Edge-Core ES3510MA Management Manual Download Page 343

Page: 343 / 984

HAPTER

| Security Measures

DHCP Snooping

– 343 –

◆

The rate limit for the number of DHCP messages that can be processed

by the switch is 100 packets per second. Any DHCP packets in excess of

this limit are dropped.

◆

When DHCP snooping is enabled, DHCP messages entering an

untrusted interface are filtered based upon dynamic entries learned via

DHCP snooping.

◆

Filtering rules are implemented as follows:

■

If the global DHCP snooping is disabled, all DHCP packets are

forwarded.

■

If DHCP snooping is enabled globally, and also enabled on the VLAN

where the DHCP packet is received, all DHCP packets are forwarded

for a

trusted

port. If the received packet is a DHCP ACK message, a

dynamic DHCP snooping entry is also added to the binding table.

■

If DHCP snooping is enabled globally, and also enabled on the VLAN

where the DHCP packet is received, but the port is

not trusted

, it is

processed as follows:

■

If the DHCP packet is a reply packet from a DHCP server

(including OFFER, ACK or NAK messages), the packet is

dropped.

■

If the DHCP packet is from a client, such as a DECLINE or

RELEASE message, the switch forwards the packet only if the

corresponding entry is found in the binding table.

■

If the DHCP packet is from a client, such as a DISCOVER,

REQUEST, INFORM, DECLINE or RELEASE message, the packet

is forwarded if MAC address verification is disabled. However, if

MAC address verification is enabled, then the packet will only be

forwarded if the client’s hardware address stored in the DHCP

packet is the same as the source MAC address in the Ethernet

header.

■

If the DHCP packet is not a recognizable type, it is dropped.

■

If a DHCP packet from a client passes the filtering criteria above, it

will only be forwarded to trusted ports in the same VLAN.

■

If a DHCP packet is from server is received on a trusted port, it will

be forwarded to both trusted and untrusted ports in the same VLAN.

■

If the DHCP snooping is globally disabled, all dynamic bindings are

removed from the binding table.

■

Additional considerations when the switch itself is a DHCP client

–

The port(s) through which the switch submits a client request to the

DHCP server must be configured as trusted. Note that the switch

will not add a dynamic entry for itself to the binding table when it

receives an ACK message from a DHCP server. Also, when the

switch sends out DHCP client packets for itself, no filtering takes

place. However, when the switch receives any messages from a

Summary of Contents for ES3510MA

Page 1: ...Management Guide www edge core com 8 Port Layer 2 Fast Ethernet Switch...

Page 2: ...MANAGEMENT GUIDE ES3510MA FAST ETHERNET SWITCH Layer 2 Switch with 8 10 100BASE TX RJ 45 Ports and 2 Gigabit Combination Ports RJ 45 SFP ES3510MA E032010 ST R01 149100000046A...

Page 3: ...our attention to related features or instructions CAUTION Alerts you to a potential hazard that could cause loss of data or damage the system or equipment WARNING Alerts you to a potential hazard that...

Page 4: ...ABOUT THIS GUIDE 4...

Page 5: ...and Restore 50 Authentication 50 Access Control Lists 51 Port Configuration 51 Port Mirroring 51 Port Trunking 51 Rate Limiting 51 Storm Control 51 Static Addresses 51 IEEE 802 1D Bridge 52 Store and...

Page 6: ...cting to the Web Interface 73 Navigating the Web Browser Interface 74 Home Page 74 Configuration Options 75 Panel Display 75 Main Menu 76 4 BASIC MANAGEMENT TASKS 89 Displaying System Information 89 D...

Page 7: ...forming Cable Diagnostics 132 Trunk Configuration 133 Configuring a Static Trunk 134 Configuring a Dynamic Trunk 137 Displaying LACP Port Counters 143 Displaying LACP Settings and Status for the Local...

Page 8: ...gs for STA 197 Displaying Global Settings for STA 202 Configuring Interface Settings for STA 203 Displaying Interface Settings for STA 207 Configuring Multiple Spanning Trees 209 Configuring Interface...

Page 9: ...Settings for Web Authentication 276 Network Access MAC Address Authentication 277 Configuring Global Settings for Network Access 279 Configuring Network Access for Ports 280 Configuring Port Link Det...

Page 10: ...332 Displaying 802 1X Statistics 334 IP Source Guard 337 Configuring Ports for IP Source Guard 337 Configuring Static Bindings for IP Source Guard 339 Displaying Information for Dynamic IP Source Gua...

Page 11: ...figuring General Settings for Clusters 406 Cluster Member Configuration 408 Managing Cluster Members 409 16 IP CONFIGURATION 411 Using the Ping Function 411 Setting the Switch s IP Address IP Version...

Page 12: ...ng and Throttling for Interfaces 462 Multicast VLAN Registration 463 Configuring Global MVR Settings 465 Configuring MVR Interface Status 466 Assigning Static Multicast Groups to Interfaces 468 Displa...

Page 13: ...e 495 banner configure company 496 banner configure dc power info 497 banner configure department 497 banner configure equipment info 498 banner configure equipment location 499 banner configure ip la...

Page 14: ...Line 520 line 520 databits 521 exec timeout 522 login 522 parity 523 password 524 password thresh 525 silent time 526 speed 526 stopbits 527 timeout login response 527 disconnect 528 show line 529 Eve...

Page 15: ...ow calendar 544 Time Range 545 time range 545 absolute 546 periodic 546 show time range 547 Switch Clustering 548 cluster 549 cluster commander 549 cluster ip pool 550 cluster member 551 rcommand 551...

Page 16: ...nt 577 rmon collection history 578 rmon collection stats 579 show rmon alarm 580 show rmon event 580 show rmon history 580 show rmon statistics 581 24 AUTHENTICATION COMMANDS 583 User Accounts 583 ena...

Page 17: ...server 600 accounting dot1x 601 accounting exec 601 authorization exec 602 show accounting 602 Web Server 603 ip http port 604 ip http server 604 ip http secure server 605 ip http secure port 606 Teln...

Page 18: ...e authperiod 625 dot1x timeout supp timeout 625 dot1x timeout tx period 626 dot1x re authenticate 626 dot1x identity profile 627 dot1x max start 628 dot1x pae supplicant 628 dot1x timeout auth period...

Page 19: ...show network access mac address table 653 show network access mac filter 654 Web Authentication 654 web auth login attempts 655 web auth quiet period 656 web auth session timeout 656 web auth system...

Page 20: ...ection trust 679 show ip arp inspection configuration 680 show ip arp inspection interface 680 show ip arp inspection log 681 show ip arp inspection statistics 681 show ip arp inspection vlan 681 26 A...

Page 21: ...708 show interfaces brief 708 show interfaces counters 709 show interfaces status 710 show interfaces switchport 711 test cable diagnostics 713 show cable diagnostics 714 power save 714 show power sav...

Page 22: ...m clear 747 snmp server enable port traps atc broadcast alarm fire 748 snmp server enable port traps atc broadcast control apply 748 snmp server enable port traps atc broadcast control release 749 snm...

Page 23: ...link type 771 spanning tree loopback detection 772 spanning tree loopback detection release mode 772 spanning tree loopback detection trap 773 spanning tree mst cost 774 spanning tree mst port priorit...

Page 24: ...system tunnel control 797 switchport dot1q tunnel mode 798 switchport dot1q tunnel tpid 799 show dot1q tunnel 799 Configuring Port based Traffic Segmentation 800 traffic segmentation 800 show traffic...

Page 25: ...ority default 820 show queue mode 821 show queue weight 821 Priority Commands Layer 3 and 4 822 qos map cos dscp 822 qos map dscp mutation 824 qos map phb queue 825 qos map trust mode 826 show qos map...

Page 26: ...rsion exclusive 857 ip igmp snooping vlan general query suppression 858 ip igmp snooping vlan immediate leave 859 ip igmp snooping vlan last memb query count 860 ip igmp snooping vlan last memb query...

Page 27: ...lldp reinit delay 886 lldp tx delay 887 lldp admin status 887 lldp basic tlv management ip address 888 lldp basic tlv port description 889 lldp basic tlv system capabilities 889 lldp basic tlv system...

Page 28: ...client class id 912 ip dhcp restart client 912 ipv6 dhcp restart client vlan 913 show ipv6 dhcp duid 914 show ipv6 dhcp vlan 915 41 IP INTERFACE COMMANDS 917 IPv4 Interface 917 Basic IPv4 Configurati...

Page 29: ...3 ipv6 nd ns interval 944 ipv6 nd reachable time 945 clear ipv6 neighbors 946 show ipv6 neighbors 946 SECTION IV APPENDICES 949 A SOFTWARE SPECIFICATIONS 951 Software Features 951 Management Features...

Page 30: ...CONTENTS 30...

Page 31: ...rs 106 Figure 15 Setting the Time Zone 107 Figure 16 Console Port Settings 108 Figure 17 Telnet Connection Settings 110 Figure 18 Displaying CPU Utilization 111 Figure 19 Displaying Memory Utilization...

Page 32: ...nks 142 Figure 48 Displaying Connection Parameters for Dynamic Trunks 142 Figure 49 Displaying LACP Port Counters 144 Figure 50 Displaying LACP Port Internal Information 146 Figure 51 Displaying LACP...

Page 33: ...Time 189 Figure 86 Displaying the Dynamic MAC Address Table 190 Figure 87 Clearing Entries in the Dynamic MAC Address Table 191 Figure 88 Mirroring Packets Based on the Source MAC Address 192 Figure...

Page 34: ...DSCP Internal Mapping 234 Figure 120 Configuring a Class Map 237 Figure 121 Showing Class Maps 238 Figure 122 Adding Rules to a Class Map 238 Figure 123 Showing the Rules for a Class Map 239 Figure 12...

Page 35: ...Network Access 280 Figure 155 Configuring Interface Settings for Network Access 282 Figure 156 Configuring Link Detection for Network Access 283 Figure 157 Configuring a MAC Address Filter for Network...

Page 36: ...rt Supplicant 337 Figure 193 Setting the Filter Type for IP Source Guard 339 Figure 194 Configuring Static Bindings for IP Source Guard 340 Figure 195 Displaying Static Bindings for IP Source Guard 34...

Page 37: ...NMPv3 Users 389 Figure 228 Showing Remote SNMPv3 Users 389 Figure 229 Configuring Trap Managers SNMPv1 393 Figure 230 Configuring Trap Managers SNMPv2c 393 Figure 231 Configuring Trap Managers SNMPv3...

Page 38: ...8 Figure 266 Showing Static Entries in the DNS Table 438 Figure 267 Showing Entries in the DNS Cache 439 Figure 268 Multicast Filtering Concept 441 Figure 269 Configuring General Settings for IGMP Sno...

Page 39: ...gure 287 Configuring Interface Settings for MVR 468 Figure 288 Assigning Static MVR Groups to a Port 469 Figure 289 Showing the Static MVR Groups Assigned to a Port 469 Figure 290 Displaying MVR Recei...

Page 40: ...FIGURES 40...

Page 41: ...re Queues 226 Table 15 Default Mapping of DSCP Values to Internal PHB Drop Values 230 Table 16 Default Mapping of CoS CFI to Internal PHB Drop Precedence 233 Table 17 Dynamic QoS Profiles 278 Table 18...

Page 42: ...cription 535 Table 48 show logging trap display description 536 Table 49 Event Logging Commands 536 Table 50 Time Commands 540 Table 51 Time Range Commands 545 Table 52 Switch Cluster Commands 548 Tab...

Page 43: ...Commands 690 Table 84 ARP ACL Commands 695 Table 85 ACL Information Commands 698 Table 86 Interface Commands 699 Table 87 show interfaces switchport display description 712 Table 88 Link Aggregation...

Page 44: ...824 Table 119 Mapping Internal Per hop Behavior to Hardware Queues 825 Table 120 Quality of Service Commands 831 Table 121 Multicast Filtering Commands 849 Table 122 IGMP Snooping Commands 849 Table 1...

Page 45: ...v6 interface display description 935 Table 141 show ipv6 mtu display description 937 Table 142 show ipv6 traffic display description 938 Table 143 show ipv6 neighbors display description 947 Table 144...

Page 46: ...TABLES 46...

Page 47: ...view of the switch and introduces some basic concepts about network switches It also describes the basic settings required to access the management interface This section includes these chapters Intro...

Page 48: ...SECTION I Getting Started 48...

Page 49: ...dress filtering General Security Measures Private VLANs Port Authentication Port Security DHCP Snooping IP Source Guard Access Control Lists Supports up to 512 rules 64 ACLs and a maximum of 32 rules...

Page 50: ...ocally or can be verified via a remote authentication server i e RADIUS or TACACS Port based authentication is also supported via the IEEE 802 1X protocol This protocol uses Extensible Authentication...

Page 51: ...bined into an aggregate connection Trunks can be manually set up or dynamically configured using Link Aggregation Control Protocol LACP IEEE 802 3 2005 The additional ports dramatically increase the t...

Page 52: ...physical paths between segments this protocol will choose a single path and disable all others to ensure that only one route exists between any two stations on the network This prevents the creation o...

Page 53: ...restrict traffic to specified interfaces based on protocol type IEEE 802 1Q TUNNELING QINQ This feature is designed for service providers carrying traffic for multiple customers across their networks...

Page 54: ...uarantee real time delivery by setting the required priority level for the designated VLAN The switch uses IGMP Snooping and Query to manage multicast group registration SYSTEM DEFAULTS The switch s s...

Page 55: ...nabled Flow Control Disabled Port Trunking Static Trunks None LACP all ports Disabled Congestion Control Rate Limiting Disabled Storm Control Broadcast Enabled 64 kbits sec Multicast Disabled Unknown...

Page 56: ...signed Subnet Mask 255 255 255 0 Default Gateway 0 0 0 0 DHCP Client Enabled DNS Proxy service Disabled BOOTP Disabled Multicast Filtering IGMP Snooping Layer 2 Snooping Enabled Querier Disabled IGMP...

Page 57: ...rd web browser such as Internet Explorer 5 x or above Netscape 6 2 or above and Mozilla Firefox 2 0 0 0 or above The switch s web management interface can be accessed from any computer attached to the...

Page 58: ...provides an RS 232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch A null modem console cable is provided with the switch Attach a VT100 compatible...

Page 59: ...rotocol An IPv4 address for this switch is obtained via DHCP by default To manually configure this address or enable dynamic address assignment via DHCP see Setting an IP Address on page 61 NOTE This...

Page 60: ...enter admin 3 At the Password prompt also enter admin The password characters are not displayed on the console screen 4 The session is opened and the CLI displays the Console prompt indicating you hav...

Page 61: ...ou can manually assign an IP address to the switch You may also need to specify a default gateway that resides between this device and management stations that exist on another network segment Valid I...

Page 62: ...6 on page 415 Link Local Address All link local addresses must be configured with a prefix of FE80 Remember that this address type makes the switch accessible over IPv6 for all devices attached to the...

Page 63: ...v6 global unicast address for the switch complete the following steps 1 From the global configuration mode prompt type interface vlan 1 to access the interface configuration mode Press Enter 2 From th...

Page 64: ...ote that the ip dhcp restart client command can also be used to start broadcasting service requests for all VLANs configured to obtain address assignments through BOOTP or DHCP It may be necessary to...

Page 65: ...To generate an IPv6 link local address for the switch complete the following steps 1 From the Global Configuration mode prompt type interface vlan 1 to access the interface configuration mode Press En...

Page 66: ...1000 milliseconds Console ENABLING SNMP MANAGEMENT ACCESS The switch can be configured to accept management commands from Simple Network Management Protocol SNMP applications You can configure the sw...

Page 67: ...d mode is rw read write or ro read only Press Enter Note that the default mode is read only 2 To remove an existing string simply type no snmp server community string where string is the community acc...

Page 68: ...he password greenpeace for authentication and the password einstien for encryption Console config snmp server view mib 2 1 3 6 1 2 1 included Console config snmp server view 802 1d 1 3 6 1 2 1 17 incl...

Page 69: ...the start up configuration file is loaded Note that configuration files should be downloaded using a file name that reflects the contents or usage of the file settings If you download directly to the...

Page 70: ...e to FLASH finish Success Console To restore configuration settings from a backup server enter the following command 1 From the Privileged Exec mode prompt type copy tftp startup config and press Ente...

Page 71: ...Interface Configuration on page 117 VLAN Configuration on page 155 Address Table Settings on page 185 Spanning Tree Algorithm on page 193 Rate Limit Configuration on page 217 Storm Control Configurat...

Page 72: ...SECTION II Web Configuration 72...

Page 73: ...ateway using an out of band serial connection BOOTP or DHCP protocol See Setting an IP Address on page 61 2 Set user names and passwords using an out of band serial connection Access to the web agent...

Page 74: ...nistrator has Read Write access to all configuration parameters and statistics The default user name and password for the administrator is admin HOME PAGE When your web browser connects with the switc...

Page 75: ...or item Check for newer versions of stored pages should be Every visit to the page NOTE When using Internet Explorer 5 0 you may have to manually refresh the screen after making configuration changes...

Page 76: ...ade Automatically upgrades operation code if a newer version is found on the server 99 Time 103 Configure General Manual Manually sets the current time 103 SNTP Configures SNTP polling interval 104 Co...

Page 77: ...aggregation group members on the local side 137 Partner Configures parameters for link aggregation group members on the remote side 137 Show Information 143 Counters Displays statistics for LACP prot...

Page 78: ...ynamic VLAN 165 Show VLAN Shows the VLANs this switch has joined through GVRP 165 Show VLAN Member Shows the interfaces assigned to a VLAN through GVRP 165 Tunnel IEEE 802 1Q QinQ Tunneling 168 Config...

Page 79: ...gure Configures global bridge settings for STP RSTP and MSTP 197 Show Information Displays STA values used for the bridge 202 Configure Interface Configure Configures interface settings for STA 203 Sh...

Page 80: ...Creates a class map for a type of traffic 236 Show Shows configured class maps 236 Modify Modifies the name of a class map 236 Add Rule Configures the criteria used to classify ingress traffic 236 Sh...

Page 81: ...service types 265 Configure Service Sets the accounting method applied to specific interfaces for 802 1X CLI command privilege levels for the console port and for Telnet 265 Show Information 265 Summ...

Page 82: ...Copy Certificate Replaces the default secure site certificate 288 SSH Secure Shell 289 Configure Global Configures SSH server settings 292 Configure Host Key 293 Generate Generates the host key pair...

Page 83: ...obal Enables authentication and EAPOL pass through 326 Configure Interface Sets authentication parameters for individual ports 328 Show Statistics Displays protocol statistics for the selected port 33...

Page 84: ...ows configured engine ID for remote devices 375 Configure View 376 Add View Adds an SNMP v3 view of the OID MIB 376 Show View Shows configured SNMP v3 views 376 Add OID Subtree Specifies a part of the...

Page 85: ...Global Globally enables clustering for the switch sets Commander status 406 Configure Member Adds switch Members to the cluster 408 Show Member Shows cluster switch member managed switch members 409...

Page 86: ...ion Protocol Snooping 342 Configure Global Enables DHCP snooping globally MAC address verification information option and sets the information policy 345 Configure VLAN Enables DHCP snooping on a VLAN...

Page 87: ...Range Shows multicast groups assigned to a profile 459 Configure Interface Assigns IGMP filter profiles to port interfaces and sets throttling action 462 MVR Multicast VLAN Registration 463 Configure...

Page 88: ...CHAPTER 3 Using the Web Interface Navigating the Web Browser Interface 88...

Page 89: ...tem start up files Setting the System Clock Sets the current time manually or through specified SNTP servers Console Port Settings Sets console port connection parameters Telnet Settings Sets Telnet c...

Page 90: ...stem Location Specifies the system location System Contact Administrator responsible for the system WEB INTERFACE To configure general system information 1 Click System General 2 Specify the system na...

Page 91: ...us Displays the status of the internal power supply Management Software Information Role Shows that this switch is operating as Master or Slave EPLD Version Version number of EEPROM Programmable Logic...

Page 92: ...Management Commands on page 493 USAGE GUIDELINES To use jumbo frames both the source and destination end nodes such as a computer or server must support this feature Also when the connection is opera...

Page 93: ...t addresses Refer to Setting Static Addresses on page 187 VLAN Version Number Based on IEEE 802 1Q 1 indicates Bridges that support only single spanning tree SST operation and 2 indicates Bridges that...

Page 94: ...R HTTP Use the System File Copy page to upload download firmware or configuration settings using FTP TFTP or HTTP By backing up a file to an FTP TFTP server or management station that file can later b...

Page 95: ...er Name The user name for FTP server access Password The password for FTP server access File Type Specify Operation Code to copy firmware File Name The file name should not contain slashes or the lead...

Page 96: ...rrently used for startup and want to start using the new file reboot the system via the System Reset menu SAVING THE RUNNING CONFIGURATION TO A LOCAL FILE Use the System File Copy page to save the cur...

Page 97: ...ory space WEB INTERFACE To save the running configuration file 1 Click System then File 2 Select Copy from the Action list 3 Select Running Config from the Copy Type list 4 Select the current startup...

Page 98: ...art using the new firmware or configuration settings reboot the system via the System Reset menu SHOWING SYSTEM FILES Use the System File Show page to show the files in the system directory or to dele...

Page 99: ...he host portion of the upgrade file location URL must be a valid IPv4 IP address DNS host names are not recognized Valid IP addresses consist of four numbers 0 to 255 separated by periods The path to...

Page 100: ...ready stored on the switch s file system then the non startup image is deleted before the upgrade image is transferred The automatic upgrade process will take place in the background without impeding...

Page 101: ...s the password for the FTP connection To differentiate the password from the user name and host portions of the URL a colon must precede the password and an at symbol must follow the password If the p...

Page 102: ...e FTP root directory ftp switches upgrade 192 168 0 1 The user name is switches and the password is upgrade The image file is in the FTP root ftp switches upgrade 192 168 0 1 switches opcode The user...

Page 103: ...or event entries You can also manually set the clock If the clock is not set manually or via SNTP the switch will only record the time from the factory default set at the last bootup When the SNTP cli...

Page 104: ...ing the System Clock CONFIGURING SNTP Use the System Time Configure General SNTP page to configure the switch to send time synchronization requests to time servers Set the SNTP polling interval SNTP s...

Page 105: ...m Time Configure Time Server page to specify the IP address for up to three SNTP time servers CLI REFERENCES sntp server on page 542 PARAMETERS The following parameters are displayed SNTP Server IP Ad...

Page 106: ...west after of UTC You can choose one of the 80 predefined time zone definitions or your can manually configure the parameters for your local time zone PARAMETERS The following parameters are displaye...

Page 107: ...stem waits for a user to log into the CLI If a login attempt is not detected within the timeout interval the connection is terminated for the session Range 0 300 seconds Default 0 seconds Exec Timeout...

Page 108: ...aud rate for transmit to terminal and receive from terminal Set the speed to match the baud rate of the device connected to the serial port Range 9600 19200 or 38400 baud Default 115200 baud NOTE The...

Page 109: ...Default 300 seconds Exec Timeout Sets the interval that the system waits until user input is detected If user input is not detected within the timeout interval the current session is terminated Range...

Page 110: ...age to display information on CPU utilization CLI REFERENCES show process cpu on page 504 PARAMETERS The following parameters are displayed Time Interval The interval at which to update the displayed...

Page 111: ...utilization parameters CLI REFERENCES show memory on page 504 PARAMETERS The following parameters are displayed Free Size The amount of memory currently free for use Used Size The amount of memory al...

Page 112: ...512 PARAMETERS The following parameters are displayed System Reload Configuration Reset Mode Restarts the switch immediately or at the specified time s Immediately Restarts the system immediately In...

Page 113: ...Daily Every day Weekly Day of the week at which to reload Range Sunday Saturday Monthly Day of the month at which to reload Range 1 31 WEB INTERFACE To restart the switch 1 Click System then Restart 2...

Page 114: ...CHAPTER 4 Basic Management Tasks Resetting the System 114 Figure 21 Restarting the Switch In Figure 22 Restarting the Switch At...

Page 115: ...CHAPTER 4 Basic Management Tasks Resetting the System 115 Figure 23 Restarting the Switch Regularly...

Page 116: ...CHAPTER 4 Basic Management Tasks Resetting the System 116...

Page 117: ...of the cable used to connect to other devices Traffic Segmentation Configures the uplinks and down links to a segmented group of ports VLAN Trunking Configures a tunnel across one or more intermediat...

Page 118: ...an interface due to abnormal behavior e g excessive collisions and then re enable it after the problem has been resolved You may also disable an interface for security reasons Media Type Configures t...

Page 119: ...lem Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub Default Autonegotiation enabled Advertised capabilities for 100Base TX 10half 10full 100...

Page 120: ...e 117 CLI REFERENCES Interface Commands on page 699 WEB INTERFACE To configure port connection parameters 1 Click Interface Port General 2 Select Configure by Port Range from the Action List 3 Enter t...

Page 121: ...n Media Type Media type used Options RJ 45 Copper Forced SFP Copper Forced SFP Forced or SFP Preferred Auto Default RJ 45 Copper Forced SFP SFP Preferred Auto Autonegotiation Shows if auto negotiation...

Page 122: ...ch or exceed source port speed otherwise traffic may be dropped from the monitor port When mirroring port traffic the target port must be included in the same VLAN as the source port when using MSTP s...

Page 123: ...Select Add from the Action List 3 Specify the source port 4 Specify the monitor port 5 Specify the traffic type to be mirrored 6 Click Apply Figure 28 Configuring Local Port Mirroring To display the c...

Page 124: ...ion port on the same switch local port mirroring as described in Configuring Local Port Mirroring on page 122 or from one or more source ports on remote switches to a destination port on this switch r...

Page 125: ...nnot be used as the destination for RSPAN traffic Spanning Tree If the spanning tree is disabled BPDUs will not be flooded onto the RSPAN VLAN MAC address learning is not supported on RSPAN uplink por...

Page 126: ...Only one uplink port can be configured on a source switch but there is no limitation on the number of uplink ports configured on an intermediate or destination switch Only destination and uplink port...

Page 127: ...session 1 Click Interface RSPAN 2 Set the Switch Role to None Source Intermediate or Destination 3 Configure the required settings for each switch participating in the RSPAN VLAN 4 Click Apply Figure...

Page 128: ...statistics including a total count of different frame types and sizes passing through each port All values displayed have been accumulated since the last system reboot and are shown as counts per seco...

Page 129: ...el protocols requested be transmitted and which were addressed to a broadcast address at this sub layer including those that were discarded or not sent Received Unknown Packets The number of packets r...

Page 130: ...Received Octets Total number of octets of data received on the network This statistic can be used as a reasonable indication of Ethernet utilization Received Packets The total number of packets bad br...

Page 131: ...tatistics 1 Click Interface Port Chart 2 Select the statistics mode to display Interface Etherlike RMON or All 3 If Interface Etherlike RMON statistics mode is chosen select a port from the drop down...

Page 132: ...akes approximately 5 seconds The switch displays the results of the test immediately upon completion including common cable failures as well as the status and approximate length to a fault Potential c...

Page 133: ...switch supports both static trunking and dynamic Link Aggregation Control Protocol LACP Static trunks have to be manually configured at both ends of the link and the switches must comply with the Cis...

Page 134: ...k ports When configuring static trunks on switches of different types they must be compatible with the Cisco EtherChannel standard The ports at both ends of a trunk must be configured in an identical...

Page 135: ...ing the ports and also disconnect the ports before removing a static trunk via the configuration interface PARAMETERS These parameters are displayed Trunk ID Trunk identifier Range 1 5 Member The init...

Page 136: ...port for an additional trunk member 6 Click Apply Figure 39 Adding Static Trunks Members To configure connection parameters for a static trunk 1 Click Interface Trunk Static 2 Select Configure General...

Page 137: ...Configuring Dynamic Trunks CLI REFERENCES Link Aggregation Commands on page 717 COMMAND USAGE To avoid creating a loop in the network be sure you enable LACP before connecting the ports and also disc...

Page 138: ...ic link aggregation group LAG during local LACP setup on the switch Range 0 65535 Configure Aggregation Port General Port Port identifier Range 1 10 LACP Status Enables or disables LACP on a port Conf...

Page 139: ...ort NOTE Configuring the port partner sets the remote side of an aggregate link i e the ports on the attached device The command attributes have the same meaning as those used for the port actor WEB I...

Page 140: ...40 To enable LACP for a port 1 Click Interface Trunk Dynamic 2 Select Configure Aggregation Port from the Step list 3 Select Configure from the Action list 4 Click General 5 Enable LACP on the require...

Page 141: ...st 3 Select Configure from the Action list 4 Click Actor or Partner 5 Configure the required settings 6 Click Apply Figure 45 Configuring LACP Parameters on a Port To show the active members of a dyna...

Page 142: ...4 Modify the required interface settings See Configuring by Port List on page 117 for a description of the interface settings 5 Click Apply Figure 47 Configuring Connection Settings for Dynamic Trunk...

Page 143: ...Table 6 LACP Port Counters Parameter Description LACPDUs Sent Number of valid LACPDUs transmitted from this channel group LACPDUs Received Number of valid LACPDUs received on this channel group Marker...

Page 144: ...te for the local side of a link aggregation CLI REFERENCES show lacp on page 723 PARAMETERS These parameters are displayed Table 7 LACP Internal Configuration Information Parameter Description LACP Sy...

Page 145: ...lecting Collection of incoming frames on this link is enabled i e collection is currently enabled and is not expected to be disabled in the absence of administrative changes or changes in received pro...

Page 146: ...FOR THE REMOTE SIDE Use the Interface Trunk Dynamic Configure Aggregation Port Show Information Neighbors page to display the configuration settings and operational state for the remote side of a lin...

Page 147: ...o this aggregation port by the port s protocol partner Port Admin Priority Current administrative value of the port priority for the protocol partner Port Oper Priority Priority value assigned to this...

Page 148: ...e is detected the switch automatically turns off the transmitter and most of the receive circuitry entering Sleep Mode In this mode the low power energy detection circuit continuously checks for energ...

Page 149: ...ving Status Adjusts the power provided to ports based on the length of the cable used to connect to other devices Only sufficient power is used to maintain connection requirements Default Enabled on G...

Page 150: ...downlink ports is only forwarded to and from uplink ports ENABLING TRAFFIC SEGMENTATION Use the Interface Traffic Segmentation Configure Global page to enable traffic segmentation CLI REFERENCES Confi...

Page 151: ...nfiguring Port based Traffic Segmentation on page 800 PARAMETERS These parameters are displayed Interface Displays a list of ports or trunks Port Port Identifier Range 1 10 Trunk Trunk Identifier Rang...

Page 152: ...he path connecting VLANs 1 and 2 you only need to create these VLAN groups in switches A and B Switches C D and E automatically allow frames with VLAN group tags 1 and 2 groups that are unknown to tho...

Page 153: ...bled on Gigabit ports Trunk Trunk Identifier Range 1 5 VLAN Trunking Status Enables VLAN trunking on the selected interface WEB INTERFACE To enable VLAN trunking on a port or trunk 1 Click Interface V...

Page 154: ...CHAPTER 5 Interface Configuration VLAN Trunking 154...

Page 155: ...each subnet into separate domains This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains VLANs confine broadcast traffi...

Page 156: ...a tagged port if you want it to carry traffic for one or more VLANs and any intermediate network devices or the host at the other end of the connection supports VLANs Then assign ports on the other V...

Page 157: ...assigned If an end station or its network adapter supports the IEEE 802 1Q VLAN protocol it can be configured to broadcast a message to your network indicating the VLAN groups it wants to join When t...

Page 158: ...must first strip off the VLAN tag before forwarding the frame When the switch receives a tagged frame it will pass this frame onto the VLAN s indicated by the frame tag However when this switch receiv...

Page 159: ...nfigured VLAN VLAN Name Name of the VLAN Status Operational status of configured VLAN Remote VLAN Shows if RSPAN is enabled on this VLAN see Configuring Remote Port Mirroring on page 124 WEB INTERFACE...

Page 160: ...atic 2 Select Show from the Action list Figure 61 Showing Static VLANs ADDING STATIC MEMBERS TO VLANS Use the VLAN Static page to configure port members for the selected VLAN index interface or a rang...

Page 161: ...annot be set to access mode and vice versa Hybrid Specifies a hybrid VLAN interface The port may transmit tagged or untagged frames 1Q Trunk Specifies a port as an end point for a VLAN trunk A trunk i...

Page 162: ...transmitted by the port will be tagged that is carry a tag and therefore carry VLAN or CoS information Untagged Interface is a member of the VLAN All packets transmitted by the port will be untagged...

Page 163: ...page WEB INTERFACE To configure static members by the VLAN index 1 Click VLAN Static 2 Select Edit Member by VLAN from the Step list 3 Set the Interface type to display as Port or Trunk 4 Modify the s...

Page 164: ...LAN Members by Interface To configure static members by interface range 1 Click VLAN Static 2 Select Edit Member by Interface Range from the Step list 3 Set the Interface type to display as Port or Tr...

Page 165: ...re dynamically configured based on join messages issued by host devices and propagated throughout the network GVRP must be enabled to permit automatic VLAN registration and to support VLANs which exte...

Page 166: ...terval should be considerably larger than the Leave Time to minimize the amount of traffic generated by nodes rejoining the group Range 500 18000 centiseconds Default 1000 Show Dynamic VLAN Show VLAN...

Page 167: ...s or timers for any interface 5 Click Apply Figure 66 Configuring GVRP for an Interface To show the dynamic VLAN joined by this switch 1 Click VLAN Dynamic 2 Select Show Dynamic VLAN from the Step lis...

Page 168: ...VLAN limit of 4096 QinQ tunneling uses a single Service Provider VLAN SPVLAN for customers who have multiple VLANs Customer VLAN IDs are preserved and traffic from different customers is segregated w...

Page 169: ...entering a QinQ tunnel port are processed in the following manner 1 New SPVLAN tags are added to all incoming packets no matter how many tags they already have The ingress process constructs and inse...

Page 170: ...native tag is added to the packet This outer tag is used for learning and switching packets within the service provider s network The TPID must be configured on a per port basis and the verification...

Page 171: ...provider network There are some inherent incompatibilities between Layer 2 and Layer 3 switching Tunnel ports do not support IP Access Control Lists Layer 3 Quality of Service QoS and other QoS featur...

Page 172: ...abled Ethernet Type The Tag Protocol Identifier TPID specifies the ethertype of incoming packets on a tunnel port Range hexadecimal 0800 FFFF Default 8100 Use this field to set a custom 802 1Q etherty...

Page 173: ...the attached client is using a nonstandard 2 byte ethertype to identify 802 1Q tagged frames Then use the Configure Interface page to set the access interface on the edge switch to Tunnel mode and se...

Page 174: ...nfiguration deprives users of the basic benefits of VLANs including security and easy accessibility To avoid these problems you can configure this switch with protocol based VLANs that divide the phys...

Page 175: ...rame type used by this protocol Protocol Type Specifies the protocol type to match The available options are IP ARP RARP and IPv6 If LLC Other is chosen for the Frame Type the only available Protocol...

Page 176: ...rom the Action list 4 Select an entry from the Frame Type list 5 Select an entry from the Protocol Type list 6 Enter an identifier for the protocol group 7 Click Apply Figure 72 Configuring Protocol V...

Page 177: ...e associated VLAN When a frame enters a port that has been assigned to a protocol VLAN it is processed in the following manner If the frame is tagged it will be processed according to the standard rul...

Page 178: ...lect a port or trunk 5 Enter the identifier for a protocol group 6 Enter the corresponding VLAN to which the protocol traffic will be forwarded 7 Click Apply Figure 74 Assigning Interfaces to Protocol...

Page 179: ...to only one VLAN ID An IP subnet consists of an IP address and a mask When an untagged frame is received by a port the source IP address is checked against the IP subnet to VLAN mapping table and if a...

Page 180: ...field 4 Enter a mask in the Subnet Mask field 5 Enter the identifier in the VLAN field Note that the specified VLAN need not already be configured 6 Enter a value to assign to untagged frames in the...

Page 181: ...VLANs on page 808 COMMAND USAGE The MAC to VLAN mapping applies to all ports on the switch Source MAC addresses can be mapped to only one VLAN ID Configured MAC addresses cannot be broadcast or multic...

Page 182: ...s in the MAC Address field 4 Enter an identifier in the VLAN field Note that the specified VLAN need not already be configured 5 Enter a value to assign to untagged frames in the Priority field 6 Clic...

Page 183: ...led the target port can receive a mirrored packet twice once from the source mirror port and again from the source mirrored VLAN The target port receives traffic from all monitored source VLANs and ca...

Page 184: ...mirroring 1 Click VLAN Mirror 2 Select Add from the Action list 3 Select the source VLAN and select a target port 4 Click Apply Figure 80 Configuring VLAN Mirroring To show the VLANs to be mirrored 1...

Page 185: ...ed source address to a target port CONFIGURING MAC ADDRESS LEARNING Use the MAC Address Learning Status page to enable or disable MAC address learning on an interface CLI REFERENCES mac learning on pa...

Page 186: ...ity Status see Configuring Port Security on page 323 is enabled on the same interface PARAMETERS These parameters are displayed Interface Displays a list of ports or trunks Port Port Identifier Range...

Page 187: ...ress is seen on another interface the address will be ignored and will not be written to the address table Static addresses will not be removed from the address table when a given interface link is do...

Page 188: ...dresses CHANGING THE AGING TIME Use the MAC Address Dynamic Configure Aging page to set the aging time for entries in the dynamic address table The aging time is used to age out dynamically learned fo...

Page 189: ...source address for traffic entering the switch When the destination address for inbound traffic is found in the database the packets intended for that address are forwarded directly to the associated...

Page 190: ...ng the Dynamic MAC Address Table CLEARING THE DYNAMIC ADDRESS TABLE Use the MAC Address Dynamic Clear Dynamic MAC page to remove any learned entries from the forwarding database CLI REFERENCES clear m...

Page 191: ...ive manner CLI REFERENCES Local Port Mirroring Commands on page 727 COMMAND USAGE When mirroring traffic from a MAC address ingress traffic with the specified source address entering any port in the s...

Page 192: ...rt The port that will mirror the traffic from the source port Range 1 10 WEB INTERFACE To mirror packets based on a MAC address 1 Click MAC Address Mirror 2 Select Add from the Action list 3 Specify t...

Page 193: ...nt switch bridge or router in your network to ensure that only one route exists between any two stations on the network and provide backup links which automatically take over when a primary link goes...

Page 194: ...seconds compared to 30 seconds or more for STP by reducing the number of state changes before active ports start learning predefining an alternate route that can be used when a node or port fails and...

Page 195: ...cations with STP or RSTP nodes in the global network Figure 92 Common Internal Spanning Tree Common Spanning Tree Internal Spanning Tree MSTP connects all bridges and LAN segments with a single Common...

Page 196: ...eceive it s own BPDUs in a forward delay interval NOTE If loopback detection is not enabled and an interface receives it s own BPDU then the interface will drop the loopback BPDU according to IEEE Sta...

Page 197: ...MAND USAGE Spanning Tree Protocol1 Uses RSTP for the internal state machine but sends only 802 1D BPDUs This creates one spanning tree instance for the entire network If multiple VLANs are implemented...

Page 198: ...bridges that have compatible VLAN instance assignments Be careful when switching between spanning tree modes Changing modes stops all spanning tree instances for the previous mode and restarts the sy...

Page 199: ...The maximum time in seconds a device can wait without receiving a configuration message before attempting to reconfigure All device ports except for designated ports should receive configuration messa...

Page 200: ...his MSTI Maximum length 32 characters switch s MAC address Maximum Hop Count The maximum number of hops allowed in the MST region before a BPDU is discarded Range 1 40 Default 20 WEB INTERFACE To conf...

Page 201: ...CHAPTER 8 Spanning Tree Algorithm Configuring Global Settings for STA 201 Figure 95 Configuring Global Settings for STA RSTP Figure 96 Configuring Global Settings for STA MSTP...

Page 202: ...d MAC address where the address is taken from the switch system Designated Root The priority and MAC address of the device in the Spanning Tree that this switch has accepted as the root device Root Po...

Page 203: ...57 PARAMETERS These parameters are displayed Interface Displays a list of ports or trunks Spanning Tree Enables disables STA on this interface Default Enabled Priority Defines the priority used for th...

Page 204: ...ines if the interface is attached to a point to point link or to shared media This is the default setting 3 Refer to Configuring Global Settings for STA on page 197 for information on setting the path...

Page 205: ...that Edge Port should only be enabled for ports connected to an end node device Default Disabled Enabled Manually configures a port as an Edge Port Disabled Disables the Edge Port setting Auto The por...

Page 206: ...on configured edge ports that are connected to end nodes By default STA sends BPDUs to all ports regardless of whether administrative edge is enabled on a port BDPU filtering is configured on a per p...

Page 207: ...esses The rules defining port status are A port on a network segment with no other STA compliant bridging device is always forwarding If two ports of a switch are connected to the same segment and the...

Page 208: ...er bridge is attached to this port Port Role Roles are assigned according to whether the port is part of the active topology connecting the bridge to the root bridge i e root port connecting a LAN thr...

Page 209: ...multiple pathways across the network thereby balancing the traffic load preventing wide scale disruption when a bridge node in a single instance fails and allowing for faster convergence of a new top...

Page 210: ...ame MSTI settings PARAMETERS These parameters are displayed MST ID Instance identifier to configure Range 0 4094 VLAN ID VLAN to assign to this MST instance Range 1 4093 Priority The priority of a spa...

Page 211: ...nstance To show the MSTP instances 1 Click Spanning Tree MSTP 2 Select Configure Global from the Step list 3 Select Show from the Action list The attributes displayed on this page are described under...

Page 212: ...ect an MST instance from the MST ID list 5 Enter the VLAN group to add to the instance in the VLAN ID field Note that the specified member does not have to be a configured VLAN 6 Click Apply Figure 10...

Page 213: ...port in the Spanning Tree Protocol If the path cost for all ports on a switch are the same the port with the highest priority i e lowest value will be configured as an active link in the Spanning Tree...

Page 214: ...INTERFACE To configure MSTP parameters for a port or trunk 1 Click Spanning Tree MSTP 2 Select Configure Interface from the Step list 3 Select Configure from the Action list 4 Enter the priority and p...

Page 215: ...CHAPTER 8 Spanning Tree Algorithm Configuring Interface Settings for MSTP 215 Figure 106 Displaying MSTP Interface Settings...

Page 216: ...CHAPTER 8 Spanning Tree Algorithm Configuring Interface Settings for MSTP 216...

Page 217: ...can be applied to individual ports When an interface is configured with this feature the traffic rate will be monitored by the hardware to verify conformity Non conforming traffic is dropped conformin...

Page 218: ...uration 218 WEB INTERFACE To configure rate limits 1 Click Traffic Rate Limit 2 Enable the Rate Limit Status for the required ports 3 set the rate limit for the individual ports 4 Click Apply Figure 1...

Page 219: ...t packet rate on page 707 COMMAND USAGE Broadcast Storm Control is enabled by default Broadcast control does not effect IP multicast traffic PARAMETERS These parameters are displayed Interface Display...

Page 220: ...nfigure broadcast storm control 1 Click Traffic Storm Control 2 Set the Status field to enable or disable storm control 3 Set the required threshold beyond which the switch will start dropping packets...

Page 221: ...cessing LAYER 2 QUEUE SETTINGS This section describes how to configure the default priority for untagged frames set the queue mode set the weights assigned to each queue and map class of service tags...

Page 222: ...k Apply Figure 109 Setting the Default Port Priority SELECTING THE QUEUE MODE Use the Traffic Priority Queue page to set the queue mode for the egress queues on any interface The switch can be set to...

Page 223: ...rvice is used for the high priority queues and weighted service for the remaining queues The queues assigned to use strict priority should be specified using the Strict Mode field parameter A weight c...

Page 224: ...ht Sets a weight for each queue which is used by the SDWRR scheduler Range 1 255 Default Weights 1 2 4 6 are assigned to queues 0 3 respectively WEB INTERFACE To configure the queue mode 1 Click Traff...

Page 225: ...eight separate traffic priorities are defined in IEEE 802 1p Default priority levels are assigned according to recommendations in the IEEE 802 1p standard as shown in Table 12 The following table indi...

Page 226: ...the highest CoS priority queue WEB INTERFACE To map internal PHB to hardware queues 1 Click Traffic Priority PHB to Queue 2 Select Add from the Action list 3 Set the queue mode 4 Map an internal PHB...

Page 227: ...tings 227 Figure 113 Mapping CoS Values to Egress Queues To show the internal PHB to hardware queue map 1 Click Traffic Priority PHB to Queue 2 Select Show from the Action list 3 Select an interface F...

Page 228: ...ine the hardware queues used for egress traffic not to replace the priority values These defaults are designed to optimize priority services for the majority of network applications It should not be n...

Page 229: ...Apply Figure 115 Setting the Trust Mode MAPPING INGRESS DSCP VALUES TO INTERNAL DSCP VALUES Use the Traffic Priority DSCP to DSCP page to map DSCP values in incoming packets to per hop behavior and dr...

Page 230: ...value in ingress packets Range 0 63 PHB Per hop behavior or the priority used for this router hop Range 0 7 Drop Precedence Drop precedence used for Random Early Detection in controlling traffic conge...

Page 231: ...ity DSCP to DSCP 2 Select Add from the Action list 3 Set the PHB and drop precedence for any DSCP value 4 Click Apply Figure 116 Configuring DSCP to DSCP Internal Mapping To show the DSCP to internal...

Page 232: ...for per hop behavior PHB which determines the queue to which a packet is sent and two bits for drop precedence namely color which is used by Random Early Detection RED to control traffic congestion R...

Page 233: ...ority CoS to DSCP 2 Select Add from the Action list 3 Set the PHB and drop precedence for any of the CoS CFI combinations 4 Click Apply Figure 118 Configuring CoS to DSCP Internal Mapping Table 16 Def...

Page 234: ...ayer 3 4 Priority Settings 234 To show the CoS CFI to internal PHB drop precedence map 1 Click Traffic Priority CoS to DSCP 2 Select Show from the Action list 3 Select an interface Figure 119 Showing...

Page 235: ...t kinds of traffic can be marked for different kinds of forwarding All switches or routers that access the Internet rely on class information to provide the same forwarding treatment to packets in the...

Page 236: ...ured to monitor the maximum throughput and burst rate Then specify the action to take for conforming traffic or the action to take for a policy violation 5 Use the Configure Interface page to assign a...

Page 237: ...e lone match command ACL List Name of an access control list Any type of ACL can be specified including standard or extended IP ACLs and MAC ACLs IP DSCP A DSCP value Range 0 63 IP Precedence An IP Pr...

Page 238: ...aps To edit the rules for a class map 1 Click Traffic DiffServ 2 Select Configure Class from the Step list 3 Select Add Rule from the Action list 4 Select the name of a class map 5 Specify type of tra...

Page 239: ...ich indicates how to match the inbound packets according to an access list a DSCP or IP Precedence value or a member of specific VLAN A policy map is then configured which indicates the boundary param...

Page 240: ...Early Detection A packet is marked green if it doesn t exceed the committed information rate and committed burst size yellow if it does exceed the committed information rate and committed burst size b...

Page 241: ...roughput peak information rate PIR and their associated burst sizes committed burst size BC or burst rate and peak burst size BP Action may taken for traffic conforming to the maximum throughput excee...

Page 242: ...red or if Tp t B 0 the packet is red else if the packet has been precolored as yellow or if Tc t B 0 the packet is yellow and Tp is decremented by B else the packet is green and both Tp and Tc are dec...

Page 243: ...edence on page 233 Set PHB Configures the service provided to ingress traffic by setting the internal per hop behavior for a matching packet as specified in rule settings for a class map Range 0 7 See...

Page 244: ...the maximum throughput but within the excess burst size or exceeding the excess burst size In addition to the actions defined by this command to transmit remark the DSCP service value or drop a packe...

Page 245: ...committed burst size BC or burst rate and peak burst size BP and the action to take for traffic conforming to the maximum throughput exceeding the maximum throughput but within the peak information ra...

Page 246: ...level Transmit Transmits in conformance traffic without any change to the DSCP service level Exceed Specifies whether traffic that exceeds the maximum rate CIR but is within the peak information rate...

Page 247: ...onfigure Policy from the Step list 3 Select Add from the Action list 4 Enter a policy name 5 Enter a description 6 Click Add Figure 124 Configuring a Policy Map To show the configured policy maps 1 Cl...

Page 248: ...behavior for matching packets to specify the quality of service to be assigned to the matching traffic class Use one of the metering options to define parameters such as the maximum throughput and bur...

Page 249: ...raffic DiffServ Configure Interface page to bind a policy map to an ingress port CLI REFERENCES Quality of Service Commands on page 831 COMMAND USAGE First define a class map define a policy map and b...

Page 250: ...o bind a policy map to a port 1 Click Traffic DiffServ 2 Select Configure Interface from the Step list 3 Check the box under the Ingress field to enable a policy map for a port 4 Select a policy map f...

Page 251: ...isolating the VoIP traffic from other data traffic End to end QoS policies and high priority can be applied to VoIP VLAN traffic across the network guaranteeing the bandwidth it needs VLAN isolation...

Page 252: ...ted on the switch Range 1 4093 Voice VLAN Aging Time The time after which a port is removed from the Voice VLAN when VoIP traffic is no longer received on the port Range 5 43200 minutes Default 1440 m...

Page 253: ...rs are displayed Telephony OUI Specifies a MAC address range to add to the list Enter the MAC address in format 01 23 45 67 89 AB Mask Identifies a range of MAC addresses Selecting a mask of FF FF FF...

Page 254: ...nterface page to configure ports for VoIP traffic you need to set the mode Auto or Manual specify the discovery method to use and set the traffic priority You can also enable security filtering to ens...

Page 255: ...the port Default OUI OUI Traffic from VoIP devices is detected by the Organizationally Unique Identifier OUI of the source MAC address OUI numbers are assigned to manufacturers and form the first thr...

Page 256: ...CHAPTER 13 VoIP Traffic Configuration Configuring VoIP Traffic Ports 256 Figure 132 Configuring Port Settings for a Voice VLAN...

Page 257: ...are infeasible or impractical Network Access Configure MAC authentication intrusion response dynamic VLAN assignment and dynamic QoS assignment HTTPS Provide a secure web connection SSH Provide a sec...

Page 258: ...ers in the network The security servers can be defined as sequential groups that are applied as a method for controlling user access to specified services For example when the switch attempts to authe...

Page 259: ...e on page 586 COMMAND USAGE By default management access is always checked against the authentication database stored on the local switch If a remote authentication server is used you must specify the...

Page 260: ...e logon authentication protocols that use software running on a central server to control access to RADIUS aware or TACACS aware devices on the network An authentication server contains a database of...

Page 261: ...gest 5 TLS Transport Layer Security or TTLS Tunneled Transport Layer Security PARAMETERS These parameters are displayed Configure Server RADIUS Global Provides globally applicable RADIUS settings Serv...

Page 262: ...CS server used for authentication messages Range 1 65535 Default 49 Set Key Mark this box to set or modify the encryption key Authentication Key Encryption key used to authenticate logon access for cl...

Page 263: ...globally to all specified servers or select a specific Server Index to specify the parameters that apply to a specific server 5 To set or modify the authentication key mark the Set Key box enter the...

Page 264: ...Step list 3 Select Add from the Action list 4 Select RADIUS or TACACS server type 5 Enter the group name followed by the index of the server to use for each priority level 6 Click Apply Figure 137 Co...

Page 265: ...ters are displayed Configure Global Periodic Update Specifies the interval at which the local accounting service updates information for all users on the system to the accounting server Range 0 214748...

Page 266: ...ed in the Configure Method page Range 1 255 characters Exec Console Method Name Specifies a user defined method name to apply to console connections Telnet Method Name Specifies a user defined method...

Page 267: ...lick Apply Figure 139 Configuring Global Settings for AAA Accounting To configure the accounting method applied to various service types and the assigned server group 1 Click Security AAA Accounting 2...

Page 268: ...e Action list Figure 141 Showing AAA Accounting Methods To configure the accounting method applied to specific interfaces console commands entered at specific privilege levels and local console Telnet...

Page 269: ...ecified service types 1 Click Security AAA Accounting 2 Select Show Information from the Step list 3 Click Summary Figure 144 Displaying a Summary of Applied AAA Accounting Methods To display basic ac...

Page 270: ...Method Name Specifies an authorization method for service requests The default method is used for a requested service if no other methods have been defined Range 1 255 characters Server Group Name Spe...

Page 271: ...the Exec service type and the assigned server group 1 Click Security AAA Authorization 2 Select Configure Method from the Step list 3 Specify the name of the authorization method and server group name...

Page 272: ...Configure Service from the Step list 3 Enter the required authorization method 4 Click Apply Figure 148 Configuring AAA Authorization Methods for Exec Service To display a the configured authorization...

Page 273: ...rameters are displayed User Name The name of the user Maximum length 32 characters maximum number of users 16 Access Level Specifies the user level Options 0 Normal 15 Privileged Normal privilege leve...

Page 274: ...on are infeasible or impractical The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries All other traffic except for HTTP...

Page 275: ...e enabled for any port where required under the Configure Interface menu Session Timeout Configures how long an authenticated session stays active before it must re authenticate itself Range 300 3600...

Page 276: ...ress Indicates the IP address of each connected host Remaining Session Time Indicates the remaining time until the current authorization session for the host expires Apply Enables web authentication i...

Page 277: ...n trunk ports CLI REFERENCES Network Access MAC Address Authentication on page 641 COMMAND USAGE MAC address authentication controls access to the network by authenticating the MAC address of each hos...

Page 278: ...e Group ID attribute The VLAN list can contain multiple VLAN identifiers in the format 1u 2t 3u where u indicates an untagged VLAN and t a tagged VLAN The RADIUS server may optionally return dynamic Q...

Page 279: ...itch restores the original QoS configuration for the port When a user attempts to log into the network with a returned dynamic QoS profile that is different from users already logged on to the same po...

Page 280: ...0000 seconds WEB INTERFACE To configure aging status and reauthentication time for MAC address authentication 1 Click Security Network Access 2 Select Configure Global from the Step list 3 Enable or d...

Page 281: ...ment for an authenticated port When enabled any VLAN identifiers returned by the RADIUS server are applied to the port providing the VLANs have already been created on the switch GVRP is not used to c...

Page 282: ...NMP trap and or shut down a port when a link event occurs CLI REFERENCES Network Access MAC Address Authentication on page 641 PARAMETERS These parameters are displayed Link Detection Status Configure...

Page 283: ...age to designate specific MAC addresses or MAC address ranges as exempt from authentication MAC addresses present in MAC Filter tables activated on a port are treated as pre authenticated on that port...

Page 284: ...a MAC address filter for MAC authentication 1 Click Security Network Access 2 Select Configure MAC Filter from the Step list 3 Select Add from the Action list 4 Enter a filter ID MAC address and opti...

Page 285: ...Specifies a port interface Attribute Displays static or dynamic addresses Authenticated MAC Address List MAC Address The authenticated MAC address Interface The port interface associated with a secur...

Page 286: ...CES Web Server on page 603 COMMAND USAGE Both the HTTP and HTTPS service can be enabled independently on the switch However you cannot configure both services to use the same UDP port HTTP can only be...

Page 287: ...he HTTPS server feature on the switch Default Enabled HTTPS Port Specifies the UDP port number used for HTTPS connection to the switch s web interface Default Port 443 WEB INTERFACE To configure HTTPS...

Page 288: ...se the default certificate for the switch is not unique to the hardware you have purchased When you have obtained these place them on your TFTP server and transfer them to the switch to replace the de...

Page 289: ...l and rcp remote copy are not secure from hostile attacks The Secure Shell SSH includes server client applications intended as a secure replacement for the older Berkeley remote access tools SSH can a...

Page 290: ...ear similar to the following example 10 1 0 54 1024 35 15684995401867669259333946775054617325313674890836547254 15020245593199868544358361651999923329781766065830956 10825913212890233 7654680172627257...

Page 291: ...1 5 Clients a The client sends its RSA public key to the switch b The switch compares the client s public key to those stored in memory c If a match is found the switch uses its secret key to generate...

Page 292: ...SSH Server Status Allows you to enable disable the SSH server on the switch Default Disabled Version The Secure Shell version number Version 2 0 is displayed but the switch supports management access...

Page 293: ...After generating this key pair you must provide the host public key to SSH clients and import the client s public key to the switch as described in the section Importing User Public Keys on page 295...

Page 294: ...emory to flash memory Otherwise the host key pair is stored to RAM by default Note that you must select this item prior to generating the host key pair Default Disabled WEB INTERFACE To generate the S...

Page 295: ...or the user to be able to log in using the public key authentication mechanism If the user s public key does not exist on the switch SSH will revert to the interactive password authentication mechanis...

Page 296: ...on 2 for SSHv2 clients TFTP Server IP Address The IP address of the TFTP server that contains the public key file you wish to import Source File Name The public key file to upload WEB INTERFACE To cop...

Page 297: ...or any frames based on MAC address or Ethernet type To filter incoming packets first create an access list add the required rules and then bind the list to a specific port Configuring Access Control L...

Page 298: ...uring which ACL functions are applied CLI REFERENCES Time Range on page 545 PARAMETERS These parameters are displayed Add Time Range Name Name of a time range Range 1 30 characters Add Rule Time Range...

Page 299: ...etting the Name of a Time Range To show a list of time ranges 1 Click Security ACL 2 Select Configure Time Range from the Step list 3 Select Show from the Action list Figure 168 Showing a List of Time...

Page 300: ...for the selected mode 7 Click Apply Figure 169 Add a Rule to a Time Range To show the rules configured for a time range 1 Click Security ACL 2 Select Configure Time Range from the Step list 3 Select...

Page 301: ...or traps For example when binding an ACL to a port each rule in an ACL will use two PCEs and when setting an IP Source Guard filter rule for a port the system will also use two PCEs PARAMETERS These...

Page 302: ...filter modes are supported IP Standard IPv4 ACL mode filters packets based on the source IPv4 address IP Extended IPv4 ACL mode filters packets based on the source or destination IPv4 address as well...

Page 303: ...CL 2 Select Configure ACL from the Step list 3 Select Add from the Action list 4 Fill in the ACL Name field and select the ACL type 5 Click Apply Figure 172 Creating an ACL To show a list of ACLs 1 Cl...

Page 304: ...Address and Subnet Mask fields Options Any Host IP Default Any Source IP Address Source IP address Source Subnet Mask A subnet mask containing four integers from 0 to 255 each separated by a period Th...

Page 305: ...s matching the selected type Action An ACL can contain any combination of permit or deny rules Source Destination Address Type Specifies the source or destination IP address Use Any to include all pos...

Page 306: ...yte 14 of the TCP header Range 0 63 Control Code Bit Mask Decimal number representing the code bits to match Range 0 63 The control bit mask is a decimal number for an equivalent binary bit mask that...

Page 307: ...nded IP from the Type list 5 Select the name of an ACL from the Name list 6 Specify the action i e Permit or Deny 7 Select the address type Any Host or IP 8 If you select Host enter a specific address...

Page 308: ...e with the Address and Bit Mask fields Options Any Host MAC Default Any Source Destination MAC Address Source or destination MAC address Source Destination Bit Mask Hexadecimal mask for source or dest...

Page 309: ...Type list 5 Select the name of an ACL from the Name list 6 Specify the action i e Permit or Deny 7 Select the address type Any Host or MAC 8 If you select Host enter a specific address e g 11 22 33 44...

Page 310: ...fault Request Source Destination IP Address Type Specifies the source or destination IPv4 address Use Any to include all possible addresses Host to specify a specific host address in the Address field...

Page 311: ...e Type list 5 Select the name of an ACL from the Name list 6 Specify the action i e Permit or Deny 7 Select the packet type Request Response All 8 Select the address type Any Host or IP 9 If you selec...

Page 312: ...t CLI REFERENCES ip access group on page 688 show ip access group on page 689 mac access group on page 693 show mac access group on page 694 Time Range on page 545 COMMAND USAGE This switch supports A...

Page 313: ...e middle attacks This is accomplished by intercepting all ARP requests and responses and verifying each of these packets before the local ARP cache is updated or the packet is forwarded to the appropr...

Page 314: ...not affect the ARP Inspection configuration of any VLANs When ARP Inspection is disabled globally it is still possible to configure ARP Inspection for individual VLANs These configuration changes will...

Page 315: ...e controlled basis After the system message is generated the entry is cleared from the log buffer Each log entry contains flow information such as the receiving VLAN the port number the source and des...

Page 316: ...ARP Inspection 2 Select Configure General from the Step list 3 Enable ARP inspection globally enable any of the address validation options and adjust any of the logging parameters if required 4 Click...

Page 317: ...RS These parameters are displayed ARP Inspection VLAN ID Selects any configured VLAN Default 1 ARP Inspection VLAN Status Enables ARP Inspection for the selected VLAN Default Disabled ARP Inspection A...

Page 318: ...re subject to ARP packet rate limiting and all trusted ports are exempt from ARP packet rate limiting Packets arriving on trusted interfaces bypass all ARP Inspection and ARP Inspection Validation che...

Page 319: ...us reasons CLI REFERENCES show ip arp inspection statistics on page 681 PARAMETERS These parameters are displayed Table 19 ARP Inspection Statistics Parameter Description Received ARP packets before A...

Page 320: ...AN port and address components CLI REFERENCES show ip arp inspection log on page 681 PARAMETERS These parameters are displayed ARP packets dropped by additional validation Src MAC Count of packets tha...

Page 321: ...to all IP addresses by default Once you add an entry to a filter list access to that interface is restricted to the specified addresses If anyone tries to access a management interface on the switch...

Page 322: ...rt address and end address PARAMETERS These parameters are displayed Mode Web Configures IP address es for the web group SNMP Configures IP address es for the SNMP group Telnet Configures IP address e...

Page 323: ...ess table will be authorized to access the network through that port If a device with an unauthorized MAC address attempts to use the switch port the intrusion will be detected and the switch can auto...

Page 324: ...played Port Port number Action Indicates the action to be taken when a port security violation is detected None No action should be taken This is the default Trap Send an SNMP trap message Shutdown Di...

Page 325: ...enticator responds with an EAPOL identity request The client provides its identity such as a user name in an EAPOL response to the switch which it forwards to the RADIUS server The RADIUS server verif...

Page 326: ...nd client also have to support the same EAP authentication type MD5 PEAP TLS or TTLS Native support for these encryption methods is provided in Windows XP and in Windows 2000 with Service Pack 4 To su...

Page 327: ...le User Name The dot1x supplicant user name Range 1 8 characters The global supplicant user name and password are used to identify this switch as a supplicant when responding to an MD5 challenge from...

Page 328: ...s attached to the switch and the authentication server configure the parameters for the exchange of EAP messages between the authenticator and clients on the Authenticator configuration page When devi...

Page 329: ...s the port to deny access to all clients either dot1x aware or otherwise Operation Mode Allows single or multiple hosts clients to connect to an 802 1X authorized port Default Single Host Single Host...

Page 330: ...thentication information It may also send other EAP request frames to the client during an active connection as required for reauthentication Server Timeout Sets the time that a switch port waits for...

Page 331: ...kets sent to the Supplicant without receiving a response Identifier Server Identifier carried in the most recent EAP Success Failure or Request packet received from the Authentication Server Reauthent...

Page 332: ...t page to configure 802 1X port settings for supplicant requests issued from a port to an authenticator on another device When 802 1X is enabled and the control mode is set to Force Authorized see Con...

Page 333: ...displayed Port Port number PAE Supplicant Enables PAE supplicant mode Default Disabled If the attached client must be authenticated through another device in the network supplicant status must be enab...

Page 334: ...STATISTICS Use the Security Port Authentication Configure Interface page to display statistics for dot1x protocol exchanges for any port CLI REFERENCES show dot1x on page 630 PARAMETERS These paramete...

Page 335: ...OL frames that have been received by this Supplicant in which the frame type is not recognized Rx EAPOL Total The number of valid EAPOL frames of any type that have been received by this Supplicant Rx...

Page 336: ...rt Authentication 336 WEB INTERFACE To display port authenticator statistics for 802 1X 1 Click Security Port Authentication 2 Select Show Statistics from the Step list 3 Click Authenticator Figure 19...

Page 337: ...nooping on page 342 IP source guard can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighbor to access the network This section describes commands used to co...

Page 338: ...see page 345 IP source guard will check the VLAN ID source IP address port number and source MAC address for the SIP MAC option If a matching entry is found in the binding table and the entry type is...

Page 339: ...All static entries are configured with an infinite lease time which is indicated with a value of zero in the table CLI REFERENCES ip source guard binding on page 669 COMMAND USAGE Static addresses en...

Page 340: ...port to which a static entry is bound VLAN ID of a configured VLAN Range 1 4093 MAC Address A valid unicast MAC address IP Address A valid unicast IP address including classful types A B or C WEB INTE...

Page 341: ...ed interface CLI REFERENCES show ip dhcp snooping binding on page 668 PARAMETERS These parameters are displayed Query by Port A port on this switch VLAN ID of a configured VLAN Range 1 4093 MAC Addres...

Page 342: ...ion to a DHCP server This information can be useful in tracking an IP address back to a physical port COMMAND USAGE DHCP Snooping Process Network traffic may be disrupted when malicious DHCP messages...

Page 343: ...only if the corresponding entry is found in the binding table If the DHCP packet is from a client such as a DISCOVER REQUEST INFORM DECLINE or RELEASE message the packet is forwarded if MAC address ve...

Page 344: ...by the switch and in reply packets sent back from the DHCP server This information may specify the MAC address or IP address of the requesting device that is the switch in this context By default the...

Page 345: ...information relay Default Disabled DHCP Snooping Information Option Policy Specifies how to handle DHCP client request packets which already contain Option 82 information Drop Drops the client s reque...

Page 346: ...e DHCP snooping is globally disabled DHCP snooping can still be configured for specific VLANs but the changes will not take effect until DHCP snooping is globally re enabled When DHCP snooping is glob...

Page 347: ...erface that is configured to receive only messages from within the network An untrusted interface is an interface that is configured to receive messages from outside the network or fire wall When DHCP...

Page 348: ...RMATION Use the IP Service DHCP Snooping Show Information page to display entries in the binding table CLI REFERENCES show ip dhcp snooping binding on page 668 PARAMETERS These parameters are displaye...

Page 349: ...n the switch is reset However note that the lease time shown for a dynamic entry that has been restored from flash memory will no longer be valid Clear Removes all dynamically learned snooping entries...

Page 350: ...CHAPTER 14 Security Measures DHCP Snooping 350...

Page 351: ...it over a group of switches connected to the same local network CONFIGURING EVENT LOGGING The switch allows you to control the logging of error messages including the type of events that are recorded...

Page 352: ...fault 7 NOTE The Flash Level must be equal to or less than the RAM Level WEB INTERFACE To configure the logging of error messages to system memory 1 Click Administration Log System 2 Select Configure...

Page 353: ...andom access memory RAM i e memory flushed on power reset and up to 4096 entries in permanent flash memory Figure 202 Showing Error Messages Looged to System Memory REMOTE LOG CONFIGURATION Use the Ad...

Page 354: ...ng or storing messages in the corresponding database Range 16 23 Default 23 Logging Trap Level Limits log messages that are sent to the remote syslog server for all levels up to the specified level Fo...

Page 355: ...s level or higher will be sent to the configured email recipients For example using Level 7 will report all events from level 7 to level 0 Default Level 7 Email Source Address Sets the email address u...

Page 356: ...ification capabilities and configuration settings LLDP also defines how to store and maintain information gathered about the neighboring network nodes it discovers SETTING LLDP TIMING ATTRIBUTES Use t...

Page 357: ...t multiple rather than single changes are reported in each transmission This attribute must comply with the rule 4 Delay Interval Transmission Interval Reinitialization Delay Configures the delay befo...

Page 358: ...Data Units Options Tx only Rx only TxRx Disabled Default TxRx SNMP Notification Enables the transmission of SNMP trap notifications about LLDP and LLDP MED changes Default Enabled This option sends ou...

Page 359: ...ry management address TLV that reports an address that is accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VL...

Page 360: ...tion included in the TLV field of advertised messages Link Aggregation The link aggregation capabilities aggregation status of the link and the IEEE 802 3 aggregated port identifier if this interface...

Page 361: ...the chassis containing the IEEE 802 LAN entity associated with the transmitting LLDP agent There are several ways in which a chassis may be identified and a chassis ID subtype is used to indicate the...

Page 362: ...the local system Interface Settings The attributes listed below apply to both port and trunk interface types When a trunk is listed the descriptions apply to the first port of the trunk Port Trunk Des...

Page 363: ...e switch s ports which are advertising information through LLDP or to display detailed information about an LLDP enabled device connected to a specific port on the local switch CLI REFERENCES show lld...

Page 364: ...identifier that is listed in the Port ID field Port Description A string that indicates the port s description If RFC 2863 is implemented the ifDescr object should be used for this field Port ID A str...

Page 365: ...Remote VLAN Name List VLAN names associated with a port Remote Protocol Identity List Information about particular protocols that are accessible through a port This object represents an arbitrary loc...

Page 366: ...airs only are in use Remote Power MDI Supported Shows whether MDI power is supported on the given port associated with the remote system Remote Power Pair Controlable Indicates whether the pair select...

Page 367: ...ggregation state and or it does not support link aggregation this value should be zero Port Details 802 3 Extension Frame Information Remote Max Frame Size An integer value indicating the maximum supp...

Page 368: ...tocol messages transmitted or received on all local interfaces CLI REFERENCES show lldp info statistics on page 898 PARAMETERS These parameters are displayed General Statistics on Remote Devices Neigh...

Page 369: ...m to the general validation rules as well as any specific usage rules defined for the particular TLV Frames Invalid A count of all LLDPDUs received with one or more detectable errors Frames Received N...

Page 370: ...LLDP Device Statistics General Figure 212 Displaying LLDP Device Statistics Port SIMPLE NETWORK MANAGEMENT PROTOCOL Simple Network Management Protocol SNMP is a communication protocol designed specifi...

Page 371: ...rity models with each model having it s own security levels There are three security models defined SNMPv1 SNMPv2c and SNMPv3 Users are assigned to groups that are defined by a security model and spec...

Page 372: ...your management station Configuring SNMPv3 Management Access 1 Use the Administration SNMP Configure Global page to enable SNMP on the switch and to enable trap messages 2 Use the Administration SNMP...

Page 373: ...ation message to specified IP trap managers whenever an invalid community string is submitted during the SNMP access authentication process Default Enabled Link up and Link down Traps5 Issues a notifi...

Page 374: ...e to the switch This is referred to as the default engine ID If the local engine ID is deleted or changed all SNMP users will be cleared You will need to reconfigure all existing users PARAMETERS Thes...

Page 375: ...mp server engine id on page 563 COMMAND USAGE SNMP passwords are localized using the engine ID of the authoritative agent For informs the authoritative SNMP agent is the remote agent You therefore nee...

Page 376: ...Apply Figure 215 Configuring a Remote Engine ID for SNMP To show the remote SNMP engine IDs 1 Click Administration SNMP 2 Select Configure Engine from the Step list 3 Select Show Remote Engine from t...

Page 377: ...SNMP views configured in the Add View page OID Subtree Adds an additional object identifier of a branch within the MIB tree to the selected View Wild cards can be used to mask a specific portion of t...

Page 378: ...ure 218 Showing SNMP Views To add an object identifier to an existing SNMP view of the switch s MIB database 1 Click Administration SNMP 2 Select Configure View from the Step list 3 Select Add OID Sub...

Page 379: ...ricting them to specific read write and notify views You can use the pre defined default groups or create new groups to map a set of SNMP users to SNMP views CLI REFERENCES show snmp group on page 568...

Page 380: ...nitializing itself and that its configuration may have been altered warmStart 1 3 6 1 6 3 1 1 5 2 A warmStart trap signifies that the SNMPv2 entity acting in an agent role is reinitializing itself suc...

Page 381: ...storm is detected as normal traffic this trap is fired swAtcBcastStormTcApplyTrap 1 3 6 1 4 1 259 8 1 11 2 1 0 72 When ATC is activated this trap is fired swAtcBcastStormTcReleaseTrap 1 3 6 1 4 1 259...

Page 382: ...singThresholdNotifica tion 1 3 6 1 4 1 259 8 1 11 2 1 0 109 This notification indicates that the memory utilization has risen from memoryUtiFallingThreshold to memoryUtiRisingThreshold swMemoryUtiFall...

Page 383: ...ider removing the default strings CLI REFERENCES snmp server community on page 557 PARAMETERS These parameters are displayed Community String A community string that acts like a password and permits a...

Page 384: ...lect Add Community from the Action list 4 Add new community strings as required and select the corresponding access rights from the Access Mode list 5 Click Apply Figure 223 Setting Community Access S...

Page 385: ...ters Group Name The name of the SNMP group to which the user is assigned Range 1 32 characters Security Model The user security model SNMP v1 v2c or v3 Security Level The following security levels are...

Page 386: ...ame and assign it to a group If the security model is set to SNMPv3 and the security level is authNoPriv or authPriv then an authentication protocol and password must be specified If the security leve...

Page 387: ...e user resides The remote engine ID is used to compute the security digest for authentication and encryption of packets passed between the switch and the remote user See Specifying Trap Managers on pa...

Page 388: ...Privacy Password A minimum of eight plain text characters is required WEB INTERFACE To configure a remote SNMPv3 user 1 Click Administration SNMP 2 Select Configure User from the Step list 3 Select Ad...

Page 389: ...anagement Protocol 389 Figure 227 Configuring Remote SNMPv3 Users To show remote SNMPv3 users 1 Click Administration SNMP 2 Select Configure User from the Step list 3 Select Show SNMPv3 Remote User fr...

Page 390: ...received by the host However note that informs consume more system resources because they must be kept in memory until a response is received Informs also add to network traffic You should consider t...

Page 391: ...tification message i e the targeted recipient Version Specifies whether to send notifications as SNMP v1 v2c or v3 traps Notification Type Traps Notifications are sent as trap messages Inform Notifica...

Page 392: ...0 255 Default 3 Local User Name The name of a local user which is used to identify the source of SNMPv3 trap messages sent from the local switch Range 1 32 characters If an account for the specified u...

Page 393: ...onfigure trap managers 1 Click Administration SNMP 2 Select Configure Trap from the Step list 3 Select Add from the Action list 4 Fill in the required parameters based on the selected SNMP version 5 C...

Page 394: ...o specified events on an independent basis This switch is an RMON capable device which can independently perform a wide range of tasks significantly reducing network management traffic It can continuo...

Page 395: ...ed again until the statistical value crosses the opposite bounding threshold and then back across the trigger threshold CLI REFERENCES Remote Monitoring Commands on page 575 COMMAND USAGE If an alarm...

Page 396: ...ated After a falling event has been generated another such event will not be generated until the sampled value has risen above the falling threshold reaches the rising threshold and again moves back d...

Page 397: ...Monitoring 397 Figure 233 Configuring an RMON Alarm To show configured RMON alarms 1 Click Administration RMON 2 Select Configure Global from the Step list 3 Select Show from the Action list 4 Click...

Page 398: ...played Index Index to this entry Range 1 65535 Type Specifies the type of event to initiate None No event is generated Log Generates an RMON log entry when the event is triggered Log messages are proc...

Page 399: ...N 2 Select Configure Global from the Step list 3 Select Add from the Action list 4 Click Event 5 Enter an index number the type of event to initiate the community string to send with trap messages the...

Page 400: ...hich may reveal problems associated with high traffic levels broadcast storms or other unusual events It can also be used to predict network growth and plan for expansion before your network becomes t...

Page 401: ...number of buckets granted are displayed on the Show page Owner Name of the person who created this entry Range 1 127 characters WEB INTERFACE To periodically sample statistics on a port 1 Click Admini...

Page 402: ...elect Show from the Action list 4 Select a port from the list 5 Click History Figure 238 Showing Configured RMON History Samples To show collected RMON history samples 1 Click Administration RMON 2 Se...

Page 403: ...COMMAND USAGE If statistics collection is already enabled on an interface the entry must be deleted before any changes can be made The information collected for each entry includes input octets packe...

Page 404: ...om the Action list 4 Click Statistics 5 Select a port from the list as the data source 6 Enter an index number and the name of the owner for this entry 7 Click Apply Figure 240 Configuring an RMON Sta...

Page 405: ...d RMON Statistical Samples To show collected RMON statistical samples 1 Click Administration RMON 2 Select Configure Interface from the Step list 3 Select Show Details from the Action list 4 Select a...

Page 406: ...ates or active Members through VLAN 4093 Once a switch has been configured to be a cluster Commander it automatically discovers other cluster enabled switches in the network These Candidate switches o...

Page 407: ...tween 1 and 36 Note that you cannot change the cluster IP pool when the switch is currently in Commander mode Commander mode must first be disabled Default 10 254 254 1 Role Indicates the current role...

Page 408: ...Address Select a discovered switch MAC address from the Candidate Table or enter a specific MAC address of a known switch WEB INTERFACE To configure cluster members 1 Click Administration Cluster 2 S...

Page 409: ...CLUSTER MEMBERS Use the Administration Cluster Show Member page to manage another switch in the cluster CLI REFERENCES Switch Clustering on page 548 PARAMETERS These parameters are displayed Member ID...

Page 410: ...g 410 Operate Remotely manage a cluster member WEB INTERFACE To manage a cluster member 1 Click Administration Cluster 2 Select Show Member from the Step list 3 Select an entry from the Cluster Member...

Page 411: ...IPv4 Configuration Sets an IPv4 address for management access IPv6 Configuration Sets an IPv6 address for management access USING THE PING FUNCTION Use the IP General Ping page to send ICMP echo requ...

Page 412: ...8 Pnging a Network Device SETTING THE SWITCH S IP ADDRESS IP VERSION 4 Use the System IP page to configure an IPv4 address for the switch An IPv4 address is obtained via DHCP by default for VLAN 1 To...

Page 413: ...BOOTP is enabled IP will not function until a reply has been received from the server Requests will be broadcast periodically by the switch for an IP address DHCP BOOTP responses can include the IP ad...

Page 414: ...he IP Address Mode to Static enter the IP address subnet mask and gateway 3 Click Apply Figure 249 Configuring a Static IPv4 Address To obtain an dynamic address through DHCP BOOTP for the switch 1 Cl...

Page 415: ...via the web interface You can only restart DHCP service via the web interface if the current address is still available SETTING THE SWITCH S IP ADDRESS IP VERSION 6 This section describes how to conf...

Page 416: ...ip default gateway on page 919 PARAMETERS These parameters are displayed Default Gateway Sets the IPv6 address of the default next hop router An IPv6 default gateway must be defined if the management...

Page 417: ...iscover each other s presence to determine each other s link layer addresses to find routers and to maintain reachability information about the paths to active neighbors The key parameters used to fac...

Page 418: ...ines if a new unicast IPv6 address already exists on the network before it is assigned to an interface Duplicate address detection is stopped on any interface that has been suspended see Configuring V...

Page 419: ...figuration of IP address prefixes is not supported in the current software release If the router advertisements have the other stateful configuration flag set the switch will attempt to acquire other...

Page 420: ...e full address with the network prefix FE80 To connect to a larger network with multiple subnets you must configure a global unicast address There are several alternatives to configuring this address...

Page 421: ...t the value specified in the IPv6 Address field may include some of the high order host bits if the specified prefix length is less than 64 bits If the specified prefix length exceeds 64 bits then the...

Page 422: ...fy the VLAN to configure select the address type and then enter an IPv6 address and prefix length 4 Click Apply Figure 253 Configuring an IPv6 Address SHOWING IPV6 ADDRESSES Use the IP IPv6 Configurat...

Page 423: ...ow A node is also required to compute and join the associated solicited node multicast addresses for every unicast and anycast address it is assigned IPv6 addresses that differ only in the high order...

Page 424: ...PV6 NEIGHBOR CACHE Use the IP IPv6 Configuration Show IPv6 Neighbor Cache page to display the IPv6 addresses detected for neighbor devices CLI REFERENCES show ipv6 neighbors on page 946 PARAMETERS The...

Page 425: ...path was functioning While in STALE state the device takes no action until a packet is sent DELAY More than the ReachableTime interval has elapsed since the last positive confirmation was received th...

Page 426: ...buffering capacity to forward a datagram and when the gateway can direct the host to send traffic on a shorter route ICMP is also used by routers to feed back information about more suitable routes t...

Page 427: ...r some of the fragments Reassembled Succeeded The number of IPv6 datagrams successfully reassembled Note that this counter is incremented at the interface to which these datagrams were addressed which...

Page 428: ...Parameter Problem Messages The number of ICMP Parameter Problem messages received by the interface Echo Request Messages The number of ICMP Echo request messages received by the interface Echo Reply...

Page 429: ...f ICMP Router Advertisement messages sent by the interface Redirect Messages The number of Redirect messages sent For a host this object will always be zero since hosts do not send redirects Group Mem...

Page 430: ...Address IP Version 6 430 WEB INTERFACE To show the IPv6 statistics 1 Click IP IPv6 Configuration 2 Select Show Statistics from the Action list 3 Click IPv6 ICMPv6 or UDP Figure 256 Showing IPv6 Statis...

Page 431: ...acket too big message along with an acceptable MTU to this switch CLI REFERENCES show ipv6 mtu on page 936 PARAMETERS These parameters are displayed Table 31 Show MTU display description Field Descrip...

Page 432: ...ration Setting the Switch s IP Address IP Version 6 432 WEB INTERFACE To show the MTU reported from other devices 1 Click IP IPv6 Configuration 2 Select Show MTU from the Action list Figure 259 Showin...

Page 433: ...resses configure default domain names or specify one or more name servers to use for domain name to address translation CONFIGURING GENERAL DNS SERVICE PARAMETERS Use the IP Service DNS General Config...

Page 434: ...s page to define a list of domain names that can be appended to incomplete host names i e host names passed from a client that are not formatted with dotted notation If there is no domain list the def...

Page 435: ...domain name Range 1 68 characters WEB INTERFACE To create a list domain names 1 Click IP Service DNS 2 Select Add Domain Name from the Action list 3 Enter one domain name at a time 4 Click Apply Figur...

Page 436: ...r is specified the servers are queried in the specified sequence until a response is received or the end of the list is reached with no response If all name servers are deleted DNS will automatically...

Page 437: ...o manually configure static entries in the DNS table that are used to map domain names to IP addresses CLI REFERENCES ip host on page 904 show hosts on page 908 COMMAND USAGE Static entries may be use...

Page 438: ...vice DNS Static Host Table 2 Select Add from the Action list 3 Enter a host name and the corresponding address 4 Click Apply Figure 265 Configuring Static Entries in the DNS Table To show static entri...

Page 439: ...er a DNS client can try each address in succession until it establishes a connection with the target device PARAMETERS These parameters are displayed No The entry number for each resource record Flag...

Page 440: ...CHAPTER 17 IP Services Displaying the DNS Cache 440...

Page 441: ...udio A multicast server does not have to establish a separate connection with each client It merely broadcasts its service to the network and any hosts that want to receive the multicast register with...

Page 442: ...need to forward multicast traffic IGMP Snooping conserves bandwidth on network segments where no node has expressed interest in receiving a specific multicast service For switches that do not support...

Page 443: ...d throughout the VLAN if unregistered flooding is enabled see Configuring IGMP Snooping and Query Parameters on page 444 Static IGMP Router Interface If IGMP snooping cannot locate the IGMP querier yo...

Page 444: ...t the VLAN if unregistered flooding is enabled see Unregistered Data Flood in the Command Attributes section IGMP Querier A router or multicast enabled switch can periodically ask their hosts if they...

Page 445: ...ology has stabilized and the new locations of all multicast receivers are learned If a topology change notification TCN is received and all the uplink ports are subsequently deleted a time out mechani...

Page 446: ...arries the Router Alert option 2 Also when the switch is acting in the role of a multicast host such as when using proxy routing it should ignore version 2 or 3 queries that do not contain the Router...

Page 447: ...ast traffic This feature is not supported for IGMPv3 snooping Default Disabled WEB INTERFACE To configure general settings for IGMP Snooping and Query 1 Click Multicast IGMP Snooping General 2 Adjust...

Page 448: ...ies the interface attached to a multicast router WEB INTERFACE To specify a static interface attached to a multicast router 1 Click Multicast IGMP Snooping Multicast Router 2 Select Add Static Multica...

Page 449: ...CES TO MULTICAST SERVICES Use the Multicast IGMP Snooping IGMP Member Add Static Member page to statically assign a multicast service to an interface Multicast filtering can be dynamically configured...

Page 450: ...group Multicast IP The IP address for a specific multicast service WEB INTERFACE To statically assign an interface to a multicast service 1 Click Multicast IGMP Snooping IGMP Member 2 Select Add Stat...

Page 451: ...2 Select Current Member from the Action list 3 Select the VLAN for which to display this information Figure 275 Showing Current Interfaces Assigned to a Multicast Service SETTING IGMP SNOOPING STATUS...

Page 452: ...ast Router Discovery uses the following three message types to discover multicast routers Multicast Router Advertisement Advertisements are sent by routers to advertise that IP multicast forwarding is...

Page 453: ...see page 444 the per VLAN interface settings for IGMP snooping take precedence When IGMP snooping is disabled globally snooping can still be configured per VLAN interface but the interface settings w...

Page 454: ...TR 101 April 2006 including last leave and query suppression Last leave sends out a proxy query when the last member leaves a multicast group and query suppression means that neither specific queries...

Page 455: ...rate more burst traffic This attribute will take effect only if IGMP snooping proxy reporting is enabled see page 444 Last Member Query Count The number of IGMP proxy group specific or group and sourc...

Page 456: ...ticast IGMP Snooping Interface 2 Select Configure from the Action list 3 Select the VLAN to configure and update the required parameters 4 Click Apply Figure 276 Configuring IGMP Snooping on an Interf...

Page 457: ...led on the switch see page 444 PARAMETERS These parameters are displayed VLAN An interface on the switch that is forwarding traffic to downstream ports for the specified multicast group address Group...

Page 458: ...join IGMP filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port An IGMP filter profile can contain one or more addresses...

Page 459: ...and throttling on the switch 1 Click Multicast IGMP Snooping Filtering 2 Select Configure General from the Action list 3 Enable IGMP Filter Status 4 Click Apply Figure 279 Enabling IGMP Filtering and...

Page 460: ...ontrolled range Add Multicast Group Range Profile ID Selects an IGMP profile to configure Start Multicast IP Address Specifies the starting address of a range of multicast groups End Multicast IP Addr...

Page 461: ...Profiles Created To add a range of multicast groups to an IGMP filter profile 1 Click Multicast IGMP Snooping Filtering 2 Select Add Multicast Group Range from the Action list 3 Select the profile to...

Page 462: ...rottling on page 868 COMMAND USAGE IGMP throttling sets a maximum number of multicast groups that a port can join at the same time When the maximum number of groups is reached on a port the switch can...

Page 463: ...Action list 3 Select a profile to assign to an interface then set the maximum number of allowed multicast groups and the throttling response 4 Click Apply Figure 284 Configuring IGMP Filtering and Thr...

Page 464: ...or receiver ports see Configuring MVR Interface Status on page 466 3 For multicast streams that will run for a long term and be associated with a stable set of hosts you can statically bind the multi...

Page 465: ...he VLAN that serves as the channel for streaming multicast services using MVR MVR source ports should be configured as members of the MVR VLAN see Adding Static Members to VLANs on page 160 but MVR re...

Page 466: ...vices you can enable the immediate leave function CLI REFERENCES Multicast VLAN Registration on page 875 COMMAND USAGE A port configured as an MVR receiver or source port can join or leave multicast g...

Page 467: ...ticast groups which have been statically assigned to a port PARAMETERS These parameters are displayed Port Port identifier Type The following interface types are supported Source An uplink port that c...

Page 468: ...pate in the MVR protocol as a source port or receiver port and optionally enable Immediate Leave on any receiver port to which only one subscriber is attached 4 Click Apply Figure 287 Configuring Inte...

Page 469: ...VLAN and port member to receive the multicast stream and then enter the multicast group address 5 Click Apply Figure 288 Assigning Static MVR Groups to a Port To show the static MVR groups assigned t...

Page 470: ...cast service or displays an asterisk if the group address has been statically assigned VLAN Indicates the MVR VLAN receiving the multicast service Forwarding Port Shows the interfaces with subscribers...

Page 471: ...nds on page 555 Remote Monitoring Commands on page 575 Authentication Commands on page 583 General Security Measures on page 637 Access Control Lists on page 683 Interface Commands on page 699 Link Ag...

Page 472: ...TION III Command Line Interface 472 Multicast Filtering Commands on page 849 LLDP Commands on page 883 Domain Name Service Commands on page 901 DHCP Commands on page 911 IP Interface Commands on page...

Page 473: ...console prompt enter the user name and password The default user names are admin and guest with corresponding passwords of admin and guest When the administrator user name and password is entered the...

Page 474: ...254 Console config If your corporate network is connected to another network outside your office or to the Internet you need to apply for a registered IP address However if you are attached to an iso...

Page 475: ...nit port You can enter commands as follows To enter a simple command enter the command keyword To enter multiple commands enter each command in the required order For example to enable Privileged Exec...

Page 476: ...nformation dot1q tunnel dot1q tunnel dot1x 802 1X content garp GARP properties gvrp GVRP interface information history Shows history information hosts Host information interfaces Shows interface infor...

Page 477: ...witchport information Console PARTIAL KEYWORD LOOKUP If you terminate a partial keyword with a question mark alternatives that match the initial letters are provided Remember not to leave a space betw...

Page 478: ...and prompt Only a limited number of the commands are available in this mode You can access all commands only from the Privileged Exec command mode or administrator mode To access Privilege Exec mode o...

Page 479: ...ame and snmp server community Access Control List Configuration These commands are used for packet filtering Class Map Configuration Creates a DiffServ class map for a specified traffic type IGMP Prof...

Page 480: ...figuration mode and then return to Privileged Exec mode Console config interface ethernet 1 5 Console config if exit Console config Table 33 Configuration Command Modes Mode Command Prompt Page Line l...

Page 481: ...tart of command line Ctrl B Shifts cursor to the left one character Ctrl C Terminates the current task and displays the command prompt Ctrl E Shifts cursor to end of command line Ctrl F Shifts cursor...

Page 482: ...nd replies and discarding invalid ARP responses 637 Access Control List Provides filtering for IPv4 frames based on address protocol TCP UDP port number or TCP control code or non IP frames based on M...

Page 483: ...atabase Configuration Multicast Filtering Configures IGMP multicast filtering query profile and proxy parameters specifies ports attached to a multicast router also configures multicast VLAN registrat...

Page 484: ...CHAPTER 19 Using the Command Line Interface CLI Command Groups 484...

Page 485: ...arts the system at a specified time after a specified delay or at a periodic interval GC enable Activates privileged mode NE quit Exits a CLI session NE PE show history Shows the command history buffe...

Page 486: ...hich to reload Range 0 23 minute The minute at which to reload Range 0 59 month The month at which to reload january december day The day of the month at which to reload Range 1 31 year The year at wh...

Page 487: ...e you sure to reboot the system at the specified time y n enable This command activates Privileged Exec mode In privileged mode additional commands are available and certain commands display additiona...

Page 488: ...Exec COMMAND USAGE The quit and exit commands can both exit the configuration program EXAMPLE This example shows how to quit a CLI session Console quit Press ENTER to start session User Access Verific...

Page 489: ...tory buffer when you are in any of the configuration modes In this example the 2 command repeats the second command in the Execution history buffer config Console 2 Console config Console config confi...

Page 490: ...indicate that the system is in normal access mode EXAMPLE Console disable Console RELATED COMMANDS enable 487 reload Privileged Exec This command restarts the system NOTE When the system is restarted...

Page 491: ...ays 0 hours 29 minutes 52 seconds Console end This command returns to Privileged Exec mode DEFAULT SETTING None COMMAND MODE Global Configuration Interface Configuration Line Configuration VLAN Databa...

Page 492: ...EXAMPLE This example shows how to return to the Privileged Exec mode from the Global Configuration mode and then quit the CLI session Console config exit Console exit Press ENTER to start session Use...

Page 493: ...version information Frame Size Enables support for jumbo frames File Management Manages code image or switch configuration files Line Sets communication parameters for the serial port including baud...

Page 494: ...is automatically displayed before login as soon as a console or telnet connection has been established Table 39 Banner Commands Command Function Mode banner configure Configures the banner informatio...

Page 495: ...rted If for example a mistake is made in the company name it can be corrected with the banner configure company command EXAMPLE Console config banner configure Company EdgeCore Networks Responsible de...

Page 496: ...company information displayed in the banner Use the no form to remove the company name from the banner display SYNTAX banner configure company name no banner configure company name The name of the co...

Page 497: ...COMMAND MODE Global Configuration COMMAND USAGE Input strings cannot contain spaces The banner configure dc power info command interprets spaces as data input boundaries The use of underscores _ or o...

Page 498: ...YNTAX banner configure equipment info manufacturer id mfr id floor floor id row row id rack rack id shelf rack sr id manufacturer mfr name no banner configure equipment info floor manufacturer manufac...

Page 499: ...None COMMAND MODE Global Configuration COMMAND USAGE Input strings cannot contain spaces The banner configure equipment location command interprets spaces as data input boundaries The use of underscor...

Page 500: ...igure lp number This command is used to configure the LP number information displayed in the banner Use the no form to restore the default setting SYNTAX banner configure lp number lp num no banner co...

Page 501: ...mber The phone number of the third manager Maximum length of each parameter 32 characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE Input strings cannot contain spaces The b...

Page 502: ...e no form to restore the default setting SYNTAX banner configure note note info no banner configure note note info Miscellaneous information that does not fit the other banner categories or any other...

Page 503: ...0100 0500_GMT 0500_20071022 _20min_network_ Console SYSTEM STATUS This section describes commands used to display system information Table 40 System Status Commands Command Function Mode show access l...

Page 504: ...CL to a port each rule in an ACL will use two PCEs and when setting an IP Source Guard filter rule for a port the system will also use two PCEs EXAMPLE Console show access list tcam utilization Total...

Page 505: ...levels and encrypted passwords VLAN database VLAN ID name and state VLAN configuration settings for each interface Multiple spanning tree instances name and interfaces IP address configured for manag...

Page 506: ...he show running config command to compare the information in running memory to the information stored in non volatile memory This command displays settings for key command modes Each mode group is sep...

Page 507: ...ription ES3510MA System OID String 1 3 6 1 4 1 259 8 1 11 System Information System Up Time 0 days 7 hours 20 minutes and 43 30 seconds System Name System Location System Contact MAC Address Unit 1 00...

Page 508: ...168 1 19 admin 0 00 00 Console show version This command displays hardware and software version information for the system COMMAND MODE Normal Exec Privileged Exec COMMAND USAGE See Displaying Hardwa...

Page 509: ...s that run only up to 1 5 KB using jumbo frames significantly reduces the per packet overhead required to process protocol encapsulation fields To use jumbo frames both the source and destination end...

Page 510: ...er downloaded to restore switch settings The configuration file can be downloaded under a new file name and then set as the startup file or the current startup configuration file can be specified as t...

Page 511: ...g Configuration file opcode Run time operation code filename Name of configuration file or code image The colon is required DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE A colon...

Page 512: ...rtificate Keyword that allows you to copy the HTTPS secure site certificate public key Keyword that allows you to copy a SSH key from a TFTP server See Secure Shell on page 609 running config Keyword...

Page 513: ...the default user name EXAMPLE The following example shows how to download new firmware from a TFTP server Console copy tftp file TFTP server ip address 10 1 0 19 Choose file type 1 config 2 opcode 1...

Page 514: ...certificate Source private file name SS private Private password Success Console reload System will be restarted continue y n y This example shows how to copy a public key used by SSH from an TFTP se...

Page 515: ...LE This example shows how to delete the test2 cfg configuration file from flash memory Console delete test2 cfg Console RELATED COMMANDS dir 515 delete public key 614 dir This command displays a list...

Page 516: ...08 44 35 11354752 Factory_Default_Config cfg Config N 2009 12 16 08 44 35 455 startup1 cfg Config Y 2009 12 16 08 44 42 2297 Free space for compressed user config files 1052672 Console whichboot This...

Page 517: ...OMMAND MODE Global Configuration COMMAND USAGE This command is used to enable or disable automatic upgrade of the operational code When the switch starts up and automatic image upgrade is enabled by t...

Page 518: ...upgrade succeeds Downloading new image Flash programming started Flash programming completed The switch will now restart upgrade opcode path This command specifies an TFTP server and directory in whi...

Page 519: ...to the directory containing the new image ftp username password 192 168 0 1 filedir If the user name is omitted Anonymous will be used for the connection If the password is omitted a null string will...

Page 520: ...tion method to local console Telnet or SSH connections LC databits Sets the number of data bits per character that are interpreted and generated by hardware LC exec timeout Sets the interval that the...

Page 521: ...ommand sets the number of data bits per character that are interpreted and generated by the console port Use the no form to restore the default value SYNTAX databits 7 8 no databits 7 Seven data bits...

Page 522: ...he timeout interval the session is kept open otherwise the session is terminated This command applies to both the local console and Telnet connections The timeout for Telnet cannot be disabled Using t...

Page 523: ...ment interface starts in Normal Exec NE or Privileged Exec PE mode depending on the user s privilege level 0 or 15 respectively no login selects no authentication When using this method the management...

Page 524: ...th 32 characters plain text or encrypted case sensitive DEFAULT SETTING No password is specified COMMAND MODE Line Configuration COMMAND USAGE When a connection is started on a line with password prot...

Page 525: ...f allowed password attempts Range 1 120 0 no threshold DEFAULT SETTING The default value is three attempts COMMAND MODE Line Configuration COMMAND USAGE When the logon attempt threshold is reached the...

Page 526: ...silent time to 60 seconds enter this command Console config line silent time 60 Console config line RELATED COMMANDS password thresh 525 speed This command sets the terminal line s baud rate This com...

Page 527: ...ore the default setting SYNTAX stopbits 1 2 no stopbits 1 One stop bit 2 Two stop bits DEFAULT SETTING 1 stop bit COMMAND MODE Line Configuration EXAMPLE To specify 2 stop bits enter this command Cons...

Page 528: ...o set the timeout to two minutes enter this command Console config line timeout login response 120 Console config line disconnect This command terminates an SSH Telnet or console connection SYNTAX dis...

Page 529: ...abled Baud Rate Auto Data Bits 8 Parity None Stop Bits 1 VTY Configuration Password Threshold 3 times Inactive Timeout 600 sec Login Timeout 300 sec Console EVENT LOGGING This section describes comman...

Page 530: ...ULT SETTING 23 COMMAND MODE Global Configuration COMMAND USAGE The command specifies the facility type tag sent in syslog messages See RFC 3164 This type has no effect on the kind of messages reported...

Page 531: ...ash errors level 3 0 RAM debugging level 7 0 COMMAND MODE Global Configuration COMMAND USAGE The message level specified for flash memory must be a higher priority i e numerically lower than that spec...

Page 532: ...s five EXAMPLE Console config logging host 10 1 0 3 Console config logging on This command controls logging of error messages sending debug or error messages to a logging process The no form disables...

Page 533: ...le on page 531 Messages sent include the selected level through level 0 DEFAULT SETTING Disabled Level 7 COMMAND MODE Global Configuration COMMAND USAGE Using this command with a specified level enabl...

Page 534: ...ry stored in flash memory i e permanent memory ram Event history stored in temporary RAM i e memory flushed on power reset DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE The following examp...

Page 535: ...system logging is enabled the message level for flash memory is errors i e default level 3 0 and the message level for RAM is debugging i e default level 7 0 Console show logging flash Syslog logging...

Page 536: ...been enabled via the logging trap command REMOTELOG facility type The facility type for remote logging of syslog messages as specified in the logging facility command REMOTELOG level type The severity...

Page 537: ...g DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE You can specify up to three SMTP servers for event handing However you must enter a separate command to specify each server To se...

Page 538: ...D MODE Global Configuration COMMAND USAGE The specified level indicates an event threshold All events at this level or higher will be sent to the configured email recipients For example using Level 7...

Page 539: ...e default value SYNTAX logging sendmail source email email address no logging sendmail source email email address The source email address used in alert messages Range 1 41 characters DEFAULT SETTING...

Page 540: ...ommand enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp server command Use the no form to disable SNTP client requests SYNTAX no sntp client...

Page 541: ...rver 10 1 0 19 Console config sntp poll 60 Console config sntp client Console config end Console show sntp Current Time Dec 23 02 52 44 2002 Poll Interval 60 Current Mode unicast SNTP Status Enabled S...

Page 542: ...d specifies time servers from which the switch will poll for time updates when set to SNTP client mode The client will poll the time servers in the order specified until a response is received It issu...

Page 543: ...s before UTC 0 13 hours after UTC minutes Number of minutes before after UTC Range 0 59 minutes before utc Sets the local time zone before east of UTC after utc Sets the local time zone after west of...

Page 544: ...Range 1 31 month january february march april may june july august september october november december year Year 4 digit Range 2001 2100 DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE...

Page 545: ...1 30 characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE This command sets a time range for use by other functions such as Access Control Lists EXAMPLE Console config time...

Page 546: ...e Range Configuration COMMAND USAGE If a time range is already configured you must use the no form of this command to remove the current entry prior to configuring a new time range EXAMPLE This exampl...

Page 547: ...ple configures a time range for the periodic occurrence of an event Console config time range sales Console config time range periodic daily 1 1 to 2 1 Console config time range show time range This c...

Page 548: ...Candidates or active Members through VLAN 4093 Once a switch has been configured to be a cluster Commander it automatically discovers other cluster enabled switches in the network These Candidate swit...

Page 549: ...k Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander Switch clusters are limited to the same Ethernet broad...

Page 550: ...pool ip address no cluster ip pool ip address The base IP address for IP addresses assigned to cluster Members The IP address must start 10 x x x DEFAULT SETTING 10 254 254 1 COMMAND MODE Global Confi...

Page 551: ...tion COMMAND USAGE The maximum number of cluster Members is 36 The maximum number of cluster Candidates is 100 EXAMPLE Console config cluster member mac address 00 12 34 56 78 9a id 5 Console config r...

Page 552: ...Privileged Exec EXAMPLE Console show cluster Role commander Interval Heartbeat 30 Heartbeat Loss Count 3 seconds Number of Members 1 Number of Candidates 2 Console show cluster members This command s...

Page 553: ...ws the discovered Candidate switches in the network COMMAND MODE Privileged Exec EXAMPLE Console show cluster candidates Cluster Candidates Role MAC Address Description Active member 00 E0 0C 00 00 FE...

Page 554: ...CHAPTER 21 System Management Commands Switch Clustering 554...

Page 555: ...Command Function Mode General SNMP Commands snmp server Enables the SNMP agent GC snmp server community Sets up the community access string to permit access to SNMP commands GC snmp server contact Se...

Page 556: ...ast control apply Sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires IC Port snmp server enable port traps atc broadcast control re...

Page 557: ...ations are only able to retrieve MIB objects rw Specifies read write access Authorized management stations are able to both retrieve and modify MIB objects DEFAULT SETTING public Read only access Auth...

Page 558: ...ocation Maximum length 255 characters DEFAULT SETTING None COMMAND MODE Global Configuration EXAMPLE Console config snmp server location WC 19 Console config RELATED COMMANDS snmp server contact 557 s...

Page 559: ...s 0 General errors 0 Response PDUs 0 Trap PDUs SNMP Logging Disabled Console snmp server enable traps This command enables this device to send Simple Network Management Protocol traps or informs i e S...

Page 560: ...r host This command specifies the recipient of a Simple Network Management Protocol notification operation Use the no form to remove the specified host SYNTAX snmp server host host addr inform retry r...

Page 561: ...host The snmp server host command is used in conjunction with the snmp server enable traps command Use the snmp server enable traps command to enable the sending of traps or informs and to specify whi...

Page 562: ...5 Allow the switch to send SNMP traps i e notifications page 559 6 Specify the target host that will receive inform messages with the snmp server host command as described in this section The switch c...

Page 563: ...authenticating and encrypting SNMPv3 packets A remote engine ID is required when using SNMPv3 informs See the snmp server host command The remote engine ID is used to compute the security digest for...

Page 564: ...the view for write access 1 32 characters notifyview Defines the view for notifications 1 32 characters DEFAULT SETTING Default groups public6 read only private7 read write readview Every object belon...

Page 565: ...device ip address The Internet address of the remote device v1 v2c v3 Use SNMP version 1 2c or 3 encrypted Accepts the password as encrypted input auth Uses SNMPv3 with authentication md5 sha Uses MD5...

Page 566: ...er will fail SNMP passwords are localized using the engine ID of the authoritative agent For informs the authoritative SNMP agent is the remote agent You therefore need to configure the remote agent s...

Page 567: ...nfig This view includes the MIB 2 interfaces table and the mask selects all index entries Console config snmp server view ifEntry a 1 3 6 1 2 1 2 2 1 1 included Console config show snmp engine id This...

Page 568: ...tile Row Status active Group Name public Security Model v2c Read View defaultview Write View none Notify View none Storage Type volatile Row Status active Group Name private Security Model v1 Read Vie...

Page 569: ...eld Description groupname Name of an SNMP group security model The SNMP version readview The associated read view writeview The associated write view notifyview The associated notify view storage type...

Page 570: ...n log SYNTAX no nlm filter name filter name Notification log name Range 1 32 characters DEFAULT SETTING Enabled COMMAND MODE Global Configuration COMMAND USAGE Notification logging is enabled by defau...

Page 571: ...remote host parameter is only required to complete mandatory fields in the SNMP Notification MIB DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE Systems that support SNMP often n...

Page 572: ...entries and the entry aging time is 1440 minutes Information recorded in a notification log and the entry aging time can only be configured using SNMP from a network management station When a trap hos...

Page 573: ...ileged Exec EXAMPLE This example displays the configured notification logs and associated target hosts Note that the last entry is a default filter created when a trap host is initially created Consol...

Page 574: ...CHAPTER 22 SNMP Commands 574...

Page 575: ...Event and Alarm groups When RMON is enabled the system gradually builds up information about its physical interfaces storing this information in the relevant RMON database group A management agent the...

Page 576: ...ue and the difference is then compared to the thresholds threshold An alarm threshold for the sampled variable Range 1 65535 event index The index of the event to use if an alarm is triggered If there...

Page 577: ...Log messages are processed based on the current configuration settings for event logging see Event Logging on page 529 trap Sends a trap message to all configured trap managers see snmp server host o...

Page 578: ...rmon collection history index index Index to this entry Range 1 65535 number The number of buckets requested for this entry Range 1 65536 seconds The polling interval Range 1 3600 seconds name Name o...

Page 579: ...on who created this entry Range 1 127 characters DEFAULT SETTING Enabled COMMAND MODE Interface Configuration Ethernet COMMAND USAGE By default each index number equates to a port on the swich but can...

Page 580: ...mon event This command shows the settings for all configured events COMMAND MODE Privileged Exec EXAMPLE Console show rmon event event Index 1 Description RMON_TRAP_LOG Event type log trap Event commu...

Page 581: ...istics group COMMAND MODE Privileged Exec EXAMPLE Console show rmon statistics rmon collection index 1 stats ifindex 1 input packets 00 bytes 00 dropped 00 multicast packets 00 output packets 00 bytes...

Page 582: ...CHAPTER 23 Remote Monitoring Commands 582...

Page 583: ...thentication Commands Command Group Function User Accounts Configures the basic user names and passwords for management access Authentication Sequence Defines logon authentication method and precedenc...

Page 584: ...l Maximum length 32 characters plain text or encrypted case sensitive DEFAULT SETTING The default is level 15 The default password is super COMMAND MODE Global Configuration COMMAND USAGE You cannot s...

Page 585: ...encrypted password password password The authentication password for the user Maximum length 32 characters plain text or encrypted case sensitive DEFAULT SETTING The default access level is Normal Ex...

Page 586: ...fers a connection oriented transport Also note that RADIUS encrypts only the password in the access request packet from the client to the server while TACACS encrypts the entire body of the packet RAD...

Page 587: ...connection oriented transport Also note that RADIUS encrypts only the password in the access request packet from the client to the server while TACACS encrypts the entire body of the packet RADIUS and...

Page 588: ...ting messages Use the no form to restore the default SYNTAX radius server acct port port number no radius server acct port port number RADIUS server UDP port used for accounting messages Range 1 65535...

Page 589: ...restore the default values SYNTAX no radius server index host host ip address auth port auth port acct port acct_port key key retransmit retransmit timeout timeout index Allows you to specify up to f...

Page 590: ...erver key key string no radius server key key string Encryption key used to authenticate logon access for client Do not use blank spaces in the string Maximum length 48 characters DEFAULT SETTING None...

Page 591: ...radius server timeout number of seconds no radius server timeout number of seconds Number of seconds the switch waits for a reply before resending a request Range 1 65535 DEFAULT SETTING 5 COMMAND MOD...

Page 592: ...er and other optional parameters Use the no form to remove the server or to restore the default values SYNTAX tacacs server index host host ip address key key port port number no tacacs server index i...

Page 593: ...er host host ip address IP address of a TACACS server DEFAULT SETTING 10 11 12 13 COMMAND MODE Global Configuration EXAMPLE Console config tacacs server host 192 168 1 25 Console config tacacs server...

Page 594: ...hentication messages Range 1 65535 DEFAULT SETTING 49 COMMAND MODE Global Configuration EXAMPLE Console config tacacs server port 181 Console config show tacacs server This command displays the curren...

Page 595: ...nge 1 255 characters start stop Records accounting from starting point and stopping point Table 65 AAA Commands Command Function Mode aaa accounting commands Enables accounting of Exec mode commands G...

Page 596: ...nting method s configured on the specified TACACS server and do not actually send any information to the server about the methods to use EXAMPLE Console config aaa accounting commands 15 default start...

Page 597: ...counting method s configured on the specified RADIUS or TACACS servers and do not actually send any information to the servers about the methods to use EXAMPLE Console config aaa accounting dot1x defa...

Page 598: ...ethod name fields are only used to describe the accounting method s configured on the specified RADIUS or TACACS servers and do not actually send any information to the servers about the methods to us...

Page 599: ...1 255 characters group Specifies the server group to use tacacs Specifies all TACACS hosts configured with the tacacs server command server group Specifies the name of a server group configured with t...

Page 600: ...XAMPLE Console config aaa group server radius tps Console config sg radius server This command adds a security server to an AAA server group Use the no form to remove the associated server from the gr...

Page 601: ...d list name Specifies a method list created with the aaa accounting dot1x command DEFAULT SETTING None COMMAND MODE Interface Configuration EXAMPLE Console config interface ethernet 1 2 Console config...

Page 602: ...ame Specifies a method list created with the aaa authorization exec command DEFAULT SETTING None COMMAND MODE Line Configuration EXAMPLE Console config line console Console config line authorization e...

Page 603: ...ace Method list tps Group list radius Interface eth 1 2 Accounting type Exec Method list default Group list radius Interface vty Console WEB SERVER This section describes commands used to configure we...

Page 604: ...nge 1 65535 DEFAULT SETTING 80 COMMAND MODE Global Configuration EXAMPLE Console config ip http port 769 Console config RELATED COMMANDS ip http server 604 show system 507 ip http server This command...

Page 605: ...tablished in this way The client authenticates the server using the server s digital certificate The client and server negotiate a set of security protocols to use for the connection The client and se...

Page 606: ...S connection to the switch s web interface Use the no form to restore the default port SYNTAX ip http secure port port_number no ip http secure port port_number The UDP port used for HTTPS Range 1 655...

Page 607: ...o ip telnet max sessions session count The maximum number of allowed Telnet session Range 0 4 DEFAULT SETTING 4 sessions COMMAND MODE Global Configuration COMMAND USAGE A maximum of four sessions can...

Page 608: ...CP port number to be used by the browser interface Range 1 65535 DEFAULT SETTING 23 COMMAND MODE Global Configuration EXAMPLE Console config ip telnet port 123 Console config ip telnet server This com...

Page 609: ...authentication retries Specifies the number of retries allowed by a client GC ip ssh server Enables the SSH server on the switch GC ip ssh server key size Sets the SSH server key size GC ip ssh timeo...

Page 610: ...ts file would appear similar to the following example 10 1 0 54 1024 35 15684995401867669259333946775054617325313674890836547254 15020245593199868544358361651999923329781766065830956 10825913212890233...

Page 611: ...ents that have a private key corresponding to the public keys stored on the switch can access it The following exchanges take place during this process Authenticating SSH v1 5 Clients a The client sen...

Page 612: ...ssh authentication retries This command configures the number of times the SSH server attempts to reauthenticate a user Use the no form to restore the default setting SYNTAX ip ssh authentication retr...

Page 613: ...er EXAMPLE Console ip ssh crypto host key generate dsa Console configure Console config ip ssh server Console config RELATED COMMANDS ip ssh crypto host key generate 615 show ssh 618 ip ssh server key...

Page 614: ...e switch will wait for a response from the client during the SSH negotiation phase Once an SSH session has been established the timeout for user input is controlled by the exec timeout command for vty...

Page 615: ...v1 5 clients and DSA Version 2 for SSHv2 clients This command stores the host key pair in memory i e RAM Use the ip ssh save host key command to save the host key pair to flash memory Some SSH client...

Page 616: ...emory RAM Use the no ip ssh save host key command to clear the host key from flash memory The SSH server must be disabled before you can execute this command EXAMPLE Console ip ssh crypto zeroize dsa...

Page 617: ...leged Exec COMMAND USAGE If no parameters are entered all keys are displayed If the user keyword is entered but no user name is specified then the public keys for all users are displayed When an RSA k...

Page 618: ...27s6TLdtny1wRq ow2eTCD5nekAAACBAJ8rMccXTxHLFAczWS7EjOy DbsloBfPuSAb4oAsyjKXKVYNLQkTLZfcFRu41bS2KV5LAwecsigF DjKGWtPNIQqabKgYCw2 o dVzX4Gg yqdTlYmGA7fHGm8ARGeiG4ssFKy4Z6DmYPXFum1Yg0fhLwuHpOSKdxT3kk475S...

Page 619: ...osts on an dot1x port IC dot1x port control Sets dot1x mode for a port interface IC dot1x re authentication Enables re authentication for all ports IC dot1x timeout quiet period Sets the time that a s...

Page 620: ...g as intermediate node in the network and does not need to perform dot1x authentication the dot1x eapol pass through command can be used to forward EAPOL frames from other switches on to the authentic...

Page 621: ...t1x system auth control Console config dot1x intrusion action This command sets the port s response to a failed authentication either to block all traffic or to assign all traffic for the port to a gu...

Page 622: ...ole config if dot1x max req 2 Console config if dot1x operation mode This command allows hosts clients to connect to an 802 1X authorized port Use the no form with no keywords to restore the default t...

Page 623: ...ss to a port operating in this mode is limited only by the available space in the secure address table i e up to 1024 addresses EXAMPLE Console config interface eth 1 2 Console config if dot1x operati...

Page 624: ...the process is handled transparently by the dot1x client software Only if re authentication fails is the port blocked The connected client is re authenticated after the interval specified by the dot1x...

Page 625: ...t1x timeout re authperiod seconds The number of seconds Range 1 65535 DEFAULT 3600 seconds COMMAND MODE Interface Configuration EXAMPLE Console config interface eth 1 2 Console config if dot1x timeout...

Page 626: ...erface eth 1 2 Console config if dot1x timeout supp timeout 300 Console config if dot1x timeout tx period This command sets the time that an interface on the switch waits during an authentication sess...

Page 627: ...s SYNTAX dot1x identity profile username username password password no dot1x identity profile username password username Specifies the supplicant user name Range 1 8 characters password Specifies the...

Page 628: ...icant mode on a port SYNTAX no dot1x pae supplicant DEFAULT Disabled COMMAND MODE Interface Configuration COMMAND USAGE When devices attached to a port must submit requests to another authenticator on...

Page 629: ...o dot1x timeout auth period seconds The number of seconds Range 1 65535 DEFAULT 30 seconds COMMAND MODE Interface Configuration COMMAND USAGE This command sets the time that the supplicant waits for a...

Page 630: ...NTAX dot1x timeout start period seconds no dot1x timeout start period seconds The number of seconds Range 1 65535 DEFAULT 30 seconds COMMAND MODE Interface Configuration EXAMPLE Console config interfa...

Page 631: ...authentication page 624 Reauth Period Time after which a connected client must be re authenticated page 625 Quiet Period Time a port waits after Max Request Count is exceeded before attempting to acqu...

Page 632: ...le show dot1x Global 802 1X Parameters System auth control Enabled Authenticator Parameters EAPOL Pass Through Disabled Supplicant Parameters Identity Profile Username steve 802 1X Port Summary Port N...

Page 633: ...o form to restore the default setting SYNTAX no management all client http client snmp client telnet client start address end address all client Adds IP address es to all groups http client Adds IP ad...

Page 634: ...ou cannot delete an individual address from a specified range You must delete the entire range and reenter the addresses You can delete an address range just by specifying the start address or by spec...

Page 635: ...Filter HTTP Client Start IP address End IP address 1 192 168 1 19 192 168 1 19 2 192 168 1 25 192 168 1 30 SNMP Client Start IP address End IP address 1 192 168 1 19 192 168 1 19 2 192 168 1 25 192 16...

Page 636: ...CHAPTER 24 Authentication Commands Management IP Filter 636...

Page 637: ...y of execution for these filtering commands is Port Security Port Authentication Network Access Web Authentication Access Control Lists DHCP Snooping and then IP Source Guard Configures secure address...

Page 638: ...ally take action by disabling the port and sending a trap message mac learning This command enables MAC address learning on the selected interface Use the no form to disable MAC address learning SYNTA...

Page 639: ...o restore the default settings for a response to security violation or for the maximum number of allowed addresses SYNTAX port security action shutdown trap trap and shutdown max mac count address cou...

Page 640: ...mand to disable port security and reset the maximum number of addresses to the default You can also manually add secure addresses with the mac address table static command A secure port has the follow...

Page 641: ...s guest vlan Specifies the guest VLAN IC network access link detection Enables the link detection feature IC network access link detection link down Configures the link detection feature to detect and...

Page 642: ...ured by the MAC Address Authenticataion process described in this section as well as to any secure MAC addresses authenticated by 802 1X regardless of the 802 1X Operation Mode Single Host Multi Host...

Page 643: ...g network access mac filter 1 mac address 11 22 33 44 55 66 Console config mac authentication reauth time Use this command to set the time period after which a connected MAC address must be re authent...

Page 644: ...QoS configuration for the port When a user attempts to log into the network with a returned dynamic QoS profile that is different from users already logged on to the same port the user is denied acce...

Page 645: ...or they are treated as an authentication failure If dynamic VLAN assignment is enabled on a port and the RADIUS server returns no VLAN configuration the authentication is still treated as a success a...

Page 646: ...e effective see the dot1x intrusion action command EXAMPLE Console config interface ethernet 1 1 Console config if network access guest vlan 25 Console config if network access link detection Use this...

Page 647: ...isable the port DEFAULT SETTING Disabled COMMAND MODE Interface Configuration EXAMPLE Console config interface ethernet 1 1 Console config if network access link detection link down action trap Consol...

Page 648: ...onse to take when port security is violated shutdown Disable port only trap Issue SNMP trap message only trap and shutdown Issue SNMP trap message and disable the port DEFAULT SETTING Disabled COMMAND...

Page 649: ...n enabled on a port the authentication process sends a Password Authentication Protocol PAP request to a configured RADIUS server The user name and password are both equal to the MAC address being aut...

Page 650: ...ype attribute set to 802 EXAMPLE Console config if network access mode mac authentication Console config if network access port mac filter Use this command to enable the specified MAC address filter U...

Page 651: ...e Con figuration EXAMPLE Console config if mac authentication intrusion action block traffic Console config if mac authentication max mac count Use this command to set the maximum number of MAC addres...

Page 652: ...port unit Unit identifier Range 1 port Port number Range 1 10 DEFAULT SETTING Displays the settings for all interfaces COMMAND MODE Privileged Exec EXAMPLE Console show network access interface ether...

Page 653: ...ange 1 port Port number Range 1 10 sort Sorts displayed entries by either MAC address or interface DEFAULT SETTING Displays all filters COMMAND MODE Privileged Exec COMMAND USAGE When using a bit mask...

Page 654: ...perform DNS queries All other traffic except for HTTP protocol traffic is blocked The switch intercepts HTTP protocol traffic and redirects it to a switch generated web page that facilitates user name...

Page 655: ...ole config web auth system auth control Enables web authentication globally for the switch GC web auth Enables web authentication for an interface IC web auth re authenticate Port Ends all web authent...

Page 656: ...MODE Global Configuration EXAMPLE Console config web auth quiet period 120 Console config web auth session timeout This command defines the amount of time a web authentication session remains valid W...

Page 657: ...and web auth for an interface must be enabled for the web authentication feature to be active EXAMPLE Console config web auth system auth control Console config web auth This command enables web auth...

Page 658: ...ged Exec EXAMPLE Console web auth re authenticate interface ethernet 1 2 Failed to reauth Console web auth re authenticate IP This command ends the web authentication session associated with the desig...

Page 659: ...mpts 3 Console show web auth interface This command displays interface specific web authentication parameters and statistics SYNTAX show web auth interface interface interface Specifies a port interfa...

Page 660: ...tion Mode ip dhcp snooping Enables DHCP snooping globally GC ip dhcp snooping database flash Writes all dynamically learned snooping entries to flash memory GC ip dhcp snooping information option Enab...

Page 661: ...tered based upon dynamic entries learned via DHCP snooping Table entries are only learned for trusted interfaces Each entry includes a MAC address IP address lease time VLAN identifier and port identi...

Page 662: ...trusted ports in the same VLAN If a DHCP packet is from server is received on a trusted port it will be forwarded to both trusted and untrusted ports in the same VLAN If the DHCP snooping is globally...

Page 663: ...n option DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server Known...

Page 664: ...ying it keep Retains the Option 82 information in the client request and forwards the packets to trusted ports replace Replaces the Option 82 information circuit id and remote id fields in the client...

Page 665: ...acket is dropped EXAMPLE This example enables MAC address verification Console config ip dhcp snooping verify mac address Console config RELATED COMMANDS ip dhcp snooping 661 ip dhcp snooping vlan 665...

Page 666: ...d Use the no form to restore the default setting SYNTAX no ip dhcp snooping trust DEFAULT SETTING All interfaces are untrusted COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE...

Page 667: ...lient request to the DHCP server must be configured as trusted EXAMPLE This example sets port 5 to untrusted Console config interface ethernet 1 5 Console config if no ip dhcp snooping trust Console c...

Page 668: ...le DHCP Snooping Information Policy replace DHCP Snooping is configured on the following VLANs 1 Verify Source Mac Address enable Interface Trusted Eth 1 1 No Eth 1 2 No Eth 1 3 No Eth 1 4 No Eth 1 5...

Page 669: ...no ip source guard binding mac address vlan vlan id mac address A valid unicast MAC address vlan id ID of a configured VLAN Range 1 4093 ip address A valid unicast IP address including classful types...

Page 670: ...an entry with same VLAN ID and MAC address and the type of the entry is dynamic DHCP snooping binding then the new entry will replace the old one and the entry type will be changed to static IP sourc...

Page 671: ...9 are automatically configured with an infinite lease time Dynamic entries learned via DHCP snooping are configured by the DHCP server itself If the IP source guard is enabled an inbound packet s IP a...

Page 672: ...bled or disabled on each interface COMMAND MODE Privileged Exec EXAMPLE Console show ip source guard Interface Filter type Eth 1 1 DISABLED Eth 1 2 DISABLED Eth 1 3 DISABLED Eth 1 4 DISABLED Eth 1 5 S...

Page 673: ...hosts with statically configured IP addresses This section describes commands used to configure ARP Inspection Table 80 ARP Inspection Commands Command Function Mode ip arp inspection Enables ARP Ins...

Page 674: ...ction is enabled When ARP Inspection is disabled all ARP request and reply packets bypass the ARP Inspection engine and their manner of switching matches that of all other packets Disabling and then r...

Page 675: ...not checked DEFAULT SETTING ARP ACLs are not bound to any VLAN Static mode is not enabled COMMAND MODE Global Configuration COMMAND USAGE ARP ACLs are configured with the commands described on page 31...

Page 676: ...ogging is active for ARP Inspection and cannot be disabled When the switch drops a packet it places an entry in the log buffer Each entry contains flow information such as the receiving VLAN the port...

Page 677: ...e target IP addresses are checked only in ARP responses src mac Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body This check is performed on both ARP...

Page 678: ...ine and their manner of switching matches that of all other packets Disabling and then re enabling global ARP Inspection will not affect the ARP Inspection configuration for any VLANs When ARP Inspect...

Page 679: ...arp inspection trust This command sets a port as trusted and thus exempted from ARP Inspection Use the no form to restore the default setting SYNTAX no ip arp inspection trust DEFAULT SETTING Untruste...

Page 680: ...ge Interval 10 s Log Message Number 1 Need Additional Validation s Yes Additional Validation Type Destination MAC address Console show ip arp inspection interface This command shows the trust status a...

Page 681: ...st IP Address Src MAC Address Dst MAC Address Console show ip arp inspection statistics ARP packets received before rate limit 150 ARP packets dropped due to rate limt 5 Total ARP packets processed by...

Page 682: ...HAPTER 25 General Security Measures ARP Inspection 682 COMMAND MODE Privileged Exec EXAMPLE Console show ip arp inspection vlan 1 VLAN ID DAI Status ACL Name ACL Status 1 disabled sales static Console...

Page 683: ...Function IPv4 ACLs Configures ACLs based on IPv4 addresses TCP UDP port number protocol type and TCP control code MAC ACLs Configures ACLs based on hardware addresses packet format and Ethernet type...

Page 684: ...er more specific criteria acl name Name of the ACL Maximum length 16 characters no spaces or other special characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE When you crea...

Page 685: ...one COMMAND MODE Standard IPv4 ACL COMMAND USAGE New rules are appended to the end of the list Address bit masks are similar to a subnet mask containing four integers from 0 to 255 each separated by a...

Page 686: ...it deny tcp any source address bitmask host source any destination address bitmask host destination precedence precedence tos tos dscp dscp source port sport bitmask destination port dport port bitmas...

Page 687: ...tmask is bitwise ANDed with the specified source IP address and then compared with the address for each IP packet entering the port s to which this ACL has been assigned You can specify both Precedenc...

Page 688: ...0 255 255 255 0 any destination port 80 Console config ext acl This permits all TCP packets from class C addresses 192 168 1 0 with the TCP control code set to SYN Console config ext acl permit tcp 1...

Page 689: ...ccess list 689 Time Range 545 show ip access group This command shows the ports assigned to IP ACLs COMMAND MODE Privileged Exec EXAMPLE Console show ip access group Interface ethernet 1 2 IP access l...

Page 690: ...no form to remove the specified ACL SYNTAX no access list mac acl name acl name Name of the ACL Maximum length 16 characters no spaces or other special characters DEFAULT SETTING None COMMAND MODE Gl...

Page 691: ...tion address bitmask vid vid vid bitmask ethertype protocol protocol bitmask time range time range name no permit deny any host source source address bitmask any host destination destination address b...

Page 692: ...ermit deny untagged 802 3 any host source source address bitmask any host destination destination address bitmask tagged eth2 Tagged Ethernet II packets untagged eth2 Untagged Ethernet II packets tagg...

Page 693: ...ermit any host 00 e0 29 94 34 de ethertype 0800 Console config mac acl RELATED COMMANDS access list mac 690 Time Range 545 mac access group This command binds a MAC ACL to a port Use the no form to re...

Page 694: ...eged Exec EXAMPLE Console show mac access group Interface ethernet 1 5 MAC access list M5 in Console RELATED COMMANDS mac access group 693 show mac access list This command displays the rules for conf...

Page 695: ...OMMAND MODE Global Configuration COMMAND USAGE When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list To cr...

Page 696: ...esponse ip any host source ip source ip ip address bitmask any host destination ip destination ip ip address bitmask mac any host source mac source mac mac address bitmask any host destination mac des...

Page 697: ...mac any any Console config mac acl RELATED COMMANDS access list arp 695 show arp access list This command displays the rules for configured ARP ACLs SYNTAX show arp access list acl name acl name Name...

Page 698: ...c EXAMPLE Console show access list IP standard access list david permit host 10 1 1 21 permit 168 92 0 0 255 255 15 0 IP extended access list bob permit 10 7 1 1 255 255 255 0 any permit 192 168 1 0 2...

Page 699: ...led IC switchport packet rate Enabling hardware level storm control with this command on a port will disable software level automatic storm control on the same port if configured by the auto traffic c...

Page 700: ...ort Port number Range 1 10 port channel channel id Range 1 5 vlan vlan id Range 1 4093 DEFAULT SETTING None COMMAND MODE Global Configuration EXAMPLE To specify port 4 enter the following command Cons...

Page 701: ...tric 1000full Supports 1 Gbps full duplex operation 100full Supports 100 Mbps full duplex operation 100half Supports 100 Mbps half duplex operation 10full Supports 10 Mbps full duplex operation 10half...

Page 702: ...cription to an interface Use the no form to remove the description SYNTAX description string no description string Comment or a description to help you remember what is attached to this interface Rang...

Page 703: ...low control on or off with the flowcontrol or no flowcontrol command use the no negotiation command to disable auto negotiation on the selected interface When using the negotiation command to enable a...

Page 704: ...Ports 9 10 EXAMPLE This forces the switch to use the built in RJ 45 port for the combination port 10 Console config interface ethernet 1 10 Console config if media type copper forced Console config if...

Page 705: ...ig if RELATED COMMANDS capabilities 701 speed duplex 706 shutdown This command disables an interface To restart a disabled interface use the no form SYNTAX no shutdown DEFAULT SETTING All interfaces a...

Page 706: ...00BASE T standard does not support forced mode Auto negotiation should always be used to establish a connection over any 1000BASE T port or trunk If not used the success of the link process cannot be...

Page 707: ...tion Ethernet COMMAND USAGE When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic packets exceeding the threshold are dropped until the rate falls back do...

Page 708: ...t interface the statistics displayed will show the absolute value accumulated since the last power reset EXAMPLE The following example clears statistics on port 5 Console clear counters ethernet 1 5 C...

Page 709: ...Port or Trunk Statistics on page 128 EXAMPLE Console show interfaces counters ethernet 1 1 Ethernet 1 1 IF table Stats 2166458 Octets Input 14734059 Octets Output 14707 Unicast Input 19806 Unicast Out...

Page 710: ...s the status for an interface SYNTAX show interfaces status interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 10 port channel channel id Range 1 5 vlan vlan...

Page 711: ...w interfaces switchport This command displays the administrative and operational status of the specified interfaces SYNTAX show interfaces switchport interface interface ethernet unit port unit Unit i...

Page 712: ...has been enabled or disabled page 719 Ingress Egress Rate Limit Shows if rate limiting is enabled and the current rate limit page 737 VLAN Membership Mode Indicates membership mode as Trunk or Hybrid...

Page 713: ...test immediately upon completion including common cable failures as well as the status and approximate length of each cable pair Potential conditions which may be listed by the diagnostics include OK...

Page 714: ...hernet COMMAND USAGE IEEE 802 3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters Enabling power saving mode can reduce power used for...

Page 715: ...n can be reduced since signal attenuation is proportional to cable length When power savings mode is enabled the switch analyzes cable length to determine whether or not it can reduce the signal ampli...

Page 716: ...CHAPTER 27 Interface Commands 716 EXAMPLE Console show power save interface ethernet 1 10 Power Saving Status Enabled Console...

Page 717: ...A trunk can have up to 8 ports The ports at both ends of a connection must be configured as trunk ports All ports in a trunk must be configured in an identical manner including communication mode i e...

Page 718: ...it has the null value of 0 this key is set to the same value as the port admin key lacp admin key Ethernet Interface used by the interfaces that joined the group However if the port channel admin key...

Page 719: ...with another switch using LACP will automatically be assigned the next available port channel ID If the target switch has also enabled LACP on the connected ports the trunk will be activated automatic...

Page 720: ...r partner admin key actor The local side an aggregate link partner The remote side of an aggregate link key The port admin key must be set to the same value for ports that belong to the same link aggr...

Page 721: ...TING 32768 COMMAND MODE Interface Configuration Ethernet COMMAND USAGE Setting a lower value indicates a higher effective priority If an active port link goes down the backup port with the highest pri...

Page 722: ...switch s MAC address to form the LAG identifier This identifier is used to indicate a specific LAG during LACP negotiations with other systems Once the remote side of a link has been established LACP...

Page 723: ...he interfaces that joined the group Note that when the LAG is no longer used the port channel admin key is reset to 0 EXAMPLE Console config interface port channel 1 Console config if lacp admin key 3...

Page 724: ...is channel group Marker Sent Number of valid Marker PDUs transmitted from this channel group Marker Received Number of valid Marker PDUs received by this channel group LACPDUs Unknown Pkts Number of f...

Page 725: ...mation Collecting Collection of incoming frames on this link is enabled i e collection is currently enabled and is not expected to be disabled in the absence of administrative changes or changes in re...

Page 726: ...signed to this aggregation port by the partner Admin Key Current administrative value of the Key for the protocol partner Oper Key Current operational value of the Key for the protocol partner Admin S...

Page 727: ...lan id mac address mac address no port monitor interface interface ethernet unit port source port unit Unit identifier Range 1 port Port number Range 1 10 rx Mirror received packets tx Mirror transmit...

Page 728: ...monitor command to specify the source of the traffic to mirror When mirroring traffic from a port the mirror port and monitor port speeds should match otherwise traffic may be dropped from the monito...

Page 729: ...ernet 1 5 Console config if port monitor ethernet 1 6 Console config if end Console show port monitor Port Mirroring Destination Port listen port Eth1 5 Source Port monitored port Eth1 6 Mode RX TX Co...

Page 730: ...red as one type of RSPAN interface source destination or uplink Also note that the source port and destination port cannot be configured on the same switch Local Remote Mirror The destination of a loc...

Page 731: ...e mirroring for the specified type SYNTAX no rspan session session id source interface interface list rx tx both session id A number identifying this RSPAN session Range 1 2 Only two mirror sessions a...

Page 732: ...dentifying this RSPAN session Range 1 2 Only two mirror sessions are allowed including both local and remote mirroring If local mirroring is enabled with the port monitor command then there is only on...

Page 733: ...ror sessions are allowed including both local and remote mirroring If local mirroring is enabled with the port monitor command then there is only one session available for RSPAN vlan id ID of configur...

Page 734: ...n RSPAN VLAN but will only show configured RSPAN VLAN identifiers EXAMPLE The following example enables RSPAN on VLAN 2 specifies this device as an RSPAN destination switch and the uplink interface as...

Page 735: ...e allowed including both local and remote mirroring If local mirroring is enabled with the port monitor command then there is only one session available for RSPAN COMMAND MODE Privileged Exec EXAMPLE...

Page 736: ...CHAPTER 29 Port Mirroring Commands RSPAN Mirroring Commands 736...

Page 737: ...f disabled SYNTAX rate limit input output rate no rate limit input output input Input rate for specified interface output Output rate for specified interface rate Maximum value in Kbps Range 64 100000...

Page 738: ...control command It is therefore not advisable to use both of these commands on the same interface EXAMPLE Console config interface ethernet 1 1 Console config if rate limit input 64 Console config if...

Page 739: ...imer expires IC Port auto traffic control control release Manually releases a control response IC Port auto traffic control auto control release Automatically releases a control response PE SNMP Trap...

Page 740: ...eneath the lower threshold after a storm control response has been triggered and the release timer expires IC Port ATC Display Commands show auto traffic control Shows global configuration settings fo...

Page 741: ...nable the port FUNCTIONAL LIMITATIONS Automatic storm control is a software level control function Traffic storms can also be controlled at the hardware level using the switchport packet rate command...

Page 742: ...s the time at which to release the control response after ingress traffic has fallen beneath the lower threshold Use the no form to restore the default setting SYNTAX auto traffic control broadcast mu...

Page 743: ...ING Disabled COMMAND MODE Interface Configuration Ethernet COMMAND USAGE Automatic storm control can be enabled for either broadcast or multicast traffic It cannot be enabled for both of these traffic...

Page 744: ...n only be manually re enabled DEFAULT SETTING rate control COMMAND MODE Interface Configuration Ethernet COMMAND USAGE When the upper threshold is exceeded and the apply timer expires a control respon...

Page 745: ...s COMMAND MODE Interface Configuration Ethernet COMMAND USAGE Once the traffic rate falls beneath the lower threshold a trap message may be sent if configured by the snmp server enable port traps atc...

Page 746: ...figuration Ethernet COMMAND USAGE Once the upper threshold is exceeded a trap message may be sent if configured by the snmp server enable port traps atc broadcast alarm fire command or snmp server ena...

Page 747: ...trol for broadcast traffic multicast Specifies automatic storm control for multicast traffic COMMAND MODE Interface Configuration Ethernet COMMAND USAGE This command can be used to automatically stop...

Page 748: ...nmp server enable port traps atc broadcast alarm fire DEFAULT SETTING Disabled COMMAND MODE Interface Configuration Ethernet EXAMPLE Console config interface ethernet 1 1 Console config if snmp server...

Page 749: ...server enable port traps atc broadcast control release DEFAULT SETTING Disabled COMMAND MODE Interface Configuration Ethernet EXAMPLE Console config interface ethernet 1 1 Console config if snmp serve...

Page 750: ...nmp server enable port traps atc multicast alarm fire DEFAULT SETTING Disabled COMMAND MODE Interface Configuration Ethernet EXAMPLE Console config interface ethernet 1 1 Console config if snmp server...

Page 751: ...expires Use the no form to disable this trap SYNTAX no snmp server enable port traps atc multicast control release DEFAULT SETTING Disabled COMMAND MODE Interface Configuration Ethernet EXAMPLE Conso...

Page 752: ...unit port unit Unit identifier Range 1 port Port number Range 1 10 COMMAND MODE Privileged Exec EXAMPLE Console show auto traffic control interface ethernet 1 1 Eth 1 1 Information Storm Control Broad...

Page 753: ...DEFAULT SETTING 300 seconds COMMAND MODE Global Configuration COMMAND USAGE The aging time is used to age out dynamically learned forwarding information EXAMPLE Console config mac address table aging...

Page 754: ...The default mode is permanent COMMAND MODE Global Configuration COMMAND USAGE The static address for a host device can be assigned to a specific port within a specific VLAN Use this command to add sta...

Page 755: ...ddress interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 10 port channel channel id Range 1 5 vlan id VLAN ID Range 1 4093 sort Sort by address vlan or interface DEFAU...

Page 756: ...ss table Interface MAC Address VLAN Type Life Time Eth 1 1 00 E0 29 94 34 DE 1 Config Delete on Reset Eth 1 21 00 01 EC F8 D8 D9 1 Learn Delete on Timeout Console show mac address table aging time Thi...

Page 757: ...e maximum number of hops allowed in the region before a BPDU is discarded MST mst priority Configures the priority of a spanning tree instance MST mst vlan Adds VLANs to a spanning tree instance MST n...

Page 758: ...s down EXAMPLE This example shows how to enable the Spanning Tree Algorithm for the switch Console config spanning tree Console config spanning tree port priority Configures the spanning tree priority...

Page 759: ...evice must receive information about topology changes before it starts to forward frames In addition each port needs time to listen for conflicting information that would make it return to the discard...

Page 760: ...of 40 or 2 x forward time 1 DEFAULT SETTING 20 seconds COMMAND MODE Global Configuration COMMAND USAGE This command sets the maximum time in seconds a device can wait without receiving a configuration...

Page 761: ...P supports connections to either STP or RSTP nodes by monitoring the incoming protocol messages and dynamically adjusting the type of protocol messages the RSTP node transmits as described below STP M...

Page 762: ...the IEEE 802 1w Rapid Spanning Tree Protocol short Specifies 16 bit based values that range from 1 65535 This method is based on the IEEE 802 1 Spanning Tree Protocol DEFAULT SETTING Long method COMMA...

Page 763: ...electing the root device root port and designated port The device with the highest priority i e lower numeric value becomes the STA root device However if all devices have the same priority the device...

Page 764: ...ole config spanning tree transmission limit 4 Console config max hops This command configures the maximum number of hops in the region before a BPDU is discarded Use the no form to restore the default...

Page 765: ...e Range 0 61440 in steps of 4096 Options 0 4096 8192 12288 16384 20480 24576 28672 32768 36864 40960 45056 49152 53248 57344 61440 DEFAULT SETTING 32768 COMMAND MODE MST Configuration COMMAND USAGE MS...

Page 766: ...allowing for faster convergence of a new topology for the failed instance By default all VLANs are assigned to the Internal Spanning Tree MSTI 0 that connects all bridges and LANs within the MST regi...

Page 767: ...on This command configures the revision number for this multiple spanning tree configuration of this switch Use the no form to restore the default SYNTAX revision number number Revision number of the...

Page 768: ...ng port connected to another switch or bridging device is mistakenly configured as an edge port and BPDU filtering is enabled on this port this might cause a loop in the spanning tree Before enabling...

Page 769: ...f spanning tree bpdu guard Console config if RELATED COMMANDS spanning tree edge port 770 spanning tree spanning disabled 777 spanning tree cost This command configures the spanning tree path cost for...

Page 770: ...refore lower values should be assigned to ports attached to faster media and higher values assigned to ports with slower media Path cost takes precedence over port priority When the path cost method p...

Page 771: ...panning tree edge port Console config if spanning tree link type This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree Use the no form to restore the default SYNTAX...

Page 772: ...BPDU according to IEEE Standard 802 1W 2001 9 3 4 Note 1 Port Loopback Detection will not be active if Spanning Tree is disabled on the switch EXAMPLE Console config interface ethernet 1 5 Console co...

Page 773: ...BPDU according to IEEE Standard 802 1W 2001 9 3 4 Note 1 Port Loopback Detection will not be active if Spanning Tree is disabled on the switch When configured for manual release mode then a link down...

Page 774: ...th cost 0 is used to indicate auto configuration mode When the short path cost method is selected and the default path cost recommended by the IEEE 8021w standard exceeds 65 535 the default is set to...

Page 775: ...ple spanning tree If the path cost for all interfaces on a switch are the same the interface with the highest priority that is lowest value will be configured as an active link in the spanning tree Wh...

Page 776: ...ort Channel COMMAND USAGE A bridge with a lower bridge identifier or same identifier and lower MAC address can take over as the root bridge at any time When Root Guard is enabled and the switch receiv...

Page 777: ...PLE This example disables the spanning tree algorithm for port 5 Console config interface ethernet 1 5 Console config if spanning tree spanning disabled Console config if spanning tree loopback detect...

Page 778: ...t Port number Range 1 10 port channel channel id Range 1 5 COMMAND MODE Privileged Exec COMMAND USAGE If at any time the switch detects STP BPDUs including Configuration or Topology Change Notificatio...

Page 779: ...d for every interface in the tree Use the show spanning tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree CST Use the show spanning tre...

Page 780: ...Cost 100000 Priority 128 Designated Cost 100000 Designated Port 128 1 Designated Root 32768 0 0001ECF8D8C6 Designated Bridge 32768 0 123412341234 Fast Forwarding Disabled Forward Transitions 4 Admin E...

Page 781: ...ing name VID and state Configuring VLAN Interfaces Configures VLAN interface parameters including ingress and egress tagging mode ingress filtering PVID and GVRP Displaying VLAN Information Displays V...

Page 782: ...USAGE GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network This function should be enabled to permit automatic VLAN registration...

Page 783: ...AGE Group Address Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN The default values for the GARP timers are indepen...

Page 784: ...NG No VLANs are included in the forbidden list COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE This command prevents a VLAN from being automatically added to the specified int...

Page 785: ...nsole show bridge ext Maximum Supported VLAN Numbers 4093 Maximum Supported VLAN ID 4093 Extended Multicast Filtering Services No Static Entry Individual Port Yes VLAN Learning IVL Configurable PVID T...

Page 786: ...ace interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 10 port channel channel id Range 1 5 DEFAULT SETTING Shows both global and interface specific configuration COMMA...

Page 787: ...mmand EXAMPLE Console config vlan database Console config vlan RELATED COMMANDS show vlan 795 vlan This command configures a VLAN Use the no form to restore the default settings or delete a VLAN SYNTA...

Page 788: ...TE The switch allows 256 user manageable VLANs EXAMPLE The following example adds a VLAN using VLAN ID 105 and name RD5 The VLAN is activated by default Console config vlan database Console config vla...

Page 789: ...ration commands and save the configuration settings To change a Layer 3 normal VLAN back to a Layer 2 VLAN use the no interface command EXAMPLE The following example shows how to set the interface con...

Page 790: ...gned to the default VLAN EXAMPLE The following example shows how to restrict the traffic received on port 1 to tagged frames Console config interface ethernet 1 1 Console config if switchport acceptab...

Page 791: ...he host at the other end of the connection supports VLANs the interface should be added to these VLANs as an untagged member Otherwise it is only necessary to add at most one VLAN as untagged and this...

Page 792: ...fig if switchport mode This command configures the VLAN membership mode for a port Use the no form to restore the default SYNTAX switchport mode access hybrid trunk no switchport mode access Specifies...

Page 793: ...d Default VLAN ID for a port Range 1 4093 no leading zeroes DEFAULT SETTING VLAN 1 COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE When using Access mode and an interface is a...

Page 794: ...LAN Trunking Without VLAN trunking you would have to configure VLANs 1 and 2 on all intermediate switches C D and E otherwise these switches would drop any frames with unknown VLAN group tags However...

Page 795: ...Console config interface ethernet 1 9 Console config if vlan trunking Console config if interface ethernet 1 10 Console config if vlan trunking Console config if DISPLAYING VLAN INFORMATION This secti...

Page 796: ...VLAN space by using a VLAN in VLAN hierarchy preserving the customer s original tagged packets and adding SPVLAN tags to each frame also called double tagging This section describes commands used to...

Page 797: ...n Limitations for QinQ The native VLAN for the tunnel uplink ports and tunnel access ports cannot be the same However the same service VLANs can be set on both tunnel port types IGMP Snooping should n...

Page 798: ...ng the dot1q tunnel system tunnel control command before the switchport dot1q tunnel mode interface command can take effect When a tunnel uplink port receives a packet from a customer the customer tag...

Page 799: ...with third party switches that do not use the standard 0x8100 ethertype to identify 802 1Q tagged frames For example 0x1234 is set as the custom 802 1Q ethertype on a trunk port incoming frames conta...

Page 800: ...to the service provider port based traffic segmentation can be used to isolate traffic for individual clients traffic segmentation This command enables traffic segmentation globally or configures the...

Page 801: ...command without any parameters to enable traffic segmentation Then set the interface members for segmented groups Enter no traffic segmentation to disable traffic segmentation and clear the configura...

Page 802: ...e protocol based VLANs follow these steps 1 First configure VLAN groups for the protocols you want to use page 787 Although not mandatory we suggest configuring a separate VLAN for each major protocol...

Page 803: ...MAND MODE Global Configuration EXAMPLE The following creates protocol group 1 and specifies Ethernet frames with IP and ARP protocol types Console config protocol vlan protocol group 1 add frame type...

Page 804: ...ames If the frame is untagged and the protocol type matches the frame is forwarded to the appropriate VLAN If the frame is untagged but the protocol type does not match the frame is forwarded to the d...

Page 805: ...VLANs for the selected interfaces SYNTAX show interfaces protocol vlan protocol group interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 10 port channel chan...

Page 806: ...ask vlan vlan id priority priority no subnet vlan subnet ip address mask all ip address The IP address that defines the subnet Valid IP addresses consist of four decimal numbers 0 to 255 separated by...

Page 807: ...255 255 255 224 vlan 4 Console config show subnet vlan This command displays IP Subnet VLAN assignments COMMAND MODE Privileged Exec COMMAND USAGE Use this command to display subnet to VLAN mappings T...

Page 808: ...remove an assignment SYNTAX mac vlan mac address mac address vlan vlan id priority priority no mac vlan mac address mac address all mac address The source MAC address to be matched Configured MAC add...

Page 809: ...MAC address VLAN ID 00 00 00 11 22 33 10 Console CONFIGURING VOICE VLANS The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic VoIP traffic can be d...

Page 810: ...n switch ports by using the source MAC address of packets or by using LLDP IEEE 802 1AB to discover connected VoIP devices When VoIP traffic is detected on a configured port the switch automatically a...

Page 811: ...gures the Voice VLAN aging time as 3000 minutes Console config voice vlan aging 3000 Console config voice vlan mac address This command specifies MAC address ranges to add to the OUI Telephony list Us...

Page 812: ...Telephony list Console config voice vlan mac address 00 12 34 56 78 90 mask ff ff ff 00 00 00 description A new phone Console config switchport voice vlan This command specifies the Voice VLAN mode fo...

Page 813: ...MMAND USAGE Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN The priority of any received VoIP packet is overwritten with the new priority when the Voice VLAN feature is ac...

Page 814: ...ing VoIP traffic Console config interface ethernet 1 1 Console config if switchport voice vlan rule oui Console config if switchport voice vlan security This command enables security filtering for VoI...

Page 815: ...LE Console show voice vlan status Global Voice VLAN Status Voice VLAN Status Enabled Voice VLAN ID 1234 Voice VLAN aging time 1440 minutes Voice VLAN Port Summary Port Mode Security Rule Priority Eth...

Page 816: ...CHAPTER 34 VLAN Commands Configuring Voice VLANs 816...

Page 817: ...nfigures the queue mode queue weights and default priority for untagged frames Priority Commands Layer 3 and 4 Sets the default priority processing method CoS or DSCP maps priority tags for internal p...

Page 818: ...a strict queue DEFAULT SETTING Strict and WRR with Queue 3 using strict mode COMMAND MODE Global Configuration COMMAND USAGE The switch can be set to service the port queues based on strict priority S...

Page 819: ...ed at the egress ports by defining scheduling weights for SWDRR or for the queuing mode that uses a combination of strict and weighted queuing Service time is allocated to each queue by calculating a...

Page 820: ...ult priority id no switchport priority default default priority id The priority number for untagged ingress traffic The priority is a number from 0 to 7 Seven is the highest priority DEFAULT SETTING T...

Page 821: ...ted VLAN these frames are stripped of all VLAN tags prior to transmission EXAMPLE The following example shows how to set a default priority on port 3 to 5 Console config interface ethernet 1 3 Console...

Page 822: ...l format Range 0 1 Table 116 Priority Commands Layer 3 and 4 Command Function Mode qos map cos dscp Maps CoS CFI values in incoming packets to per hop behavior and drop precedence values for internal...

Page 823: ...riority tags in the original packet are not modified by this command The internal DSCP consists of three bits for per hop behavior PHB which determines the queue to which a packet is sent and two bits...

Page 824: ...DSCP by the qos map trust mode command and the ingress packet type is IPv4 Two QoS domains can have different DSCP definitions so the DSCP to PHB Drop Precedence mutation map can be used to modify one...

Page 825: ...rface ethernet 1 5 Console config if qos map dscp mutation 3 1 from 1 Console config if qos map phb queue This command determines the hardware output queues to use based on the internal per hop behavi...

Page 826: ...essing will be based on the DSCP value in the ingress packet If the QoS mapping mode is set to DSCP and a non IP packet is received the packet s CoS and CFI Canonical Format Indicator values are used...

Page 827: ...in the top row in other words ingress DSCP d1 10 d2 and the corresponding Internal DSCP and drop precedence is shown at the intersecting cell in the table Console show qos map dscp mutation interface...

Page 828: ...cos dscp This command shows ingress CoS CFI to internal DSCP map SYNTAX show qos map cos dscp interface interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 10...

Page 829: ...map trust mode interface interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 10 port channel channel id Range 1 5 COMMAND MODE Privileged Exec EXAMPLE The foll...

Page 830: ...CHAPTER 35 Class of Service Commands Priority Commands Layer 3 and 4 830...

Page 831: ...of a policy map PM police flow Defines an enforcer for classified traffic based on a metered flow rate PM C police srtcm color Defines an enforcer for classified traffic based on a single rate three c...

Page 832: ...he matching traffic class and use one of the police commands to monitor parameters such as the average flow and burst rate and drop any traffic that exceeds the specified rate or just reduce the DSCP...

Page 833: ...ommands EXAMPLE This example creates a class map call rd class and sets it to match packets marked for DSCP service value 3 Console config class map rd class match any Console config cmap match ip dsc...

Page 834: ...mand to designate a class map and enter the Class Map configuration mode Then use match commands to specify the fields within ingress packets that must match to qualify for this class map If an ingres...

Page 835: ...onfig cmap rename This command redefines the name of a class map or policy map SYNTAX rename map name map name Name of the class map or policy map Range 1 16 characters COMMAND MODE Class Map Configur...

Page 836: ...rd policy Console config pmap class rd class Console config pmap c set cos 0 Console config pmap c police flow 10000 4000 conform action transmit violate action drop Console config pmap c class This c...

Page 837: ...Console config pmap c police flow This command defines an enforcer for classified traffic based on the metered flow rate Use the no form to remove a policer SYNTAX no police flow committed rate commi...

Page 838: ...e The token bucket C is initially full that is the token count Tc 0 BC Thereafter the token count Tc is updated CIR times per second as follows If Tc is less than BC Tc is incremented by one else Tc i...

Page 839: ...st Excess burst size BE in bytes Range 4000 1600000 at a granularity of 4k bytes conform action Action to take when rate is within the CIR and BC There are enough tokens in bucket BC to service the pa...

Page 840: ...ken count Tc 0 BC and the token count Te 0 BE Thereafter the token counts Tc and Te are updated CIR times per second as follows If Tc is less than BC Tc is incremented by one else if Te is less then B...

Page 841: ...color blind trtcm color aware committed rate committed burst peak rate peak burst conform action transmit exceed action drop new dscp violate action drop new dscp trtcm color blind Two rate three col...

Page 842: ...ol queue congestion A packet is marked red if it exceeds the PIR Otherwise it is marked either yellow or green depending on whether it exceeds or doesn t exceed the CIR The trTCM is useful for ingress...

Page 843: ...on other aspects of trTCM EXAMPLE This example creates a policy called rd policy uses the class command to specify the previously defined rd class uses the set phb command to classify the service that...

Page 844: ...Console config pmap c police flow 10000 4000 conform action transmit violate action drop Console config pmap c set phb This command services IP traffic by setting a per hop behavior value for a matchi...

Page 845: ...licy map defined by the policy map command to the ingress side of a particular interface Use the no form to remove this mapping SYNTAX no service policy input policy map name input Apply to the input...

Page 846: ...ss list rd access Match ip dscp 0 Class Map match any rd class 2 Match ip precedence 5 Class Map match any rd class 3 Match vlan 1 Console show policy map This command displays the QoS policy maps whi...

Page 847: ...le show policy map interface This command displays the service policy assigned to the specified interface SYNTAX show policy map interface interface input interface unit port unit Unit identifier Rang...

Page 848: ...CHAPTER 36 Quality of Service Commands 848...

Page 849: ...ic multicast router ports which forward all inbound multicast traffic to the attached VLANs IGMP Filtering and Throttling Configures IGMP filtering and throttling Multicast VLAN Registration Configure...

Page 850: ...g vlan last memb query count Configures the number of IGMP proxy query messages that are sent out before the system assumes there are no local members GC ip igmp snooping vlan last memb query intvl Co...

Page 851: ...o restore the default setting SYNTAX no ip igmp snooping proxy reporting ip igmp snooping vlan vlan id proxy reporting enable disable no ip igmp snooping vlan vlan id proxy reporting vlan id VLAN ID R...

Page 852: ...ation COMMAND USAGE IGMP snooping querier is not supported for IGMPv3 snooping see ip igmp snooping version If enabled the switch will serve as querier if elected The querier is responsible for asking...

Page 853: ...the switch is acting in the role of a multicast host such as when using proxy routing it should ignore version 2 or 3 queries that do not contain the Router Alert option EXAMPLE Console config ip igm...

Page 854: ...ived and all the uplink ports are subsequently deleted a time out mechanism is used to delete all of the currently learned multicast channels When a new uplink port starts up the switch sends unsolici...

Page 855: ...hen a switch receives this solicitation it floods it to all ports in the VLAN where the spanning tree change occurred When an upstream multicast router receives this solicitation it will also immediat...

Page 856: ...command specifies how often the upstream interface should transmit unsolicited IGMP reports when proxy reporting is enabled Use the no form to restore the default value SYNTAX ip igmp snooping unsolic...

Page 857: ...nd versions 2 and 3 are backward compatible so the switch can operate with other devices regardless of the snooping version employed If the IGMP snooping version is configured on a VLAN this setting t...

Page 858: ...oping vlan general query suppression This command suppresses general queries except for ports attached to downstream multicast hosts Use the no form to flood general queries to all ports except for th...

Page 859: ...sage is received The router querier stops forwarding traffic for that group only if no host replies to the query within the time out period The time out for this release is currently defined by Last M...

Page 860: ...ere are no more group members Range 1 255 DEFAULT SETTING 2 COMMAND MODE Global Configuration COMMAND USAGE This command will take effect only if IGMP snooping proxy reporting or IGMP querier is enabl...

Page 861: ...an id VLAN ID Range 1 4093 DEFAULT SETTING Enabled COMMAND MODE Global Configuration COMMAND USAGE Multicast Router Discovery MRD uses multicast router advertisement multicast router solicitation and...

Page 862: ...proxy address source address vlan id VLAN ID Range 1 4093 source address The source address used for proxied IGMP query and report and leave messages Any valid IP unicast address DEFAULT SETTING 0 0 0...

Page 863: ...nterval no ip igmp snooping vlan vlan id proxy query interval vlan id VLAN ID Range 1 4093 interval The interval between sending IGMP proxy general queries Range 10 31744 seconds DEFAULT SETTING 100 1...

Page 864: ...ths of a second DEFAULT SETTING 100 10 seconds COMMAND MODE Global Configuration COMMAND USAGE This command will take effect only if IGMP snooping proxy reporting is enabled page 851 EXAMPLE Console c...

Page 865: ...IGMP Snooping and Query Parameters on page 444 for a description of the displayed items EXAMPLE The following shows the current IGMP snooping configuration Console show ip igmp snooping IGMP snooping...

Page 866: ...D 1 4093 user Display only the user configured multicast entries igmpsnp Display only entries learned through IGMP snooping DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Member types...

Page 867: ...ic multicast router ports are configured COMMAND MODE Global Configuration COMMAND USAGE Depending on your network connections IGMP snooping may not always be able to locate the IGMP querier Therefore...

Page 868: ...n switch applications the administrator may want to control the multicast services that are available to end users For example an IP TV service based on a specific subscription plan The IGMP filtering...

Page 869: ...ecked against the filter profile If a requested multicast group is permitted the IGMP join report is forwarded as normal If a requested multicast group is denied the IGMP join report is dropped IGMP f...

Page 870: ...o many interfaces but only one profile can be assigned to one interface Each profile has only one access mode either permit or deny EXAMPLE Console config ip igmp profile 19 Console config igmp profil...

Page 871: ...p range DEFAULT SETTING None COMMAND MODE IGMP Profile Configuration COMMAND USAGE Enter this command multiple times to specify more than one multicast address or address range for a profile EXAMPLE C...

Page 872: ...max groups number no ip igmp max groups number The maximum number of multicast groups an interface can join at the same time Range 1 255 DEFAULT SETTING 255 COMMAND MODE Interface Configuration Ether...

Page 873: ...tch can take one of two actions either deny or replace If the action is set to deny any new IGMP join reports will be dropped If the action is set to replace the switch randomly removes an existing gr...

Page 874: ...profile profile number profile number An existing IGMP filter profile number Range 1 4294967295 DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console show ip igmp profile IGMP Profile 19...

Page 875: ...all subscribers This can significantly reduce to processing overhead required to dynamically monitor and establish the distribution tree for a normal multicast VLAN Also note that MVR maintains the u...

Page 876: ...must be assigned vlan id MVR VLAN ID Range 1 4093 DEFAULT SETTING MVR is disabled No MVR group address is defined The default number of contiguous addresses is 0 MVR VLAN ID is 1 COMMAND MODE Global...

Page 877: ...t Port Channel COMMAND USAGE Immediate leave applies only to receiver ports When enabled the receiver port is immediately removed from the multicast group identified in the leave message When immediat...

Page 878: ...allow a receiver port to dynamically join or leave multicast groups sourced through the MVR VLAN Also note that VLAN membership for MVR receiver ports cannot be set to trunk mode see the switchport m...

Page 879: ...AULT SETTING No receiver port is a member of any configured multicast group COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE Multicast groups can be statically assigned to a re...

Page 880: ...Privileged Exec COMMAND USAGE Enter this command without any keywords to display the global settings for MVR Use the interface keyword to display information about interfaces attached to the MVR VLAN...

Page 881: ...mber of contiguous MVR group addresses Table 127 show mvr interface display description Field Description Port Shows interfaces attached to the MVR Type Shows the MVR port type Status Shows the MVR st...

Page 882: ...ssigned VLAN Indicates the MVR VLAN receiving the multicast service Forwarding Port Shows the interfaces with subscribers for multicast services provided through the MVR VLAN Also shows the VLAN throu...

Page 883: ...g to re initialize after LLDP ports are disabled or the link goes down GC lldp tx delay Configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB...

Page 884: ...ion capabilities IC lldp dot3 tlv mac phy Configures an LLDP enabled port to advertise its MAC and physical layer specifications IC lldp dot3 tlv max frame Configures an LLDP enabled port to advertise...

Page 885: ...ds no lldp notification interval seconds Specifies the periodic interval at which SNMP notifications are sent Range 5 3600 seconds DEFAULT SETTING 5 seconds COMMAND MODE Global Configuration COMMAND U...

Page 886: ...e following rule refresh interval holdtime multiplier 65536 EXAMPLE Console config lldp refresh interval 60 Console config lldp reinit delay This command configures the delay before attempting to re i...

Page 887: ...ent a series of successive LLDP transmissions during a short period of rapid changes in local LLDP MIB objects and to increase the probability that multiple rather than single changes are reported in...

Page 888: ...port sending this advertisement The management address TLV may also include information about the specific interface associated with this address and an object identifier indicating the type of hardwa...

Page 889: ...des information about the manufacturer the product name and the version of the interface hardware software EXAMPLE Console config interface ethernet 1 1 Console config if lldp basic tlv port descripti...

Page 890: ...RFC 3418 which includes the full name and version identification of the system s hardware type software operating system and networking software EXAMPLE Console config interface ethernet 1 1 Console...

Page 891: ...es the protocols that are accessible through this interface EXAMPLE Console config interface ethernet 1 1 Console config if no lldp dot1 tlv proto ident Console config if lldp dot1 tlv proto vid This...

Page 892: ...h which untagged or priority tagged frames are associated see the switchport native vlan command EXAMPLE Console config interface ethernet 1 1 Console config if no lldp dot1 tlv pvid Console config if...

Page 893: ...tatus of the link and the 802 3 aggregated port identifier if this interface is currently a link aggregation member EXAMPLE Console config interface ethernet 1 1 Console config if no lldp dot3 tlv lin...

Page 894: ...size for this switch EXAMPLE Console config interface ethernet 1 1 Console config if lldp dot3 tlv max frame Console config if lldp notification This command enables the transmission of SNMP trap noti...

Page 895: ...thernet 1 1 Console config if lldp notification Console config if show lldp config This command shows LLDP configuration settings for all ports SYNTAX show lldp config detail interface detail Shows co...

Page 896: ...show lldp info local device This command shows LLDP global and interface specific configuration settings for this device SYNTAX show lldp info local device detail interface detail Shows configuration...

Page 897: ...hernet Port on unit 1 port 1 Console show lldp info remote device This command shows LLDP global and interface specific configuration settings for remote devices attached to an LLDP enabled port SYNTA...

Page 898: ...port MAU type 6 Remote Power Via Mdi Remote power class PSE Remote power mdi supported Yes Remote power mdi enabled Yes Remote power pair controlable No Remote power pairs Spare Remote power classifi...

Page 899: ...ntries Dropped Count 0 Neighbor Entries Ageout Count 0 Interface NumFramesRecvd NumFramesSent NumFramesDiscarded Eth 1 1 10 11 0 Eth 1 2 0 0 0 Eth 1 3 0 0 0 Eth 1 4 0 0 0 Eth 1 5 0 0 0 switch show lld...

Page 900: ...CHAPTER 38 LLDP Commands 900...

Page 901: ...me Name of the host Do not include the initial dot that separates the host name from the domain name Range 1 68 characters DEFAULT SETTING None Table 130 Address Table Commands Command Function Mode i...

Page 902: ...the default domain name is not used EXAMPLE This example adds two domain names to the current list and then displays the list Console config ip domain list sample com jp Console config ip domain list...

Page 903: ...03 ip name server 905 ip domain name This command defines the default domain name appended to incomplete host names i e host names passed from a client that are not formatted with dotted notation Use...

Page 904: ...host name address name Name of an IPv4 host Range 1 100 characters address Corresponding IPv4 address DEFAULT SETTING No static entries COMMAND MODE Global Configuration COMMAND USAGE Use the no ip h...

Page 905: ...servers DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE The listed name servers are queried in the specified sequence until a response is received or the end of the list is reach...

Page 906: ...values One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields DEFAULT SETTING No static entries COMMAND MODE Global Configuration...

Page 907: ...ear host command to clear dynamic entries or the no ip host command to clear static entries EXAMPLE This example clears all static entries from the DNS table Console config clear host Console config s...

Page 908: ...sole show hosts No Flag Type IP Address TTL Domain 0 2 Address 192 168 1 55 rd5 1 2 Address 2001 DB8 1 12 rd6 3 4 Address 209 131 36 158 65 www real wa1 b yahoo com 4 4 CNAME POINTER TO 3 65 www yahoo...

Page 909: ...tored in the cache Type This field includes Address which specifies the primary name for the owner and CNAME which specifies multiple domain names or aliases which are mapped to the same IP address as...

Page 910: ...CHAPTER 39 Domain Name Service Commands 910...

Page 911: ...cquire other non address configuration information such as a default gateway from a DHCPv6 server Table 133 DHCP Commands Command Group Function DHCP Client Allows interfaces to dynamically acquire IP...

Page 912: ...service the client or the type of information to return The general framework for this DHCP option is set out in RFC 2132 Opton 60 This information is used to convey configuration settings or other i...

Page 913: ...p dhcp restart client Console show ip interface Vlan 1 is Administrative Up Link Up Address is 12 34 12 34 12 34 bia 12 34 12 34 12 34 Index 1001 MTU 1500 Bandwidth 1g Address Mode is DHCP IP Address...

Page 914: ...s are then ranked based on their advertised preference value If the client needs to acquire prefixes from servers only servers that have advertised prefixes are considered EXAMPLE The following comman...

Page 915: ...ange of consecutive numbers separated by a hyphen or multiple numbers separated by commas Range 1 4093 no leading zeroes COMMAND MODE Privileged Exec EXAMPLE Console show ipv6 dhcp vlan 1 VLAN 1 is in...

Page 916: ...CHAPTER 40 DHCP Commands DHCP Client 916...

Page 917: ...segment IPV4 INTERFACE There are no IP addresses assigned to this switch by default You must manually configure a new address to manage the switch over your network or to connect the switch to existin...

Page 918: ...ific IP address can be manually configured or the switch can be directed to obtain an address from a BOOTP or DHCP server Valid IP addresses consist of four numbers 0 to 255 separated by periods Anyth...

Page 919: ...nt 912 ipv6 address 927 ip default gateway This command specifies the default gateway for destinations not found in the local routing tables Use the no form to remove a default gateway SYNTAX ip defau...

Page 920: ...ce This command displays the settings of an IPv4 interface COMMAND MODE Privileged Exec EXAMPLE Console show ip interface Vlan 1 is Administrative Up Link Up Address is 00 E0 0C 00 00 FD via 00 E0 0C...

Page 921: ...If the timer goes off before a response is returned the trace function prints a series of asterisks and the Request Timed Out message A long sequence of these messages terminating only when the maximu...

Page 922: ...ination is unreachable Network or host unreachable The gateway found no corresponding entry in the route table When pinging a host name be sure the DNS server has been enabled see page 902 If necessar...

Page 923: ...onfiguration COMMAND USAGE When a ARP entry expires it is deleted from the cache and an ARP request packet is sent to re establish the MAC address The aging time determines how long dynamic entries re...

Page 924: ...mal Exec Privileged Exec COMMAND USAGE This command displays information about the ARP cache The first line shows the cache timeout It also shows each cache entry including the IP address MAC address...

Page 925: ...e of the maximum transmission unit MTU for IPv6 packets sent on an interface IC show ipv6 default gateway Displays the current IPv6 default gateway NE PE show ipv6 interface Displays the usability and...

Page 926: ...dress to indicate the appropriate number of zeros required to fill the undefined fields The same link local address may be used by different interfaces nodes in different zones RFC 4007 Therefore when...

Page 927: ...te the appropriate number of zeros required to fill the undefined fields To connect to a larger network with multiple subnets you must configure a global unicast address This address can be manually c...

Page 928: ...64 form of the interface identifier i e the switch s MAC address Use the no form to remove the address generated by this command SYNTAX no ipv6 address autoconfig DEFAULT SETTING No IPv6 addresses are...

Page 929: ...l is 1000 milliseconds Console RELATED COMMANDS ipv6 address 927 show ipv6 interface 935 ipv6 address eui 64 This command configures an IPv6 address for an interface using an EUI 64 interface ID in th...

Page 930: ...address The EUI 64 specification is designed for devices that use an extended 8 byte MAC address For devices that still use a 6 byte MAC address also known as EUI 48 format it must be converted into...

Page 931: ...a specific address to remove it from the interface SYNTAX ipv6 address ipv6 address link local no ipv6 address ipv6 address link local ipv6 address The IPv6 address assigned to the interface DEFAULT...

Page 932: ...00 72 FF02 1 FF00 FD FF02 1 IPv6 link MTU is 1500 bytes ND DAD is enabled number of DAD attempts 3 ND retransmit interval is 1000 milliseconds Console RELATED COMMANDS ipv6 enable 932 show ipv6 interf...

Page 933: ...le show ipv6 interface Vlan 1 is up IPv6 is enable Link local address FE80 2E0 CFF FE00 FD 64 Global unicast address es 2001 DB8 2222 7273 72 96 subnet is 2001 DB8 2222 7273 96 Joined group address es...

Page 934: ...enabled on an interface before the MTU can be set EXAMPLE The following example sets the MTU for VLAN 1 to 1280 bytes Console config interface vlan 1 Console config if ipv6 mtu 1280 Console config if...

Page 935: ...work portion of the address COMMAND MODE Normal Exec Privileged Exec EXAMPLE This example displays all the IPv6 addresses configured for the switch Console show ipv6 interface Vlan 1 is up IPv6 is ena...

Page 936: ...interface local multicast address is only used for loopback transmission of multicast traffic Link local multicast addresses cover the same types as used by link local unicast addresses including all...

Page 937: ...ecived total received header errors too big errors no routes address errors unknown protocols truncated packets discards delivers reassembly request datarams reassembled succeeded reassembled failed I...

Page 938: ...show ipv6 traffic display description Field Description IPv6 Statistics IPv6 recived total received The total number of input datagrams received by the interface including those received in error hea...

Page 939: ...of discarded IPv6 fragments since some algorithms notably the algorithm in RFC 815 can lose track of the number of fragments by combining them as they are received This counter is incremented at the i...

Page 940: ...CMPv6 Group Membership Query messages received by the interface group membership response messages The number of ICMPv6 Group Membership Response messages received by the interface group membership re...

Page 941: ...er of Redirect messages sent For a host this object will always be zero since hosts do not send redirects group membership response messages The number of ICMPv6 Group Membership Response messages sen...

Page 942: ...bytes COMMAND MODE Privileged Exec COMMAND USAGE Use the ping6 command to see if another site on the network can be reached or to evaluate delays over the path The same link local address may be used...

Page 943: ...eady exists on the network before it is assigned to an interface Duplicate address detection is stopped on any interface that has been suspended see the vlan command While an interface is suspended al...

Page 944: ...address FE80 200 E8FF FE90 0 64 TENTATIVE Global unicast address es 2009 DB9 2229 79 subnet is 2009 DB9 2229 0 64 TENTATIVE Joined group address es FF01 1 16 FF02 1 16 FF02 1 FF00 79 104 FF02 1 FF90 0...

Page 945: ...4 Global unicast address es 2009 DB9 2229 79 subnet is 2009 DB9 2229 0 64 Joined group address es FF01 1 16 FF02 1 16 FF02 1 FF00 79 104 FF02 1 FF90 0 104 MTU is 1500 bytes ND DAD is enabled number of...

Page 946: ...ic entries in the IPv6 neighbor cache Console clear ipv6 neighbors Console show ipv6 neighbors This command displays information in the IPv6 neighbor discovery cache SYNTAX show ipv6 neighbors vlan vl...

Page 947: ...e neighbor was functioning While in REACH state the device takes no special action when sending packets STALE More than the ReachableTime interval has elapsed since the last positive confirmation was...

Page 948: ...CHAPTER 41 IP Interface Commands IPv6 Interface 948...

Page 949: ...949 SECTION IV APPENDICES This section provides additional information and includes these items Software Specifications on page 951 Troubleshooting on page 955 License Information on page 957...

Page 950: ...SECTION IV Appendices 950...

Page 951: ...uplex 1000 Mbps at full duplex 1000BASE SX LX LH 1000 Mbps at full duplex SFP FLOW CONTROL Full Duplex IEEE 802 3 2005 Half Duplex Back pressure STORM CONTROL Broadcast multicast or unicast traffic th...

Page 952: ...policy maps and service policies MULTICAST FILTERING IGMP Snooping Layer 2 Multicast VLAN Registration ADDITIONAL FEATURES BOOTP Client DHCP Client DNS Client Proxy LLDP Link Layer Discover Protocol...

Page 953: ...5 Ethernet Fast Ethernet Gigabit Ethernet Link Aggregation Control Protocol LACP Full duplex flow control ISO IEC 8802 3 IEEE 802 3ac VLAN tagging DHCP Client RFC 2131 HTTPS ICMP RFC 792 IGMP RFC 1112...

Page 954: ...B II RFC 1213 P Bridge MIB RFC 2674P Port Access Entity MIB IEEE 802 1X Port Access Entity Equipment MIB Power Ethernet MIB RFC 3621 Private MIB Q Bridge MIB RFC 2674Q Quality of Service MIB RADIUS Au...

Page 955: ...Telnet SSH sessions permitted Try connecting again at a later time Cannot connect using Secure Shell If you cannot connect using SSH you may have exceeded the maximum number of concurrent Telnet SSH...

Page 956: ...sages reported to include all categories 3 Enable SNMP 4 Enable SNMP traps 5 Designate the SNMP host that is to receive the error messages 6 Repeat the sequence of commands or other actions that lead...

Page 957: ...of free software and charge for this service if you wish that you receive source code or can get it if you want it that you can change the software or use pieces of it in new free programs and that yo...

Page 958: ...notices stating that you changed the files and the date of any change b You must cause any work that you distribute or publish that in whole or in part contains or is derived from the Program or any p...

Page 959: ...red to accept this License since you have not signed it However nothing else grants you permission to modify or distribute the Program or its derivative works These actions are prohibited by law if yo...

Page 960: ...bution conditions are different write to the author to ask for permission For software which is copyrighted by the Free Software Foundation write to the Free Software Foundation we sometimes make exce...

Page 961: ...y prioritizing packets based on the required level of service and then placing them in the appropriate output queue Data is transmitted from the queues using weighted round robin service to enforce pr...

Page 962: ...and password is requested by the switch and then passed to an authentication server e g RADIUS for verification EAPOL is implemented as part of the IEEE 802 1X Port Authentication standard EUI Extend...

Page 963: ...Ns to communicate across switched networks IEEE 802 1P An IEEE standard for providing quality of service QoS in Ethernet networks The standard uses packet tags that define up to eight traffic classes...

Page 964: ...outing protocols in an simple tree that uses IGMP Proxy IGMP SNOOPING Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify...

Page 965: ...llows IGMP enabled devices to determine where to send multicast source and group membership messages MULTICAST SWITCHING A process whereby the switch filters incoming multicast frames for services for...

Page 966: ...ervice to selected traffic flows using features such as data prioritization queuing congestion avoidance and traffic shaping These features effectively provide preferential treatment to specific flows...

Page 967: ...ion protocol that uses software running on a central server to control access to TACACS compliant devices on the network TCP IP Transmission Control Protocol Internet Protocol Protocol suite that incl...

Page 968: ...of their physical location or connection point in the network A VLAN serves as a logical workgroup with no physical barriers and allows users to share information and resources as though located on t...

Page 969: ...configure lp number 500 banner configure manager info 501 banner configure mux 501 banner configure note 502 boot system 511 bridge ext gvrp 782 C calendar set 544 capabilities 701 channel group 718 c...

Page 970: ...870 ip igmp snooping 850 ip igmp snooping proxy reporting 851 ip igmp snooping querier 852 ip igmp snooping router alert option check 852 ip igmp snooping router port expire time 853 ip igmp snooping...

Page 971: ...st 537 logging sendmail level 538 logging sendmail source email 539 logging trap 533 login 522 M mac access group 693 mac address table aging time 753 mac address table static 754 mac authentication i...

Page 972: ...s map 846 show cluster 552 show cluster candidates 553 show cluster members 552 show dns 907 show dns cache 908 show dot1q tunnel 799 show dot1x 630 show garp timer 785 show gvrp configuration 786 sho...

Page 973: ...lent time 526 snmp server 556 snmp server community 557 snmp server contact 557 snmp server enable port traps atc broadcast alarm clear 747 snmp server enable port traps atc broadcast alarm fire 748 s...

Page 974: ...oice vlan priority 813 switchport voice vlan rule 813 switchport voice vlan security 814 T tacacs server 592 tacacs server host 593 tacacs server key 593 tacacs server port 594 test cable diagnostics...

Page 975: ...690 time range 298 545 address table 185 753 aging time 188 753 aging time displaying 188 756 aging time setting 188 753 administrative users displaying 507 ARP ACL 310 675 ARP configuration 923 ARP i...

Page 976: ...tion 833 classifying QoS traffic 236 834 color aware srTCM 244 839 color aware trTCM 245 841 color blind srTCM 244 839 color blind trTCM 245 841 committed burst size 244 246 837 839 841 committed info...

Page 977: ...oping query parameters 444 snooping configuring 444 849 snooping immediate leave 453 859 IGMP services displaying 457 IGMP snooping configuring 451 849 enabling per interface 451 453 850 forwarding en...

Page 978: ...74 logon authentication 273 583 encryption keys 262 590 593 RADIUS client 261 588 RADIUS server 261 588 sequence 259 586 587 settings 260 587 TACACS client 260 592 TACACS server 260 592 logon authenti...

Page 979: ...cs 709 unknown unicast storm threshold 219 707 power savings configuring 148 power savings configuring 714 power savings enabling per port 148 714 priority default port ingress 221 820 private key 289...

Page 980: ...540 542 specifying servers 105 542 software displaying version 90 508 downloading 94 512 version displaying 90 508 Spanning Tree Protocol See STA specifications software 951 srTCM police meter 244 83...

Page 981: ...aying port members 795 displaying port members by interface 164 displaying port members by interface range 165 displaying port members by VLAN index 163 dynamic assignment 281 645 egress mode 161 792...

Page 982: ...INDEX 982...

Page 983: ......

Page 984: ...ES3510MA E032010 ST R01 149100000046A...

Search results

Summary of Contents for ES3510MA

Reviews:

Related manuals for ES3510MA

Brands by name

Popular brands

Edge-Core ES3510MA, Management Manual

Search results

Summary of Contents for ES3510MA

Reviews:

Related manuals for ES3510MA

Brands by name

Popular brands