Home
/
Korenix
/
JetNet 5228G Series
/
User Manual

Korenix JetNet 5228G Series, User Manual

Share

Page: 139 / 658

Korenix JetNet 5228G Series User Manual Download Page 139

Client Security

3-93

3

Web Authentication

Web authentication allows stations to authenticate and access the network in
situations where 802.1X or Network Access authentication are infeasible or
impractical. The web authentication feature allows unauthenticated hosts to request
and receive a DHCP assigned IP address and perform DNS queries. All other traffic,
except for HTTP protocol traffic, is blocked. The switch intercepts HTTP protocol
traffic and redirects it to a switch-generated web page that facilitates username and
password authentication via RADIUS. Once authentication is successful, the web
browser is forwarded on to the originally requested web page.

Notes: 1.

RADIUS authentication must be activated and configured properly for the
web authentication feature to work properly. (See “Configuring Local/Remote
Logon Authentication” on page 3-58)

2.

Web authentication cannot be configured on trunk ports.

Configuring Web Authentication

Web authentication is configured on a per-port basis, however there are four
configurable parameters that apply globally to all ports on the switch.

Command Attributes

• System Authentication Control –

Enables Web Authentication for the switch.

(Default: Disabled)

• Session Timeout –

Configures how long an authenticated session stays active

before it must be re-authenticated. (Range: 300-3600 seconds; Default: 3600
seconds)

• Quiet Period –

Configures how long a host must wait to attempt authentication

again after it has exceeded the maximum allowable failed login attempts.
(Range: 1-180 seconds; Default: 60 seconds)

• Login Attempts –

Configures the number of times a supplicant may attempt and

fail authentication before it must wait the configured quiet period. (Range: 1-3
attempts; Default: 3 attempts)

Web

– Click Security, Web Authentication, Configuration. Set the required global

parameters, and click Apply.

Figure 3-54 Web Authentication Configuration

«
...
137
138
139
140
141
...
»

Summary of Contents for JetNet 5228G Series

Page 1: ...Korenix JetNet 5228G Series Rackmount Managed Ethernet Switch User Manual Version 1 1 Apr 2009 www korenix com...

Page 2: ...228G Series Rackmount Managed Ethernet Switch User s Manual Copyright Notice Copyright 2006 2009 Korenix Technology Co Ltd All rights reserved Reproduction in any form or by any means without permissi...

Page 3: ...www edge core com 2 24FE 4G Layer 2 4 Ethernet Switch Management Guide V1 1...

Page 4: ...Management Guide 24FE 4G Fast Ethernet Switch Standalone Layer 2 Switch with 24 100BASE TX RJ 45 Ports and 4 Gigabit Combination Ports RJ 45 SFP...

Page 5: ...1 and 2c clients 2 6 Trap Receivers 2 7 Configuring Access for SNMP Version 3 Clients 2 8 Managing System Files 2 8 Saving Configuration Settings 2 9 Chapter 3 Configuring the Switch 3 1 Using the Web...

Page 6: ...ss 3 45 Setting the Local Engine ID 3 45 Specifying a Remote Engine ID 3 46 Configuring SNMPv3 Users 3 47 Configuring Remote SNMPv3 Users 3 49 Configuring SNMPv3 Groups 3 51 Setting SNMPv3 Views 3 54...

Page 7: ...ard IP ACL 3 104 Configuring an Extended IP ACL 3 105 Configuring a MAC ACL 3 107 Binding a Port to an Access Control List 3 108 DHCP Snooping 3 109 Configuring DHCP Snooping 3 111 Configuring VLANs f...

Page 8: ...Ns VLAN Index 3 176 Adding Static Members to VLANs Port Index 3 178 Configuring VLAN Behavior for Interfaces 3 179 IEEE 802 1Q Tunneling 3 181 Enabling QinQ Tunneling on the Switch 3 185 Adding an Int...

Page 9: ...237 Layer 2 IGMP Snooping and Query 3 238 Configuring IGMP Snooping and Query Parameters 3 239 Enabling IGMP Immediate Leave 3 241 Displaying Interfaces Attached to a Multicast Router 3 242 Specifying...

Page 10: ...Commands 4 7 Command Line Processing 4 8 Command Groups 4 9 General Commands 4 10 enable 4 10 disable 4 11 configure 4 12 show history 4 12 reload 4 13 prompt 4 13 end 4 14 exit 4 14 quit 4 14 System...

Page 11: ...41 timeout login response 4 42 exec timeout 4 43 password thresh 4 44 silent time 4 44 databits 4 45 parity 4 46 speed 4 46 stopbits 4 47 disconnect 4 47 show line 4 48 Event Logging Commands 4 49 lo...

Page 12: ...server community 4 70 snmp server contact 4 71 snmp server location 4 72 snmp server host 4 72 snmp server enable traps 4 74 snmp server engine id 4 75 show snmp engine id 4 76 snmp server view 4 77...

Page 13: ...02 accounting commands 4 102 aaa authorization exec 4 103 authorization exec 4 104 show accounting 4 104 Web Server Commands 4 105 ip http port 4 105 ip http server 4 106 ip http secure server 4 106 i...

Page 14: ...5 mac authentication max mac count 4 135 network access dynamic vlan 4 136 network access guest vlan 4 136 mac authentication reauth time 4 137 clear network access 4 138 show network access 4 138 sho...

Page 15: ...cess list ip 4 164 MAC ACLs 4 164 access list mac 4 165 permit deny MAC ACL 4 166 show mac access list 4 167 mac access group 4 168 show mac access group 4 168 map access list mac 4 169 show map acces...

Page 16: ...ning tree forward time 4 203 spanning tree hello time 4 204 spanning tree max age 4 205 spanning tree priority 4 205 spanning tree pathcost method 4 206 spanning tree transmission limit 4 207 spanning...

Page 17: ...ort dot1q tunnel tpid 4 236 show dot1q tunnel 4 237 Configuring Private VLANs 4 237 private vlan 4 239 private vlan association 4 240 switchport mode private vlan 4 240 switchport private vlan host as...

Page 18: ...265 lldp dot1 tlv pvid 4 266 lldp dot1 tlv vlan name 4 266 lldp dot3 tlv link agg 4 267 lldp dot3 tlv mac phy 4 267 lldp dot3 tlv max frame 4 268 lldp dot3 tlv poe 4 268 lldp medtlv extpoe 4 269 lldp...

Page 19: ...vlan static 4 299 ip igmp snooping version 4 300 ip igmp snooping leave proxy 4 300 ip igmp snooping immediate leave 4 301 show ip igmp snooping 4 302 show mac address table multicast 4 302 IGMP Query...

Page 20: ...guration 4 317 show mvr 4 318 IP Interface Commands 4 321 ip address 4 321 ip default gateway 4 322 ip dhcp restart 4 323 show ip interface 4 323 show ip redirects 4 324 ping 4 324 Appendix A Software...

Page 21: ...able 3 18 Mapping CoS Values to Egress Queues 3 217 Table 3 19 CoS Priority Levels 3 217 Table 3 20 IP DSCP to CoS Queue Mapping 3 222 Table 3 21 Mapping IP Precedence Values to CoS Priority Queues 3...

Page 22: ...IP Filter Commands 4 128 Table 4 40 Client Security Commands 4 130 Table 4 41 Port Security Commands 4 131 Table 4 42 Network Access 4 132 Table 4 43 Web Authentication 4 140 Table 4 44 DHCP Snooping...

Page 23: ...ault CoS Priority Levels 4 280 Table 4 79 Priority Commands Layer 3 and 4 4 282 Table 4 80 Mapping IP DSCP to CoS Queues 4 282 Table 4 81 Mapping IP Precedence to CoS Queues 4 284 Table 4 82 Mapping I...

Page 24: ...Tables xx...

Page 25: ...ystem 3 35 Figure 3 21 SNTP Configuration 3 36 Figure 3 22 Setting the System Clock 3 37 Figure 3 23 Setting the Current Date and Time 3 38 Figure 3 1 Enabling the SNMP Agent 3 40 Figure 3 24 Configur...

Page 26: ...04 Figure 3 63 Configuring Extended IP ACLs 3 106 Figure 3 64 Configuring MAC ACLs 3 108 Figure 3 65 Configuring ACL Port Binding 3 109 Figure 3 66 DHCP Snooping Configuration 3 111 Figure 3 67 DHCP S...

Page 27: ...3 107 Private VLAN Port Information 3 191 Figure 3 108 Private VLAN Port Configuration 3 192 Figure 3 109 Protocol VLAN Configuration 3 195 Figure 3 110 Protocol VLAN Port Configuration 3 196 Figure 3...

Page 28: ...244 Figure 3 142 IP Multicast Registration Table 3 245 Figure 3 143 IGMP Member Port Table 3 246 Figure 3 144 Enabling IGMP Filtering and Throttling 3 247 Figure 3 145 IGMP Profile Configuration 3 24...

Page 29: ...nt Security AAA Authentication Authorization and Accounting Private VLANs Port Authentication IEEE 802 1X Port Security MAC address filtering Network Access MAC Address Authentication Web Authenticati...

Page 30: ...le Authentication Protocol over LANs EAPOL to request user credentials from the 802 1X client and then uses the EAP between the switch and the authentication server to verify the client s right to acc...

Page 31: ...ion Trunks can be manually set up or dynamically configured using IEEE 802 3 2005 formerly IEEE 802 3ad Link Aggregation Control Protocol LACP The additional ports dramatically increase the throughput...

Page 32: ...reconfiguring ports to STP compliant mode if they detect STP protocol messages from attached devices Multiple Spanning Tree Protocol MSTP IEEE 802 1s This protocol is a direct extension of RSTP It ca...

Page 33: ...ng Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfere with normal network traffic and to guarantee real time delivery by setting the required priority leve...

Page 34: ...to simplify troubleshooting enhance network management and maintain an accurate network topology System Defaults The switch s system defaults are provided in the configuration file Factory_Default_Co...

Page 35: ...Disabled Port Trunking Static Trunks None LACP all ports Disabled Congestion Control Rate Limiting Disabled Storm Control Enabled all ports 5k octets per second Address Table Aging Time 300 seconds Sp...

Page 36: ...0 0 DHCP Client Enabled BOOTP Disabled Multicast Filtering IGMP Snooping Snooping Enabled Querier Disabled Multicast VLAN Registration Disabled System Log Status Enabled Messages Logged Levels 0 6 al...

Page 37: ...o the RS 232 serial console port on the switch or remotely by a Telnet or Secure Shell SSH connection over the network The switch s management agent also supports SNMP Simple Network Management Protoc...

Page 38: ...serial port on a terminal or a PC running terminal emulation software and tighten the captive retaining screws on the DB 9 connector 2 Connect the other end of the cable to the RS 232 serial port on t...

Page 39: ...vides access to basic configuration functions To access the full range of SNMP management functions you must use SNMP based network management software Basic Configuration Console Connection The CLI p...

Page 40: ...ss information for the switch to obtain management access through the network This can be done in either of the following ways Manual You have to input the information including IP address and subnet...

Page 41: ...ew minutes using exponential backoff until IP configuration information is obtained from a BOOTP or DHCP server BOOTP and DHCP values can include the IP address subnet mask and default gateway Note th...

Page 42: ...MP agent that supports SNMP version 1 2c and 3 clients To provide management access for version 1 or 2c clients you must specify a community string The switch provides a default MIB View i e an SNMPv3...

Page 43: ...are no community strings then SNMP management access from SNMP v1 and v2c clients is disabled Trap Receivers You can also specify SNMP stations that are to receive traps from the switch To configure a...

Page 44: ...types of files are Configuration This file type stores system configuration information and is created when configuration settings are saved Saved configuration files can be selected as a system start...

Page 45: ...the copy command New startup configuration files must have a name specified File names on the switch are case sensitive can be from 1 to 31 characters must not contain slashes or and the leading lett...

Page 46: ...onment temperature conforms to the specified operating temperature range z Mechanical Loading Do no place any equipment on top of the switch z Grounding Rack mounted equipment should be properly groun...

Page 47: ...n page 2 4 2 Set user names and passwords using an out of band serial connection Access to the web agent is controlled by the same user names and passwords as the onboard configuration program See Set...

Page 48: ...tatistics The default user name and password for the administrator is admin Home Page When your web browser connects with the switch s web agent the home page is displayed as shown below The home page...

Page 49: ...lorer 7 x This option is available under Tools Internet Options General Browsing History Settings Temporary Internet Files 2 You may have to manually refresh the screen after making configuration chan...

Page 50: ...21 Delete Allows deletion of files from the flash memory 3 22 Set Start Up Sets the startup file 3 22 Line 3 26 Console Sets console port connection parameters 3 26 Telnet Sets Telnet connection para...

Page 51: ...ervices for billing or security purposes 3 66 Periodic Update Sets the interval at which accounting updates are sent to RADIUS AAA servers 3 66 802 1X Port Settings Applies the specified accounting me...

Page 52: ...addresses 3 102 Port Binding Binds a port to the specified ACL 3 108 IP Filter Sets IP addresses of clients allowed management access via the web SNMP and Telnet 3 88 Port 3 120 Port Information Disp...

Page 53: ...ration Configures individual port settings for STA 3 159 Trunk Configuration Configures individual trunk settings for STA 3 159 MSTP Multiple Spanning Tree Protocol 3 162 VLAN Configuration Configures...

Page 54: ...Configuration Maps a protocol group to a VLAN 3 196 LLDP Link Layer Discovery Protocol 3 201 Configuration Configures global LLDP timing parameters 3 202 Port Configuration Configures a port for rece...

Page 55: ...dence values to class of service queues 3 225 IP TOS Priority Status Globally enables IP ToS priority 3 227 IP TOS Priority Sets IP ToS priority mapping IP ToS values to class of service queues 3 227...

Page 56: ...interface type MVR operational and activity status and immediate leave status 3 254 Trunk Information Displays MVR interface type MVR operational and activity status and immediate leave status 3 254 G...

Page 57: ...r the switch 3 260 Member Configuration Adds switch Members to the cluster 3 261 Member Information Displays cluster Member switch information 3 262 Candidate Information Displays network Candidate sw...

Page 58: ...Contact Administrator responsible for the system System Up Time Length of time the management agent has been up These additional parameters are displayed for the CLI MAC Address The physical layer add...

Page 59: ...ole config snmp server contact Ted 4 71 Console config exit Console show system 4 30 System Description Layer2 Fast Ethernet Standalone Switch 24FE 4G System OID String 1 3 6 1 4 1 259 6 10 103 System...

Page 60: ...itch Number of Ports Number of built in RJ 45 ports Hardware Version Hardware version of the main board Internal Power Status Displays the status of the internal power supply Management Software EPLD...

Page 61: ...o display version information Console show version 4 31 Serial Number 0012CF422DC0 Service Tag Hardware Version R0B EPLD Version 0 00 Number of Ports 28 Main Power Status Up Loader Version 1 0 0 2 Boo...

Page 62: ...tering for unicast and multicast addresses Refer to Setting Static Addresses on page 3 143 VLAN Learning This switch uses Independent VLAN Learning IVL where each port maintains its own filtering data...

Page 63: ...Address Mode Specifies whether IP functionality is enabled via manual configuration Static Dynamic Host Configuration Protocol DHCP or Boot Protocol BOOTP If DHCP BOOTP is enabled IP will not functio...

Page 64: ...Static enter the IP address subnet mask and gateway then click Apply Figure 3 6 Manual IP Configuration CLI Specify the management interface IP address and default gateway Console config Console confi...

Page 65: ...le connection and enter show ip interface to determine the new switch address CLI Specify the management interface and set the IP address mode to DHCP or BOOTP and then enter the ip dhcp restart comma...

Page 66: ...quential data transfers by supporting jumbo frames up to 9216 bytes Compared to standard Ethernet frames that run only up to 1 5 KB using jumbo frames significantly reduces the per packet overhead req...

Page 67: ...n the switch directory assigning it a new name file to tftp Copies a file from the switch to a TFTP server tftp to file Copies a file from a TFTP server to the switch TFTP Server IP Address The IP add...

Page 68: ...IP address of the TFTP server set the file type to opcode enter the file name of the software to download select a file on the switch to overwrite or specify a new file name then click Apply If you re...

Page 69: ...he file type then enter the source and destination file names When the file has finished downloading set the new file to start up the system and then restart the switch To start the new firmware enter...

Page 70: ...opies the running configuration to a TFTP server startup config to file Copies the startup configuration to a file on the switch startup config to running config Copies the startup config to the runni...

Page 71: ...Copy Operation Select tftp to startup config or tftp to file and enter the IP address of the TFTP server Specify the name of the file to download and select a file on the switch to overwrite or specif...

Page 72: ...ange 0 65535 seconds Default 600 seconds Password Threshold Sets the password intrusion threshold which limits the number of failed logon attempts When the logon attempt threshold is reached the syste...

Page 73: ...ord for the line connection When a connection is started on a line with password protection the system prompts for the password If you enter the correct password the system shows a prompt Default No p...

Page 74: ...the interval that the system waits until user input is detected If user input is not detected within the timeout interval the current session is terminated Range 0 65535 seconds Default 600 seconds P...

Page 75: ...the connection parameters for Telnet access then click Apply Figure 3 15 Enabling Telnet CLI Enter Line Configuration mode for a virtual terminal then specify the connection parameters as required To...

Page 76: ...Enables disables the logging of debug or error messages to the logging process Default Enabled Flash Level Limits log messages saved to the switch s permanent flash memory for all levels up to the spe...

Page 77: ...to 23 The facility type is used by the syslog server to dispatch log messages to an appropriate service The attribute specifies the facility type tag sent in syslog messages See RFC 3164 This type ha...

Page 78: ...the facility type and set the logging trap Console config logging host 192 168 1 15 4 51 Console config logging facility 23 4 51 Console config logging trap 4 4 52 Console config end Console show logg...

Page 79: ...les the SMTP function Default Enabled Email Source Address Sets the email address used for the From field in alert messages You may use a symbolic email address that identifies the switch or the addre...

Page 80: ...New Email Destination Address text field and the Add Remove buttons to configure the list Web Click System Log SMTP To add an IP address to the Server IP List type the new IP address in the Server IP...

Page 81: ...rm that you want to reset the switch Note When restarting the system it will always run the Power On Self Test Console config logging sendmail host 192 168 1 4 4 55 Console config logging sendmail lev...

Page 82: ...p to three time server IP addresses The switch will attempt to poll each server in the configured sequence Configuring SNTP You can configure the switch to send time synchronization requests to time s...

Page 83: ...2 The number of hours before after UTC Minutes 0 59 The number of minutes before after UTC Direction Configures the time zone to be before east or after west UTC Web Select SNTP Clock Time Zone Set th...

Page 84: ...ar Set the current date and time using the fields provided Click Apply to start using the configured time Figure 3 23 Setting the Current Date and Time CLI This example sets the system clock time and...

Page 85: ...his agent continuously monitors the status of the switch hardware as well as the traffic passing through its ports A network management station can access this information using software such as HP Op...

Page 86: ...none none Community string only v1 noAuthNoPriv private read write defaultview defaultview none Community string only v1 noAuthNoPriv user defined user defined user defined user defined Community stri...

Page 87: ...permits access to the SNMP protocol Default strings public read only private read write Range 1 32 characters case sensitive Access Mode Specifies the access rights for the community string Read Only...

Page 88: ...an be used to ensure that critical information is received by the host However note that informs consume more system resources because they must be kept in memory until a response is received Informs...

Page 89: ...for the SNMPv3 security model Trap Inform Notifications are sent as inform messages Note that this option is only available for version 2c and 3 hosts Default traps are used Timeout The number of seco...

Page 90: ...s trap inform settings for v2c v3 clients and then click Add Select the trap types required using the check boxes for Authentication and Link up down traps and then click Apply Figure 3 25 Configuring...

Page 91: ...bination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets A local engine ID is automatically generated that is unique to the switch This is referred t...

Page 92: ...s to it See Specifying Trap Managers and Trap Types on page 3 42 and Configuring Remote SNMPv3 Users on page 3 49 A new engine ID can be specified by entering 10 to 64 hexadecimal characters If an odd...

Page 93: ...oAuthNoPriv There is no authentication or encryption used in SNMP communications This is the default for SNMPv3 AuthNoPriv SNMP communications use authentication but the data is not encrypted only ava...

Page 94: ...up of a user click Change Group in the Actions column of the users table and select the new group Figure 3 28 Configuring SNMPv3 Users CLI Use the snmp server user command to configure a new user name...

Page 95: ...ier for the SNMP agent on the remote device where the remote user resides Note that the remote engine identifier must be specified before you configure a remote user See Specifying a Remote Engine ID...

Page 96: ...lick Delete Figure 3 29 Configuring Remote SNMPv3 Users CLI Use the snmp server user command to configure a new user name and assign it to a group Console config snmp server user mark group r d remote...

Page 97: ...iew for write access Range 1 64 characters Notify View The configured view for notifications Range 1 64 characters Table 3 5 Supported Notification Messages Object Label Object ID Description RFC 1493...

Page 98: ...ol message that is not properly authenticated While all implementations of the SNMPv2 must be capable of generating this trap the snmpEnableAuthenTraps object indicates whether this trap will be gener...

Page 99: ...lick Delete Figure 3 30 Configuring SNMPv3 Groups CLI Use the snmp server group command to configure a new group specifying the security model and level and restricting MIB access to defined read and...

Page 100: ...MIB tree Wild cards can be used to mask a specific portion of the OID string Type Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view Web Clic...

Page 101: ...rver view ifEntry a 1 3 6 1 2 1 2 2 1 1 included 4 77 Console config exit Console show snmp view 4 78 View Name ifEntry a Subtree OID 1 3 6 1 2 1 2 2 1 1 View Type included Storage Type nonvolatile Ro...

Page 102: ...to the web SNMP or Telnet interface Configuring User Accounts The guest only has read access for most configuration parameters However the administrator has write access for all parameters governing...

Page 103: ...ser account and add it to the Account List To change the password for a specific user enter the user name and new password confirm the password by entering it again then click Apply Figure 3 32 Access...

Page 104: ...d you must specify the authentication sequence and the corresponding parameters for the remote authentication protocol Local and remote logon authentication control management access via the console p...

Page 105: ...ngth 48 characters Number of Server Transmits Number of times the switch tries to authenticate logon access via the authentication server Range 1 30 Default 2 Timeout for a reply The number of seconds...

Page 106: ...ication Settings To configure local or remote authentication preferences specify the authentication sequence i e one to three methods fill in the parameters for RADIUS or TACACS authentication if sele...

Page 107: ...US Server Auth Port 181 Acct port 1813 Retransmit Times 5 Request Timeout 10 Radius server group Group Name Member Index radius 1 Console Console configure Console config authentication login tacacs 4...

Page 108: ...suports the following AAA features Accounting for IEEE 802 1X authenticated users that access the network through the switch Accounting for users that access management interfaces on the switch throug...

Page 109: ...r a RADIUS sever the server index must already be defined see Configuring Local Remote Logon Authentication on page 3 58 Web Click Security AAA Radius Group Settings Enter the RADIUS group name follow...

Page 110: ...he index number of a TACACS server to add it to the group AAA Accounting AAA accounting is a feature that enables the accounting of requested services for billing or security purposes Command Attribut...

Page 111: ...58 Any other group name refers to a server group configured on the RADIUS or TACACS Group Settings pages Web Click Security AAA Accounting Settings To configure a new accounting method specify a metho...

Page 112: ...te Enter the required update interval and click Apply Figure 3 37 AAA Accounting Update CLI This example sets the periodic accounting update interval at 10 minutes AAA Accounting 802 1X Port Settings...

Page 113: ...face AAA Accounting Exec Command Privileges This feature specifies a method name to apply to commands entered at specific CLI privilege levels Command Attributes Commands Privilege Level The CLI privi...

Page 114: ...Apply Figure 3 39 AAA Accounting Exec Command Privileges CLI Specify the accounting method to use for console and Telnet privilege levels Console config line console 4 40 Console config line accounti...

Page 115: ...mation recorded for user sessions Command Attributes AAA Accounting Summary Accounting Type Displays the accounting service Method List Displays the user defined or default accounting method Group Lis...

Page 116: ...rrently applied accounting methods and registered users Console show accounting 4 104 Accounting Type dot1x Method List default Group List radius Interface Method List tps method Group List tps radius...

Page 117: ...ocal Remote Logon Authentication on page 3 58 Any other group name refers to a server group configured on the TACACS Group Settings page Authorization is only supported for TACACS servers Web Click Se...

Page 118: ...ization Summary The Authorization Summary displays the configured authorization methods and the interfaces to which they are applied Command Attributes Authorization Type Displays the authorization se...

Page 119: ...in this way The client authenticates the server using the server s digital certificate The client and server negotiate a set of security protocols to use for the connection The client and server gener...

Page 120: ...te has not been signed by an approved certification authority If you want this warning to be replaced by a message confirming that the connection to the switch is secure you must obtain a unique certi...

Page 121: ...word and public key authentication If password authentication is specified by the SSH client then the password can be authenticated either locally or via a RADIUS or TACACS remote authentication serve...

Page 122: ...2 Clients a The client sends its password to the server b The switch compares the client s password to those stored in memory c If a match is found the connection is allowed Note To use SSH with only...

Page 123: ...ost Key The public key for the host RSA Version 1 The first field indicates the size of the host key e g 1024 the second field is the encoded public exponent e g 65537 and the last string is the encod...

Page 124: ...48320102524878965977592168322225584652387791546479807396314033 86925793105105765212243052807865885485789272602937866089236841423275912127 60325919683697053439336438445223335188287173896894511729290510...

Page 125: ...seconds Default 120 seconds SSH Authentication Retries Specifies the number of authentication attempts that a client is allowed before authentication fails and the client has to restart the authentica...

Page 126: ...POL identity request The client provides its identity such as a user name in an EAPOL response to the switch which it forwards to the RADIUS server The RADIUS server verifies the client identity and s...

Page 127: ...the switch requires the following The switch must have an IP address assigned RADIUS authentication must be enabled on the switch and the IP address of the RADIUS server specified 802 1X must be enab...

Page 128: ...d Web Select Security 802 1X Configuration Enable 802 1X globally for the switch and click Apply Figure 3 49 802 1X Global Configuration CLI This example enables 802 1X globally for the switch Console...

Page 129: ...be re authenticated after the interval specified by the Re authentication Period Re authentication can be used to detect if a new device is plugged into a switch port Default Disabled Max Request Set...

Page 130: ...nt Indicates the MAC address of a connected client Trunk Indicates if the port is configured as a trunk port Web Click Security 802 1X Port Configuration Modify the parameters required and click Apply...

Page 131: ...4 124 Global 802 1X Parameters system auth control enable 802 1X Port Summary Port Name Status Operation Mode Mode Authorized 1 1 disabled Single Host ForceAuthorized n a 1 2 enabled Single Host auto...

Page 132: ...of EAP Resp Id frames that have been received by this Authenticator Rx EAP Resp Oth The number of valid EAP Response frames other than Resp Id frames that have been received by this Authenticator Rx...

Page 133: ...802 1X Port Statistics CLI This example displays the 802 1X statistics for port 4 Console show dot1x statistics interface ethernet 1 4 4 124 Eth 1 4 Rx EAPOL EAPOL EAPOL EAPOL EAP EAP EAP Start Logof...

Page 134: ...es either individual addresses or address ranges When entering addresses for the same group i e SNMP web or Telnet the switch will not accept overlapping address ranges When entering addresses for dif...

Page 135: ...filter list Figure 3 52 Creating an IP Filter List CLI This example allows SNMP access for a specific client Console config management snmp client 10 1 2 3 4 128 Console config end Console show manage...

Page 136: ...e secure addresses for individual ports 802 1X Use IEEE 802 1X port authentication to control access to specific ports See Configuring 802 1X Port Authentication on page 3 80 Web Authentication Allows...

Page 137: ...esses the selected port will stop learning The MAC addresses already in the address table will be retained and will not age out Any other device that attempts to use the port will be prevented from ac...

Page 138: ...click Apply Figure 3 53 Configuring Port Security CLI This example selects the target port sets the port security action to send a trap and disable the port sets the maximum MAC addresses allowed on t...

Page 139: ...ation on page 3 58 2 Web authentication cannot be configured on trunk ports Configuring Web Authentication Web authentication is configured on a per port basis however there are four configurable para...

Page 140: ...Counts Indicates how many authenticated hosts are connected to the port Web Click Security Web Authentication Port Configuration Set the status box to enabled for any port that requires web authentic...

Page 141: ...atus of each connected host Remaining Session Time seconds Indicates the remaining time until the current authorization session for a host expires Web Click Security Web Authentication Port Informatio...

Page 142: ...P Indicates the IP address of the host selected for re authentication Web Click Security Web Authentication Re authentication Figure 3 57 Web Authentication Port Re authentication CLI This example for...

Page 143: ...r the switch port When enabled on a port the authentication process sends a Password Authentication Protocol PAP request to a configured RADIUS server The username and password are both equal to the M...

Page 144: ...uthenticated When the reauthentication time expires for a secure MAC address it is reauthenticated with the RADIUS server During the reauthentication process traffic through the port remains unaffecte...

Page 145: ...uthentication intrusion action must be set for Guest VLAN see Configuring Port Settings for 802 1X on page 3 83 Dynamic VLAN Enables dynamic VLAN assignment for an authenticated port When enabled any...

Page 146: ...mac count 10 4 134 Console config if mac authentication max mac count 24 4 135 Console config if network access dynamic vlan 4 136 Console config if network access guest vlan 4 136 Console config if...

Page 147: ...ddresses Address Table Sort Key Sorts the information displayed based on MAC address or port interface Unit Port The port interface associated with a secure MAC address MAC Address The authenticated M...

Page 148: ...ce IP address Extended IP ACL mode EXT ACL filters packets based on source or destination IP address as well as protocol type and protocol port number If the TCP protocol is specified packets can also...

Page 149: ...otocol type and protocol port number If the TCP protocol is specified then you can also filter packets based on the TCP control code MAC MAC ACL mode that filters packets based on the source or destin...

Page 150: ...ate match and 0 bits to indicate ignore The mask is bitwise ANDed with the specified source IP address and compared with the address for each IP packet entering the port s to which this ACL has been a...

Page 151: ...7 DSCP DSCP priority level Range 0 63 Protocol Specifies the protocol type to match as TCP UDP or Others where others indicates a specific protocol number 0 255 Options TCP UDP Others Default TCP Sour...

Page 152: ...g packets if the source address is in subnet 10 7 1 x For example if the rule is matched i e the rule 10 7 1 0 255 255 255 0 equals the masked address 10 7 1 2 255 255 255 0 the packet passes through...

Page 153: ...the Address and Bitmask fields Options Any Host MAC Default Any Source Destination MAC Address Source or destination MAC address Source Destination Bit Mask Hexadecimal mask for source or destination...

Page 154: ...icate with all destination mac addresses on VLAN 12 and another permit rule for source mac address to communicate with all destination mac addresses Binding a Port to an Access Control List After conf...

Page 155: ...IP address back to a physical port Command Usage Network traffic may be disrupted when malicious DHCP messages are received from an outside source DHCP snooping is used to filter DHCP messages receiv...

Page 156: ...in the binding table If the DHCP packet is from a client such as a DISCOVER REQUEST INFORM DECLINE or RELEASE message the packet is forwarded if MAC address verification is disabled However if MAC add...

Page 157: ...uration CLI This example first enables DHCP Snooping and then enables DHCP Snooping MAC Address Verification Configuring VLANs for DHCP Snooping Enables DHCP snooping on the specified VLAN Command Usa...

Page 158: ...so an effective tool in preventing malicious network attacks from attached clients on DHCP services such as IP Spoofing Client Identifier Spoofing MAC Address Spoofing and Address Exhaustion Command U...

Page 159: ...or a zero relay address In some cases the switch may receive DHCP packets from a client that already includes DHCP Option 82 information The switch can be configured to set the action policy for thes...

Page 160: ...enabled both globally and on a VLAN DHCP packet filtering will be performed on any untrusted ports within the VLAN When an untrusted port is changed to a trusted port all the dynamic DHCP snooping bi...

Page 161: ...use the IP address of a neighbor to access the network This section describes commands used to configure IP Source Guard Configuring Ports for IP Source Guard IP Source Guard is used to filter traffic...

Page 162: ...mber and source MAC address for the sip mac option If a matching entry is found in the binding table and the entry type is static IP source guard binding the packet will be forwarded If the DHCP snoop...

Page 163: ...e guard binding table are automatically configured with an infinite lease time Dynamic entries learned via DHCP snooping are configured by the DHCP server itself of which static entries include a manu...

Page 164: ...1 28 VLAN ID ID of a configured VLAN Range 1 4094 MAC Address A valid unicast MAC address IP Address A valid unicast IP address including classful types A B or C Web Click IP Source Guard Static Confi...

Page 165: ...ic Binding Table Counts Displays the number of IP addresses in the source guard binding table Current Dynamic Binding Table Displays the IP addresses in the source guard binding table Web Click IP Sou...

Page 166: ...e is enabled or disabled Oper Status Indicates if the link is Up or Down Speed Duplex Status Shows the current speed and duplex mode Auto or fixed choice Flow Control Status Indicates the type of flow...

Page 167: ...bps full duplex operation 1000full Supports 1000 Mbps full duplex operation Sym Transmits and receives pause frames for flow control FC Supports flow control Broadcast Storm Shows if broadcast storm c...

Page 168: ...interface You can disable an interface due to abnormal behavior e g excessive collisions and then reenable it after the problem has been resolved You may also disable an interface for security reason...

Page 169: ...speed mode and flow control The following capabilities are supported 10half Supports 10 Mbps half duplex operation 10full Supports 10 Mbps full duplex operation 100half Supports 100 Mbps half duplex...

Page 170: ...standby mode Should one link in the trunk fail one of the standby ports will automatically be activated to replace it Command Usage Besides balancing the load across each port in the trunk the other...

Page 171: ...manufacturer s implementation However note that the static trunks on this switch are Cisco EtherChannel compatible To avoid creating a loop in the network be sure you add a static trunk via the config...

Page 172: ...an LACP trunk must be configured for full duplex and auto negotiation Trunks dynamically established through LACP will also be shown in the Member List on the Trunk Membership menu see page 3 125 Con...

Page 173: ...on another switch to form a trunk Console config interface ethernet 1 1 4 172 Console config if lacp 4 186 Console config if exit Console config interface ethernet 1 6 Console config if lacp Console c...

Page 174: ...Priority LACP system priority is used to determine link aggregation group LAG membership and to identify this device to other switches during LAG negotiations Range 0 65535 Default 32768 Ports must b...

Page 175: ...can optionally configure these settings for the Port Partner Be aware that these settings only affect the administrative state of the partner and will not take effect until the next time an aggregate...

Page 176: ...d 4 191 Port Channel System Priority System MAC Address 1 3 00 12 CF 31 31 31 2 3 00 12 CF 31 31 31 3 3 00 12 CF 31 31 31 4 3 00 12 CF 31 31 31 5 3 00 16 B6 F0 3B EC 6 3 00 16 B6 F0 3B EC 7 3 00 16 B6...

Page 177: ...rnet Type value but contain an unknown PDU or 2 are addressed to the Slow Protocols group MAC Address but do not carry the Slow Protocols Ethernet Type Marker Illegal Pkts Number of frames that carry...

Page 178: ...nformation administratively configured for the partner Distributing If false distribution of outgoing frames on this link is disabled i e distribution is currently disabled and is not expected to be e...

Page 179: ...LACP configuration settings and operational state for the local side of port channel 1 Console show lacp 1 internal 4 191 Port channel 1 Oper Key 120 Admin Key 0 Eth 1 1 LACPDUs Internal 30 sec LACP S...

Page 180: ...signed by the LACP protocol Partner Admin Port Number Current administrative value of the port number for the protocol Partner Partner Oper Port Number Operational port number assigned to this aggrega...

Page 181: ...e Level Multiplied by one another the scale and level set the broadcast threshold For example to set a threshold of 500 Kbytes per second choose 100K under Scale and 5 under Level Scale Range 1 10 100...

Page 182: ...2 Console config if switchport broadcast 4 178 Console config if end Console show interfaces switchport ethernet 1 1 4 182 Information of Eth 1 1 Broadcast Threshold Enabled scale 100K level 5 octets...

Page 183: ...t whose traffic will be monitored Range 1 28 Type Allows you to select which traffic to mirror to the target port Rx receive or Tx transmit Default Rx Target Port The port that will mirror the traffic...

Page 184: ...without any changes Rate Limit Configuration Use the rate limit configuration pages to apply rate limiting Command Usage Input and output rate limits can be enabled or disabled for individual interfa...

Page 185: ...otal number of octetts received on the interface including framing characters Received Unicast Packets The number of subnetwork unicast packets delivered to a higher layer protocol Received Multicast...

Page 186: ...de frames received with frame too long or frame too short error Excessive Collisions A count of frames for which transmission on a particular interface fails due to excessive collisions This counter d...

Page 187: ...he number of CRC alignment errors FCS or alignment errors Undersize Frames The total number of frames received that were less than 64 octets long excluding framing bits but including FCS octets and we...

Page 188: ...ng the Switch 3 142 3 Web Click Port Port Statistics Select the required interface and click Query You can also use the Refresh button at the bottom of the page to update the screen Figure 3 84 Port S...

Page 189: ...dress of a device mapped to this interface VLAN ID of configured VLAN 1 4094 Console show interfaces counters ethernet 1 13 4 181 Ethernet 1 13 Iftable stats Octets input 868453 Octets output 3492122...

Page 190: ...for inbound traffic is found in the database the packets intended for that address are forwarded directly to the associated port Otherwise the traffic is flooded to all ports Command Attributes Interf...

Page 191: ...method of sorting the displayed addresses and then click Query Figure 3 86 Configuring a Dynamic Address Table CLI This example also displays the address table entries for port 1 Console show mac add...

Page 192: ...sables the function Aging Time The time after which a learned entry is discarded Range 10 98301 seconds Default 300 seconds Web Click Address Table Address Aging Specify the new aging time click Apply...

Page 193: ...gned as designated ports After determining the lowest cost spanning tree it enables all root ports and designated ports and disables all other ports Network packets are therefore only forwarded betwee...

Page 194: ...MST Configuration Identifiers including the Region Name Revision Level and Configuration Digest see Configuring Multiple Spanning Trees on page 3 162 An MST Region may contain multiple MSTP Instances...

Page 195: ...s at which the root device transmits a configuration message Forward Delay The maximum time in seconds the root device will wait before changing states i e discarding to learning to forwarding This de...

Page 196: ...w root port is selected from among the device ports attached to the network References to ports in this section means interfaces which includes both ports and trunks Root Forward Delay The maximum tim...

Page 197: ...Root Forward Delay sec 15 Max Hops 20 Remaining Hops 20 Designated Root 32768 0 0016B6F03BEC Current Root Port 0 Current Root Cost 0 Number of Topology Changes 0 Last Topology Change Time sec 4291 Tr...

Page 198: ...that port Multiple Spanning Tree Protocol To allow multiple spanning trees to operate over the network you must configure a related set of bridges with the same MSTP configuration allowing them to pa...

Page 199: ...oth ports and trunks Default 20 Minimum The higher of 6 or 2 x Hello Time 1 Maximum The lower of 40 or 2 x Forward Delay 1 Forward Delay The maximum time in seconds this device will wait before changi...

Page 200: ...o MST ID mapping table In other words this key is a mapping of all VLANs to the CIST Region Revision The revision for this MSTI Range 0 65535 Default 0 Region Name The name for this MSTI Maximum lengt...

Page 201: ...Spanning Tree Algorithm Configuration 3 155 3 Web Click Spanning Tree STA Configuration Modify the required attributes and click Apply Figure 3 89 Configuring Spanning Tree...

Page 202: ...s and the other is discarding All ports are discarding when the switch is booted then some of them change state to learning and then to forwarding Forward Transitions The number of times this port has...

Page 203: ...e Roles are assigned according to whether the port is part of the active topology connecting the bridge to the root bridge i e root port connecting a LAN through the bridge to the root bridge i e desi...

Page 204: ...cepted as the root device Fast forwarding This field provides the same information as Admin Edge port and is only included for backward compatibility with earlier products Admin Edge Port You can enab...

Page 205: ...for additional information Discarding Port receives STA configuration messages but does not forward packets Learning Port has transmitted configuration messages for an interval set by the Forward Del...

Page 206: ...kes precedence over port priority Range 0 for auto configuration 1 65535 for the short path cost method11 1 200 000 000 for the long path cost method By default the system automatically detects the sp...

Page 207: ...of frame flooding required to rebuild address tables during reconfiguration events does not cause the spanning tree to initiate reconfiguration when the interface changes state and also overcomes oth...

Page 208: ...ich cover the same general area of your network However remember that you must configure all bridges within the same MSTI Region page 3 133 with the same set of instances and the same instance on each...

Page 209: ...Instance VLANs assigned to this instance MST ID Instance identifier to configure Range 0 57 Default 0 VLAN ID VLAN to assign to this selected MST instance Range 1 4094 The other global attributes are...

Page 210: ...ay sec 15 Root Hello Time sec 2 Root Max Age sec 20 Root Forward Delay sec 15 Max Hops 20 Remaining Hops 20 Designated Root 4096 1 0012CF7D25BC Current Root Port 0 Current Root Cost 0 Number of Topolo...

Page 211: ...trunks in the selected MST instance Command Attributes MST Instance ID Instance identifier to configure Default 0 Note The other attributes are described under Displaying Interface Settings on page 3...

Page 212: ...20 Root Forward Delay sec 15 Max Hops 20 Remaining Hops 20 Designated Root 32768 0 0012CF7D25BC Current Root Port 0 Current Root Cost 0 Number of Topology Changes 0 Last Topology Change Time sec 2188...

Page 213: ...h are the same the port with the highest priority i e lowest value will be configured as an active link in the Spanning Tree This makes a port with higher priority less likely to be blocked if the Spa...

Page 214: ...02 1Q VLAN is a group of ports that can be located anywhere in the network but communicate as though they belong to the same physical segment VLANs help to simplify network management by allowing you...

Page 215: ...ork devices along the path that will carry this traffic to the same VLAN s either manually or dynamically using GVRP However if you want a port on this switch to participate in one or more VLANs but n...

Page 216: ...the specified VLANs and then forward the message to all other ports When the message arrives at another switch that supports GVRP it will also place the receiving port in the specified VLANs and pass...

Page 217: ...VLAN tag before forwarding the frame When the switch receives a tagged frame it will pass this frame onto the VLAN s indicated by the frame tag However when this switch receives an untagged frame from...

Page 218: ...tch Maximum Number of Supported VLANs Maximum number of VLANs that can be configured on this switch Web Click VLAN 802 1Q VLAN Basic Information Figure 3 96 Displaying Basic VLAN Information CLI Enter...

Page 219: ...for one or two switches you can disable tagging Command Attributes Web VLAN ID ID of configured VLAN 1 4094 Up Time at Creation Time this VLAN was created i e System Up Time Status Shows how this VLA...

Page 220: ...be defined VLAN 1 is the default untagged VLAN VLAN 4093 is reserved for switch clustering and is not user configurable or removable New Allows you to specify the name and numeric identifier for a new...

Page 221: ...end Console show vlan 4 233 Vlan ID 1 Type Static Name DefaultVlan Status Active Ports Port Channels Eth1 1 S Eth1 2 S Eth1 3 S Eth1 4 S Eth1 5 S Eth1 6 S Eth1 7 S Eth1 8 S Eth1 9 S Eth1 10 S Eth1 11...

Page 222: ...f the VLAN 1 to 32 characters Status Enables or disables the specified VLAN Enable VLAN is operational Disable VLAN is suspended i e does not pass packets Port Port identifier Membership Type Select V...

Page 223: ...gure 3 99 Configuring a VLAN Static Table CLI The following example adds tagged and untagged ports to VLAN 2 Console config interface ethernet 1 1 4 172 Console config if switchport allowed vlan add 2...

Page 224: ...p by Port Select an interface from the scroll down box Port or Trunk Click Query to display membership information for the interface Select a VLAN ID and then click Add to add the interface as a tagge...

Page 225: ...d or untagged frames or only tagged frames When set to receive all frame types any received frames that are untagged are assigned to the default VLAN Options All Tagged Default All Ingress Filtering D...

Page 226: ...1000 Mode Indicates VLAN membership mode for an interface Default Hybrid Access Sets the port to operate as an untagged interface All frames are sent untagged General Specifies a hybrid VLAN interface...

Page 227: ...stomers is segregated within the service provider s network even when they use the same customer specific VLAN IDs QinQ tunneling expands VLAN space by using a VLAN in VLAN hierarchy preserving the cu...

Page 228: ...already have The ingress process constructs and inserts the outer tag SPVLAN into the packet based on the default VLAN ID and Tag Protocol Identifier TPID that is the ether type of the tag This outer...

Page 229: ...ther type of an incoming packet single or double tagged is equal to the TPID of the uplink port no new VLAN tag is added If the uplink port is not the member of the outer VLAN of the incoming packets...

Page 230: ...bridge protocol data unit BPDU filtering is automatically disabled on a tunnel port General Configuration Guidelines for QinQ 1 Configure the switch to QinQ mode see Enabling QinQ Tunneling on the Sw...

Page 231: ...t is using a nonstandard 2 byte ethertype to identify 802 1Q tagged frames Command Usage Use the 802 1Q Tunnel Configuration screen to set the switch to QinQ mode before configuring a tunnel port see...

Page 232: ...preserve customer VLAN IDs for traffic crossing the service provider network 802 1Q Tunnel Uplink Configures IEEE 802 1Q tunneling QinQ for an uplink port to another device within the service provider...

Page 233: ...ly within the same switch To configure primary secondary associated groups follow these steps 1 Use the Private VLAN Configuration menu page 3 189 to designate one or more community VLANs and the prim...

Page 234: ...VLAN Then assign the promiscuous port and all host ports to an isolated VLAN Displaying Current Private VLANs The Private VLAN Information page displays information on the private VLANs configured on...

Page 235: ...Community VLANs Conveys traffic between community ports and to their promiscuous ports in the associated primary VLAN Current Displays a list of the currently configured VLANs Web Click VLAN Private V...

Page 236: ...mmunity VLANs 6 and 7 with primary VLAN 5 Displaying Private VLAN Interface Information Use the Private VLAN Port Information and Private VLAN Trunk Information menus to display the interfaces associa...

Page 237: ...raffic between the isolated ports and a lone promiscuous port Trunk Shows if a port is a member or a trunk Web Click VLAN Private VLAN Port Information Figure 3 107 Private VLAN Port Information CLI T...

Page 238: ...es within a private VLAN Primary VLAN Conveys traffic between promiscuous ports and between promiscuous ports and community ports within the associated secondary VLANs If PVLAN type is Promiscuous the...

Page 239: ...not mandatory we suggest configuring a separate VLAN for each major protocol running on your network Do not add port members at this time 2 Create a protocol group for each of the protocols you want...

Page 240: ...ixed protocol types have been preconfigured For these Protocol VLAN groups the frame type of network traffic is not considered all frame types are accepted IP 0x0800 IPX 0x8137 Apple talk 0x809B Progr...

Page 241: ...protocol type Click Apply Figure 3 109 Protocol VLAN Configuration CLI This example configures Protocol Group 1 with the fixed preconfigured IP parameters and configures Protocol Group 2 with user def...

Page 242: ...and the protocol type matches the frame is forwarded to the appropriate VLAN If the frame is untagged but the protocol type does not match the frame is forwarded to the default VLAN for this interfac...

Page 243: ...packets or by using LLDP IEEE 802 1AB to discover connected VoIP devices When VoIP traffic is detected on a configured port the switch automatically assigns the port as a tagged member the Voice VLAN...

Page 244: ...d member to the Voice VLAN when VoIP traffic is detected on the port You must select a method for detecting VoIP traffic either OUI or 802 1ab LLDP When OUI is selected be sure to configure the MAC ad...

Page 245: ...on See Link Layer Discovery Protocol on page 3 201 for more information on LLDP Priority Defines a CoS priority for port traffic on the Voice VLAN The priority of any received VoIP packet is overwrit...

Page 246: ...e first three octets Other masks restrict the MAC address range Selecting FF FF FF FF FF FF specifies a single MAC address Default FF FF FF 00 00 00 Description User defined text that identifies the V...

Page 247: ...clude details such as device identification capabilities and configuration settings LLDP also defines how to store and maintain information gathered about the neighboring network nodes it discovers Li...

Page 248: ...delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables Range 1 8192 seconds Default 2 seconds The transmit delay is used to prevent a series of s...

Page 249: ...all Service Web Click LLDP Configuration Enable LLDP modify any of the timing parameters as required and click Apply Figure 3 114 LLDP Configuration CLI This example sets several attributes which cont...

Page 250: ...eck the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification events missed due to throttling or transmission loss TLV Type Configures the information included in the...

Page 251: ...Connectivity Devices to efficiently discover which LLDP MED related TLVs are supported on the switch Network Policy This option advertises network policy configuration information aiding in the disco...

Page 252: ...lldp medNotification 4 261 Console config if lldp basic tlv port description 4 263 Console config if lldp basic tlv system description 4 264 Console config if lldp basic tlv management ip address 4 26...

Page 253: ...Displaying System Information on page 3 12 System Description A textual description of the network entity This field is also displayed by the show system command System Capabilities Supported The cap...

Page 254: ...U or for the port sending this advertisement Interface Settings The attributes listed below apply to both port and trunk interface types When a trunk is listed the descriptions apply to the first port...

Page 255: ...be used for this field System Name An string that indicates the system s administratively assigned name Console show lldp info local device 4 273 LLDP Local System Information Chassis Type MAC Address...

Page 256: ...e identified and a chassis ID subtype is used to indicate the type of component being referenced by the chassis ID field See Table 3 15 Chassis ID Subtype on page 207 Chassis ID An octet string indica...

Page 257: ...ystem which are currently enabled Refer to the preceding table See Table 3 16 System Capabilities on page 207 Management Address The IPv4 address of the remote device If no management address is avail...

Page 258: ...of times which the local remote database dropped an LLDPDU because of insufficient resources Neighbor Entries Age out Count The number of times that a neighbor s information has been deleted from the...

Page 259: ...ected directly to this switch switch show lldp info statistics 4 275 LLDP Device Statistics Neighbor Entries List Last Updated 2450279 seconds New Neighbor Entries Count 1 Neighbor Entries Deleted Cou...

Page 260: ...f all LLDPDUs received with one or more detectable errors Frames Received Number of LLDP PDUs received Frames Sent Number of LLDP PDUs transmitted TLVs Unrecognized A count of all TLVs not recognized...

Page 261: ...witch All untagged packets entering the switch are tagged with the specified default port priority and then sorted into the appropriate priority queue at the output port Command Usage This switch prov...

Page 262: ...d traffic Console config interface ethernet 1 3 4 172 Console config if switchport priority default 5 4 278 Console config if end Console show interfaces switchport ethernet 1 3 4 182 Information of E...

Page 263: ...ollowing table However you can map the priority levels to the switch s output queues in any way that benefits application traffic for your own network Command Attributes Interface Selects the port or...

Page 264: ...igure 3 122 Traffic Classes CLI The following example shows how to change the CoS assignments Console config interface ethernet 1 1 4 172 Console config if queue cos map 0 0 4 279 Console config if qu...

Page 265: ...viced according to it s weighting This prevents the head of line blocking that can occur with strict priority queuing Hybrid mode uses strict priority queuing for the highest priority queue queue 3 pr...

Page 266: ...ntly affects the response time for software applications assigned a specific priority value Command Usage WRR controls bandwidth sharing at the egress port by defining scheduling weights for allocated...

Page 267: ...ces Code Point DSCP service When these services are enabled the priorities are mapped to a Class of Service output queue Because different priority information may be contained in the traffic the swit...

Page 268: ...output queue Note that queue 0 represents low priority and 3 represent high priority Note IP DSCP priority settings apply to all interfaces Web Click Priority IP DSCP Priority Status Mark the Enabled...

Page 269: ...TP 21 Telnet 23 and POP3 110 Command Attributes IP Port Priority Status Enables or disables the IP port priority IP Port Priority Table Shows the IP port to CoS queue map IP Port Number TCP UDP Set a...

Page 270: ...n click Apply Figure 3 128 IP Port Priority CLI The following example globally enables IP Port Priority service on the switch maps HTTP traffic to CoS queue 0 and then displays all the IP Port Priorit...

Page 271: ...sables the IP Precedence priority IP Precedence Priority Table Shows the IP Precedence to CoS map Class of Queue Service Value Maps an IP Precedence value to a CoS queue Note that queue 0 represents l...

Page 272: ...recedence to Class of Service Queues CLI The following example globally enables IP Precedence priority on the switch maps IP Precedence value 2 to CoS queue 0 and then displays all the IP Precedence s...

Page 273: ...he defined IP TOS values and the default mapping to CoS queues on the switch All the TOS values not defined are mapped to CoS queue 0 Command Attributes IP TOS Priority Status Enables or disables the...

Page 274: ...ing IP TOS to Class of Service Queues CLI The following example globally enables IP TOS priority on the switch maps IP TOS value 2 to CoS queue 2 and then displays all the IP TOS settings Console conf...

Page 275: ...mand Attributes Port Port identifier Name Name of a configured ACL Type Type of ACL IP or MAC CoS Values CoS values used for packets matching the ACL rule Range 0 7 Web Click Priority ACL CoS Priority...

Page 276: ...rioritize the resources allocated to different traffic classes The manner in which an individual device handles traffic in the DiffServ architecture is called per hop behavior All devices along a path...

Page 277: ...characters for the name 1 64 characters for the description Edit Rules Opens the Match Class Settings page for the selected class entry Modify the criteria used to classify ingress traffic on this pag...

Page 278: ...ules to change the rules of an existing class Figure 3 135 Configuring Class Maps CLI This example creates a class map call rd_class and sets it to match packets matching the access list rd Console co...

Page 279: ...CL IPv6 Standard ACL and IPv6 Extended ACL Also note that the maximum number of classes that can be applied to a policy map is 16 Policing is based on a token bucket where bucket depth i e the maximum...

Page 280: ...specified rate will be dropped Remove Class Deletes a class Policy Options Class Name Name of class map Action Configures the service provided to ingress traffic by setting a CoS or DSCP value in a ma...

Page 281: ...235 3 Web Click QoS DiffServ Policy Map to display the list of existing policy maps To add a new policy map click Add Policy To configure the policy rule settings click Edit Classes Figure 3 136 Conf...

Page 282: ...and Attributes Ports Specifies a port Ingress Applies the rule to ingress traffic Enabled Check this to enable a policy map on the specified port Policy Map Select the appropriate policy map from the...

Page 283: ...the ports that want to join a multicast group and set its filters accordingly If there is no multicast router attached to the local subnet multicast traffic and query messages may not be received by...

Page 284: ...In this case traffic is filtered from sources in the Exclude list and forwarded from all other available sources Notes 1 When the switch is configured to use IGMPv3 snooping the snooping version may...

Page 285: ...ble is already full the switch will continue flooding the traffic into the VLAN IGMP Querier A router or multicast enabled switch can periodically ask their hosts if they want to receive multicast tra...

Page 286: ...he interface which had been receiving query packets to have expired Range 300 500 seconds Default 300 IGMP Version Sets the protocol version for compatibility with other devices on the network Range 1...

Page 287: ...ed to the interface Therefore immediate leave should only be enabled on an interface if it is connected to only one IGMP enabled device either a service host or a neighbor running IGMP snooping Immedi...

Page 288: ...ss the Internet These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch You can use the Multicast Router Port Information page to display the por...

Page 289: ...if the IGMP querier is a known multicast router switch connected over the network to an interface port or trunk on your switch you can manually configure the interface and a specified VLAN to join all...

Page 290: ...in VLAN 1 Displaying Port Members of Multicast Services You can display the port members associated with a specified VLAN and multicast service Command Attributes VLAN ID Selects the VLAN for which to...

Page 291: ...d in Configuring IGMP snooping and Query Parameters on page 3 133 For certain applications that require tighter control you may need to statically configure a multicast service on the switch First add...

Page 292: ...TV service based on a specific subscription plan The IGMP filtering feature fulfills this requirement by restricting access to specified multicast services on a switch port and IGMP throttling limits...

Page 293: ...IGMP filtering and throttling on the switch you must first enable the feature globally and create IGMP profile numbers Command Attributes IGMP Filter Enables IGMP filtering and throttling globally fo...

Page 294: ...nd Attributes Profile ID Selects an existing profile number to configure After selecting an ID number click the Query button to display the current configuration Access Mode Sets the access mode of th...

Page 295: ...e configured IGMP profiles you can assign them to interfaces on the switch Also you can set the IGMP throttling number to limit the number of multicast groups an interface can join at the same time Co...

Page 296: ...t the same time Range 0 255 Default 255 Current Multicast Groups Displays the current number of multicast groups the interface has joined Throttling Action Mode Sets the action to take when the maximu...

Page 297: ...r a wide part of the network without having to use any multicast routing protocol MVR maintains the user isolation and data security provided by VLAN segregation by passing only multicast traffic into...

Page 298: ...ng term and be associated with a stable set of hosts you can statically bind the multicast group to the participating interfaces see Assigning Static Multicast Groups to Interfaces on page 3 257 Confi...

Page 299: ...orts should be configured as members of the MVR VLAN see Adding Static Members to VLANs VLAN Index on page 3 176 but MVR receiver ports should not be manually configured as members of this VLAN Range...

Page 300: ...there are subscribers receiving multicast traffic from one of the MVR groups or a multicast group has been statically assigned to an interface Immediate Leave Shows if immediate leave is enabled or di...

Page 301: ...ided through the MVR VLAN Web Click MVR Group IP Information Figure 3 149 MVR Group IP Information CLI This example following shows information about the interfaces associated with multicast groups as...

Page 302: ...h have been statically assigned see Assigning Static Multicast Groups to Interfaces on page 3 257 Immediate leave applies only to receiver ports When enabled the receiver port is immediately removed f...

Page 303: ...ver port and then enables immediate leave on the receiver port Assigning Static Multicast Groups to Interfaces For multicast streams that will run for a long term and be associated with a stable set o...

Page 304: ...ows the IP addresses for all MVR multicast groups which have not been statically assigned to the selected interface Web Click MVR Group Member Configuration Select a port or trunk from the Interface f...

Page 305: ...esses There can be up to 36 Member switches in one cluster and Cluster switches must be in the same IP subnet Once a switch has been configured to be a cluster Commander it automatically discovers oth...

Page 306: ...abled Role Indicates the current role of the switch in the cluster either Commander Member or Candidate Default Candidate Cluster IP Pool An internal IP address pool that is used to assign IP addresse...

Page 307: ...lected Candidate switch Range 1 36 MAC Address Select a discoverd switch MAC address from the Candidate Table or enter a specific MAC address of a known switch Web Click Cluster Member Configuration F...

Page 308: ...r switch MAC Address The MAC address of the Member switch Description The system description string of the Member switch Web Click Cluster Member Information Figure 3 155 Cluster Member Information CL...

Page 309: ...the network MAC Address The MAC address of the Candidate switch Description The system description string of the Candidate switch Web Click Cluster Candidate Information Figure 3 156 Cluster Candidat...

Page 310: ...Configuring the Switch 3 264 3...

Page 311: ...the console prompt enter the user name and password The default user names are admin and guest with corresponding passwords of admin and guest When the administrator user name and password is entered...

Page 312: ...solated network then you can use any IP address that matches the network segment to which you are attached After you configure the switch with an IP address you can open a Telnet session by performing...

Page 313: ...ow startup config To enter commands that require parameters enter the required parameters after the command keyword For example to set a password for the administrator enter Console config username ad...

Page 314: ...P log Login records logging Logging setting mac MAC access list mac address table Shows the MAC address table management Show management information map Maps priority mvr Show mvr interface informatio...

Page 315: ...em messages to a host server To disable logging specify the no logging command This guide describes the negation effect for all applicable commands Using Command History The CLI maintains a history of...

Page 316: ...Only a limited number of the commands are available in this mode You can access all commands only from the Privileged Exec command mode or administrator mode To access Privilege Exec mode open a new c...

Page 317: ...nds configure settings for the selected multiple spanning tree instance Policy Map Configuration Creates a DiffServ policy map for multiple interfaces VLAN Configuration Includes the command to create...

Page 318: ...n database Console config vlan 4 225 Console config interface ethernet 1 5 Console config if exit Console config Table 4 3 Command Line Processing Keystroke Function Ctrl A Shifts cursor to start of c...

Page 319: ...address or Ethernet type 4 157 Interface Configures the connection parameters for all Ethernet ports aggregated links and VLANs 4 172 Link Aggregation Statically groups multiple ports into a single lo...

Page 320: ...tanding Command Modes on page 4 6 Syntax enable level level Privilege level to log into the device The device has two predefined privilege levels 0 Normal Exec 15 Privileged Exec Enter level 15 to acc...

Page 321: ...word 4 85 disable This command returns to Normal Exec mode from privileged mode In normal access mode you can only display basic information on the switch s configuration or Ethernet statistics To gai...

Page 322: ...6 Default Setting None Command Mode Privileged Exec Example Related Commands end 4 14 show history This command shows the contents of the command history buffer Default Setting None Command Mode Norm...

Page 323: ...Self Test It will also retain all configuration information stored in non volatile memory by the copy running config startup config command Default Setting None Command Mode Privileged Exec Command Us...

Page 324: ...ration mode exit This command returns to the previous configuration mode or exit the configuration program Default Setting None Command Mode Any Example This example shows how to return to the Privile...

Page 325: ...nation Configures information that uniquely identifies this switch 4 16 Banner Information Configures administrative contact device identification and location 4 16 System Status Displays system confi...

Page 326: ...nformation is only available via the CLI and is automatically displayed before login as soon as a console or telnet connection has been established Table 4 7 Device Designation Commands Command Functi...

Page 327: ...the backspace key during script mode is not supported If for example a mistake is made in the company name it can be corrected with the banner configure company command banner configure equipment info...

Page 328: ...or clarity Console config banner configure Company Edge corE Responsible department R D Dept Name and telephone to Contact the management people Manager1 name Sr Network Admin phone number 123 555 121...

Page 329: ...command attribute is 32 characters Input strings cannot contain spaces The banner configure dc power info command interprets spaces as data input boundaries The use of underscores _ or other unobtrusi...

Page 330: ...ow row id rack rack id shelf rack sr id manufacturer mfr name no banner configure equipment info floor manufacturer manufacturer id rack row shelf rack mfr id The name of the device model number floor...

Page 331: ...ta input boundaries The use of underscores _ or other unobtrusive non letter characters is suggested for situations where whitespace is necessary for clarity Example banner configure ip lan This comma...

Page 332: ...ner Use the no form to restore the default setting Syntax banner configure lp number lp num no banner configure lp number lp num The LP number Maximum length 32 characters Default Setting None Command...

Page 333: ...d manager Default Setting None Command Mode Global Configuration Command Usage Maximum string length for each command attribute is 32 characters Input strings cannot contain spaces The banner configur...

Page 334: ...e note info Miscellaneous information that does not fit in the other banner categories or any other information of importance to users of the switch CLI Maximum length 150 characters Default Setting N...

Page 335: ...3 15 24 48V id_3 15 24 2 Number of LP 4 Position MUX telco 9734212kx_PVC 1 23 IP LAN 216 241 132 3 255 255 255 0 Note ROUTINE_MAINTENANCE_firmware upgrade_0100 0500_GMT 0500_20071022 _20min_network_i...

Page 336: ...settings for key command modes Each mode group is separated by symbols and includes the configuration mode command and corresponding commands This command displays the following information Switch s...

Page 337: ...name admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d25...

Page 338: ...y command modes Each mode group is separated by symbols and includes the configuration mode command and corresponding commands This command displays the following information Switch s MAC address SNTP...

Page 339: ...unity private rw username admin access level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enab...

Page 340: ...ileged Exec Command Usage The session used to execute this command is indicated by a symbol next to the Line i e session index number Console show system System Description Layer2 Fast Ethernet Standa...

Page 341: ...nts Username Privilege Public Key admin 15 None guest 0 None steve 15 RSA Online users Line Username Idle time h m s Remote IP addr 0 console admin 0 14 14 1 VTY 0 admin 0 00 00 192 168 1 19 2 SSH 1 s...

Page 342: ...ncapsulation fields To use jumbo frames both the source and destination end nodes such as a computer or server must support this feature Also when the connection is operating at full duplex all switch...

Page 343: ...settings can be uploaded and downloaded to and from a TFTP server The configuration file can be later downloaded to restore switch settings The configuration file can be downloaded under a new file na...

Page 344: ...ialization tftp Keyword that allows you to copy to from a TFTP server https certificate Copies an HTTPS certificate from an TFTP server to the switch public key Keyword that allows you to copy a SSH k...

Page 345: ...The following example shows how to upload the configuration settings to a file on the TFTP server The following example shows how to copy the running configuration to a startup file Console copy tftp...

Page 346: ...on file or image name Command Mode Privileged Exec Console copy tftp startup config TFTP server ip address 10 1 0 99 Source configuration file name startup 01 Startup configuration file name startup W...

Page 347: ...splay includes boot rom Boot ROM or diagnostic image file config Switch configuration file opcode Run time operation code image file filename Name of the configuration file or code image Default Setti...

Page 348: ...filename The type of file or image to set as a default includes boot rom Boot ROM config Configuration file opcode Run time operation code filename Name of the configuration file or code image The co...

Page 349: ...es a password on a line LC 4 41 timeout login response Sets the interval that the system waits for a user to log into the CLI LC 4 42 exec timeout Sets the interval that the command interpreter waits...

Page 350: ...een displays such as show users However the serial communication parameters e g databits do not affect Telnet or SSH connections Example To enter console line mode enter the following command Related...

Page 351: ...s no authentication When using this method the management interface starts in Normal Exec NE mode This command controls login authentication via the switch itself To configure user names and passwords...

Page 352: ...you to manually configure encrypted passwords Example Related Commands login 4 40 password thresh 4 44 timeout login response This command sets the interval that the system waits for a user to log int...

Page 353: ...timeout Telnet 10 minutes Command Mode Line Configuration Command Usage If user input is detected within the timeout interval the session is kept open otherwise the session is terminated This command...

Page 354: ...and to set this interval When this threshold is reached for Telnet the Telnet logon interface shuts down This command applies to both the local console and Telnet connections Example To set the passwo...

Page 355: ...ta bits per character 8 Eight data bits per character Default Setting 8 data bits per character Command Mode Line Configuration Command Usage The databits command can be used to mask the high bit on i...

Page 356: ...ty enter this command speed This command sets the terminal line s baud rate This command sets both the transmit to terminal and receive from terminal speeds Use the no form to restore the default sett...

Page 357: ...command disconnect This command terminates an SSH Telnet or console connection Syntax disconnect session id session id The session identifier for an SSH Telnet or console connection Range 0 4 Command...

Page 358: ...onsole access i e Telnet Default Setting Shows all lines Command Mode Normal Exec Privileged Exec Example To show all lines enter this command Console show line Console Configuration Password Threshol...

Page 359: ...rol the type of error messages that are sent to specified syslog servers Example Related Commands logging history 4 50 logging trap 4 52 clear log 4 52 Table 4 14 Event Logging Commands Command Functi...

Page 360: ...ode Global Configuration Command Usage The message level specified for flash memory must be a higher priority i e numerically lower than that specified for RAM Example Table 4 15 Logging Levels Level...

Page 361: ...ility type for remote logging of syslog messages Use the no form to return the type to the default Syntax no logging facility type type A number that indicates the facility used by the syslog server t...

Page 362: ...etting Enabled Level 7 0 Command Mode Global Configuration Command Usage Using this command with a specified level enables remote logging and sets the minimum severity level to be saved Using this com...

Page 363: ...lt Setting None Command Mode Privileged Exec Example The following example shows that system logging is enabled the message level for flash memory is errors i e default level 3 0 the message level for...

Page 364: ...able REMOTELOG status disable REMOTELOG facility type local use 7 REMOTELOG level type Debugging messages REMOTELOG server IP address 1 2 3 4 REMOTELOG server IP address 0 0 0 0 REMOTELOG server IP ad...

Page 365: ...each server To send email alerts the switch first opens a connection sends all the email alerts waiting in the queue one by one and finally closes the connection Console show log ram 1 00 00 38 2001 0...

Page 366: ...he selected level down to level 0 Range 0 7 Default 7 Default Setting Level 7 Command Mode Global Configuration Command Usage The specified level indicates an event threshold All events at this level...

Page 367: ...il address email address The source email address used in alert messages Range 1 41 characters Default Setting None Command Mode Global Configuration Command Usage You can specify up to five recipient...

Page 368: ...ing sendmail Console config Console show logging sendmail SMTP servers 1 192 168 1 200 SMTP minimum severity level 4 SMTP destination email addresses 1 geoff acme com SMTP source email address john ac...

Page 369: ...the time starting from the factory default set at the last bootup i e 00 00 00 Jan 1 2001 This command enables client time requests to time servers specified via the sntp servers command It issues ti...

Page 370: ...dates when set to SNTP client mode The client will poll the time servers in the order specified until a response is received It issues time synchronization requests based on the interval set via the s...

Page 371: ...for the switch s internal clock Syntax clock timezone name hour hours minute minutes before utc after utc name Name of timezone usually an acronym Range 1 29 characters hours Number of hours before af...

Page 372: ...ork or if you have not configured the switch to receive signals from a time server Syntax calendar set hour min sec day month year month day year hour Hour in 24 hour format Range 0 23 min Minute Rang...

Page 373: ...ers other cluster enabled switches in the network These Candidate switches only become cluster Members when manually selected by the administrator through the management station Note Cluster Member sw...

Page 374: ...witches are limited to the same Ethernet broadcast domain There can be up to 100 candidates and 36 member switches in one cluster A switch can only be a Member of one cluster Configured switch cluster...

Page 375: ...ration Command Usage An internal IP address pool is used to assign IP addresses to Member switches in the cluster Internal cluster IP addresses are in the form 10 x x member ID Only the base IP addres...

Page 376: ...number of switch Candidates is 100 Example rcommand This command provides access to a cluster Member CLI for configuration Syntax rcommand id member id member id The ID number of the Member switch Ran...

Page 377: ...ode Privileged Exec Example Console show cluster Role commander Interval heartbeat 30 Heartbeat loss count 3 Number of Members 1 Number of Candidates 2 Console Console show cluster members Cluster Mem...

Page 378: ...orm to disable the server Syntax no snmp server Default Setting Enabled Table 4 21 SNMP Commands Command Function Mode Page snmp server Enables the SNMPv3 server GC 4 68 show snmp Displays the status...

Page 379: ...Default Setting None Command Mode Normal Exec Privileged Exec Command Usage This command provides information on the community access strings counter information for SNMP input and output protocol dat...

Page 380: ...cts rw Specifies read write access Authorized management stations are able to both retrieve and modify MIB objects Console show snmp SNMP Agent enabled SNMP traps Authentication enable Link up down en...

Page 381: ...erver contact This command sets the system contact string Use the no form to remove the system contact information Syntax snmp server contact string no snmp server contact string String that describes...

Page 382: ...address of the host the targeted recipient Maximum host addresses 5 trap destination IP address entries inform Notifications are sent as inform messages Note that this option is only available for ver...

Page 383: ...host to receive notifications at least one snmp server enable traps command and the snmp server host command for that host must be enabled Some notification types cannot be controlled with the snmp se...

Page 384: ...the community string is interpreted as an SNMP user name If you use the V3 auth or priv options the user name must first be defined with the snmp server user command Otherwise the authentication passw...

Page 385: ...down traps are legacy notifications and therefore when used for SNMP Version 3 hosts they must be enabled in conjunction with the corresponding entries in the Notify View assigned by the snmp server g...

Page 386: ...nt is the remote agent You therefore need to configure the remote agent s SNMP engine ID before you can send proxy requests or informs to it A local engine ID is automatically generated that is unique...

Page 387: ...up command to restrict user access to specified portions of the MIB tree The predefined view defaultview includes access to the entire MIB tree Examples This view includes MIB 2 This view includes the...

Page 388: ...Console show snmp view View Name mib 2 Subtree OID 1 2 2 3 6 2 1 View Type included Storage Type permanent Row Status active View Name defaultview Subtree OID 1 View Type included Storage Type volati...

Page 389: ...w for notifications 1 64 characters Default Setting Default groups public19 read only private20 read write readview Every object belonging to the Internet OID space 1 3 6 1 writeview Nothing is define...

Page 390: ...s active Group Name public Security Model v1 Read View defaultview Write View none Notify View none Storage Type volatile Row Status active Group Name public Security Model v2c Read View defaultview W...

Page 391: ...2c or 3 encrypted Accepts the password as encrypted input auth Uses SNMPv3 with authentication md5 sha Uses MD5 or SHA authentication auth password Authentication password Enter as plain text if the e...

Page 392: ...mote user will fail SNMP passwords are localized using the engine ID of the authoritative agent For informs the authoritative SNMP agent is the remote agent You therefore need to configure the remote...

Page 393: ...user associated with an SNMP engine on a remote device Table 4 26 Authentication Commands Command Group Function Page User Accounts Configures the basic user names and passwords for management access...

Page 394: ...e of the user Maximum length 8 characters case sensitive Maximum users 16 access level level Specifies the user level The device has two predefined privilege levels 0 Normal Exec 15 Privileged Exec no...

Page 395: ...level Level 15 for Privileged Exec Levels 0 14 are not used 0 7 0 means plain password 7 means encrypted password password password for this privilege level Maximum length 8 characters plain text 32 e...

Page 396: ...e that RADIUS encrypts only the password in the access request packet from the client to the server while TACACS encrypts the entire body of the packet RADIUS and TACACS logon authentication assigns a...

Page 397: ...ts only the password in the access request packet from the client to the server while TACACS encrypts the entire body of the packet RADIUS and TACACS logon authentication assigns a specific privilege...

Page 398: ...erver auth_port RADIUS server UDP port used for authentication messages Range 1 65535 acct_port RADIUS server UDP port used for accounting messages Range 1 65535 timeout Number of seconds the switch w...

Page 399: ...ault Setting 1812 Command Mode Global Configuration Example radius server acct port This command sets the RADIUS server port used for accounting messages Use the no form to restore the default Syntax...

Page 400: ...Mode Global Configuration Example radius server retransmit This command sets the number of retries Use the no form to restore the default Syntax radius server retransmit number_of_retries no radius s...

Page 401: ...S server Use the no form to restore the default Syntax radius server timeout number_of_seconds no radius server timeout number_of_seconds Number of seconds the switch waits for a reply before resendin...

Page 402: ...ius server Global Settings Communication Key with RADIUS Server Auth Port 1812 Acct port 1813 Retransmit Times 2 Request Timeout 5 Server 1 Server IP Address 10 1 2 3 Communication Key with RADIUS Ser...

Page 403: ...ge 1 540 seconds retransmit Number of times the switch will resend an authentication request to the TACACS server Range 1 30 key Encryption key used to authenticate logon access for client Do not use...

Page 404: ...mmand Mode Global Configuration Example tacacs server retransmit This command sets the number of retries Use the no form to restore the default Syntax tacacs server retransmit number_of_retries no tac...

Page 405: ...erver Use the no form to restore the default Syntax tacacs server timeout number_of_seconds no tacacs server timeout number_of_seconds Number of seconds the switch waits for a reply before resending a...

Page 406: ...Server IP address 1 2 3 4 Communication key with TACACS server Server port number 49 Retransmit Times 2 Request Times 5 Tacacs server group Group Name Member Index tacacs 1 Console Table 4 32 AAA Com...

Page 407: ...m to remove the associated server from the group Syntax no server index ip address index Specifies a server index and the sequence to use for the group Range RADIUS 1 5 TACACS 1 ip address Specifies t...

Page 408: ...dius tacacs server group no aaa accounting dot1x default method name default Specifies the default accounting method for service requests method name Specifies an accounting method for service request...

Page 409: ...nting from starting point and stopping point group Specifies the server group to use radius Specifies all RADIUS hosts configure with the radius server host command described on page 4 88 tacacs Speci...

Page 410: ...up to use tacacs Specifies all TACACS hosts configure with the tacacs server host command described on page 4 93 server group Specifies the name of a server group configured with the aaa group server...

Page 411: ...accounting records for all users on the system Using the command without specifying an interim interval enables updates but does not change the current interval setting Example accounting dot1x This c...

Page 412: ...n accounting method to entered CLI commands Use the no form to disable accounting for entered commands Syntax accounting commands level default list name no accounting commands level level The privile...

Page 413: ...4 93 server group Specifies the name of a server group configured with the aaa group server command described on 4 97 Range 1 255 characters Default Setting Authorization is not enabled No servers ar...

Page 414: ...ngs per function and per port Syntax show accounting commands level dot1x statistics username user name interface exec statistics statistics commands Displays accounting information for CLI commands e...

Page 415: ...t Setting 80 Command Mode Global Configuration Console show accounting Accounting type dot1x Method list default Group list radius Interface Method list tps Group list radius Interface eth 1 2 Account...

Page 416: ...command enables the secure hypertext transfer protocol HTTPS over the Secure Socket Layer SSL providing secure access i e an encrypted connection to the switch s web interface Use the no form to disab...

Page 417: ...HTTPS To specify a secure site certificate see Replacing the Default Secure site Certificate on page 3 74 Also refer to the copy command on page 4 34 Example Related Commands ip http secure port 4 10...

Page 418: ...CP port number used by the Telnet interface Use the no form without the port keyword to disable this function Use the no from with the port keyword to use the default port Syntax ip telnet server port...

Page 419: ...nsole config ip telnet server Console config ip telnet port 123 Console config Table 4 36 Secure Shell Commands Command Function Mode Page ip ssh server Enables the SSH server on the switch GC 4 111 i...

Page 420: ...the User Accounts page as described on page 3 56 The clients are subsequently authenticated using these keys The current firmware only accepts public key files based on standard UNIX format as shown i...

Page 421: ...vate key corresponds to an authorized public key and the client is authenticated Authenticating SSH v2 Clients a The client first queries the switch to determine if DSA public key authentication using...

Page 422: ...store the default setting Syntax ip ssh timeout seconds no ip ssh timeout seconds The timeout for client response during SSH negotiation Range 1 120 Default Setting 10 seconds Command Mode Global Conf...

Page 423: ...guration Example Related Commands show ip ssh 4 116 ip ssh server key size This command sets the SSH server key size Use the no form to restore the default setting Syntax ip ssh server key size key si...

Page 424: ...rsa RSA Version 1 key type Default Setting Generates both the DSA and RSA key pairs Command Mode Privileged Exec Command Usage This command stores the host key pair in memory i e RAM Use the ip ssh sa...

Page 425: ...the host key from volatile memory RAM Use the no ip ssh save host key command to clear the host key from flash memory The SSH server must be disabled before you can execute this command Example Relate...

Page 426: ...ey dsa Console Console show ip ssh SSH Enabled version 1 99 Negotiation timeout 120 secs Authentication retries 3 Server key size 768 bits Console Console show ssh Connection Version State Username En...

Page 427: ...ed by SSH is based on the Digital Signature Standard DSS and the last string is the encoded modulus Encryption The encryption method is automatically negotiated between the client and server Options f...

Page 428: ...ZfcFRu41bS2KV5LAwecsigF DjKGWtPNIQqabKgYCw2 o dVzX4Gg yqdTlYmGA7fHGm8ARGeiG4ssFKy4Z6DmYPXFum1Yg0fhLwuHpOSKdxT3kk475S7 w0W Console Table 4 38 802 1X Port Authentication Commands Command Function Mode P...

Page 429: ...t settings to their default values Command Mode Global Configuration Example dot1x max req This command sets the maximum number of times the switch port will retransmit an EAP request identity packet...

Page 430: ...ration Example dot1x operation mode This command allows single or multiple hosts clients to connect to an 802 1X authorized port Use the no form with no keywords to restore the default to single host...

Page 431: ...forces re authentication on all ports or a specific interface Syntax dot1x re authenticate interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 Command Mode Privi...

Page 432: ...or the user assigned to the Guest VLAN see dot1x intrusion action on page 4 124 The connected client is re authenticated after the interval specified by the dot1x timeout re authperiod command The def...

Page 433: ...e on the switch waits during an authentication session before re transmitting an EAP packet Use the no form to reset to the default value Syntax dot1x timeout tx period seconds no dot1x timeout tx per...

Page 434: ...ration Command Usage For guest VLAN assignment to be successful the VLAN must be configured and set as active see vlan database on page 4 225 and assigned as the guest VLAN for the port see network ac...

Page 435: ...uthentication session before re transmitting EAP packet page 4 123 supplicant timeout Supplicant timeout server timeout Server timeout reauth max Maximum number of reauthentication attempts max req Ma...

Page 436: ...se success fail timeout idle initialize Request Count Number of EAP Request packets sent to the Supplicant without receiving a response Identifier Server Identifier carried in the most recent EAP Succ...

Page 437: ...2 1X is disabled on port 1 1 802 1X is enabled on port 1 2 reauth enabled Enable reauth period 1800 quiet period 30 tx period 40 supplicant timeout 30 server timeout 10 reauth max 2 max req 5 Status A...

Page 438: ...ement interface on the switch from an invalid address the switch will reject the connection enter an event message in the system log and send a trap message to the trap manager IP address can be confi...

Page 439: ...mp client Adds IP address es to the SNMP group telnet client Adds IP address es to the Telnet group Command Mode Privileged Exec Example Console config management all client 192 168 1 19 Console confi...

Page 440: ...te VLANs Configures private VLANs including uplink and downlink ports 4 237 Port Security The priority of execution for these filtering commands is Port Security Port Authentication Network Access Web...

Page 441: ...e the no form without any keywords to disable port security Use the no form with the appropriate keyword to restore the default settings for a response to security violation or for the maximum number...

Page 442: ...iolation to issue a trap message Related Commands shutdown 4 177 mac address table static 4 197 show mac address table 4 199 Network Access MAC Address Authentication Network Access authentication con...

Page 443: ...mum number of secure MAC addresses supported for the switch system is 1024 Configured static MAC addresses are added to the secure address table when seen on a switch port Static addresses are treated...

Page 444: ...count Use this command to set the maximum number of MAC addresses that can be authenticated on a port via all forms of authentication Use the no form of this command to restore the default Syntax netw...

Page 445: ...max mac count Use this command to set the maximum number of MAC addresses that can be authenticated on a port via 802 1X authentication or MAC authentication Use the no form of this command to restor...

Page 446: ...treated as an authentication failure If dynamic VLAN assignment is enabled on a port and the RADIUS server returns no VLAN configuration the authentication is still treated as a success and the host...

Page 447: ...is command to restore the default value Syntax mac authentication reauth time seconds no mac authentication reauth time seconds The reauthentication time period Range 120 1000000 seconds Default Setti...

Page 448: ...terface Specifies a port interface ethernet unit port unit This is unit 1 port Port number Range 1 28 Default Setting None Command Mode Privileged Exec Example show network access Use this command to...

Page 449: ...umber Range 1 28 sort Sorts displayed entries by either MAC address or interface Default Setting Displays all filters Command Mode Privileged Exec Command Usage When using a bit mask to filter display...

Page 450: ...1 00 00 01 02 03 05 172 155 120 17 Dynamic 00d06h33m20s 1 1 00 00 01 02 03 06 172 155 120 17 Static 00d06h35m10s 1 3 00 00 01 02 03 07 172 155 120 17 Dynamic 00d06h34m20s Console Table 4 43 Web Authe...

Page 451: ...gin attempts Command Mode Global Configuration Example web auth quiet period This command defines the amount of time a host must wait after exceeding the limit for failed login attempts before it may...

Page 452: ...ed session remains valid Range 300 3600 seconds Default Setting 3600 seconds Command Mode Global Configuration Example web auth system auth control This command globally enables web authentication for...

Page 453: ...led for web authentication to be active Example web auth re authenticate Port This command ends all web authentication sessions connected to the port and forces the users to re authenticate Syntax web...

Page 454: ...t This is unit 1 port Port number Range 1 28 ip IPv4 formatted IP address Default Setting None Command Mode Privileged Exec Example show web auth This command displays global web authentication parame...

Page 455: ...None Command Mode Privileged Exec Command Usage The session timeout displayed by this command is expressed in seconds Example show web auth summary This command displays a summary of web authenticati...

Page 456: ...nabled 8 1 3 Disabled 0 1 4 Disabled 0 1 5 Disabled 0 Table 4 44 DHCP Snooping Commands Command Function Mode Page ip dhcp snooping Enables DHCP snooping globally GC 4 146 ip dhcp snooping vlan Enable...

Page 457: ...all DHCP packets are forwarded for a trusted port If the received packet is a DHCP ACK message a dynamic DHCP snooping entry is also added to the binding table If DHCP snooping is enabled globally an...

Page 458: ...les DHCP snooping on the specified VLAN Use the no form to restore the default setting Syntax no ip dhcp snooping vlan vlan id vlan id ID of a configured VLAN Range 1 4094 Default Setting Disabled Com...

Page 459: ...to trusted and all other ports outside the local network or firewall to untrusted When DHCP snooping ia enabled globally using the ip dhcp snooping command page 4 146 and enabled on a VLAN with ip dhc...

Page 460: ...rification is enabled and the source MAC address in the Ethernet header of the packet is not same as the client s hardware address in the DHCP packet the packet is dropped Example This example enables...

Page 461: ...ng is disabled The request packet contains a valid relay agent address field DHCP reply packets are flooded onto all attached VLANs other than the inbound management VLAN under the following situation...

Page 462: ...n Example Related Commands ip dhcp snooping information option 4 150 ip dhcp snooping 4 146 show ip dhcp snooping This command shows the DHCP snooping configuration settings Command Mode Privileged Ex...

Page 463: ...IP address and corresponding MAC address Use the no form to disable this function Syntax ip source guard sip sip mac no ip source guard sip Filters traffic based on IP addresses stored in the binding...

Page 464: ...automatically configured with an infinite lease time Dynamic entries learned via DHCP snooping are configured by the DHCP server itself static entries include a manually configured lease time If the...

Page 465: ...figuration Command Usage Table entries include a MAC address IP address lease time entry type Static IP SG Binding Dynamic DHCP Binding VLAN identifier and port identifier All static entries are confi...

Page 466: ...bled or disabled on each interface Command Mode Privileged Exec Example show ip source guard binding This command shows the source guard binding table Syntax show ip source guard binding dhcp snooping...

Page 467: ...d Groups Function Page IP ACLs Configures ACLs based on IP addresses TCP UDP port number and protocol type 4 157 MAC ACLs Configures ACLs based on hardware addresses packet format and Ethernet type 4...

Page 468: ...ria acl_name Name of the ACL Maximum length 16 characters Default Setting None Command Mode Global Configuration Command Usage When you create a new ACL or enter configuration mode for an existing ACL...

Page 469: ...es are appended to the end of the list Address bitmasks are similar to a subnet mask containing four integers from 0 to 255 each separated by a period The binary mask uses 1 bits to indicate match and...

Page 470: ...cific protocol number Range 0 255 source Source IP address destination Destination IP address address bitmask Decimal number representing the address bits to match host Keyword followed by a specific...

Page 471: ...address 10 7 1 2 255 255 255 0 the packet passes through This allows TCP packets from class C addresses 192 168 1 0 to any destination address when set for destination TCP port 80 i e HTTP This permit...

Page 472: ...ing None Command Mode Interface Configuration Ethernet Command Usage A port can only be bound to one ACL If a port is already bound to an ACL and you bind it to a different ACL the switch will replace...

Page 473: ...the ACL Maximum length 16 characters cos value CoS value Range 0 7 Default Setting None Command Mode Interface Configuration Ethernet Command Usage You must configure an ACL before you can map CoS val...

Page 474: ...ining the required permit or deny rules and then bind the access list to one or more ports Console show map access list ip Access list to COS of Eth 1 4 Access list ALS1 cos 0 Console Table 4 49 MAC A...

Page 475: ...and Usage When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list To create an ACL you must add at least one...

Page 476: ...ny 802 3 any host source source address bitmask any host destination destination address bitmask cos cos value vid vid vid bitmask tagged eth2 Tagged Ethernet II packets untagged eth2 Untagged Etherne...

Page 477: ...This rule permits packets from any source MAC address to the destination address 00 e0 29 94 34 de where the Ethernet type is 0800 Related Commands access list mac 4 165 show mac access list This com...

Page 478: ...ation Ethernet Command Usage A port can only be bound to one ACL If a port is already bound to an ACL and you bind it to a different ACL the switch will replace the old binding with the new one Exampl...

Page 479: ...mum length 16 characters cos queue Port CoS queue Range 0 3 Default Setting None Command Mode Interface Configuration Ethernet Command Usage You must configure an ACL before you can map a CoS queue to...

Page 480: ...ue determines the output queue for packets matching an ACL rule Syntax show map access list mac interface interface ethernet unit port unit This is unit 1 port Port number Command Mode Privileged Exec...

Page 481: ...assigned to each port PE 4 171 Console show access list IP standard access list david permit host 10 1 1 21 permit 168 92 16 0 255 255 240 0 IP extended access list bob permit 10 7 1 1 255 255 255 0 a...

Page 482: ...erface configuration IC 4 173 speed duplex Configures the speed and duplex operation of a given interface when autonegotiation is disabled IC 4 173 negotiation Enables autonegotiation of a given inter...

Page 483: ...following example adds a description to port 24 speed duplex This command configures the speed and duplex mode of a given interface when autonegotiation is disabled Use the no form to restore the def...

Page 484: ...selected interface When using the negotiation command to enable auto negotiation the optimal settings will be determined by the capabilities command To set the speed duplex mode under auto negotiation...

Page 485: ...t parameters to restore the default values Syntax no capabilities 1000full 100full 100half 10full 10half flowcontrol symmetric 1000full Supports 1000 Mbps full duplex operation 100full Supports 100 Mb...

Page 486: ...n Ethernet Port Channel Command Usage Flow control can eliminate frame loss by blocking traffic from end stations or segments connected directly to the switch when its buffers fill When enabled back p...

Page 487: ...rt a disabled interface use the no form Syntax no shutdown Default Setting All interfaces are enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This command allows you t...

Page 488: ...d The scale and level are multiplied by one another to set the broadcast threshold For example to set a threshold of 500 Kbytes per second choose 100K for the scale and 5 for the level The specified t...

Page 489: ...k unit Range 1 port Port number Range 1 28 port channel channel id Range 1 12 Default Setting None Command Mode Privileged Exec Command Usage Statistics are only initialized for a power reset This com...

Page 490: ...displayed by this command see Displaying Connection Status on page 3 120 Example Console show interfaces status ethernet 1 5 Information of Eth 1 5 Basic Information Port Type 100TX Mac Address 00 12...

Page 491: ...unit Stack unit Range 1 port Port number Range 1 28 port channel channel id Range 1 12 Default Setting Shows the counters for all interfaces Command Mode Normal Exec Privileged Exec Command Usage If n...

Page 492: ...t 0 Error input 0 Error output 0 Unknown protos input 0 QLen output 0 Extended iftable stats Multi cast input 0 Multi cast output 3064 Broadcast input 262 Broadcast output 1 Ether like stats Alignment...

Page 493: ...mit Shows if ingress rate limiting is enabled and the current rate limit page 4 196 Egress Rate Limit Shows if egress rate limiting is enabled and the current rate limit page 4 196 VLAN Membership Mod...

Page 494: ...Status Shows if 802 1Q tunnel is enabled on this interface page 4 235 802 1Q tunnel Mode Shows the tunnel mode as Normal 802 1Q Tunnel or 802 1Q Tunnel Uplink page 4 235 802 1Q tunnel TPID Shows the T...

Page 495: ...p admin key Port Channel is not set when a channel group is formed i e it has the null value of 0 this key is set to the same value as the port admin key lacp admin key Ethernet Interface used by the...

Page 496: ...ll duplex and auto negotiation A trunk formed with another switch using LACP will automatically be assigned the next available port channel ID If the target switch has also enabled LACP on the connect...

Page 497: ...ership and to identify this device to other switches during LAG negotiations Range 0 65535 Default Setting 32768 Console config interface ethernet 1 11 Console config if lacp Console config if exit Co...

Page 498: ...ey Use the no form to restore the default setting Syntax lacp actor partner admin key key no lacp actor partner admin key actor The local side an aggregate link partner The remote side of an aggregate...

Page 499: ...during local LACP setup on this switch Range 0 65535 Default Setting 0 Command Mode Interface Configuration Port Channel Command Usage Ports are only allowed to join the same LAG if 1 the LACP system...

Page 500: ...ates a higher effective priority If an active port link goes down the backup port with the highest priority is selected to replace the downed link However if two or more ports have the same LACP port...

Page 501: ...er Sent 0 Marker Received 0 LACPDUs Unknown Pkts 0 LACPDUs Illegal Pkts 0 Table 4 55 show lacp counters display description Field Description LACPDUs Sent Number of valid LACPDUs transmitted from this...

Page 502: ...ate Defaulted The actor s receive machine is using defaulted operational partner information administratively configured for the partner Distributing If false distribution of outgoing frames on this l...

Page 503: ...signed by the user Partner Oper System ID LAG partner s system ID assigned by the LACP protocol Partner Admin Port Number Current administrative value of the port number for the protocol Partner Partn...

Page 504: ...ed the default mirroring is for both received and transmitted packets Console show lacp sysid Port Channel System Priority System MAC Address 1 32768 00 12 CF 8F 2C A7 2 32768 00 12 CF 8F 2C A7 3 3276...

Page 505: ...le mirror sessions but all sessions must share the same destination port However you should avoid sending too much traffic to the destination port from multiple source ports Example The following exam...

Page 506: ...mmand define the rate limit for a specific interface Use the no form to restore the default status of disabled Syntax rate limit input output scale 1k 10k 100k 1m 10m level level no rate limit input o...

Page 507: ...interface vlan vlan id action no mac address table static mac address vlan vlan id mac address MAC address interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 port channel...

Page 508: ...ce link is down Static addresses are bound to the assigned interface and will not be moved When a static address is seen on another interface the address will be ignored and will not be written to the...

Page 509: ...C addresses associated with each interface Note that the Type field may include the following types Learned Dynamic address entries Permanent Static entry Delete on reset Static entry to be deleted wh...

Page 510: ...301 seconds 0 to disable aging Default Setting 300 seconds Command Mode Global Configuration Command Usage The aging time is used to age out dynamically learned forwarding information Example show mac...

Page 511: ...ng tree instance MST 4 208 name Configures the name for the multiple spanning tree MST 4 209 revision Configures the revision number for the multiple spanning tree MST 4 210 max hops Configures the ma...

Page 512: ...in your network to ensure that only one route exists between any two stations on the network and provide backup links which automatically take over when a primary link goes down Example This example s...

Page 513: ...P BPDU after the migration delay expires RSTP restarts the migration delay timer and begins using RSTP BPDUs on that port Multiple Spanning Tree Protocol To allow multiple spanning trees to operate ov...

Page 514: ...loops might result Example spanning tree hello time This command configures the spanning tree bridge hello time globally for this switch Use the no form to restore the default Syntax spanning tree hel...

Page 515: ...t for designated ports should receive configuration messages at regular intervals Any port that ages out STA information provided in the last configuration message becomes the designated port for the...

Page 516: ...t method long short no spanning tree pathcost method long Specifies 32 bit based values that range from 1 200 000 000 This method is based on the IEEE 802 1w Rapid Spanning Tree Protocol short Specifi...

Page 517: ...bal Configuration Command Usage This command limits the maximum transmission rate for BPDUs Example spanning tree mst configuration This command changes to Multiple Spanning Tree MST configuration mod...

Page 518: ...ssigned to the Internal Spanning Tree MSTI 0 that connects all bridges and LANs within the MST region This switch supports up to 58 instances You should try to group VLANs which cover the same general...

Page 519: ...cifying a priority of 16384 Example name This command configures the name for the multiple spanning tree region in which this switch is located Use the no form to clear the name Syntax name name name...

Page 520: ...in the same region must be configured with the same MST instances Example Related Commands name 4 209 max hops This command configures the maximum number of hops in the region before a BPDU is discard...

Page 521: ...he spanning tree algorithm for port 5 spanning tree cost This command configures the spanning tree path cost for the specified interface Use the no form to restore the default Syntax spanning tree cos...

Page 522: ...igher values assigned to ports with slower media Path cost takes precedence over port priority When the spanning tree pathcost method page 4 206 is set to short the maximum value for path cost is 65 5...

Page 523: ...e link in the spanning tree Where more than one port is assigned the highest priority the port with lowest numeric identifier will be enabled Example Related Commands spanning tree cost 4 211 spanning...

Page 524: ...ommand is used to enable disable the fast spanning tree mode for the selected port In this mode ports skip the Discarding and Learning states and proceed straight to Forwarding Since end nodes cannot...

Page 525: ...l Command Usage Specify a point to point link if the interface can only be connected to exactly one other bridge or a shared link if it can be connected to two or more bridges When automatic detection...

Page 526: ...ate auto configuration mode When the short path cost method is selected and the default path cost recommended by the IEEE 8021w standard exceeds 65 535 the default is set to 65 535 The default path co...

Page 527: ...interface in the multiple spanning tree If the path cost for all interfaces on a switch are the same the interface with the highest priority that is lowest value will be configured as an active link i...

Page 528: ...t Range 1 port Port number Range 1 28 port channel channel id Range 1 12 instance_id Instance identifier of the multiple spanning tree Range 0 4094 no leading zeroes Default Setting None Command Mode...

Page 529: ...ated Root 32768 0 0000ABCD0000 Current root port 1 Current root cost 10000 Number of topology changes 1 Last topology changes time sec 22 Transmission limit 3 Path Cost Method long Eth 1 1 information...

Page 530: ...Page GVRP and Bridge Extension Configures GVRP settings that permit automatic VLAN learning shows the configuration for bridge extension MIB 4 221 Editing VLAN Groups Sets up VLAN groups including na...

Page 531: ...hange VLAN information in order to register VLAN members on ports across the network This function should be enabled to permit automatic VLAN registration and to support VLANs which extend beyond the...

Page 532: ...and enables GVRP for a port Use the no form to disable it Syntax no switchport gvrp Default Setting Disabled Command Mode Interface Configuration Ethernet Port Channel Example Console show bridge ext...

Page 533: ...sets the values for the join leave and leaveall timers Use the no form to restore the timers default values Syntax garp timer join leave leaveall timer_value no garp timer join leave leaveall join le...

Page 534: ...ANs Timer values must meet the following restrictions leave 2 x join leaveall leave Note Set GVRP timers on all Layer 2 devices connected in the same network to the same values Otherwise GVRP may not...

Page 535: ...to define the port membership mode and add or remove ports from a VLAN The results of these commands are written to the running configuration file and you can display this file by entering the show ru...

Page 536: ...suspended Suspended VLANs do not pass packets Default Setting By default only VLAN 1 exists and is active Command Mode VLAN Database Configuration Command Usage no vlan vlan id deletes the VLAN no vla...

Page 537: ...erface configuration mode for a specified VLAN GC 4 227 switchport mode Configures VLAN membership mode for an interface IC 4 228 switchport acceptable frame types Configures frame types to be accepte...

Page 538: ...e also transmitted as tagged frames private vlan For an explanation of this command see switchport mode private vlan on page 4 240 Default Setting All ports are in hybrid mode with the PVID set to VLA...

Page 539: ...has ingress filtering permanently set to enabled Therefore trying to disable the filtering with the no switchport ingress filtering command will produce this error message Note Failed to ingress filt...

Page 540: ...Command Usage Setting the native VLAN for a port can only be performed when the port is a member of the VLAN and the VLAN is untagged The no switchport native vlan command will set the native VLAN of...

Page 541: ...port mode set to trunk i e 1Q Trunk then you can only assign an interface to VLAN groups as a tagged member Frames are always tagged within the switch The tagged untagged parameter used when adding a...

Page 542: ...o designate a range of IDs Do not enter leading zeros Range 1 4094 Default Setting No VLANs are included in the forbidden list Command Mode Interface Configuration Ethernet Port Channel Command Usage...

Page 543: ...le 4 70 Show VLAN Commands Command Function Mode Page show vlan Shows VLAN information NE PE 4 233 show interfaces status vlan Displays status for the specified VLAN interface NE PE 4 180 show interfa...

Page 544: ...Configure the QinQ tunnel access port to join the SPVLAN as an untagged member switchport allowed vlan page 4 231 6 Configure the SPVLAN ID as the native VID on the QinQ tunnel access port switchport...

Page 545: ...t1q tunnel 4 237 show interfaces switchport 4 182 switchport dot1q tunnel mode This command configures an interface as a QinQ tunnel port Use the no form to disable QinQ on the interface Syntax switch...

Page 546: ...lation This identifier is used to select a nonstandard 2 byte ethertype to identify 802 1Q tagged frames The standard ethertype value is 0x8100 Range 0800 FFFF hexadecimal Default Setting 0x8100 Comma...

Page 547: ...all cases the promiscuous ports are designed to provide open access to an external network such as the Internet while the community or isolated ports provide restricted access to local users Multiple...

Page 548: ...will contain a single promiscuous port and one or more isolated ports 2 Use the switchport mode private vlan command to configure one port as promiscuous i e having access to all ports in the isolate...

Page 549: ...ate with the promiscuous port within their own VLAN Default Setting None Command Mode VLAN Configuration Command Usage Private VLANs are used to restrict traffic to ports within the same community or...

Page 550: ...for group members The associated primary VLAN provides a common interface for access to other network resources within the primary VLAN e g servers configured with promiscuous ports and to resources o...

Page 551: ...secondary vlan id no switchport private vlan host association secondary vlan id ID of secondary i e community VLAN Range 1 4094 no leading zeroes Default Setting None Command Mode Interface Configurat...

Page 552: ...ces outside of the group via a promiscuous port Example switchport private vlan mapping Use this command to map an interface to a primary VLAN Use the no form to remove this mapping Syntax switchport...

Page 553: ...VLAN along with the assigned promiscuous interface and host interfaces The Primary and Secondary fields both display the isolated VLAN ID primary Displays all primary VLANs along with any assigned pr...

Page 554: ...an protocol group command General Configuration mode 3 Then map the protocol for each interface to the appropriate VLAN using the protocol vlan protocol group command Interface Configuration mode prot...

Page 555: ...t Port Channel Command Usage When creating a protocol based VLAN only assign interfaces via this command If you assign interfaces using any of the other VLAN commands such as the vlan command on page...

Page 556: ...ng All protocol groups are displayed Command Mode Privileged Exec Example This example shows many protocol groups configured for various protocol types and frame types Console config interface etherne...

Page 557: ...on switch ports by using the source MAC address of packets or by using LLDP IEEE 802 1AB to discover connected VoIP devices When VoIP traffic is detected on a configured port the switch automatically...

Page 558: ...can be detected on switch ports by using the source MAC address of packets or by using LLDP IEEE 802 1AB to discover connected VoIP devices When VoIP traffic is detected on a configured port the swit...

Page 559: ...configures the Voice VLAN aging time as 3000 minutes voice vlan mac address This command specifies MAC address ranges to add to the OUI Telephony list Use the no form to remove an entry from the list...

Page 560: ...s a MAC OUI to the OUI Telephony list switchport voice vlan This command specifies the Voice VLAN mode for ports Use the no form to disable the Voice VLAN feature on the port Syntax switchport voice v...

Page 561: ...e Telephony OUI list see the voice vlan mac address command on page 4 249 MAC address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a...

Page 562: ...page 4 249 Example The following example enables security filtering on port 1 switchport voice vlan priority This command specifies a CoS priority for VoIP traffic on a port Use the no form to restore...

Page 563: ...voice vlan status Global Voice VLAN Status Voice VLAN Status Enabled Voice VLAN ID 1234 Voice VLAN aging time 1440 minutes Voice VLAN Port Summary Port Mode Security Rule Priority Eth 1 1 Auto Enable...

Page 564: ...TL value sent in LLDP advertisements GC 4 256 medFastStartCount Configures how many medFastStart packets are transmitted GC 4 257 lldp notification interval Configures the allowed interval for sending...

Page 565: ...ldp medtlv extpoe Configures an LLDP MED enabled port to advertise its extended Pover over Ethernet configuration and usage information IC 4 269 lldp medtlv inventory Configures an LLDP MED enabled po...

Page 566: ...ng Syntax lldp holdtime multiplier value no lldp holdtime multiplier value Calculates the TTL in seconds based on holdtime multiplier refresh interval 65536 Range 2 10 Default Setting Holdtime multipl...

Page 567: ...tical to the timely startup of LLDP and therefore integral to the rapid availability of Emergency Call Service Example lldp notification interval This command configures the allowed interval for sendi...

Page 568: ...yntax lldp refresh interval seconds no lldp refresh delay seconds Specifies the periodic interval at which LLDP advertisements are sent Range 5 32768 seconds Default Setting 30 seconds Command Mode Gl...

Page 569: ...ing Syntax lldp tx delay seconds no lldp tx delay seconds Specifies the transmit delay Range 1 8192 seconds Default Setting 2 seconds Command Mode Global Configuration Command Usage The transmit delay...

Page 570: ...sable LLDP notifications Syntax no lldp notification Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This option sends out SNMP trap notifications to d...

Page 571: ...ons at the interval specified by the lldp notification interval command page 4 257 Trap notifications include information about state changes in the LLDP MIB IEEE 802 1AB the LLDP MED MIB ANSI TIA 105...

Page 572: ...rdware component or protocol entity associated with this address The interface number and OID are included to assist SNMP applications to perform network discovery by indicating enterprise specific or...

Page 573: ...asic tlv system capabilities This command configures an LLDP enabled port to advertise its system capabilities Use the no form to disable this feature Syntax no lldp basic tlv system capabilities Defa...

Page 574: ...stem and networking software Example lldp basic tlv system name This command configures an LLDP enabled port to advertise the system name Use the no form to disable this feature Syntax no lldp basic t...

Page 575: ...s an LLDP enabled port to advertise port related VLAN information Use the no form to disable this feature Syntax no lldp dot1 tlv proto vid Default Setting Enabled Command Mode Interface Configuration...

Page 576: ...dot1 tlv vlan name This command configures an LLDP enabled port to advertise its VLAN name Use the no form to disable this feature Syntax no lldp dot1 tlv vlan name Default Setting Enabled Command Mo...

Page 577: ...aggregation member Example lldp dot3 tlv mac phy This command configures an LLDP enabled port to advertise its MAC and physical layer capabilities Use the no form to disable this feature Syntax no ll...

Page 578: ...ts Power over Ethernet PoE capabilities Use the no form to disable this feature Syntax no lldp dot3 tlv poe Default Setting Disabled Command Mode Interface Configuration Ethernet Port Channel Command...

Page 579: ...erating from primary or backup power the Endpoint Device could use this information to decide to enter power conservation mode Note that this device does not support PoE capabilities Example lldp medt...

Page 580: ...nfigures an LLDP MED enabled port to advertise its Media Endpoint Device capabilities Use the no form to disable this feature Syntax no lldp medtlv med cap Default Setting Enabled Command Mode Interfa...

Page 581: ...tion mismatches on a port Improper network policy configurations frequently result in voice quality degradation or complete service disruption Example show lldp config This command shows LLDP configur...

Page 582: ...1 3 Tx Rx True Eth 1 4 Tx Rx True Eth 1 5 Tx Rx True Console show lldp config detail ethernet 1 1 LLDP Port Configuration Detail Port Eth 1 1 Admin Status Tx Rx Notification Enabled True Basic TLVs Ad...

Page 583: ...Name System Description Layer2 Fast Ethernet Standalone Switch 24FE 4G System Capabilities Support Bridge System Capabilities Enable Bridge Management Address 192 168 0 101 IPv4 LLDP Port Information...

Page 584: ...12 Command Mode Privileged Exec Example Console show lldp info remote device LLDP Remote Devices Information Interface ChassisId PortId SysName Eth 1 1 00 01 02 03 04 05 00 01 02 03 04 06 Console show...

Page 585: ...ch show lldp info statistics LLDP Device Statistics Neighbor Entries List Last Updated 2450279 seconds New Neighbor Entries Count 1 Neighbor Entries Deleted Count 0 Neighbor Entries Dropped Count 0 Ne...

Page 586: ...2 Configures default priority for untagged frames sets queue weights and maps class of service tags to hardware queues 4 276 Priority Layer 3 and 4 Maps IP port and IP DSCP Precedence and TOS values...

Page 587: ...figuration Command Usage The switch can be set to service the port queues based on strict priority WRR or a combination of strict and weighted queueing Strict priority requires all traffic in a higher...

Page 588: ...priority does not apply to IEEE 802 1Q VLAN tagged frames If the incoming frame is an IEEE 802 1Q VLAN tagged frame the IEEE 802 1p User Priority bits will be used This switch provides eight priority...

Page 589: ...Queue weights must be configured in ascendant manner assigning more weight to each higher numbered queue that is Q0 Q1 Q2 Q3 Example This example shows how to assign WRR weights to priority queues 0 2...

Page 590: ...egress port Example The following example shows how to change the CoS assignments Related Commands show queue cos map 4 281 show queue mode This command shows the current queue mode Default Setting N...

Page 591: ...ows the class of service priority map Syntax show queue cos map interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 port channel channel id Range 1 12 Default Se...

Page 592: ...3 and 4 Command Function Mode Page map ip dscp Configures IP DSCP to CoS queue mapping GC 4 282 map ip port Configures TCP port to CoS queue mapping GC 4 283 map ip precedence Configures IP precedence...

Page 593: ...ble the feature on the switch map ip port Use this command to enable and set IP port priority mapping i e TCP UDP port priority mapping Use the no form to disable the feature or remove a settting Synt...

Page 594: ...he default priority mapping Command Mode Global Configuration Command Usage The command map ip precedence enables the feature on the switch The command map ip precedence precedence value cos cos queue...

Page 595: ...are defined in the following table All the TOS values not defined are mapped to CoS queue 0 Command Mode Global Configuration Command Usage The command map ip tos enables the feature on the switch The...

Page 596: ...the IP ACL Maximum length 16 characters cos queue Port CoS queue Range 0 3 Default Setting None Command Mode Interface Configuration Ethernet Command Usage You must configure an ACL before you can ma...

Page 597: ...map Syntax show map ip dscp Command Mode Privileged Exec Example Related Commands map ip dscp 4 282 show map ip port Use this command to show the IP port priority map Syntax show map ip port Command M...

Page 598: ...tax show map ip precedence Command Mode Privileged Exec Example Related Commands map ip precedence 4 284 show map ip tos Use this command to show the IP ToS priority map Syntax show map ip tos Command...

Page 599: ...cess list ip mac interface ip Specifies IP ACLs mac Specifies MAC ACLs interface ethernet unit port unit This is device 1 port Port number Command Mode Privileged Exec Example Console show map ip tos...

Page 600: ...the set command to modify the QoS value for matching traffic class and use the policer command to monitor the average flow and burst rate and drop any traffic that exceeds the specified rate or just...

Page 601: ...a class map class map name Name of the class map Range 1 16 characters Default Setting None Command Mode Global Configuration Command Usage First enter this command to designate a class map and enter...

Page 602: ...specify the fields within ingress packets that must match to qualify for this class map Only one match command can be entered per class map Example This example creates a class map call rd_class 3 an...

Page 603: ...ssification upon which a policy can act and enters Policy Map Class configuration mode Use the no form to delete a class map and return to Policy Map configuration mode Syntax no class class map name...

Page 604: ...ge 0 7 new dscp New Differentiated Service Code Point DSCP value Range 0 63 new precedence New IP Precedence value Range 0 7 Default Setting None Command Mode Policy Map Class Configuration Example Th...

Page 605: ...tandard ACL and Extended ACL Policing is based on a token bucket where bucket depth i e the maximum burst before the bucket overflows is by specified the burst byte field and the average rate at which...

Page 606: ...Port Channel Command Usage You can only assign one policy map to an interface You must first define a class map then define a policy map and finally use the service policy command to bind the policy...

Page 607: ...d Mode Privileged Exec Example show policy map interface This command displays the service policy assigned to the specified interface Syntax show policy map interface interface input interface etherne...

Page 608: ...oping and query settings and displays the multicast service and group members 4 298 IGMP Query Configures IGMP query parameters for multicast filtering at Layer 2 4 303 Static Multicast Routing Config...

Page 609: ...x no ip igmp snooping vlan vlan id static ip address interface vlan id VLAN ID Range 1 4094 ip address IP address for multicast group interface ethernet unit port unit Stack unit Range 1 port Port num...

Page 610: ...are legacy devices in your network that only support Version 1 you will also have to configure this switch to use Version 1 Some commands are only enabled for IGMPv2 and or v3 including ip igmp snoop...

Page 611: ...D 1 to 4094 Default Setting Disabled Command Mode Interface Configuration VLAN Command Usage If immediate leave is not used a multicast router or querier will send a group specific query message when...

Page 612: ...n multicast addresses Syntax show mac address table multicast vlan vlan id user igmp snooping vlan id VLAN ID 1 to 4094 user Display only the user configured multicast entries igmp snooping Display on...

Page 613: ...o ip igmp snooping querier Default Setting Enabled Command Mode Global Configuration Console show mac address table multicast vlan 1 igmp snooping VLAN M cast IP addr Member ports Type 1 224 1 2 3 Eth...

Page 614: ...client from the multicast group Range 2 10 Default Setting 2 times Command Mode Global Configuration Command Usage The query count defines how long the querier waits for a response from a multicast cl...

Page 615: ...igmp snooping query max response time seconds no ip igmp snooping query max response time seconds The report delay advertised in IGMP queries Range 5 25 Default Setting 10 seconds Command Mode Global...

Page 616: ...e the switch waits after the previous querier stops before it considers the router port i e the interface which had been receiving query packets to have expired Range 300 500 Default Setting 300 secon...

Page 617: ...gured Command Mode Global Configuration Command Usage Depending on your network connections IGMP snooping may not always be able to locate the IGMP querier Therefore if the IGMP querier is a known mul...

Page 618: ...iltering feature fulfills this requirement by restricting access to specified multicast services on a switch port and IGMP throttling limits the number of simultaneous multicast groups a port can join...

Page 619: ...ed multicast group is denied the IGMP join report is dropped IGMP filtering and throttling only applies to dynamically learned multicast groups it does not apply to statically configured groups The IG...

Page 620: ...access mode either permit or deny When the access mode is set to permit IGMP join reports are processed when a multicast group falls within the controlled range When the access mode is set to deny IGM...

Page 621: ...67295 Default Setting None Command Mode Interface Configuration Command Usage The IGMP filtering profile must first be created with the ip igmp profile command before being able to assign it to an int...

Page 622: ...r replace If the action is set to deny any new IGMP join reports will be dropped If the action is set to replace the switch randomly removes an existing group and replaces it with the new multicast gr...

Page 623: ...nd displays the global and interface settings for IGMP filtering Syntax show ip igmp filter interface interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 port ch...

Page 624: ...and displays the interface settings for IGMP throttling Syntax show ip igmp throttle interface interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 port channel c...

Page 625: ...he no form of this command without any keywords to globally disable MVR Use the no form with the group keyword to remove a specific address or range of addresses Or use the no form with the vlan keywo...

Page 626: ...witchport allowed vlan command page 4 231 and switchport native vlan command page 4 230 but MVR receiver ports should not be statically configured as members of this VLAN IGMP snooping must be enabled...

Page 627: ...r of any configured multicast group Command Mode Interface Configuration Ethernet Port Channel Command Usage A port which is not configured as an MVR receiver or source port can use IGMP snooping to j...

Page 628: ...3 hosts can issue multicast join or leave messages Example The following configures one source port and several receiver ports on the switch enables immediate leave on one of the receiver ports and s...

Page 629: ...s 10 Console Table 4 90 show mvr display description Field Description MVR Status Shows if MVR is globally enabled on the switch MVR running status Indicates whether or not all necessary conditions in...

Page 630: ...0 2 INACTIVE None 225 0 0 3 INACTIVE None 225 0 0 4 INACTIVE None 225 0 0 5 INACTIVE None 225 0 0 6 INACTIVE None 225 0 0 7 INACTIVE None 225 0 0 8 INACTIVE None 225 0 0 9 INACTIVE None 225 0 0 10 IN...

Page 631: ...dress from BOOTP dhcp Obtains IP address from DHCP Default Setting DHCP Command Mode Interface Configuration VLAN Command Usage You must assign an IP address to this device to gain management access o...

Page 632: ...riginal IP address and this becomes the new management VLAN Example In the following example the device is assigned an address in VLAN 1 Related Commands ip dhcp restart 4 323 ip default gateway This...

Page 633: ...the client will be based on this new domain Example In the following example the device is reassigned the same address Related Commands ip address 4 321 show ip interface This command displays the se...

Page 634: ...ed because the router adds header information Default Setting count 5 size 32 Command Mode Normal Exec Privileged Exec Command Usage Use the ping command to see if another site on the network can be r...

Page 635: ...9 by 5 32 byte payload ICMP packets timeout is 5 seconds response time 10 ms response time 10 ms response time 10 ms response time 10 ms response time 10 ms Ping statistics for 10 1 0 9 5 packets tran...

Page 636: ...Command Line Interface 4 326 4...

Page 637: ...SE SX LX LH 1000 Mbps at full duplex SFP Flow Control Full Duplex IEEE 802 3 2005 Half Duplex Back pressure Broadcast Storm Control Traffic throttled above a critical threshold Port Mirroring Multiple...

Page 638: ...MON Remote Monitoring groups 1 2 3 9 SMTP Email Alerts Switch Clustering Management Features In Band Management Telnet web based HTTP HTTPS SNMP manager or Secure Shell Out of Band Management RS 232 D...

Page 639: ...350 Management Information Bases Bridge MIB RFC 1493 Differentiated Services MIB RFC 3289 Entity MIB RFC 2737 Ether like MIB RFC 3635 Extended Bridge MIB RFC 2674 Extensible SNMP Agents MIB RFC 2742 F...

Page 640: ...RFC 3411 SNMP MPD MIB RFC 3412 SNMP Target MIB SNMP Notification MIB RFC 3413 SNMP User Based SM MIB RFC 3414 SNMP View Based ACM MIB RFC 3415 SNMPv2 IP MIB RFC 2011 TACACS Authentication Client MIB...

Page 641: ...of concurrent Telnet SSH sessions permitted Try connecting again at a later time Cannot connect using Secure Shell If you cannot connect using SSH you may have exceeded the maximum number of concurre...

Page 642: ...messages reported to include all categories 3 Designate the SNMP host that is to receive the error messages 4 Repeat the sequence of commands or other actions that lead up to the error 5 Make a list...

Page 643: ...DSCP uses a six bit tag to provide for up to 64 different forwarding behaviors Based on network policies different kinds of traffic can be marked for different kinds of forwarding The DSCP bits are ma...

Page 644: ...s to register and propagate multicast group membership information in a switched environment so that multicast data frames are propagated only to those parts of a switched LAN containing registered en...

Page 645: ...packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members Internet Group Management Protocol IGMP A protocol through which hosts can registe...

Page 646: ...ntended for use with 32 bit machines and is safer than the MD4 algorithm which has been broken MD5 is a one way hash function meaning that it takes a message and converts it into a fixed string of dig...

Page 647: ...bines several lower speed physical links Private VLANs Private VLANs provide port based security and isolation between ports within the assigned VLAN Data traffic on downlink ports can only be forward...

Page 648: ...fers network management services Simple Network Time Protocol SNTP SNTP allows a device to set its internal clock based on periodic updates from a Network Time Protocol NTP server Updates can be reque...

Page 649: ...e access to IP like services UDP packets are delivered just like IP packets connection less datagrams that may be discarded before reaching their targets UDP is useful when TCP would be too complex to...

Page 650: ...Glossary Glossary 8...

Page 651: ...port required connections 2 2 CoS configuring 3 180 4 246 4 260 DSCP 3 187 IP precedence 3 190 layer 3 4 priorities 3 186 4 252 queue mapping 3 182 4 249 queue mode 3 184 4 246 traffic class weights...

Page 652: ...uery Layer 2 3 210 4 280 snooping 3 208 4 275 snooping configuring 3 209 4 275 ingress filtering 3 153 4 227 IP address BOOTP DHCP 3 17 4 297 4 299 4 317 4 318 setting 2 4 3 15 4 297 4 317 4 318 IP pr...

Page 653: ...g 3 180 4 246 4 260 default ingress 3 180 4 247 STA 3 133 4 211 port security configuring 3 72 4 97 port statistics 3 118 4 158 ports autonegotiation 3 101 4 152 broadcast storm threshold 3 114 4 156...

Page 654: ...resses setting 3 122 4 175 statistics port 3 118 4 158 STP 3 129 4 201 STP Also see STA switchport dot1q ethertype 4 234 switchport mode dot1q tunnel 4 233 system clock setting 3 33 4 62 system logs 3...

Page 655: ...Index 5 Index W Web interface access requirements 3 1 configuration buttons 3 3 home page 3 2 menu list 3 4 panel display 3 3...

Page 656: ...Index 6 Index...

Page 657: ......

Page 658: ......

Reviews:

No comments

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands