLE The following example sets the MTU for VLAN 1 to 1280 bytes Console config int...

Page 1045: ...twork portion of the address COMMAND MODE Normal Exec Privileged Exec EXAMPLE This example displays all the IPv6 addresses configured for the switch Console show ipv6 interface Vlan 1 is up IPv6 is en...

Page 1046: ...interface local multicast address is only used for loopback transmission of multicast traffic Link local multicast addresses cover the same types as used by link local unicast addresses including all...

Page 1047: ...received total received header errors too big errors no routes address errors unknown protocols truncated packets discards delivers reassembly request datagrams reassembly succeeded reassembly failed...

Page 1048: ...show ipv6 traffic display description Field Description IPv6 Statistics IPv6 recived total received The total number of input datagrams received by the interface including those received in error hea...

Page 1049: ...of discarded IPv6 fragments since some algorithms notably the algorithm in RFC 815 can lose track of the number of fragments by combining them as they are received This counter is incremented at the...

Page 1050: ...CMPv6 Group Membership Query messages received by the interface group membership response messages The number of ICMPv6 Group Membership Response messages received by the interface group membership re...

Page 1051: ...ber of Redirect messages sent For a host this object will always be zero since hosts do not send redirects group membership response messages The number of ICMPv6 Group Membership Response messages se...

Page 1052: ...bytes COMMAND MODE Privileged Exec COMMAND USAGE Use the ping6 command to see if another site on the network can be reached or to evaluate delays over the path The same link local address may be used...

Page 1053: ...eady exists on the network before it is assigned to an interface Duplicate address detection is stopped on any interface that has been suspended see the vlan command While an interface is suspended al...

Page 1054: ...cal address FE80 200 E8FF FE90 0 64 Global unicast address es 2009 DB9 2229 79 subnet is 2009 DB9 2229 0 64 Joined group address es FF01 1 16 FF02 1 16 FF02 1 FF00 79 104 FF02 1 FF90 0 104 IPv6 link M...

Page 1055: ...obal unicast address es 2009 DB9 2229 79 subnet is 2009 DB9 2229 0 64 Joined group address es FF01 1 16 FF02 1 16 FF02 1 FF00 79 104 FF02 1 FF90 0 104 IPv6 link MTU is 1500 bytes ND DAD is enabled num...

Page 1056: ...mic entries in the IPv6 neighbor cache Console clear ipv6 neighbors Console show ipv6 neighbors This command displays information in the IPv6 neighbor discovery cache SYNTAX show ipv6 neighbors vlan v...

Page 1057: ...eceived within the last ReachableTime interval that the forward path to the neighbor was functioning While in REACH state the device takes no special action when sending packets S Stale More than the...

Page 1058: ...CHAPTER 44 IP Interface Commands IPv6 Interface 1058...

Page 1059: ...1059 SECTION IV APPENDICES This section provides additional information and includes these items Software Specifications on page 1061 Troubleshooting on page 1067 License Information on page 1069...

Page 1060: ...SECTION IV Appendices 1060...

Page 1061: ...1000 Mbps at full duplex 1000BASE SX LX LH 1000 Mbps at full duplex SFP FLOW CONTROL Full Duplex IEEE 802 3 2005 Half Duplex Back pressure STORM CONTROL Broadcast multicast or unicast traffic throttl...

Page 1062: ...IGMP Snooping Layer 2 Multicast VLAN Registration ADDITIONAL FEATURES BOOTP Client DHCP Client DNS Client Proxy ERPS Ethernet Ring Protection Switching LLDP Link Layer Discover Protocol OAM Operation...

Page 1063: ...Q VLAN IEEE 802 1v Protocol based VLANs IEEE 802 1X Port Authentication IEEE 802 3 2005 Ethernet Fast Ethernet Gigabit Ethernet Link Aggregation Control Protocol LACP Full duplex flow control ISO IEC...

Page 1064: ...B RFC2054 Link Aggregation MIB IEEE 802 3ad MAU MIB RFC 3636 MIB II RFC 1213 P Bridge MIB RFC 2674P Port Access Entity MIB IEEE 802 1X Port Access Entity Equipment MIB Power Ethernet MIB RFC 3621 Priv...

Page 1065: ...APPENDIX A Software Specifications Management Information Bases 1065 Trap RFC 1215 UDP MIB RFC 2013...

Page 1066: ...APPENDIX A Software Specifications Management Information Bases 1066...

Page 1067: ...permitted Try connecting again at a later time Cannot connect using Secure Shell If you cannot connect using SSH you may have exceeded the maximum number of concurrent Telnet SSH sessions permitted Tr...

Page 1068: ...Repeat the sequence of commands or other actions that lead up to the error 7 Make a list of the commands or circumstances that led to the fault Also make a list of any error messages displayed 8 Set...

Page 1069: ...of free software and charge for this service if you wish that you receive source code or can get it if you want it that you can change the software or use pieces of it in new free programs and that yo...

Page 1070: ...notices stating that you changed the files and the date of any change b You must cause any work that you distribute or publish that in whole or in part contains or is derived from the Program or any...

Page 1071: ...ired to accept this License since you have not signed it However nothing else grants you permission to modify or distribute the Program or its derivative works These actions are prohibited by law if y...

Page 1072: ...ibution conditions are different write to the author to ask for permission For software which is copyrighted by the Free Software Foundation write to the Free Software Foundation we sometimes make exc...

Page 1073: ...by prioritizing packets based on the required level of service and then placing them in the appropriate output queue Data is transmitted from the queues using weighted round robin service to enforce p...

Page 1074: ...and password is requested by the switch and then passed to an authentication server e g RADIUS for verification EAPOL is implemented as part of the IEEE 802 1X Port Authentication standard EUI Extend...

Page 1075: ...ANs to communicate across switched networks IEEE 802 1P An IEEE standard for providing quality of service QoS in Ethernet networks The standard uses packet tags that define up to eight traffic classes...

Page 1076: ...g to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members IN BAND MANAGEMENT Management of the network from a...

Page 1077: ...is a A protocol used by IGMP snooping and multicast routing devices to discover which interfaces are attached to multicast routers This process allows IGMP enabled devices to determine where to send m...

Page 1078: ...to provide better service to selected traffic flows using features such as data prioritization queuing congestion avoidance and traffic shaping These features effectively provide preferential treatmen...

Page 1079: ...tion protocol that uses software running on a central server to control access to TACACS compliant devices on the network TCP IP Transmission Control Protocol Internet Protocol Protocol suite that inc...

Page 1080: ...s of their physical location or connection point in the network A VLAN serves as a logical workgroup with no physical barriers and allows users to share information and resources as though located on...

Page 1081: ...513 banner configure ip lan 513 banner configure lp number 514 banner configure manager info 515 banner configure mux 515 banner configure note 516 boot system 526 bridge ext gvrp 826 C calendar set 5...

Page 1082: ...che size 991 ethernet cfm loopback 994 ethernet cfm mep 971 ethernet cfm mep crosscheck 988 ethernet cfm mep crosscheck start delay 986 ethernet cfm port enable 972 exec timeout 537 exit 505 F flowcon...

Page 1083: ...nk local 1041 ipv6 default gateway 1036 ipv6 dhcp restart client vlan 1023 ipv6 enable 1042 ipv6 host 1016 ipv6 mtu 1043 ipv6 nd dad attempts 1053 ipv6 nd ns interval 1054 ipv6 nd reachable time 1055...

Page 1084: ...e mac authentication 662 network access port mac filter 663 nlm 584 no rspan session 758 node id 819 P parity 538 password 539 password thresh 540 periodic 561 permit deny 917 permit deny ARP ACL 716...

Page 1085: ...502 show hosts 1018 show interfaces brief 729 show interfaces counters 729 show interfaces protocol vlan protocol group 851 show interfaces status 731 show interfaces switchport 732 show interfaces tr...

Page 1086: ...broadcast control apply 773 snmp server enable port traps atc broadcast control release 773 snmp server enable port traps atc multicast alarm clear 774 snmp server enable port traps atc multicast ala...

Page 1087: ...voice vlan priority 859 switchport voice vlan rule 859 switchport voice vlan security 860 T tacacs server host 606 tacacs server key 607 tacacs server port 607 test cable diagnostics 734 timeout logi...

Page 1088: ...COMMAND LIST 1088...

Page 1089: ...312 318 704 705 MAC 313 321 710 Standard IP 704 time range 309 560 Address Resolution Protocol See ARP address table 195 777 aging time 197 777 aging time displaying 197 780 aging time setting 197 77...

Page 1090: ...980 981 CoS 231 872 configuring 231 863 default mapping to internal values 242 869 enabling 238 872 layer 3 4 priorities 238 868 priorities mapping to internal values 242 868 queue mapping 235 871 qu...

Page 1091: ...yption DSA 304 306 629 RSA 304 306 629 engine ID 386 387 577 ERPS configuration guidelines 813 control VLAN 815 domain configuration 815 domain enabling 816 global configuration 814 guard timer 817 ho...

Page 1092: ...306 527 ingress filtering 171 835 IP address BOOTP DHCP 426 1022 IP address setting 421 1027 IP filter for management access 334 647 IP source guard configuring static entries 352 682 setting filter...

Page 1093: ...agement Information Bases MIBs 1064 matching class settings classifying QoS traffic 247 880 media type 128 724 memory status 121 utilization showing 121 MEP archive CFM 983 mirror port configuring 132...

Page 1094: ...old 230 727 power savings configuring 156 power savings configuring 736 power savings enabling per port 156 736 priority default port ingress 231 866 private key 300 623 problems troubleshooting 1067...

Page 1095: ...ystem clock 114 555 557 specifying servers 115 557 software displaying version 100 523 downloading 104 527 version displaying 100 523 Spanning Tree Protocol See STA specifications software 1061 srTCM...

Page 1096: ...creating 168 831 description 165 displaying port members 839 displaying port members by interface 174 displaying port members by interface range 175 displaying port members by VLAN index 173 dynamic a...

Page 1097: ......

Page 1098: ...ES3510MA DC E122010 ST R01 150200000251A...

Search results

Summary of Contents for ES3510MA-DC

Reviews:

Edge-Core ES3510MA-DC, Management Manual, Page: 338 / 1098

Search results

Summary of Contents for ES3510MA-DC

Reviews: