manualshive.com logo in svg

LG-Ericsson iPECS ES-4526G, User Manual

The LG-Ericsson iPECS ES-4526G is a cutting-edge network switch designed for efficient data transfer. Ensure a hassle-free installation with the comprehensive Installation Manual available for free download at manualshive.com. Get the most out of this product by referring to the user manual, easily accessible on the same website.

Share
Download
background image

C

HAPTER

 14

  |  Security Measures

ARP Inspection

–  328  –

ES-4500G Series

with different MAC addresses are classified as invalid and are 

dropped.

IP – Checks the ARP body for invalid and unexpected IP addresses. 

These addresses include 0.0.0.0, 255.255.255.255, and all IP 

multicast addresses. Sender IP addresses are checked in all ARP 

requests and responses, while target IP addresses are checked only 

in ARP responses.

Source MAC – Checks the source MAC address in the Ethernet 

header against the sender MAC address in the ARP body. This check 

is performed on both ARP requests and responses. When enabled, 

packets with different MAC addresses are classified as invalid and 
are dropped.

ARP Inspection Logging

By default, logging is active for ARP Inspection, and cannot be disabled.

The administrator can configure the log facility rate.

When the switch drops a packet, it places an entry in the log buffer, 

then generates a system message on a rate-controlled basis. After the 

system message is generated, the entry is cleared from the log buffer.

Each log entry contains flow information, such as the receiving VLAN, 

the port number, the source and destination IP addresses, and the 

source and destination MAC addresses.

If multiple, identical invalid ARP packets are received consecutively on 

the same VLAN, then the logging facility will only generate one entry in 

the log buffer and one corresponding system message.

If the log buffer is full, the oldest entry will be replaced with the newest 

entry.

P

ARAMETERS

These parameters are displayed in the web interface:

ARP Inspection Status

 – Enables ARP Inspection globally. 

(Default: Disabled)

ARP Inspection Validation

 – Enables extended ARP Inspection 

Validation if any of the following options are enabled. 

(Default: Disabled)

Dst-MAC

 – Validates the destination MAC address in the Ethernet 

header against the target MAC address in the body of ARP 

responses.

IP

 – Checks the ARP body for invalid and unexpected IP addresses. 

Sender IP addresses are checked in all ARP requests and responses, 

while target IP addresses are checked only in ARP responses.

Summary of Contents for iPECS ES-4526G

Page 1: ...USER GUIDE User Manual ES 4550G ES 4526G Managed Layer 3 Stackable GE Switch ...

Page 2: ...Gigabit Combination Ports RJ 45 SFP 2 10 Gigabit Extender Module Slots and 2 Stacking Ports ES 4526G MANAGED 24 PORT L3 STACKABLE GE SWITCH Layer 3 Stackable Gigabit Ethernet Switch with 20 10 100 1000BASE T RJ 45 Ports 4 Gigabit Combination Ports RJ 45 SFP 2 10 Gigabit Extender Module Slots and 2 Stacking Ports ES 4526G ES 4550G E042011 ST R01 150200000149A ...

Page 3: ...mation NOTE Emphasizes important information or calls your attention to related features or instructions CAUTION Alerts you to a potential hazard that could cause loss of data or damage the system or equipment WARNING Alerts you to a potential hazard that could cause personal injury NOTICE OF CHANGES LG Ericsson reserves the right to change specifications at any time without notice RELATED PUBLICA...

Page 4: ...IDE 4 ES 4500G Series REVISION HISTORY This section summarizes the changes in each revision of this guide APRIL 2011 REVISION This is the first version of this guide This guide is valid for software release v1 2 2 0 ...

Page 5: ...ting to the Switch 71 Configuration Options 71 Required Connections 72 Remote Connections 73 Basic Configuration 73 Console Connection 73 Setting Passwords 74 Setting an IP Address 75 Enabling SNMP Management Access 80 Managing System Files 82 Saving or Restoring Configuration Settings 83 SECTION II WEB CONFIGURATION 85 3 USING THE WEB INTERFACE 87 Connecting to the Web Interface 87 Navigating the...

Page 6: ...tem Clock 117 Setting the Time Manually 118 Setting The SNTP Polling Interval 119 Specifying SNTP Time Servers 120 Setting the Time Zone 121 Console Port Settings 122 Telnet Settings 124 Displaying CPU Utilization 125 Displaying Memory Utilization 126 Renumbering the Stack 127 Resetting the System 128 5 INTERFACE CONFIGURATION 131 Port Configuration 131 Configuring by Port List 131 Configuring by ...

Page 7: ...e VLANs 176 Associating Private VLANs 178 Configuring Private VLAN Interfaces 179 IEEE 802 1Q Tunneling 181 Enabling QinQ Tunneling on the Switch 185 Adding an Interface to a QinQ Tunnel 186 Protocol VLANs 187 Configuring Protocol VLAN Groups 188 Mapping Protocol Groups to Interfaces 189 Configuring IP Subnet VLANs 192 Configuring MAC based VLANs 194 7 ADDRESS TABLE SETTINGS 197 Configuring MAC Ad...

Page 8: ...edence 241 Mapping IP Port Priority 242 12 QUALITY OF SERVICE 245 Overview 245 Configuring a Class Map 246 Creating QoS Policies 249 Attaching a Policy Map to a Port 259 13 VOIP TRAFFIC CONFIGURATION 261 Overview 261 Configuring VoIP Traffic 261 Configuring Telephony OUI 263 Configuring VoIP Traffic Ports 264 14 SECURITY MEASURES 267 AAA Authorization and Accounting 268 Configuring Local Remote Lo...

Page 9: ...TCAM Utilization 311 Setting the ACL Name and Type 312 Configuring a Standard IPv4 ACL 313 Configuring an Extended IPv4 ACL 315 Configuring a Standard IPv6 ACL 317 Configuring an Extended IPv6 ACL 319 Configuring a MAC ACL 321 Configuring an ARP ACL 323 Binding a Port to an Access Control List 325 ARP Inspection 326 Configuring Global Settings for ARP Inspection 327 Configuring VLAN Settings for A...

Page 10: ...ocol Alerts 363 Link Layer Discovery Protocol 364 Setting LLDP Timing Attributes 364 Configuring LLDP Interface Attributes 366 Displaying LLDP Local Device Information 369 Displaying LLDP Remote Port Information 371 Displaying Device Statistics 376 Simple Network Management Protocol 378 Configuring Global Settings for SNMP 380 Setting the Local Engine ID 381 Specifying a Remote Engine ID 382 Setti...

Page 11: ...IGMP Query used with Multicast Routing 437 Configuring IGMP Proxy Routing 438 Configuring IGMP Interface Parameters 440 Configuring Static IGMP Group Membership 443 Displaying Multicast Group Information 445 Multicast VLAN Registration 447 Configuring Global MVR Settings 449 Configuring the MVR Group Range 450 Configuring MVR Interface Status 451 Assigning Static Multicast Groups to Interfaces 454...

Page 12: ...utes 491 Displaying the Routing Table 493 Equal cost Multipath Routing 494 19 CONFIGURING ROUTER REDUNDANCY 497 Configuring VRRP Groups 498 Displaying VRRP Global Statistics 504 Displaying VRRP Group Statistics 505 20 IP SERVICES 507 Domain Name Service 507 Configuring General DNS Service Parameters 507 Configuring a List of Domain Names 508 Configuring a List of Name Servers 510 Configuring Stati...

Page 13: ...st Path First Protocol Version 2 548 Defining Network Areas Based on Addresses 550 Configuring General Protocol Settings 553 Displaying Administrative Settings and Statistics 556 Adding an NSSA or Stub 558 Configuring NSSA Settings 559 Configuring Stub Settings 562 Displaying Information on NSSA and Stub Areas 564 Configuring Area Ranges Route Summarization for ABRs 565 Redistributing External Rou...

Page 14: ...bally 608 Configuring PIM Interface Settings 609 Displaying Neighbor Information 612 SECTION III COMMAND LINE INTERFACE 615 23 USING THE COMMAND LINE INTERFACE 617 Accessing the CLI 617 Console Connection 617 Telnet Connection 618 Entering Commands 619 Keywords and Arguments 619 Minimum Abbreviation 619 Command Completion 619 Getting Help on Commands 620 Partial Keyword Lookup 621 Negating the Eff...

Page 15: ...ignation 637 hostname 638 switch all renumber 638 System Status 639 show access list tcam utilization 639 show memory 640 show process cpu 640 show running config 640 show startup config 642 show system 643 show tech support 644 show users 644 show version 645 Frame Size 646 jumbo frame 646 Fan Control 647 fan speed force full 647 File Management 647 boot system 648 copy 649 delete 652 dir 653 whi...

Page 16: ...acility 665 logging history 665 logging host 666 logging on 667 logging trap 667 clear log 668 show log 669 show logging 669 SMTP Alerts 671 logging sendmail 671 logging sendmail host 671 logging sendmail level 672 logging sendmail destination email 673 logging sendmail source email 673 show logging sendmail 674 Time 674 sntp client 675 sntp poll 676 sntp server 676 show sntp 677 clock timezone 67...

Page 17: ...d 691 snmp server group 692 snmp server user 693 snmp server view 694 show snmp engine id 695 show snmp group 696 show snmp user 697 show snmp view 698 nlm 698 snmp server notify filter 699 show nlm oper status 700 show snmp notify filter 701 27 REMOTE MONITORING COMMANDS 703 rmon alarm 704 rmon event 705 rmon collection history 706 rmon collection rmon1 707 show rmon alarms 708 show rmon events 7...

Page 18: ...cation login 721 RADIUS Client 722 radius server acct port 722 radius server auth port 723 radius server host 723 radius server key 724 radius server retransmit 725 radius server timeout 725 show radius server 726 TACACS Client 726 tacacs server 727 tacacs server host 727 tacacs server key 728 tacacs server port 728 show tacacs server 729 AAA 729 aaa accounting commands 730 aaa accounting dot1x 73...

Page 19: ...Shell 744 ip ssh authentication retries 747 ip ssh server 747 ip ssh server key size 748 ip ssh timeout 748 delete public key 749 ip ssh crypto host key generate 749 ip ssh crypto zeroize 750 ip ssh save host key 751 show ip ssh 751 show public key 752 show ssh 753 802 1X Port Authentication 753 dot1x default 754 dot1x eapol pass through 754 dot1x system auth control 755 dot1x intrusion action 755...

Page 20: ... qos 774 network access dynamic vlan 775 network access guest vlan 776 network access link detection 776 network access link detection link down 777 network access link detection link up 777 network access link detection link up down 778 network access max mac count 778 network access mode mac authentication 779 network access port mac filter 780 mac authentication intrusion action 781 mac authent...

Page 21: ...ooping database flash 797 show ip dhcp snooping 798 show ip dhcp snooping binding 798 IP Source Guard 799 ip source guard binding 799 ip source guard 801 ip source guard max binding 802 show ip source guard 803 show ip source guard binding 803 ARP Inspection 804 ip arp inspection 805 ip arp inspection filter 806 ip arp inspection log buffer logs 807 ip arp inspection validate 808 ip arp inspection...

Page 22: ...ny Extended IPv6 ACL 822 show ipv6 access list 824 ipv6 access group 825 show ipv6 access group 825 MAC ACLs 826 access list mac 826 permit deny MAC ACL 827 mac access group 829 show mac access group 830 show mac access list 830 ARP ACLs 831 access list arp 831 permit deny ARP ACL 832 show arp access list 833 ACL Information 834 show access group 834 show access list 834 32 INTERFACE COMMANDS 835 ...

Page 23: ... key Ethernet Interface 858 lacp port priority 859 lacp system priority 860 lacp admin key Port Channel 860 show lacp 861 34 PORT MIRRORING COMMANDS 865 Local Port Mirroring Commands 865 port monitor 865 show port monitor 866 35 RATE LIMIT COMMANDS 869 rate limit 869 36 AUTOMATIC TRAFFIC CONTROL COMMANDS 871 auto traffic control apply timer 873 auto traffic control release timer 874 auto traffic c...

Page 24: ...884 show auto traffic control interface 884 37 ADDRESS TABLE COMMANDS 885 mac address table aging time 885 mac address table static 886 clear mac address table dynamic 887 show mac address table 887 show mac address table aging time 888 show mac address table count 889 38 SPANNING TREE COMMANDS 891 spanning tree 892 spanning tree forward time 893 spanning tree hello time 893 spanning tree max age ...

Page 25: ...ng tree loopback detection release 913 spanning tree protocol migration 913 show spanning tree 914 show spanning tree mst configuration 916 39 VLAN COMMANDS 917 GVRP and Bridge Extension Commands 918 bridge ext gvrp 918 garp timer 919 switchport forbidden vlan 920 switchport gvrp 920 show bridge ext 921 show garp timer 921 show gvrp configuration 922 Editing VLAN Groups 922 vlan database 923 vlan ...

Page 26: ... mode private vlan 942 switchport private vlan host association 943 switchport private vlan mapping 944 show vlan private vlan 944 Configuring Protocol based VLANs 945 protocol vlan protocol group Configuring Groups 946 protocol vlan protocol group Configuring Interfaces 946 show protocol vlan protocol group 947 show interfaces protocol vlan protocol group 948 Configuring IP Subnet VLANs 949 subne...

Page 27: ...uration 966 map ip port Global Configuration 967 map ip precedence Global Configuration 967 map ip dscp Interface Configuration 968 map ip port Interface Configuration 969 map ip precedence Interface Configuration 970 show map ip dscp 971 show map ip port 971 show map ip precedence 972 41 QUALITY OF SERVICE COMMANDS 973 class map 974 description 975 match 976 rename 977 policy map 977 class 978 po...

Page 28: ...igmp snooping vlan immediate leave 999 ip igmp snooping vlan last memb query count 1000 ip igmp snooping vlan last memb query intvl 1001 ip igmp snooping vlan mrd 1001 ip igmp snooping vlan proxy address 1002 ip igmp snooping vlan query interval 1003 ip igmp snooping vlan query resp intvl 1004 ip igmp snooping vlan static 1005 show ip igmp snooping 1005 show ip igmp snooping group 1006 show mac ad...

Page 29: ... Layer 3 1026 ip igmp 1026 ip igmp last member query interval 1027 ip igmp max resp interval 1028 ip igmp query interval 1029 ip igmp robustval 1029 ip igmp static group 1030 ip igmp version 1031 clear ip igmp group 1032 show ip igmp groups 1032 show ip igmp interface 1035 IGMP Proxy Routing 1035 ip igmp proxy 1036 ip igmp proxy unsolicited report interval 1037 MLD Layer 3 1038 ipv6 mld 1038 ipv6 ...

Page 30: ...p address 1054 lldp basic tlv port description 1055 lldp basic tlv system capabilities 1055 lldp basic tlv system description 1056 lldp basic tlv system name 1056 lldp dot1 tlv proto ident 1057 lldp dot1 tlv proto vid 1057 lldp dot1 tlv pvid 1058 lldp dot1 tlv vlan name 1058 lldp dot3 tlv link agg 1059 lldp dot3 tlv mac phy 1059 lldp dot3 tlv max frame 1060 lldp notification 1060 show lldp config ...

Page 31: ...079 DHCP Relay 1080 ip dhcp relay server 1080 ip dhcp restart relay 1081 DHCP Server 1082 ip dhcp excluded address 1083 ip dhcp pool 1083 service dhcp 1084 bootfile 1084 client identifier 1085 default router 1086 dns server 1086 domain name 1087 hardware address 1087 host 1088 lease 1089 netbios name server 1090 netbios node type 1091 network 1091 next server 1092 clear ip dhcp binding 1093 show i...

Page 32: ... IPv4 Interface 1105 Basic IPv4 Configuration 1106 ip address 1106 ip default gateway 1108 show ip interface 1109 traceroute 1109 ping 1110 ARP Configuration 1111 arp 1112 arp timeout 1113 ip proxy arp 1113 clear arp cache 1114 show arp 1114 UDP Helper Configuration 1115 ip forward protocol udp 1115 ip helper 1116 ip helper address 1117 show ip helper 1118 IPv6 Interface 1119 ipv6 default gateway ...

Page 33: ...Tunnels 1143 interface tunnel 1144 tunnel destination 1145 tunnel mode ipv6ip 1146 tunnel source vlan 1148 tunnel ttl 1149 show ipv6 tunnel 1149 48 IP ROUTING COMMANDS 1151 Global Routing Configuration 1151 ip route 1152 maximum paths 1153 show ip route 1153 show ip route database 1155 show ip traffic 1155 ipv6 route 1156 show ipv6 route 1158 Routing Information Protocol RIP 1159 router rip 1160 d...

Page 34: ...ls rip 1175 show ip rip 1175 Open Shortest Path First OSPFv2 1177 router ospf 1178 compatible rfc1583 1179 default information originate 1180 router id 1181 timers spf 1182 clear ip ospf process 1183 area default cost 1183 area range 1184 auto cost reference bandwidth 1185 default metric 1186 redistribute 1187 summary address 1188 area nssa 1189 area stub 1191 area virtual link 1192 network area 1...

Page 35: ... ip protocols ospf 1217 Open Shortest Path First OSPFv3 1218 router ipv6 ospf 1219 abr type 1221 max current dd 1222 router id 1223 timers spf 1224 area default cost 1224 area range 1225 default metric 1226 redistribute 1227 area stub 1228 area virtual link 1229 ipv6 router ospf area 1231 ipv6 router ospf tag area 1232 ipv6 ospf cost 1233 ipv6 ospf dead interval 1234 ipv6 ospf hello interval 1235 ...

Page 36: ...ast Routing 1253 IPv4 PIM Commands 1253 router pim 1254 ip pim 1255 ip pim hello holdtime 1256 ip pim hello interval 1257 ip pim join prune holdtime 1257 ip pim lan prune delay 1258 ip pim override interval 1259 ip pim propagation delay 1260 ip pim trigger hello delay 1260 show ip pim interface 1261 show ip pim neighbor 1262 ip pim graft retry interval 1262 ip pim max graft retries 1263 ip pim sta...

Page 37: ... ipv6 pim max graft retries 1281 ipv6 pim override interval 1281 ipv6 pim propagation delay 1282 ipv6 pim state refresh origination interval 1283 ipv6 pim trigger hello delay 1284 show ipv6 pim interface 1284 show ipv6 pim neighbor 1285 SECTION IV APPENDICES 1287 A SOFTWARE SPECIFICATIONS 1289 Software Features 1289 Management Features 1290 Standards 1291 Management Information Bases 1292 B TROUBL...

Page 38: ...CONTENTS 38 ES 4500G Series ...

Page 39: ...ng the Time Zone 121 Figure 15 Console Port Settings 123 Figure 16 Telnet Connection Settings 125 Figure 17 Displaying CPU Utilization 126 Figure 18 Displaying Memory Utilization 127 Figure 19 Renumbering the Stack 127 Figure 20 Restarting the Switch Immediately 129 Figure 21 Restarting the Switch In 130 Figure 22 Restarting the Switch At 130 Figure 23 Restarting the Switch Regularly 130 Figure 24...

Page 40: ... Figure 47 Displaying LACP Port Remote Information 156 Figure 48 Sampling Traffic Flows 158 Figure 49 Enabling Traffic Segmentation 159 Figure 50 Configuring Members for Traffic Segmentation 160 Figure 51 Configuring VLAN Trunking 161 Figure 52 Configuring VLAN Trunking 162 Figure 53 VLAN Compliant and VLAN Non compliant Devices 164 Figure 54 Using GVRP 166 Figure 55 Creating Static VLANs 167 Figu...

Page 41: ...ying the Dynamic MAC Address Table 202 Figure 86 Clearing Entries in the Dynamic MAC Address Table 203 Figure 87 STP Root Ports and Designated Ports 206 Figure 88 MSTP Region Internal Spanning Tree Multiple Spanning Tree 207 Figure 89 Common Internal Spanning Tree Common Spanning Tree Internal Spanning Tree 207 Figure 90 Configuring Port Loopback Detection 209 Figure 91 Configuring Global Settings...

Page 42: ...wing the Rules for a Class Map 249 Figure 121 Configuring a Policy Map 256 Figure 122 Showing Policy Maps 257 Figure 123 Adding Rules to a Policy Map 258 Figure 124 Showing the Rules for a Policy Map 258 Figure 125 Attaching a Policy Map to a Port 259 Figure 126 Configuring a Voice VLAN 262 Figure 127 Configuring an OUI Telephony List 264 Figure 128 Showing an OUI Telephony List 264 Figure 129 Con...

Page 43: ... 293 Figure 154 Configuring a MAC Address Filter for Network Access 294 Figure 155 Showing the MAC Address Filter Table for Network Access 295 Figure 156 Showing Addresses Authenticated for Network Access 296 Figure 157 Configuring HTTPS 298 Figure 158 Downloading the Secure Site Certificate 299 Figure 159 Configuring the SSH Server 303 Figure 160 Generating the SSH Host Key Pair 305 Figure 161 Sh...

Page 44: ...ing Static Bindings for IP Source Guard 350 Figure 193 Showing the IP Source Guard Binding Table 351 Figure 194 Configuring Global Settings for DHCP Snooping 355 Figure 195 Configuring DHCP Snooping on a VLAN 356 Figure 196 Configuring the Port Mode for DHCP Snooping 357 Figure 197 Displaying the Binding Table for DHCP Snooping 358 Figure 198 Configuring Settings for System Memory Logs 361 Figure ...

Page 45: ...igure 229 Showing Trap Managers 401 Figure 230 Configuring an RMON Alarm 404 Figure 231 Showing Configured RMON Alarms 404 Figure 232 Configuring an RMON Event 406 Figure 233 Showing Configured RMON Events 407 Figure 234 Configuring an RMON History Sample 408 Figure 235 Showing Configured RMON History Samples 409 Figure 236 Showing Collected RMON History Samples 409 Figure 237 Configuring an RMON ...

Page 46: ... Figure 263 Showing Static IGMP Groups 444 Figure 264 Displaying Multicast Groups Learned from IGMP Information 447 Figure 265 Displaying Multicast Groups Learned from IGMP Detail 447 Figure 266 MVR Concept 448 Figure 267 Configuring Global Settings for MVR 450 Figure 268 Configuring the Group Range for MVR 451 Figure 269 Showing the Configured Group Range for MVR 451 Figure 270 Configuring Interf...

Page 47: ...s 497 Figure 302 Several Virtual Master Routers Configured for Mutual Backup and Load Sharing 498 Figure 303 Configuring the VRRP Group ID 502 Figure 304 Showing Configured VRRP Groups 502 Figure 305 Setting the Virtual Router Address for a VRRP Group 503 Figure 306 Showing the Virtual Addresses Assigned to VRRP Groups 503 Figure 307 Configuring Detailed Settings for a VRRP Group 504 Figure 308 Sh...

Page 48: ...figuring General Settings for RIP 534 Figure 336 Clearing Entries from the Routing Table 535 Figure 337 Adding Network Interfaces to RIP 536 Figure 338 Showing Network Interfaces Using RIP 537 Figure 339 Specifying a Passive RIP Interface 538 Figure 340 Showing Passive RIP Interfaces 538 Figure 341 Specifying a Static RIP Neighbor 539 Figure 342 Showing Static RIP Neighbors 539 Figure 343 Redistri...

Page 49: ...marizing External Routes 570 Figure 374 Showing Summary Addresses for External Routes 571 Figure 375 Configuring Settings for All Interfaces Assigned to a VLAN 575 Figure 376 Configuring Settings for a Specific Area Assigned to a VLAN 576 Figure 377 Showing OSPF Interfaces 576 Figure 378 Showing MD5 Authentication Keys 577 Figure 379 OSPF Virtual Link 577 Figure 380 Adding a Virtual Link 578 Figur...

Page 50: ...97 Configuring an RP Candidate 605 Figure 398 Showing Settings for an RP Candidate 605 Figure 399 Showing Information About the BSR 607 Figure 400 Showing RP Mapping 608 Figure 401 Enabling PIMv6 Multicast Routing 608 Figure 402 Configuring PIMv6 Interface Settings Dense Mode 612 Figure 403 Showing PIMv6 Neighbors 613 Figure 404 Storm Control by Limiting the Traffic Rate 872 Figure 405 Storm Contr...

Page 51: ...ty Values 240 Table 14 Usage of ToS Bits 241 Table 15 Dynamic QoS Profiles 288 Table 16 HTTPS System Support 297 Table 17 ARP Inspection Statistics 332 Table 18 ARP Inspection Log 333 Table 19 802 1X Statistics 345 Table 20 Logging Levels 360 Table 21 Chassis ID Subtype 369 Table 22 System Capabilities 370 Table 23 Port ID Subtype 372 Table 24 Remote Port Auto Negotiation Advertised Capability 373...

Page 52: ...g Commands 664 Table 48 Logging Levels 665 Table 49 show logging flash ram display description 670 Table 50 show logging trap display description 670 Table 51 Event Logging Commands 671 Table 52 Time Commands 674 Table 53 Time Range Commands 679 Table 54 SNMP Commands 683 Table 55 show snmp engine id display description 695 Table 56 show snmp group display description 697 Table 57 show snmp user d...

Page 53: ... Control List Commands 813 Table 84 IPv4 ACL Commands 813 Table 85 IPv4 ACL Commands 820 Table 86 MAC ACL Commands 826 Table 87 ARP ACL Commands 831 Table 88 ACL Information Commands 834 Table 89 Interface Commands 835 Table 90 show interfaces switchport display description 849 Table 91 Link Aggregation Commands 855 Table 92 show lacp counters display description 862 Table 93 show lacp internal di...

Page 54: ...66 Table 120 Mapping IP DSCP to CoS Values 968 Table 121 Mapping IP Precedence to CoS Values 970 Table 122 Quality of Service Commands 973 Table 123 Multicast Filtering Commands 989 Table 124 IGMP Snooping Commands 990 Table 125 Static Multicast Interface Commands 1008 Table 126 IGMP Filtering and Throttling Commands 1009 Table 127 Multicast VLAN Registration Commands 1019 Table 128 show mvr displ...

Page 55: ...58 show ipv6 traffic display description 1142 Table 159 IPv6 to IPv4 Tunnelling Commands 1143 Table 160 IP Routing Commands 1151 Table 161 Global Routing Configuration Commands 1151 Table 162 Routing Information Protocol Commands 1159 Table 163 Open Shortest Path First Commands 1177 Table 164 show ip ospf display description 1205 Table 165 show ip ospf database display description 1208 Table 166 s...

Page 56: ... mroute display description 1247 Table 184 show ip mroute display description 1250 Table 185 Static Multicast Routing Commands 1251 Table 186 IPv4 and IPv6 PIM Commands 1253 Table 187 PIM DM and PIM SM Multicast Routing Commands 1253 Table 188 show ip pim neighbor display description 1262 Table 189 show ip pim bsr router display description 1274 Table 190 show ip pim rp mapping display description...

Page 57: ...s an overview of the switch and introduces some basic concepts about network switches It also describes the basic settings required to access the management interface This section includes these chapters Introduction on page 59 Initial Switch Configuration on page 71 ...

Page 58: ...SECTION I Getting Started 58 ES 4500G Series ...

Page 59: ...b user name password RADIUS TACACS Port IEEE 802 1X MAC address filtering SNMP v1 2c Community strings SNMP version 3 MD5 or SHA password Telnet SSH Web HTTPS General Security Measures AAA ARP inspection DHCP Snooping with Option 82 relay information IP Source Guard Private VLANs Port Authentication IEEE 802 1X Port Security MAC address filtering Access Control Lists Supports up to 256 ACLs 96 MAC...

Page 60: ...l LANs Up to 256 using IEEE 802 1Q port based protocol based private VLANs voice VLANs and QinQ tunnel Traffic Prioritization Default port priority traffic class map queue scheduling IP Precedence or Differentiated Services Code Point DSCP and TCP UDP Port Qualify of Service Supports Differentiated Services DiffServ Link Layer Discovery Protocol Used to discover basic information about neighboring...

Page 61: ...thentication server i e RADIUS or TACACS Port based authentication is also supported via the IEEE 802 1X protocol This protocol uses Extensible Authentication Protocol over LANs EAPOL to request user credentials from the 802 1X client and then uses the EAP between the switch and the authentication server to verify the client s right to access the network via an authentication server i e RADIUS or ...

Page 62: ...connection integrity PORT TRUNKING Ports can be combined into an aggregate connection Trunks can be manually set up or dynamically configured using Link Aggregation Control Protocol LACP IEEE 802 3 2005 The additional ports dramatically increase the throughput across any connection and provide redundancy by taking over the load if a port in the trunk should fail The switch supports up to 13 25 tru...

Page 63: ... This protocol provides loop detection When there are multiple physical paths between segments this protocol will choose a single path and disable all others to ensure that only one route exists between any two stations on the network This prevents the creation of network loops However if the chosen path should fail for any reason an alternate path will be activated to maintain the connection Rapi...

Page 64: ...rotocol VLANs to restrict traffic to specified interfaces based on protocol type IEEE 802 1Q TUNNELING QINQ This feature is designed for service providers carrying traffic for multiple customers across their networks QinQ tunneling is used to maintain customer specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs This is accomplished by inse...

Page 65: ...outed between any IP interfaces configured on the switch Routing to statically configured hosts or subnet addresses is provided based on next hop entries specified in the static routing table RIP This protocol uses a distance vector approach to routing Routes are determined on the basis of minimizing the distance vector or hop count which serves as a rough estimate of transmission cost OSPF This a...

Page 66: ...mote destination via the switch which uses its own routing table to reach the destination on the other network MULTICAST FILTERING Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfere with normal network traffic and to guarantee real time delivery by setting the required priority level for the designated VLAN The switch uses IGMP Snooping and Query at Lay...

Page 67: ...ures Privileged Exec Level Username admin Password admin Normal Exec Level Username guest Password guest Enable Privileged Exec from Normal Exec Level Password super RADIUS Authentication Disabled TACACS Authentication Disabled 802 1X Port Authentication Disabled MAC Authentication Disabled HTTPS Enabled SSH Disabled Port Security Disabled IP Filtering Disabled DHCP Snooping Disabled Web Managemen...

Page 68: ...ults RSTP standard Edge Ports Enabled LLDP Status Enabled Virtual LANs Default VLAN 1 PVID 1 Acceptable Frame Type All Ingress Filtering Disabled Switchport Mode Egress Mode Hybrid tagged untagged frames GVRP global Disabled GVRP port interface Disabled QinQ Tunneling Disabled Traffic Prioritization Ingress Port Priority 0 Queue Mode WRR Weighted Round Robin Queue 0 1 2 3 4 5 6 7 Weight 1 2 4 6 8 ...

Page 69: ... Disabled Unicast Routing RIP Disabled OSPFv2 Disabled OSPFv3 Disabled Router Redundancy VRRP Disabled Multicast Filtering IGMP Snooping Layer 2 Snooping Enabled Querier Disabled Multicast VLAN Registration Disabled IGMP Layer 3 IGMP Proxy Layer 3 Disabled Disabled System Log Status Enabled Messages Logged Levels 0 7 all Messages Logged to Flash Levels 0 3 SMTP Email Alerts Event Handler Enabled b...

Page 70: ...CHAPTER 1 Introduction System Defaults 70 ES 4500G Series ...

Page 71: ... using a standard web browser such as Internet Explorer 5 x or above Netscape 6 2 or above and Mozilla Firefox 2 0 0 0 or above The switch s web management interface can be accessed from any computer attached to the network The CLI program can be accessed by a direct connection to the RS 232 serial console port on the switch or remotely by a Telnet connection over the network The switch s manageme...

Page 72: ...s an RS 232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch A null modem console cable is provided with the switch Attach a VT100 compatible terminal or a PC running a terminal emulation program to the switch You can use the console cable provided with this package or use a null modem cable that complies with the wiring assignments shown in the I...

Page 73: ...switch supports four Telnet sessions or four SSH sessions NOTE Any VLAN group can be assigned an IP interface address page 75 for managing the switch After configuring the switch s IP parameters you can access the onboard configuration program from anywhere within the attached network The onboard configuration program can be accessed using Telnet from any computer attached to the network The switc...

Page 74: ...fine new passwords for both default user names using the username command record them and put them in a safe place Passwords can consist of up to 8 alphanumeric characters and are case sensitive To prevent unauthorized access to the switch set the passwords as follows 1 Open the console interface with the default user name and password admin to access the Privileged Exec level 2 Type configure and...

Page 75: ...n IPv6 Address on page 76 MANUAL CONFIGURATION You can manually assign an IP address to the switch You may also need to specify a default gateway that resides between this device and management stations that exist on another network segment Valid IPv4 addresses consist of four decimal numbers 0 to 255 separated by periods Anything outside this format will not be accepted by the CLI program NOTE An...

Page 76: ...IP Address IP Version 6 on page 461 Link Local Address All link local addresses must be configured with a prefix of FE80 Remember that this address type makes the switch accessible over IPv6 for all devices attached to the same local subnet only Also if the switch detects that the address you configured conflicts with that in use by another device on the subnet it will stop using the address in qu...

Page 77: ... 8 or 73 8 To generate an IPv6 global unicast address for the switch complete the following steps 1 From the global configuration mode prompt type interface vlan 1 to access the interface configuration mode Press Enter 2 From the interface prompt type ipv6 address ipv6 address or ipv6 address ipv6 address prefix length where prefix length indicates the address bits used to form the network portion...

Page 78: ...dcasting service requests Note that the ip dhcp restart client command can also be used to start broadcasting service requests for all VLANs configured to obtain address assignments through BOOTP or DHCP It may be necessary to use this command when DHCP is configured on a VLAN and the member ports which were previously shut down are now enabled If the bootp or dhcp option is saved to the startup c...

Page 79: ...dress type makes the switch accessible over IPv6 for all devices attached to the same local subnet To generate an IPv6 link local address for the switch complete the following steps 1 From the Global Configuration mode prompt type interface vlan 1 to access the interface configuration mode Press Enter 2 Type ipv6 enable and press Enter Console config interface vlan 1 Console config if ipv6 enable ...

Page 80: ...sion 1 or 2c community strings that suit your specific security requirements see Setting SNMPv3 Views on page 384 COMMUNITY STRINGS FOR SNMP VERSION 1 AND 2C CLIENTS Community strings are used to control management access to SNMP version 1 and 2c stations as well as to authorize SNMP stations to receive trap messages from the switch You therefore need to assign community strings to specified users...

Page 81: ...example creates a trap host for each type of SNMP client Console config snmp server host 10 1 19 23 batman Console config snmp server host 10 1 19 98 robin version 2c Console config snmp server host 10 1 19 34 barbie version 3 auth Console config CONFIGURING ACCESS FOR SNMP VERSION 3 CLIENTS To configure management access for SNMPv3 clients you need to first create a view that defines the portions...

Page 82: ...ifier MAC address for each unit The configuration settings from the factory defaults configuration file are copied to this file which is then used to boot the switch See Saving or Restoring Configuration Settings on page 83 for more information Operation Code System software that is executed after boot up also known as run time code This code runs the switch operations and provides the CLI and web...

Page 83: ...To select a previously saved configuration file use the boot system config filename command The maximum number of saved configuration files depends on available flash memory The amount of available flash memory can be checked by using the dir command To save the current configuration settings enter the following command 1 From the Privileged Exec mode prompt type copy running config startup config...

Page 84: ...CHAPTER 2 Initial Switch Configuration Managing System Files 84 ES 4500G Series Success Console ...

Page 85: ...agement Tasks on page 107 Interface Configuration on page 131 VLAN Configuration on page 163 Address Table Settings on page 197 Spanning Tree Algorithm on page 205 Rate Limit Configuration on page 229 Storm Control Configuration on page 231 Class of Service on page 233 Quality of Service on page 245 VoIP Traffic Configuration on page 261 Security Measures on page 267 Basic Administration Protocols...

Page 86: ...SECTION I Web Configuration 86 ES 4500G Series Multicast Filtering on page 413 ...

Page 87: ...default gateway using an out of band serial connection BOOTP or DHCP protocol See Setting an IP Address on page 75 2 Set user names and passwords using an out of band serial connection Access to the web agent is controlled by the same user names and passwords as the onboard configuration program See Setting Passwords on page 74 3 After you enter a user name and password you will have access to the...

Page 88: ... PAGE When your web browser connects with the switch s web agent the home page is displayed as shown below The home page displays the Main Menu on the left side of the screen and System Information on the right side The Main Menu links are used to navigate to other menus and display configuration parameters and statistics Figure 1 Home Page NOTE This manual covers the ES 4526G and ES 4550G Gigabit...

Page 89: ...or item Check for newer versions of stored pages should be Every visit to the page PANEL DISPLAY The web agent displays an image of the switch s ports The Mode can be set to display different information for the ports including Active i e up or down Duplex i e half or full duplex or Flow Control i e with or without flow control Figure 2 Front Panel Indicators Table 3 Web Page Configuration Buttons...

Page 90: ...ts the current time 118 SNTP Configures SNTP polling interval 119 Configure Time Server Configures a list of SNTP servers 120 Configure Time Zone Sets the local time zone for the system clock 121 Console Sets console port connection parameters 122 Telnet Sets Telnet connection parameters 124 CPU Utilization Displays information on CPU utilization 125 Memory Status Shows memory utilization paramete...

Page 91: ...rtner Configures parameters for link aggregation group members on the remote side 147 Show Information Counters Displays statistics for LACP protocol messages 152 Internal Displays configuration settings and operational state for the local side of a link aggregation 154 Neighbors Displays configuration settings and operational state for the remote side of a link aggregation 155 Configure Trunk Con...

Page 92: ...es primary or community VLANs 176 Show Display configured primary and community VLANs 176 Add Community VLAN Associates a community VLAN with a primary VLAN 178 Show Community VLAN Shows the community VLANs associated with a primary VLAN 178 Configure Interface Sets the private VLAN interface type and associates the interfaces with a private VLAN 179 Tunnel IEEE 802 1Q QinQ Tunneling 181 Configure...

Page 93: ...TP 209 Show Information Displays STA values used for the bridge 214 Configure Interface Configure Configures interface settings for STA 215 Show Informaton Displays interface settings for STA 219 MSTP Multiple Spanning Tree Algorithm Configure Global Add Configures initial VLAN and priority for an MST instance 222 Show Configures global settings for an MST instance 222 Modify Modify priority for a...

Page 94: ...map to apply to multiple interfaces 249 Show Shows configured policy maps 249 Modify Modifies the name of a policy map 249 Add Rule Sets the boundary parameters used for monitoring inbound traffic and the action to take for conforming and non conforming traffic 249 Show Rule Shows the rules used to enforce bandwidth policing for a policy map 249 Configure Interface Applies a policy map to an ingre...

Page 95: ...dd Configures authorization for various service types 280 Show Shows the authorization settings used for various service types 280 Configure Service Sets the authorization method applied used for the console port and for Telnet 280 Show Information Shows the configured authorization methods and the methods applied to specific interfaces 280 User Accounts 283 Add Configures user names passwords and...

Page 96: ...ys RSA and DSA user keys deletes user keys 305 ACL Access Control Lists 307 Configure Time Range Configures the time to apply an ACL 308 Add Specifies the name of a time range 308 Show Shows the name of configured time ranges 308 Add Rule 308 Absolute Sets exact time or time range 308 Periodic Sets a recurrent time 308 Show Rule Shows the time specified by a rule 308 Configure ACL 312 Show TCAM Sh...

Page 97: ...oping table 346 Port Configuration Enables IP source guard and selects filter type per port 346 Static Binding 348 Add Adds a static addresses to the source guard binding table 348 Show Shows static addresses in the source guard binding table 348 Dynamic Binding Displays the source guard binding table for a selected interface 350 Administration 359 Log 359 System 359 Configure Global Stores error ...

Page 98: ...e selected view 384 Show OID Subtree Shows the subtrees assigned to each view 384 Configure Group 387 Add Adds a group with access policies for assigned users 387 Show Shows configured groups and access policies 387 Configure User 390 Add Community Configures community strings and access mode 390 Show Community Shows community strings and access mode 390 Add SNMPv3 Local User Configures SNMPv3 use...

Page 99: ...Ping Sends ICMP echo request packets to another node on the network 483 Trace Route Shows the route packets take to the specified destination 484 ARP Address Resolution Protocol 485 Configure General Sets the protocol timeout and enables or disables proxy ARP for the specified VLAN 486 Configure Static Address 488 Add Statically maps a physical address to an IP address 488 Show Shows the MAC to IP...

Page 100: ...e Configures IPv6 interface address using auto configuration or link local address and sets related protocol settings 462 Add IPv6 Address Adds an global unicast EUI 64 or link local IPv6 address to an interface 465 Show IPv6 Address Show the IPv6 addresses assigned to an interface 468 Show IPv6 Neighbor Cache Displays information in the IPv6 neighbor discovery cache 469 Show Statistics 471 IPv6 S...

Page 101: ...ormation Displays the DHCP Snooping binding information 357 Server 516 Configure Global Enables DHCP service on this switch 516 Configure Excluded Address 517 Add Adds excluded addresses 517 Show Shows excluded addresses 517 Configure Pool 518 Add 518 Network Add address pool for network groups 518 Host Add address entry for specified host 518 Show Shows DHCP pool list 518 Modify Modifies the spec...

Page 102: ...ttings per VLAN interface 425 Configure Port Configures the interface to drop IGMP query packets or all multicast data packets 430 Configure Trunk Configures the interface to drop IGMP query packets or all multicast data packets 430 Forwarding Entry Displays the current multicast groups learned through IGMP Snooping 431 Filter 432 Configure General Enables IGMP filtering for the switch 432 Configu...

Page 103: ...onfigure Static Group Member 454 Add Statically assigns MVR multicast streams to an interface 454 Show Show MVR multicast streams statically assigned to an interface 454 Show Member Shows information about the interfaces associated with multicast groups assigned to the MVR VLAN 455 Routing Protocol RIP Routing Information Protocol 530 General 531 Configure Enables or disables RIP sets the global R...

Page 104: ...ages 546 Show Peer Information Displays information on neighboring RIP routers 547 Reset Statistics Clears statistics for RIP protocol messages 548 OSPF Open Shortest Path First Version 2 548 Network Area 550 Add Defines OSPF area address area ID and process ID 550 Show Shows configured areas 550 Show Process Show configured processes 550 System 553 Configure Configures the Router ID global settin...

Page 105: ...or each area 571 Virtual Link 577 Add Configures a virtual link through a transit area to the backbone 577 Show Shows virtual links neighbor address and state 577 Configure Detailed Settings Configures detailed protocol and authentication settings 577 Show MD5 Key Shows the MD5 key ID used for each neighbor 577 Information LSDB Shows information about different OSPF Link State Advertisements LSAs ...

Page 106: ...ertising itself as an RP candidate to the BSR 603 Show Information Show BSR Router Displays information about the BSR 605 Show RP Mapping Displays the active RPs and associated multicast routing entries 607 PIM6 PIM for IPv6 General Enables PIM globally for the switch 608 Interface Enables PIM per interface and sets the mode to dense or sparse 609 Neighbor Displays information neighboring PIM rout...

Page 107: ...les Setting the System Clock Sets the current time manually or through specified SNTP servers Console Port Settings Sets console port connection parameters Telnet Settings Sets Telnet connection parameters Displaying CPU Utilization Displays information on CPU utilization Displaying Memory Utilization Shows memory utilization parameters Renumbering the Stack Renumbers the units in the stack Resett...

Page 108: ...network management subsystem System Up Time Length of time the management agent has been up System Name Name assigned to the switch system System Location Specifies the system location System Contact Administrator responsible for the system WEB INTERFACE To configure general system information 1 Click System General 2 Specify the system name location and contact information for the system administ...

Page 109: ...ion of the main board Internal Power Status Displays the status of the internal power supply Management Software Information Role Shows that this switch is operating as Master or Slave EPLD Version Version number of EEPROM Programmable Logic Device Loader Version Version number of loader code Diagnostics Code Version Version of Power On Self Test POST and boot code Operation Code Version Version n...

Page 110: ...required to process protocol encapsulation fields CLI REFERENCES jumbo frame on page 646 switchport mtu on page 843 USAGE GUIDELINES To use jumbo frames both the source and destination end nodes such as a computer or server must support this feature Also when the connection is operating at full duplex all switches in the network between the two end nodes must be able to accept the extended frame s...

Page 111: ... LANs You can access these extensions to display default settings for the key variables CLI REFERENCES GVRP and Bridge Extension Commands on page 918 PARAMETERS The following parameters are displayed in the web interface Extended Multicast Filtering Services This switch does not support the filtering of individual multicast addresses based on GMRP GARP Multicast Registration Protocol Traffic Class...

Page 112: ...d egress status VLAN Tagged or Untagged on each port Refer to VLAN Configuration on page 163 Max Supported VLAN Numbers The maximum number of VLANs supported on this switch Max Supported VLAN ID The maximum configurable VLAN identifier supported on this switch GMRP GARP Multicast Registration Protocol GMRP allows network devices to register end stations with multicast groups This switch does not s...

Page 113: ...up file CLI REFERENCES copy on page 649 PARAMETERS The following parameters are displayed in the web interface Copy Type The firmware copy operation includes these options FTP Upgrade Copies a file from an FTP server to the switch FTP Download Copies a file from the switch to an FTP server HTTP Upgrade Copies a file from a management station to the switch HTTP Download Copies a file from the switc...

Page 114: ...EB INTERFACE To copy firmware files 1 Click System then File 2 Select Copy from the Action list 3 Select FTP Upgrade HTTP Upgrade or TFTP Upgrade as the file transfer method 4 If FTP or TFTP Upgrade is used enter the IP address of the file server 5 If FTP Upgrade is used enter the user name and password for your account on the FTP server 6 Set the file type to Operation Code 7 Enter the name of th...

Page 115: ...his option Running Config Copies the current configuration settings to a local file on the switch Destination File Name Copy to the currently designated startup file or to a new file The file name should not contain slashes or the leading letter of the file name should not be a period and the maximum length for file names is 31 characters for files on the switch Valid characters A Z a z 0 9 _ NOTE...

Page 116: ... the firmware or configuration file to use for system initialization CLI REFERENCES whichboot on page 654 boot system on page 648 WEB INTERFACE To set a file to use for system initialization 1 Click System then File 2 Select Set Start Up from the Action list 3 Mark the operation code or configuration file to be used at startup 4 Then click Apply Figure 9 Setting Start Up Files To start using the n...

Page 117: ...laying System Files SETTING THE SYSTEM CLOCK Simple Network Time Protocol SNTP allows the switch to set its internal clock based on periodic updates from a time server SNTP or NTP Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries You can also manually set the clock If the clock is not set manually or via SNTP the switch will on...

Page 118: ...ent time set on the switch Hours Sets the hour Range 0 23 Default 0 Minutes Sets the minute value Range 0 59 Default 0 Seconds Sets the second value Range 0 59 Default 0 Month Sets the month Range 1 12 Default 1 Day Sets the day of the month Range 1 31 Default 1 Year Sets the year Range 2001 2100 Default 2009 WEB INTERFACE To manually set the system clock 1 Click System then Time 2 Select Configur...

Page 119: ...s are displayed in the web interface Current Time Shows the current time set on the switch SNTP Polling Interval Sets the interval between sending requests for a time update from a time server Range 16 16384 seconds Default 16 seconds WEB INTERFACE To set the polling interval for SNTP 1 Click System then Time 2 Select Configure General from the Action list 3 Select SNTP from the Maintain Type list...

Page 120: ...ameters are displayed in the web interface SNTP Server IP Address Sets the IPv4 or IPv6 address for up to three time servers The switch attempts to update the time from the first server if this fails it attempts an update from the next server in the sequence WEB INTERFACE To set the SNTP time servers 1 Click System then Time 2 Select Configure Time Server from the Action list 3 Enter the IP addres...

Page 121: ... of the 80 predefined time zone definitions or your can manually configure the parameters for your local time zone PARAMETERS The following parameters are displayed in the web interface Direction Configures the time zone to be before east of or after west of UTC Name Assigns a name to the time zone Range 1 29 characters Hours 0 13 The number of hours before after UTC The maximum value before UTC i...

Page 122: ...5535 seconds Default 600 seconds Password Threshold Sets the password intrusion threshold which limits the number of failed logon attempts When the logon attempt threshold is reached the system interface becomes silent for a specified amount of time set by the Silent Time parameter before allowing the next logon attempt Range 0 120 Default 3 attempts Quiet Period Sets the amount of time the manage...

Page 123: ...g in to the console connection see login on page 657 You can select authentication by a single global password as configured for the password command or by passwords set up for specific user name accounts The default is for local passwords configured on the switch WEB INTERFACE To configure parameters for the console port 1 Click System then Console 2 Specify the connection parameters as required ...

Page 124: ...pened for Telnet and Secure Shell i e both Telnet and SSH share a maximum number or eight sessions Login Timeout Sets the interval that the system waits for a user to log into the CLI If a login attempt is not detected within the timeout interval the connection is terminated for the session Range 0 300 seconds Default 300 seconds Exec Timeout Sets the interval that the system waits until user inpu...

Page 125: ...rameters for the console port 1 Click System then Telnet 2 Specify the connection parameters as required 3 Click Apply Figure 16 Telnet Connection Settings DISPLAYING CPU UTILIZATION Use the System CPU Utilization page to display information on CPU utilization CLI REFERENCES show process cpu on page 640 PARAMETERS The following parameters are displayed in the web interface Time Interval The interv...

Page 126: ...ING MEMORY UTILIZATION Use the System Memory Status page to display memory utilization parameters CLI REFERENCES show memory on page 640 PARAMETERS The following parameters are displayed in the web interface Free Size The amount of memory currently free for use Used Size The amount of memory allocated to active processes Total The total amount of system memory WEB INTERFACE To display memory utili...

Page 127: ...ND USAGE The startup configuration file maps configuration settings to each switch in the stack based on the unit identification number You should therefore remember to save the current configuration after renumbering the stack For a line topology the stack is numbered from top to bottom with the first unit in the stack designated at unit 1 For a ring topology the Master unit is taken as the top o...

Page 128: ...649 PARAMETERS The following parameters are displayed in the web interface System Reload Configuration Reset Mode Restarts the switch immediately or at the specified time s Immediately Restarts the system immediately In Specifies an interval after which to reload the switch The specified time must be equal to or less than 24 days hours The number of hours combined with the minutes before the switc...

Page 129: ... 59 Period Daily Every day Weekly Day of the week at which to reload Range Sunday Saturday Monthly Day of the month at which to reload Range 1 31 WEB INTERFACE To restart the switch 1 Click System then Reset 2 Select the required rest mode 3 For any option other than to reset immediately fill in the required parameters 4 Click Apply 5 When prompted confirm that you want reset the switch Figure 20 ...

Page 130: ...CHAPTER 4 Basic Management Tasks Resetting the System 130 ES 4500G Series Figure 21 Restarting the Switch In Figure 22 Restarting the Switch At Figure 23 Restarting the Switch Regularly ...

Page 131: ...ation Configures the uplinks and down links to a segmented group of ports VLAN Trunking Configures a tunnel across one or more intermediate switches which pass traffic for VLAN groups to which they do not belong PORT CONFIGURATION This section describes how to configure port connections mirror traffic from one port to another and run cable diagnostics CONFIGURING BY PORT LIST Use the Interface Por...

Page 132: ...ntifier Type Indicates the port type 1000Base T 1000Base SFP or 10G Name Allows you to label an interface Range 1 64 characters Admin Allows you to manually disable an interface You can disable an interface due to abnormal behavior e g excessive collisions and then re enable it after the problem has been resolved You may also disable an interface for security reasons Media Type Configures the forc...

Page 133: ...id using flow control on a port connected to a hub unless it is actually required to solve a problem Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub Default Autonegotiation enabled on Gigabit and 10 Gigabit ports Advertised capabilities for 1000BASE T 10half 10full 100half 100full 1000full 1000Base SX LX LH 1000full 10GBASE SR LR ER 10Gfu...

Page 134: ... advertise or manually fix the speed duplex mode and flow control For more information on command usage and a description of the parameters refer to Configuring by Port List on page 131 CLI REFERENCES Interface Commands on page 835 WEB INTERFACE To configure port connection parameters 1 Click Interface Port General 2 Select Configure by Port Range from the Action List 3 Enter to range of ports to ...

Page 135: ...rt Port identifier Type Indicates the port type 1000Base T 1000Base SFP or 10G Name Interface label Admin Shows if the port is enabled or disabled Oper Status Indicates if the link is Up or Down Media Type Media type used Options 1000Base T RJ 45 Copper Forced SFP Copper Forced SFP Forced or SFP Preferred Auto XFP and 10GBase T SFP Preferred Auto Default 1000Base T RJ 45 Copper Forced SFP SFP Pref...

Page 136: ...RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner Figure 27 Configuring Local Port Mirroring CLI REFERENCES Local Port Mirroring Commands on page 865 COMMAND USAGE Traffic can be mirrored from one or more source ports to one destination port on the same switch Monitor port speed should match or exceed source port speed otherwise traffic...

Page 137: ...0 Type Allows you to select which traffic to mirror to the target port Rx receive Tx transmit or Both Default Rx WEB INTERFACE To configure a local mirror session 1 Click Interface Port Mirror 2 Select Add from the Action List 3 Specify the source port 4 Specify the monitor port 5 Specify the traffic type to be mirrored 6 Click Apply Figure 28 Configuring Local Port Mirroring To display the config...

Page 138: ...nd Statistics are refreshed every 60 seconds by default NOTE RMON groups 2 3 and 9 can only be accessed using SNMP management software CLI REFERENCES show interfaces counters on page 846 PARAMETERS These parameters are displayed in the web interface Table 5 Port Statistics Parameter Description Interface Statistics Received Octets The total number of octets received on the interface including fram...

Page 139: ...e number of successfully transmitted frames for which transmission is inhibited by exactly one collision Multiple Collision Frames A count of successfully transmitted frames for which transmission is inhibited by more than one collision Late Collisions The number of times that a collision is detected later than 512 bit times into the transmission of a packet Excessive Collisions A count of frames ...

Page 140: ...otal number of packets received that were less than 64 octets long excluding framing bits but including FCS octets and were otherwise well formed Oversize Packets The total number of packets received that were longer than 1518 octets excluding framing bits but including FCS octets and were otherwise well formed 64 Bytes Packets The total number of packets including bad packets received and transmi...

Page 141: ...e drop down list 4 Use the Refresh button at the bottom of the page if you need to update the screen Figure 30 Showing Port Statistics Table To show a chart of port statistics 1 Click Interface Port Chart 2 Select the statistics mode to display Interface Etherlike RMON or All 3 If Interface Etherlike RMON statistics mode is chosen select a port from the drop down list If All ports statistics mode ...

Page 142: ... with this test CLI REFERENCES Interface Commands on page 835 COMMAND USAGE Cable diagnostics are performed using Digital Signal Processing DSP test methods DSP analyses the cable by sending a pulsed signal into the cable and then examining the reflection of that pulse Cable diagnostics can only be performed on twisted pair media This cable test is only accurate for cables 7 140 meters long The te...

Page 143: ... are displayed in the web interface Port Switch port identifier Range 1 26 50 Test Result The results include common cable failures as well as the status and approximate distance to a fault or the approximate cable length if no fault is found Accuracy The accuracy of the reported length to a fault The accuracy displays 0 when no problem is found Last Updated Shows the last time this port was teste...

Page 144: ... other ports will be placed in standby mode Should one link in the trunk fail one of the standby ports will automatically be activated to replace it COMMAND USAGE Besides balancing the load across each port in the trunk the other ports provide redundancy by taking over the load if a port in the trunk fails However before making any physical connections between devices use the web interface or CLI ...

Page 145: ...is switch are Cisco EtherChannel compatible To avoid creating a loop in the network be sure you add a static trunk via the configuration interface before connecting the ports and also disconnect the ports before removing a static trunk via the configuration interface PARAMETERS These parameters are displayed in the web interface Trunk ID Trunk identifier Range 1 32 Member The initial trunk member ...

Page 146: ...t 3 Select Add Member from the Action list 4 Select a trunk identifier 5 Set the unit and port for an additional trunk member 6 Click Apply Figure 35 Adding Static Trunks Members To configure connection parameters for a static trunk 1 Click Interface Trunk Static 2 Select Configure General from the Step list 3 Select Configure from the Action list 4 Modify the required interface settings Refer to ...

Page 147: ...formation from the Action list Figure 37 Displaying Connection Parameters for Static Trunks CONFIGURING A DYNAMIC TRUNK Use the Interface Trunk Dynamic Configure Aggregator page to set the administrative key for an aggregation group enable LACP on a port and configure protocol parameters for local and partner ports Figure 38 Configuring Dynamic Trunks CLI REFERENCES Link Aggregation Commands on pa...

Page 148: ...2 the LACP port admin key matches and 3 the LAG admin key matches if configured However if the LAG admin key is set then the port admin key must be set to the same value for a port to be allowed to join that group NOTE If the LACP admin key is not set when a channel group is formed i e it has a null value of 0 the operational value of this key is set to the same value as the port admin key used by...

Page 149: ...LAG during LACP negotiations with other systems Port Priority If a link goes down LACP port priority is used to select a backup link Range 0 65535 Default 32768 NOTE Configuring LACP settings for a port only applies to its administrative state not its operational state and will only take effect the next time an aggregate link is established with that port NOTE Configuring the port partner sets the...

Page 150: ... 3 Select Configure from the Action list 4 Click General 5 Enable LACP on the required ports 6 Click Apply Figure 40 Enabling LACP on a Port To configure LACP parameters for group members 1 Click Interface Trunk Dynamic 2 Select Configure Aggregation Port from the Step list 3 Select Configure from the Action list 4 Click Actor or Partner 5 Configure the required settings 6 Click Apply ...

Page 151: ...e Trunk from the Step List 3 Select Configure from the Action List 4 Modify the required interface settings See Configuring by Port List on page 131 for a description of the interface settings 5 Click Apply Figure 42 Configuring Connection Settings for Dynamic Trunks To show connection parameters for a dynamic trunk 1 Click Interface Trunk Dynamic 2 Select Configure Trunk from the Step List 3 Sele...

Page 152: ...TERS Use the Interface Trunk Dynamic Configure Aggregation Port Show Information Counters page to display statistics for LACP protocol messages CLI REFERENCES show lacp on page 861 PARAMETERS These parameters are displayed in the web interface Table 6 LACP Port Counters Parameter Description LACPDUs Sent Number of valid LACPDUs transmitted from this channel group LACPDUs Received Number of valid L...

Page 153: ...rt list Figure 45 Displaying LACP Port Counters Marker Unknown Pkts Number of frames received that either 1 Carry the Slow Protocols Ethernet Type value but contain an unknown PDU or 2 are addressed to the Slow Protocols group MAC Address but do not carry the Slow Protocols Ethernet Type Marker Illegal Pkts Number of frames that carry the Slow Protocols Ethernet Type value but contain a badly form...

Page 154: ...CPDU information Admin State Oper State Administrative or operational values of the actor s state parameters Expired The actor s receive machine is in the expired state Defaulted The actor s receive machine is using defaulted operational partner information administratively configured for the partner Distributing If false distribution of outgoing frames on this link is disabled i e distribution is...

Page 155: ...ed by the user Partner Oper System ID LAG partner s system ID assigned by the LACP protocol Partner Admin Port Number Current administrative value of the port number for the protocol Partner Partner Oper Port Number Operational port number assigned to this aggregation port by the port s protocol partner Port Admin Priority Current administrative value of the port priority for the protocol partner ...

Page 156: ...ovide network administrators with an accurate detailed and real time overview of the types and levels of traffic present on their network The sFlow Agent samples 1 out of n packets from all data traversing the switch re encapsulates the samples as sFlow data grams and transmits them to the sFlow Collector This sampling occurs at the internal hardware level where all traffic is seen whereas traditi...

Page 157: ...ES Flow Sampling Commands on page 711 PARAMETERS These parameters are displayed in the web interface Port Choose the port to configure Range 1 26 50 Default 1 Status Enables sFlow on the selected port Receiver Owner1 The name of the receiver Range 1 256 characters Default None Receiver IP Address1 IP address of the sFlow Collector Receiver Port1 The UDP port on which the sFlow Collector is listeni...

Page 158: ...efault 1400 bytes Sample Rate The number of packets out of which one sample will be taken Range 256 16777215 packets or 0 to disable sampling Default Disabled WEB INTERFACE To configure flow sampling 1 Click Interface sFlow 2 Set the parameters for flow collector the reset timeout the payload and the sampling rate 3 Click Apply Figure 48 Sampling Traffic Flows ...

Page 159: ...wnlink ports is only forwarded to and from uplink ports ENABLING TRAFFIC SEGMENTATION Use the Interface Traffic Segmentation Configure Global page to enable traffic segmentation CLI REFERENCES Configuring Port based Traffic Segmentation on page 938 PARAMETERS These parameters are displayed in the web interface Status Enables port based traffic segmentation Default Disabled WEB INTERFACE To enable ...

Page 160: ...uring Port based Traffic Segmentation on page 938 PARAMETERS These parameters are displayed in the web interface Interface Displays a list of ports or trunks Port Port Identifier Range 1 26 50 Trunk Trunk Identifier Range 1 32 Direction Adds an interface to the segmented group by setting the direction to uplink or downlink Default None WEB INTERFACE To configure the members of the traffic segmenta...

Page 161: ...roup tags However by enabling VLAN trunking on the intermediate switch ports along the path connecting VLANs 1 and 2 you only need to create these VLAN groups in switches A and B Switches C D and E automatically allow frames with VLAN group tags 1 and 2 groups that are unknown to those switches to pass through their VLAN trunking ports To prevent loops from forming in the spanning tree all unknown...

Page 162: ...ables VLAN trunking on the selected interface WEB INTERFACE To enable VLAN trunking on a port or trunk 1 Click Interface VLAN Trunking 2 Click Port or Trunk to specify the interface type 3 Enable VLAN trunking on any of the Gigibit ports or on a trunk containing Gigabit ports 4 Click Apply Figure 52 Configuring VLAN Trunking ...

Page 163: ... to VLAN mapping table IEEE 802 1Q VLANS In large networks routers are used to isolate broadcast traffic for each subnet into separate domains This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains VLANs confine broadcast traffic to the originating group and can eliminate broadcast storms in large networks This also p...

Page 164: ...ned to VLAN 1 as untagged ports Add a port as a tagged port if you want it to carry traffic for one or more VLANs and any intermediate network devices or the host at the other end of the connection supports VLANs Then assign ports on the other VLAN aware network devices along the path that will carry this traffic to the same VLAN s either manually or dynamically using GVRP However if you want a po...

Page 165: ...tion should be assigned If an end station or its network adapter supports the IEEE 802 1Q VLAN protocol it can be configured to broadcast a message to your network indicating the VLAN groups it wants to join When this switch receives these messages it will automatically place the receiving port in the specified VLANs and then forward the message to all other ports When the message arrives at anoth...

Page 166: ...ing the destination host the switch must first strip off the VLAN tag before forwarding the frame When the switch receives a tagged frame it will pass this frame onto the VLAN s indicated by the frame tag However when this switch receives an untagged frame from a VLAN unaware device it first decides where to forward the frame and then inserts a VLAN tag reflecting the ingress port s default VID CO...

Page 167: ...LAN ID ID of configured VLAN VLAN Name Name of the VLAN Status Operational status of configured VLAN WEB INTERFACE To create VLAN groups 1 Click VLAN Static 2 Select Add from the Action list 3 Enter a VLAN ID or range of IDs 4 Mark Enable to configure the VLAN as operational 5 Click Apply Figure 55 Creating Static VLANs ...

Page 168: ...tion settings for VLAN groups 1 Click VLAN Static 2 Select Show from the Action list Figure 57 Showing Static VLANs ADDING STATIC MEMBERS TO VLANS Use the VLAN Static page to configure port members for the selected VLAN index interface or a range of interfaces Use the menus for editing port members to configure the VLAN behavior for specific interfaces including the mode of operation Hybrid or 1Q ...

Page 169: ...ink between two switches so the port transmits tagged frames that identify the source VLAN Note that frames belonging to the port s default VLAN i e associated with the PVID are also transmitted as tagged frames PVID VLAN ID assigned to untagged frames received on the interface Default 1 If an interface is not a member of VLAN 1 and you assign its PVID to this VLAN the interface will automatically...

Page 170: ...of the VLAN All packets transmitted by the port will be untagged that is not carry a tag and therefore not carry VLAN or CoS information Note that an interface must be assigned to at least one group as an untagged port Forbidden Interface is forbidden from automatically joining the VLAN via GVRP For more information see Automatic VLAN Registration on page 165 None Interface is not a member of the ...

Page 171: ... Member by VLAN from the Step list 3 Set the Interface type to display as Port or Trunk 4 Modify the settings for any interface as required Remember that Membership Type cannot be changed until an interface has been added to another VLAN and the PVID changed to anything other than 1 5 Click Apply Figure 58 Configuring Static Members by VLAN Index To configure static members by interface 1 Click VL...

Page 172: ...ge from the Step list 3 Set the Interface type to display as Port or Trunk 4 Enter an interface range 5 Modify the VLAN parameters as required Remember that the PVID acceptable frame type and ingress filtering parameters for each interface within the specified range must be configured on either the Edit Member by VLAN or Edit Member by Interface page 6 Click Apply Figure 60 Configuring Static VLAN...

Page 173: ... 32 GVRP Status Enables disables GVRP for the interface GVRP must be globally enabled for the switch before this setting can take effect using the Configure General page When disabled any GVRP packets received on this port will be discarded and no GVRP registrations will be propagated from other ports Default Disabled GVRP Timers Timer settings must follow this rule 2 x join timer leave timer leav...

Page 174: ... this switch has joined through GVRP Interface Displays a list of ports or trunks which have joined the selected VLAN through GVRP WEB INTERFACE To configure GVRP on the switch 1 Click VLAN Dynamic 2 Select Configure General from the Step list 3 Enable or disable GVRP 4 Click Apply Figure 61 Configuring Global Status of GVRP To configure GVRP status and timers on a port or trunk 1 Click VLAN Dynam...

Page 175: ...Click VLAN Dynamic 2 Select Show Dynamic VLAN from the Step list 3 Select Show VLAN from the Action list Figure 63 Showing Dynamic VLANs Registered on the Switch To show the members of a dynamic VLAN 1 Click VLAN Dynamic 2 Select Show Dynamic VLAN from the Step list 3 Select Show VLAN Members from the Action list Figure 64 Showing the Members of a Dynamic VLAN ...

Page 176: ...VLANs and normal VLANs can exist simultaneously within the same switch To configure primary secondary associated groups follow these steps 1 Use the Configure VLAN Add page to designate one or more community VLANs and the primary VLAN that will channel traffic outside of the VLAN groups 2 Use the Configure VLAN Add Community VLAN page to map a community VLAN to the primary VLAN 3 Use the Configure...

Page 177: ...ure VLAN from the Step list 3 Select Add from the Action list 4 Enter the VLAN ID to assign to the private VLAN 5 Select Primary or Community from the Type list 6 Click Apply Figure 65 Configuring Private VLANs To display a list of private VLANs 1 Click VLAN Private 2 Select Configure VLAN from the Step list 3 Select Show from the Action list Figure 66 Showing Private VLANs NOTE All member ports m...

Page 178: ...ciate a community VLAN with a primary VLAN 1 Click VLAN Private 2 Select Configure VLAN from the Step list 3 Select Add Community VLAN from the Action list 4 Select an entry from the Primary VLAN list 5 Select an entry from the Community VLAN list to associate it with the selected primary VLAN Note that a community VLAN can only be associated with one primary VLAN 6 Click Apply Figure 67 Associati...

Page 179: ... Port Trunk Mode Sets the private VLAN port types Normal The port is not assigned to a private VLAN Host The port is a community port A community port can communicate with other ports in its own community VLAN and with designated promiscuous port s Promiscuous A promiscuous port can communicate with all interfaces within a private VLAN Primary VLAN Conveys traffic between promiscuous ports and bet...

Page 180: ...gure Interface from the Step list 3 Set the Interface type to display as Port or Trunk 4 Set the Port Mode to Promiscuous 5 For an interface set the Promiscuous mode select an entry from the Primary VLAN list 6 For an interface set the Host mode select an entry from the Community VLAN list 7 Click Apply Figure 69 Configuring Interfaces for Private VLANs ...

Page 181: ... specific VLAN IDs QinQ tunneling expands VLAN space by using a VLAN in VLAN hierarchy preserving the customer s original tagged packets and adding SPVLAN tags to each frame also called double tagging A port configured to support QinQ tunneling must be set to tunnel port mode The Service Provider VLAN SPVLAN ID for the specific customer must be assigned to the QinQ tunnel access port on the edge s...

Page 182: ... the outer tag if it is a tagged or priority tagged packet 2 After successful source and destination lookup the ingress process sends the packet to the switching process with two tags If the incoming packet is untagged the outer tag is an SPVLAN tag and the inner tag is a dummy tag 8100 0000 If the incoming packet is tagged the outer tag is an SPVLAN tag and the inner tag is a CVLAN tag 3 After pa...

Page 183: ...d is equal to the TPID of the uplink port no new VLAN tag is added If the uplink port is not the member of the outer VLAN of the incoming packets the packet will be dropped when ingress filtering is enabled If ingress filtering is not enabled the packet will still be forwarded If the VLAN is not listed in the VLAN table the packet will be dropped 4 After successful source and destination lookups t...

Page 184: ...ayer 3 information are not supported on tunnel ports Spanning tree bridge protocol data unit BPDU filtering is automatically disabled on a tunnel port General Configuration Guidelines for QinQ 1 Enable Tunnel Status and set the Tag Protocol Identifier TPID value of the tunnel access port in the Ethernet Type field This step is required if the attached client is using a nonstandard 2 byte ethertype...

Page 185: ... tunnel port Range hexadecimal 0800 FFFF Default 8100 Use this field to set a custom 802 1Q ethertype value This feature allows the switch to interoperate with third party switches that do not use the standard 0x8100 ethertype to identify 802 1Q tagged frames For example if 0x1234 is set as the custom 802 1Q ethertype on a trunk port incoming frames containing that ethertype are assigned to the VL...

Page 186: ... attached client is using a nonstandard 2 byte ethertype to identify 802 1Q tagged frames Then use the Configure Interface page to set the access interface on the edge switch to Tunnel mode and set the uplink interface on the switch attached to the service provider network to Tunnel Uplink mode PARAMETERS These parameters are displayed in the web interface Interface Displays a list of ports or tru...

Page 187: ... all the devices participating in a specific protocol This kind of configuration deprives users of the basic benefits of VLANs including security and easy accessibility To avoid these problems you can configure this switch with protocol based VLANs that divide the physical network into logical VLAN groups for each required protocol When a frame is received at a port its VLAN membership can then be...

Page 188: ...l Type Specifies the protocol type to match The available options are IP ARP RARP and IPv6 If LLC Other is chosen for the Frame Type the only available Protocol Type is IPX Raw Protocol Group ID Protocol Group ID assigned to the Protocol VLAN Group Range 1 2147483647 NOTE Traffic which matches IP Protocol Ethernet Frames is mapped to the VLAN VLAN 1 that has been configured with the switch s admin...

Page 189: ...ING PROTOCOL GROUPS TO INTERFACES Use the VLAN Protocol Configure Interface Add page to map a protocol group to a VLAN for each interface that will participate in the group CLI REFERENCES protocol vlan protocol group Configuring Interfaces on page 946 COMMAND USAGE When creating a protocol based VLAN only assign interfaces using this configuration screen If you assign interfaces using any of the o...

Page 190: ...is interface PARAMETERS These parameters are displayed in the web interface Interface Displays a list of ports or trunks Port Port Identifier Range 1 26 50 Trunk Trunk Identifier Range 1 32 Protocol Group ID Protocol Group ID assigned to the Protocol VLAN Group Range 1 2147483647 VLAN ID VLAN to which matching protocol traffic is forwarded Range 1 4093 WEB INTERFACE To map a protocol group to a VL...

Page 191: ...Figure 75 Assigning Interfaces to Protocol VLANs To show the protocol groups mapped to a port or trunk 1 Click VLAN Protocol 2 Select Configure Interface from the Step list 3 Select Show from the Action list Figure 76 Showing the Interface to Protocol Group Mapping ...

Page 192: ... only one VLAN ID An IP subnet consists of an IP address and a mask When an untagged frame is received by a port the source IP address is checked against the IP subnet to VLAN mapping table and if an entry is found the corresponding VLAN ID is assigned to the frame If no mapping is found the PVID of the receiving port is assigned to the frame The IP subnet cannot be a broadcast or multicast IP add...

Page 193: ...P Address field 4 Enter a mask in the Subnet Mask field 5 Enter the identifier in the VLAN field Note that the specified VLAN need not already be configured 6 Enter a value to assign to untagged frames in the Priority field 7 Click Apply Figure 77 Configuring IP Subnet VLANs To show the configured IP subnet VLANs 1 Click VLAN IP Subnet 2 Select Show from the Action list Figure 78 Showing IP Subnet...

Page 194: ...C addresses cannot be broadcast or multicast addresses When MAC based IP subnet based and protocol based VLANs are supported concurrently priority is applied in this sequence and then port based VLANs last PARAMETERS These parameters are displayed in the web interface MAC Address A source MAC address which is to be mapped to a specific VLAN The MAC address must be specified in the format xx xx xx ...

Page 195: ...nfiguring MAC based VLANs 195 ES 4500G Series 6 Click Apply Figure 79 Configuring MAC Based VLANs To show the MAC addresses mapped to a VLAN 1 Click VLAN MAC Based 2 Select Show from the Action list Figure 80 Showing MAC Based VLANs ...

Page 196: ...CHAPTER 6 VLAN Configuration Configuring MAC based VLANs 196 ES 4500G Series ...

Page 197: ...NFIGURING MAC ADDRESS LEARNING Use the MAC Address Learning Status page to enable or disable MAC address learning on an interface CLI REFERENCES mac learning on page 768 COMMAND USAGE When MAC address learning is disabled the switch immediately stops learning new MAC addresses on the specified interface Only incoming traffic with source addresses stored in the static address table see Setting Stat...

Page 198: ... Status see Configuring Port Security on page 336 is enabled on the same interface PARAMETERS These parameters are displayed in the web interface Interface Displays a list of ports or trunks Port Port Identifier Range 1 26 50 Trunk Trunk Identifier Range 1 32 Status The status of MAC address learning Default Enabled WEB INTERFACE To enable or disable MAC address learning 1 Click MAC Address Learni...

Page 199: ...ss is seen on another interface the address will be ignored and will not be written to the address table Static addresses will not be removed from the address table when a given interface link is down A static address cannot be learned on another port until the address is removed from the table PARAMETERS These parameters are displayed in the web interface VLAN ID of configured VLAN Range 1 4093 I...

Page 200: ...sses CHANGING THE AGING TIME Use the MAC Address Dynamic Configure Aging page to set the aging time for entries in the dynamic address table The aging time is used to age out dynamically learned forwarding information CLI REFERENCES mac address table aging time on page 885 PARAMETERS These parameters are displayed in the web interface Aging Status Enables disables the function Aging Time The time ...

Page 201: ...source address for traffic entering the switch When the destination address for inbound traffic is found in the database the packets intended for that address are forwarded directly to the associated port Otherwise the traffic is flooded to all ports CLI REFERENCES show mac address table on page 887 PARAMETERS These parameters are displayed in the web interface Sort Key You can sort the informatio...

Page 202: ... Table CLEARING THE DYNAMIC ADDRESS TABLE Use the MAC Address Dynamic Clear Dynamic MAC page to remove any learned entries from the forwarding database CLI REFERENCES clear mac address table dynamic on page 887 PARAMETERS These parameters are displayed in the web interface Clear by All entries can be cleared or you can clear the entries for a specific MAC address all the entries in a VLAN or all t...

Page 203: ...0G Series 3 Select the method by which to clear the entries i e All MAC Address VLAN or Interface 4 Enter information in the additional fields required for clearing entries by MAC Address VLAN or Interface 5 Click Clear Figure 86 Clearing Entries in the Dynamic MAC Address Table ...

Page 204: ...CHAPTER 7 Address Table Settings Clearing the Dynamic Address Table 204 ES 4500G Series ...

Page 205: ...A compliant switch bridge or router in your network to ensure that only one route exists between any two stations on the network and provide backup links which automatically take over when a primary link goes down The spanning tree algorithms supported by this switch include these versions STP Spanning Tree Protocol IEEE 802 1D RSTP Rapid Spanning Tree Protocol IEEE 802 1w MSTP Multiple Spanning T...

Page 206: ...nd 1 to 3 seconds compared to 30 seconds or more for STP by reducing the number of state changes before active ports start learning predefining an alternate route that can be used when a node or port fails and retaining the forwarding database for ports insensitive to changes in the tree structure when reconfiguration occurs MSTP When using STP or RSTP it may be difficult to maintain a stable path...

Page 207: ...irtual bridge node for communications with STP or RSTP nodes in the global network Figure 89 Common Internal Spanning Tree Common Spanning Tree Internal Spanning Tree MSTP connects all bridges and LAN segments with a single Common and Internal Spanning Tree CIST The CIST is formed as a result of the running spanning tree algorithm between switches that support the STP RSTP MSTP protocols Once you ...

Page 208: ...ceive it s own BPDUs in a forward delay interval NOTE If loopback detection is not enabled and an interface receives it s own BPDU then the interface will drop the loopback BPDU according to IEEE Standard 802 1w 2001 9 3 4 Note 1 NOTE Loopback detection will not be active if Spanning Tree is disabled on the switch NOTE When configured for manual release mode then a link down up event will not rele...

Page 209: ...e 891 COMMAND USAGE Spanning Tree Protocol2 Uses RSTP for the internal state machine but sends only 802 1D BPDUs This creates one spanning tree instance for the entire network If multiple VLANs are implemented on a network the path between specific VLAN members may be inadvertently disabled to prevent network loops thus isolating group members When operating multiple VLANs we recommend selecting t...

Page 210: ...tances A spanning tree instance can exist only on bridges that have compatible VLAN instance assignments Be careful when switching between spanning tree modes Changing modes stops all spanning tree instances for the previous mode and restarts the system in the new mode temporarily disrupting user traffic PARAMETERS These parameters are displayed in the web interface Basic Configuration of Global S...

Page 211: ...ince the switch uses a backwards compatible subset of RSTP to implement STP and also apply to MSTP which is based on RSTP according to the standard Path Cost Method The path cost is used to determine the best path between devices The path cost method is used to determine the range of values that can be assigned to each interface Long Specifies 32 bit based values that range from 1 200 000 000 This...

Page 212: ...ight result Default 15 Minimum The higher of 4 or Max Message Age 2 1 Maximum 30 Configuration Settings for MSTP Max Instance Numbers The maximum number of MSTP instances to which this switch can be assigned Configuration Digest An MD5 signature key that contains the VLAN ID to MST ID mapping table In other words this key is a mapping of all VLANs to the CIST Region Revision3 The revision for this...

Page 213: ...HAPTER 8 Spanning Tree Algorithm Configuring Global Settings for STA 213 ES 4500G Series 5 Click Apply Figure 91 Configuring Global Settings for STA STP Figure 92 Configuring Global Settings for STA RSTP ...

Page 214: ...ng tree on page 914 show spanning tree mst configuration on page 916 PARAMETERS The parameters displayed in the web interface are described in the preceding section except for the following items Bridge ID A unique identifier for this bridge consisting of the bridge priority the MST Instance ID 0 for the Common Spanning Tree when spanning tree type is set to MSTP and MAC address where the address ...

Page 215: ...EB INTERFACE To display global STA settings 1 Click Spanning Tree STA 2 Select Configure Global from the Step list 3 Select Show Information from the Action list Figure 94 Displaying Global Settings for STA CONFIGURING INTERFACE SETTINGS FOR STA Use the Spanning Tree STA Configure Interface Configure page to configure RSTP and MSTP attributes for specific interfaces including port priority path co...

Page 216: ...g Tree Protocol is detecting network loops Where more than one port is assigned the highest priority the port with lowest numeric identifier will be enabled Default 128 Range 0 240 in steps of 16 Admin Path Cost This parameter is used by the STA to determine the best path between devices Therefore lower values should be assigned to ports attached to faster media and higher values assigned to ports...

Page 217: ...the spanning tree forwarding state Specifying Edge Ports provides quicker convergence for devices such as workstations or servers retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration events does not cause the spanning tree to initiate reconfiguration when the interface changes state and also overcomes other STA rel...

Page 218: ...id configuration configured edge ports should not receive BPDUs If an edge port receives a BPDU an invalid configuration exists such as a connection to an unauthorized device The BPDU guard feature provides a secure response to invalid configurations because an administrator must manually enable the port Default Disabled BPDU Filter5 BPDU filtering allows you to avoid transmitting BPDUs on configu...

Page 219: ...Spanning Tree Shows if STA has been enabled on this interface BPDU Flooding Shows if BPDUs will be flooded to other ports when spanning tree is disabled globally on the switch or disabled on a specific port STA Status Displays current state of this port within the Spanning Tree Discarding Port receives STA configuration messages but does not forward packets Learning Port has transmitted configurat...

Page 220: ... port on the designated bridging device through which this switch must communicate with the root of the Spanning Tree Oper Path Cost The contribution of this port to the path cost of paths towards the spanning tree root which include this port Oper Link Type The operational point to point status of the LAN segment attached to this interface This parameter is determined by manual configuration or b...

Page 221: ...from the Step list 3 Select Show Information from the Action list Figure 97 Displaying Interface Settings for STA Alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port x R Root Port A Alternate Port D Designated Port B Backup Port R R A D B Backup port receives more useful BPDUs from the same bridge and is therefore not selected as the d...

Page 222: ...ridges within the same MSTI Region page 209 with the same set of instances and the same instance on each bridge with the same set of VLANs Also note that RSTP treats each MSTI region as a single node connecting all regions to the Common Spanning Tree To use multiple spanning trees 1 Set the spanning tree type to MSTP page 209 2 Enter the spanning tree priority for the selected MST instance on the ...

Page 223: ...4 Specify the MST instance identifier and the initial VLAN member Additional member can be added using the Spanning Tree MSTP Configure Global Add Member page If the priority is not specified the default value 32768 is used 5 Click Apply Figure 98 Creating an MST Instance To show the MSTP instances 1 Click Spanning Tree MSTP 2 Select Configure Global from the Step list 3 Select Show from the Actio...

Page 224: ...Modify the priority for an MSTP Instance 5 Click Apply Figure 100 Modifying the Priority for an MST Instance To display global settings for MSTP 1 Click Spanning Tree MSTP 2 Select Configure Global from the Step list 3 Select Show Information from the Action list 4 Select an MST ID The attributes displayed on this page are described under Displaying Global Settings for STA on page 214 Figure 101 D...

Page 225: ...ist 4 Select an MST instance from the MST ID list 5 Enter the VLAN group to add to the instance in the VLAN ID field Note that the specified member does not have to be a configured VLAN 6 Click Apply Figure 102 Adding a VLAN to an MST Instance To show the VLAN members of an MSTP instance 1 Click Spanning Tree MSTP 2 Select Configure Global from the Step list 3 Select Show Member from the Action li...

Page 226: ...ority used for this port in the Spanning Tree Protocol If the path cost for all ports on a switch are the same the port with the highest priority i e lowest value will be configured as an active link in the Spanning Tree This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops Where more than one port is assigned the highest priority...

Page 227: ... port or trunk 1 Click Spanning Tree MSTP 2 Select Configure Interface from the Step list 3 Select Configure from the Action list 4 Enter the priority and path cost for an interface 5 Click Apply Figure 104 Configuring MSTP Interface Settings To display MSTP parameters for a port or trunk 1 Click Spanning Tree MSTP 2 Select Configure Interface from the Step list 3 Select Show Information from the ...

Page 228: ...CHAPTER 8 Spanning Tree Algorithm Configuring Interface Settings for MSTP 228 ES 4500G Series ...

Page 229: ... the traffic rate will be monitored by the hardware to verify conformity Non conforming traffic is dropped conforming traffic is forwarded without any changes CLI REFERENCES Rate Limit Commands on page 869 PARAMETERS These parameters are displayed in the web interface Port Displays the port number Type Indicates the port type 1000Base T 1000Base SFP or 10G Status Enables or disables the rate limit...

Page 230: ...CHAPTER 9 Rate Limit Configuration 230 ES 4500G Series Figure 106 Configuring Rate Limits ...

Page 231: ...ticast or unknown unicast traffic packets exceeding the threshold are dropped until the rate falls back down beneath the threshold The rate limits set by this function are also used by automatic storm control when the control response is set to rate limiting by the auto traffic control action command Using both rate limiting and storm control on the same interface may lead to unexpected results Fo...

Page 232: ...d unknown unicast storm control Rate Threshold level as a rate i e packets per second Range 500 262143 packets per second Default 500 pps for broadcast traffic 262143 pps for unknown unicast and multicast traffic WEB INTERFACE To configure broadcast storm control 1 Click Traffic Storm Control 2 Set the Status field to enable or disable storm control 3 Set the required threshold beyond which the sw...

Page 233: ...ault priority for untagged frames set the queue mode set the weights assigned to each queue and map class of service tags to queues SETTING THE DEFAULT PRIORITY FOR INTERFACES Use the Traffic Priority Default Priority page to specify the default port priority for each interface on the switch All untagged packets entering the switch are tagged with the specified default port priority and then sorte...

Page 234: ...e default priority for any interface 4 Click Apply Figure 108 Setting the Default Port Priority SELECTING THE QUEUE MODE Use the Traffic Priority Queue page to set the queue mode for the egress queues on any interface The switch can be set to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before the lower priority queues are serviced ...

Page 235: ...hts for WRR or one of the queuing modes that use a combination of strict and weighted queuing PARAMETERS These parameters are displayed in the web interface Interface Displays a list of ports or trunks Queue Mode Strict Services the egress queues in sequential order transmitting all traffic in the higher priority queues before servicing lower priority queues This ensures that the highest priority ...

Page 236: ...et the queue mode 4 If any of the weighted queue modes is selected the queue weight can be modified if required 5 If any of the queue modes that use a combination of strict and weighted queueing are selected the queues which are serviced first must be specified by enabling strict mode parameter in the table 6 Click Apply Figure 109 Setting the Queue Mode Strict Figure 110 Setting the Queue Mode WR...

Page 237: ...sed on strict priority Weighted Round Robin WRR or a combination of strict and weighted queuing Up to eight separate traffic priorities are defined in IEEE 802 1p Default priority levels are assigned according to recommendations in the IEEE 802 1p standard as shown in the following table The priority levels recommended in the IEEE 802 1p standard for various network applications are shown in Table...

Page 238: ... Range 0 7 where 7 is the highest priority Queue Output queue buffer Range 0 7 where 7 is the highest CoS priority queue WEB INTERFACE To specify which of the output queues to use for CoS priority tagged traffic 1 Click Traffic Priority CoS to Queue 2 Assign priorities to the output queues 3 Click Apply Table 12 CoS Priority Levels Priority Level Traffic Type 1 Background 2 Spare 0 default Best Ef...

Page 239: ...h and the traffic then sent to the corresponding output queue Because different priority information may be contained in the traffic this switch maps priority values to the output queues in the following manner The precedence for priority mapping is IP Port Priority IP Precedence or DSCP Priority and then Default Port Priority IP Precedence and IP DSCP cannot both be enabled Enabling one of these ...

Page 240: ...wing table Note that all the DSCP values that are not specified are mapped to CoS value 0 NOTE IP DSCP settings apply to all interfaces PARAMETERS These parameters are displayed DSCP Mapping Status Enables or disables the use of IP DSCP priorities and the mapping of these priority values to CoS values Default Disabled IP DSCP 8 bit DSCP value Range 0 63 CoS Class of Service value Range 0 7 WEB INT...

Page 241: ...USAGE The Type of Service ToS octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic The default IP Precedence values are mapped one to one to Class of Service values i e Precedence value 0 maps to CoS value 0 and so forth Bits 6 and 7 are used for network cont...

Page 242: ... Range 0 7 WEB INTERFACE To set the IP Precedence to CoS priority map 1 Click Traffic Priority IP Precedence to CoS 2 Locate an entry from the IP Precedence table and enter a value in the CoS field 3 Click Apply Figure 114 Mapping IP Precedence Priority Values MAPPING IP PORT PRIORITY Use the Traffic Priority IP Port to CoS page to map network applications designated by a TCP UDP destination port ...

Page 243: ...METERS These parameters are displayed in the web interface IP Port Mapping Status Enables or disables the use of TCP UDP destination port numbers priorities and the mapping of these priority values to CoS values Default Disabled TCP UDP Port 16 bit TCP UDP destination port number Range 0 65535 CoS Class of Service value Range 0 7 WEB INTERFACE To set the TCP UDP port number to CoS priority map 1 C...

Page 244: ...ice Layer 3 4 Priority Settings 244 ES 4500G Series To show the TCP UDP port number to CoS priority map 1 Click Traffic Priority IP Port to DSCP 2 Select Show from the Action list Figure 116 Showing IP Port Number Priority Map ...

Page 245: ... different kinds of traffic can be marked for different kinds of forwarding All switches or routers that access the Internet rely on class information to provide the same forwarding treatment to packets in the same class Class information can be assigned by end hosts or switches or routers along the path Priority can then be assigned based on a general policy or a detailed examination of the packe...

Page 246: ...red to monitor the maximum throughput and burst rate Then specify the action to take for conforming traffic or the action to take for a policy violation 5 Use the Configure Interface page to assign a policy map to a specific interface CONFIGURING A CLASS MAP A class map is used for matching packets to a specified class Use the Traffic DiffServ Configure Class page to configure a class map CLI REFE...

Page 247: ...d ACL Name of an access control list Any type of ACL can be specified including standard or extended IP ACLs and MAC ACLs IP DSCP A DSCP value Range 0 63 IP Precedence An IP Precedence value Range 0 7 IPv6 DSCP A DSCP value contained in an IPv6 packet Range 0 63 VLAN ID A VLAN Range 1 4093 WEB INTERFACE To configure a class map 1 Click Traffic DiffServ 2 Select Configure Class from the Step list 3...

Page 248: ...g Class Maps To edit the rules for a class map 1 Click Traffic DiffServ 2 Select Configure Class from the Step list 3 Select Add Rule from the Action list 4 Select the name of a class map 5 Specify type of traffic for this class based on an access list a DSCP or IP Precedence value or a VLAN You can specify up to 16 items to match when assigning ingress traffic to a class map 6 Click Apply Figure ...

Page 249: ...igured which indicates how to match the inbound packets according to an access list a DSCP or IP Precedence value or a member of specific VLAN A policy map is then configured which indicates the boundary parameters used for monitoring inbound traffic and the action to take for conforming and non conforming traffic A policy map may contain one or more classes based on previously defined class maps ...

Page 250: ...ferent colors as described below A packet is marked green if it doesn t exceed the committed information rate and committed burst size yellow if it does exceed the committed information rate and committed burst size but not the excess burst size and red otherwise The meter operates in one of two modes In the color blind mode the meter assumes that the packet stream is uncolored In color aware mode...

Page 251: ...hroughput peak information rate PIR and their associated burst sizes committed burst size BC or burst rate and peak burst size BP Action may taken for traffic conforming to the maximum throughput exceeding the maximum throughput or exceeding the peak burst size The PHB label is composed of five bits three bits for per hop behavior and two bits for the color scheme used to control queue congestion ...

Page 252: ... precolored as red or if Tp t B 0 the packet is red else if the packet has been precolored as yellow or if Tc t B 0 the packet is yellow and Tp is decremented by B else the packet is green and both Tp and Tc are decremented by B The trTCM can be used to mark a IP packet stream in a service where different decreasing levels of assurances either absolute or relative are given to packets which are gr...

Page 253: ...t results from a policy violation Meter Mode Selects one of the following policing methods Flow Police Flow Defines the committed information rate CIR or maximum throughput committed burst size BC or burst rate and the action to take for conforming and non conforming traffic Policing is based on a token bucket where bucket depth that is the maximum burst before the bucket overflows is specified by...

Page 254: ...ream is uncolored and Color Aware which assumes that the incoming packets are pre colored The functional differences between these modes is described at the beginning of this section under srTCM Police Meter Committed Information Rate CIR Rate in kilobits per second Range 1 1000000 kbps or maximum port speed whichever is lower The rate cannot exceed the configured interface speed Committed Burst S...

Page 255: ...the two color bits used to prioritize service to packets of different colors The color modes include Color Blind which assumes that the packet stream is uncolored and Color Aware which assumes that the incoming packets are pre colored The functional differences between these modes is described at the beginning of this section under trTCM Police Meter Committed Information Rate CIR Rate in kilobits...

Page 256: ...r out of conformance traffic Range 0 63 Drop Drops out of conformance traffic Violate Specifies whether the traffic that exceeds the peak information rate PIR will be dropped or the DSCP service level will be reduced Set IP DSCP Decreases DSCP priority for out of conformance traffic Range 0 63 Drop Drops out of conformance traffic WEB INTERFACE To configure a policy map 1 Click Traffic DiffServ 2 ...

Page 257: ...m the Step list 3 Select Add Rule from the Action list 4 Select the name of a policy map 5 Set the CoS or per hop behavior for matching packets to specify the quality of service to be assigned to the matching traffic class Use one of the metering options to define parameters such as the maximum throughput and burst rate Then specify the action to take for conforming traffic the action to tack for ...

Page 258: ...s 258 ES 4500G Series Figure 123 Adding Rules to a Policy Map To show the rules for a policy map 1 Click Traffic DiffServ 2 Select Configure Policy from the Step list 3 Select Show Rule from the Action list Figure 124 Showing the Rules for a Policy Map ...

Page 259: ...ce Only one policy map can be bound to an interface The switch does not allow a policy map to be bound to an interface for egress traffic PARAMETERS These parameters are displayed in the web interface Port Specifies a port Ingress Applies the selected rule to ingress traffic WEB INTERFACE To bind a policy map to a port 1 Click Traffic DiffServ 2 Select Configure Interface from the Step list 3 Chec...

Page 260: ...CHAPTER 12 Quality of Service Attaching a Policy Map to a Port 260 ES 4500G Series ...

Page 261: ...curity by isolating the VoIP traffic from other data traffic End to end QoS policies and high priority can be applied to VoIP VLAN traffic across the network guaranteeing the bandwidth it needs VLAN isolation also protects against disruptive broadcast and multicast traffic that can seriously affect voice quality The switch allows you to specify a Voice VLAN for the network and set a CoS priority f...

Page 262: ...must already be created on the switch Range 1 4093 Voice VLAN Aging Time The time after which a port is removed from the Voice VLAN when VoIP traffic is no longer received on the port Range 5 43200 minutes Default 1440 minutes NOTE The Voice VLAN ID cannot be modified when the global Auto Detection Status is enabled WEB INTERFACE To configure global settings for a Voice VLAN 1 Click Traffic VoIP 2...

Page 263: ... are displayed in the web interface Telephony OUI Specifies a MAC address range to add to the list Enter the MAC address in format 01 23 45 67 89 AB Mask Identifies a range of MAC addresses Selecting a mask of FF FF FF 00 00 00 identifies all devices with the same OUI the first three octets Other masks restrict the MAC address range Selecting FF FF FF FF FF FF specifies a single MAC address Defaul...

Page 264: ...erface page to configure ports for VoIP traffic you need to set the mode Auto or Manual specify the discovery method to use and set the traffic priority You can also enable security filtering to ensure that only VoIP traffic is forwarded on the Voice VLAN CLI REFERENCES Configuring Voice VLANs on page 952 PARAMETERS These parameters are displayed in the web interface Mode Specifies if the port wil...

Page 265: ...raffic on the port Default OUI OUI Traffic from VoIP devices is detected by the Organizationally Unique Identifier OUI of the source MAC address OUI numbers are assigned to manufacturers and form the first three octets of a device MAC address MAC address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device LLDP Uses LLDP IEE...

Page 266: ...CHAPTER 13 VoIP Traffic Configuration Configuring VoIP Traffic Ports 266 ES 4500G Series Figure 129 Configuring Port Settings for a Voice VLAN ...

Page 267: ... Access authentication methods are infeasible or impractical Network Access Configure MAC authentication and dynamic VLAN assignment HTTPS Provide a secure web connection SSH Provide a secure shell for secure Telnet access ACL Access Control Lists provide packet filtering for IP frames based on address protocol Layer 4 protocol port number or TCP control code ARP Inspection Security feature that v...

Page 268: ...CACS servers in the network The security servers can be defined as sequential groups that are applied as a method for controlling user access to specified services For example when the switch attempts to authenticate a user a request is sent to the first server in the defined group if there is no response the second server will be tried and so on If at any point a pass or fail is returned the proc...

Page 269: ...on page 720 COMMAND USAGE By default management access is always checked against the authentication database stored on the local switch If a remote authentication server is used you must specify the authentication sequence Then specify the corresponding parameters for the remote authentication protocol using the Security AAA Server page Local and remote logon authentication control management acce...

Page 270: ...TACACS are logon authentication protocols that use software running on a central server to control access to RADIUS aware or TACACS aware devices on the network An authentication server contains a database of multiple user name password pairs with associated privilege levels for each user that requires management access to the switch Figure 131 Authentication Server Operation RADIUS uses UDP while...

Page 271: ...est 5 TLS Transport Layer Security or TTLS Tunneled Transport Layer Security PARAMETERS These parameters are displayed in the web interface Configure Server RADIUS Global Provides globally applicable RADIUS settings Server Index Specifies one of five RADIUS servers that may be configured The switch attempts authentication using the listed sequence of servers The process ends when a server either a...

Page 272: ... TCP port of TACACS server used for authentication messages Range 1 65535 Default 49 Authentication Timeout The number of seconds the switch waits for a reply from the RADIUS server before it resends the request Range 1 65535 Default 5 Authentication Retries Number of times the switch tries to authenticate logon access via the authentication server Range 1 30 Default 2 Set Key Mark this box to set...

Page 273: ...US or TACACS authentication 1 Click Security AAA Server 2 Select Configure Server from the Step list 3 Select RADIUS or TACACS server type 4 Select Global to specify the parameters that apply globally to all specified servers or select a specific Server Index to specify the parameters that apply to a specific server 5 To set or modify the authentication key mark the Set Key box enter the key and t...

Page 274: ...RADIUS or TACACS server groups to use for accounting and authorization 1 Click Security AAA Server 2 Select Configure Group from the Step list 3 Select Add from the Action list 4 Select RADIUS or TACACS server type 5 Enter the group name followed by the index of the server to use for each priority level 6 Click Apply Figure 134 Configuring AAA Server Groups ...

Page 275: ...o display the configured accounting methods the methods applied to specific interfaces and basic accounting information recorded for user sessions CLI REFERENCES AAA on page 729 COMMAND USAGE AAA authentication through a RADIUS or TACACS server must be enabled before accounting is enabled PARAMETERS These parameters are displayed in the web interface Configure Global Periodic Update Specifies the ...

Page 276: ...n Authentication on page 269 Any other group name refers to a server group configured on the Security AAA Server Configure Group page Configure Service Accounting Type Specifies the service as 802 1X Command or Exec as described in the preceding section 802 1X Method Name Specifies a user defined accounting method to apply to an interface This method must be defined in the Configure Method page Ra...

Page 277: ...ACE To configure global settings for AAA accounting 1 Click Security AAA Accounting 2 Select Configure Global from the Step list 3 Enter the required update interval 4 Click Apply Figure 136 Configuring Global Settings for AAA Accounting To configure the accounting method applied to various service types and the assigned server group 1 Click Security AAA Accounting 2 Select Configure Method from t...

Page 278: ... Select Configure Method from the Step list 3 Select Show from the Action list Figure 138 Showing AAA Accounting Methods To configure the accounting method applied to specific interfaces console commands entered at specific privilege levels and local console Telnet or SSH connections 1 Click Security AAA Accounting 2 Select Configure Service from the Step list 3 Select the accounting type 802 1X E...

Page 279: ...y a summary of the configured accounting methods and assigned server groups for specified service types 1 Click Security AAA Accounting 2 Select Show Information from the Step list 3 Click Summary Figure 141 Displaying a Summary of Applied AAA Accounting Methods To display basic accounting information and statistics recorded for user sessions 1 Click Security AAA Accounting 2 Select Show Informati...

Page 280: ...e enabled before authorization is enabled PARAMETERS These parameters are displayed in the web interface Configure Method Authorization Type Specifies the service as Exec indicating administrative authorization for local console Telnet or SSH connections Method Name Specifies an authorization method for service requests The default method is used for a requested service if no other methods have be...

Page 281: ...Displays the console or Telnet interface to which these rules apply This field is null if the authorization method and associated server group has not been assigned to an interface WEB INTERFACE To configure the authorization method applied to the Exec service type and the assigned server group 1 Click Security AAA Authorization 2 Select Configure Method from the Step list 3 Specify the name of th...

Page 282: ...ions 1 Click Security AAA Authorization 2 Select Configure Service from the Step list 3 Enter the required authorization method 4 Click Apply Figure 145 Configuring AAA Authorization Methods for Exec Service To display a the configured authorization method and assigned server groups for The Exec service type 1 Click Security AAA Authorization 2 Select Show Information from the Step list Figure 146...

Page 283: ...rameters are displayed in the web interface User Name The name of the user Maximum length 8 characters maximum number of users 16 Access Level Specifies the user level Options 0 Normal 15 Privileged Normal privilege level provides access to a limited number of the commands which display the current status of the switch as well as several database clear and reset functions Privileged level provides...

Page 284: ...hentication are infeasible or impractical The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries All other traffic except for HTTP protocol traffic is blocked The switch intercepts HTTP protocol traffic and redirects it to a switch generated web page that facilitates user name and password authentication via RADIUS Once...

Page 285: ...feature must also be enabled for any port where required under the Configure Interface menu Session Timeout Configures how long an authenticated session stays active before it must re authenticate itself Range 300 3600 seconds Default 3600 seconds Quiet Period Configures how long a host must wait to attempt authentication again after it has exceeded the maximum allowable failed login attempts Rang...

Page 286: ...the port Host IP Address Indicates the IP address of each connected host Remaining Session Time Indicates the remaining time until the current authorization session for the host expires Apply Enables web authentication if the Status box is checked Also ends all authenticated web sessions for selected host IP addresses in the Authenticated Host List and forces the users to re authenticate Revert Re...

Page 287: ...n page 270 NOTE MAC authentication cannot be configured on trunk ports CLI REFERENCES Network Access MAC Address Authentication on page 771 COMMAND USAGE MAC address authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port Traffic received from a specific MAC address is forwarded by the switch only if the source MAC addr...

Page 288: ...LAN identifier list is carried in the RADIUS Tunnel Private Group ID attribute The VLAN list can contain multiple VLAN identifiers in the format 1u 2t 3u where u indicates an untagged VLAN and t a tagged VLAN The RADIUS server may optionally return dynamic QoS assignments to be applied to a switch port for an authenticated user The Filter ID attribute attribute 11 can be configured on the RADIUS s...

Page 289: ...onditions occur Illegal characters found in a profile value for example a non digital character in an 802 1p profile value Failure to configure the received profiles on the authenticated port When the last user logs off on a port with a dynamic QoS assignment the switch restores the original QoS configuration for the port When a user attempts to log into the network with a returned dynamic QoS pro...

Page 290: ...ed When the reauthentication time expires for a secure MAC address it is reauthenticated with the RADIUS server During the reauthentication process traffic through the port remains unaffected Default 1800 seconds Range 120 1000000 seconds WEB INTERFACE To configure aging status and reauthentication time for MAC address authentication 1 Click Security Network Access 2 Select Configure Global from t...

Page 291: ...e Configuring Port Settings for 802 1X on page 340 Dynamic VLAN Enables dynamic VLAN assignment for an authenticated port When enabled any VLAN identifiers returned by the RADIUS server are applied to the port providing the VLANs have already been created on the switch GVRP is not used to create the VLANs Default Enabled The VLAN settings specified by the first authenticated MAC address are implem...

Page 292: ...ported the guest VLAN to use when MAC Authentication or 802 1X Authentication fails and the dynamic VLAN and QoS assignments 5 Click Apply Figure 152 Configuring Interface Settings for Network Access CONFIGURING PORT LINK DETECTION Use the Security Network Access Configure Interface Link Detection page to send an SNMP trap and or shut down a port when a link event occurs CLI REFERENCES Network Acc...

Page 293: ... link detection on switch ports 1 Click Security Network Access 2 Select Configure Interface from the Step list 3 Click the Link Detection button 4 Modify the link detection status trigger condition and the response for any port 5 Click Apply Figure 153 Configuring Link Detection for Network Access CONFIGURING A MAC ADDRESS FILTER Use the Security MAC Authentication Configure MAC Filter page to de...

Page 294: ...ess Mask MAC Address Mask The filter rule will check for the range of MAC addresses defined by the MAC bit mask If you omit the mask the system will assign the default mask of an exact match Range 000000000000 FFFFFFFFFFFF Default FFFFFFFFFFFF WEB INTERFACE To add a MAC address filter for MAC authentication 1 Click Security Network Access 2 Select Configure MAC Filter from the Step list 3 Select A...

Page 295: ... the web interface Query By Specifies parameters to use in the MAC address query Sort Key Sorts the information displayed based on MAC address port interface or attribute MAC Address Specifies a specific MAC address Interface Specifies a port interface Attribute Displays static or dynamic addresses Authenticated MAC Address List MAC Address The authenticated MAC address Interface The port interfac...

Page 296: ...ess CONFIGURING HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol HTTPS over the Secure Socket Layer SSL providing secure access i e an encrypted connection to the switch s web interface CONFIGURING GLOBAL SETTINGS FOR HTTPS Use the Security HTTPS Configure Global page to enable or disable HTTPS and specify the UDP port used for this service CLI REFERENCES Web Ser...

Page 297: ... operating systems currently support HTTPS To specify a secure site certificate see Replacing the Default Secure site Certificate on page 298 PARAMETERS These parameters are displayed in the web interface HTTPS Status Allows you to enable disable the HTTPS server feature on the switch Default Enabled HTTPS Port Specifies the UDP port number used for HTTPS connection to the switch s web interface D...

Page 298: ...n a unique certificate and a private key and password from a recognized certification authority CAUTION For maximum security we recommend you obtain a unique Secure Sockets Layer certificate at the earliest opportunity This is because the default certificate for the switch is not unique to the hardware you have purchased When you have obtained these place them on your TFTP server and transfer them...

Page 299: ...ownloading the certificate to the switch Confirm Password Re type the string entered in the previous field to ensure no errors were made The switch will not download the certificate if these two fields do not match WEB INTERFACE To replace the default secure site certificate 1 Click Security HTTPS 2 Select Copy Certificate from the Step list 3 Fill in the TFTP server certificate and private key fi...

Page 300: ...ch supports both password and public key authentication If password authentication is specified by the SSH client then the password can be authenticated either locally or via a RADIUS or TACACS remote authentication server as specified on the System Authentication page page 269 If public key authentication is specified by the client then you must configure authentication keys on both the client an...

Page 301: ...4 Set the Optional Parameters On the SSH Settings page configure the optional parameters including the authentication timeout the number of retries and the server key size 5 Enable SSH Service On the SSH Settings page enable the SSH server on the switch 6 Authentication One of the following authentication methods is employed Password Authentication for SSH v1 5 or V2 Clients a The client sends its...

Page 302: ...d with the authentication process Otherwise it rejects the request c The client sends a signature generated using the private key to the switch d When the server receives this message it checks whether the supplied key is acceptable for authentication and if so it then checks whether the signature is correct If both checks succeed the client is authenticated NOTE The SSH server supports up to four...

Page 303: ... Specifies the number of authentication attempts that a client is allowed before authentication fails and the client has to restart the authentication process Range 1 5 times Default 3 Server Key Size Specifies the SSH server key size Range 512 896 bits Default 768 The server key is a private key that is never shared outside the switch The host key is shared with the SSH client and is fixed at 102...

Page 304: ...generate the host key pair i e public and private keys Range RSA Version 1 DSA Version 2 Both Default Both The SSH server uses RSA or DSA for key exchange when the client first establishes a connection with the switch and then negotiates with the client to select either DES 56 bit or 3DES 168 bit for data encryption NOTE The switch uses only RSA Version 1 for SSHv1 5 clients and DSA Version 2 for ...

Page 305: ...o clear 5 Click Show Figure 161 Showing the SSH Host Key Pair IMPORTING USER PUBLIC KEYS Use the Security SSH Configure User Key Copy page to upload a user s public key to the switch This public key must be stored on the switch for the user to be able to log in using the public key authentication mechanism If the user s public key does not exist on the switch SSH will revert to the interactive pas...

Page 306: ...nt first establishes a connection with the switch and then negotiates with the client to select either DES 56 bit or 3DES 168 bit for data encryption The switch uses only RSA Version 1 for SSHv1 5 clients and DSA Version 2 for SSHv2 clients TFTP Server IP Address The IP address of the TFTP server that contains the public key file you wish to import Source File Name The public key file to upload WE...

Page 307: ...Layer 4 protocol port number or TCP control code IPv6 frames based on address next header type or flow label or any frames based on MAC address or Ethernet type To filter incoming packets first create an access list add the required rules and then bind the list to a specific port Configuring Access Control Lists An ACL is a sequential list of permit or deny conditions that apply to IP addresses MA...

Page 308: ...r ingress ports are checked in parallel 2 Rules within an ACL are checked in the configured order from top to bottom 3 If the result of checking an IP ACL is to permit a packet but the result of a MAC ACL on the same packet is to deny it the packet will be denied because the decision to deny a packet has a higher priority for security reasons A packet will also be denied if the IP ACL denies it an...

Page 309: ... Select Configure Time Range from the Step list 3 Select Add from the Action list 4 Enter the name of a time range 5 Click Apply Figure 164 Setting the Name of a Time Range To show a list of time ranges 1 Click Security ACL 2 Select Configure Time Range from the Step list 3 Select Show from the Action list Figure 165 Showing a List of Time Ranges To configure a rule for a time range 1 Click Securi...

Page 310: ...5 Select a mode option of Absolute or Periodic 6 Fill in the required parameters for the selected mode 7 Click Apply Figure 166 Add a Rule to a Time Range To show the rules configured for a time range 1 Click Security ACL 2 Select Configure Time Range from the Step list 3 Select Show Rule from the Action list Figure 167 Showing the Rules Configured for a Time Range ...

Page 311: ...ding an ACL to a port each rule in an ACL will use two PCEs and when setting an IP Source Guard filter rule for a port the system will also use two PCEs PARAMETERS These parameters are displayed in the web interface Total Policy Control Entries The number policy control entries in use Free Policy Control Entries The number of policy control entries available for use Entries Used by System The numb...

Page 312: ...If the TCP protocol is specified then you can also filter packets based on the TCP control code IPv6 Standard IPv6 ACL mode filters packets based on the source IPv6 address IPv6 Extended IPv6 ACL mode filters packets based on the source or destination IP address as well as the type of the next header and the flow label i e a request for special handling by IPv6 routers MAC MAC ACL mode filters pac...

Page 313: ... permit deny Standard IP ACL on page 815 show ip access list on page 819 Time Range on page 679 PARAMETERS These parameters are displayed in the web interface Type Selects the type of ACLs to show in the Name list Name Shows the names of ACLs matching the selected type Action An ACL can contain any combination of permit or deny rules Address Type Specifies the source IP address Use Any to include ...

Page 314: ...t entering the port s to which this ACL has been assigned Time Range Name of a time range WEB INTERFACE To add rules to a Standard IPv4 ACL 1 Click Security ACL 2 Select Configure ACL from the Step list 3 Select Add Rule from the Action list 4 Select IP Standard from the Type list 5 Select the name of an ACL from the Name list 6 Specify the action i e Permit or Deny 7 Select the address type Any H...

Page 315: ...ination IP Address Source or destination IP address Source Destination Subnet Mask Subnet mask for source or destination address See the description for Subnet Mask on page 313 Source Destination Port Source destination port number for the specified protocol type Range 0 65535 Source Destination Port Bit Mask Decimal number representing the port bits to match Range 0 65535 Protocol Specifies the p...

Page 316: ...l code 18 control bit mask 18 SYN valid and ACK invalid use control code 2 control bit mask 18 Time Range Name of a time range WEB INTERFACE To add rules to an Extended IPv4 ACL 1 Click Security ACL 2 Select Configure ACL from the Step list 3 Select Add Rule from the Action list 4 Select IP Extended from the Type list 5 Select the name of an ACL from the Name list 6 Specify the action i e Permit o...

Page 317: ...y combination of permit or deny rules Source Address Type Specifies the source IP address Use Any to include all possible addresses Host to specify a specific host address in the Address field or IPv6 prefix to specify a range of addresses Options Any Host IPv6 prefix Default Any Source IPv6 Address An IPv6 source address or network class The address must be formatted according to RFC 2373 IPv6 Ad...

Page 318: ...tep list 3 Select Add Rule from the Action list 4 Select IPv6 Standard from the Type list 5 Select the name of an ACL from the Name list 6 Specify the action i e Permit or Deny 7 Select the source address type Any Host or IPv6 prefix 8 If you select Host enter a specific address If you select IPv6 prefix enter a subnet address and the prefix length 9 Click Apply Figure 173 Configuring a Standard I...

Page 319: ...cimal values One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields The switch only checks the first 64 bits of the destination address Destination Prefix Length A decimal value indicating how many contiguous bits from the left of the address comprise the prefix i e the network portion of the address Range 0 64 bits DSCP DSCP t...

Page 320: ...yed to the routers by a control protocol such as a resource reservation protocol or by information within the flow s packets themselves e g in a hop by hop option A flow is uniquely identified by the combination of a source address and a non zero flow label Packets that do not belong to a flow carry a flow label of zero Hosts or routers that do not support the functions specified by the flow label...

Page 321: ...e parameters are displayed in the web interface Type Selects the type of ACLs to show in the Name list Name Shows the names of ACLs matching the selected type Action An ACL can contain any combination of permit or deny rules Source Destination Address Type Use Any to include all possible addresses Host to indicate a specific MAC address or MAC to specify an address range with the Address and Bit M...

Page 322: ...col types can be found in RFC 1060 A few of the more common types include 0800 IP 0806 ARP 8137 IPX Ethernet Type Bit Mask Protocol bit mask Range 600 ffff hex Time Range Name of a time range WEB INTERFACE To add rules to a MAC ACL 1 Click Security ACL 2 Select Configure ACL from the Step list 3 Select Add Rule from the Action list 4 Select MAC from the Type list 5 Select the name of an ACL from t...

Page 323: ...rameters are displayed in the web interface Type Selects the type of ACLs to show in the Name list Name Shows the names of ACLs matching the selected type Action An ACL can contain any combination of permit or deny rules Packet Type Indicates an ARP request ARP response or either type Range Request Response All Default Request Source Destination IP Address Type Specifies the source or destination ...

Page 324: ...e Destination MAC Bit Mask Hexadecimal mask for source or destination MAC address Log Logs a packet when it matches the access control entry WEB INTERFACE To add rules to an ARP ACL 1 Click Security ACL 2 Select Configure ACL from the Step list 3 Select Add Rule from the Action list 4 Select ARP from the Type list 5 Select the name of an ACL from the Name list 6 Specify the action i e Permit or De...

Page 325: ...ort CLI REFERENCES ip access group on page 818 ipv6 access group on page 825 show ip access group on page 819 show ipv6 access group on page 825 mac access group on page 829 show mac access group on page 830 Time Range on page 679 COMMAND USAGE This switch supports ACLs for ingress filtering only You only bind one ACL to any port for ingress filtering PARAMETERS These parameters are displayed in t...

Page 326: ...man in the middle attacks This is accomplished by intercepting all ARP requests and responses and verifying each of these packets before the local ARP cache is updated or the packet is forwarded to the appropriate destination Invalid ARP packets are dropped ARP Inspection determines the validity of an ARP packet based on valid IP to MAC address bindings stored in a trusted database the DHCP snoopi...

Page 327: ...ion will not affect the ARP Inspection configuration of any VLANs When ARP Inspection is disabled globally it is still possible to configure ARP Inspection for individual VLANs These configuration changes will only become active after ARP Inspection is enabled globally again The ARP Inspection engine in the current firmware version does not support ARP Inspection on trunk ports CONFIGURING GLOBAL ...

Page 328: ...controlled basis After the system message is generated the entry is cleared from the log buffer Each log entry contains flow information such as the receiving VLAN the port number the source and destination IP addresses and the source and destination MAC addresses If multiple identical invalid ARP packets are received consecutively on the same VLAN then the logging facility will only generate one ...

Page 329: ... Security ARP Inspection 2 Select Configure General from the Step list 3 Enable ARP inspection globally enable any of the address validation options and adjust any of the logging parameters if required 4 Click Apply Figure 178 Configuring Global Settings for ARP Inspection CONFIGURING VLAN SETTINGS FOR ARP INSPECTION Use the Security ARP Inspection Configure VLAN page to enable ARP inspection for ...

Page 330: ... These parameters are displayed in the web interface ARP Inspection VLAN ID Selects any configured VLAN Default 1 ARP Inspection VLAN Status Enables ARP Inspection for the selected VLAN Default Disabled ARP Inspection ACL Name ARP ACL Allows selection of any configured ARP ACLs Default None Static When an ARP ACL is selected and static mode also selected the switch only performs ARP Inspection and...

Page 331: ...d ports are exempt from ARP packet rate limiting Packets arriving on trusted interfaces bypass all ARP Inspection and ARP Inspection Validation checks and will always be forwarded while those arriving on untrusted interfaces are subject to all configured ARP inspection tests Packet Rate Limit Sets the maximum number of ARP packets that can be processed by CPU per second on untrusted ports Range 0 ...

Page 332: ...e limit Count of ARP packets received but not exceeding the ARP Inspection rate limit Dropped ARP packets in the process of ARP inspection rate limit Count of ARP packets exceeding and dropped by ARP rate limiting ARP packets dropped by additional validation IP Count of ARP packets that failed the IP address test ARP packets dropped by additional validation Dst MAC Count of packets that failed the...

Page 333: ... page to show information about entries stored in the log including the associated VLAN port and address components CLI REFERENCES show ip arp inspection log on page 811 PARAMETERS These parameters are displayed in the web interface Table 18 ARP Inspection Log Parameter Description VLAN ID The VLAN where this packet was seen Port The port where this packet was seen Src IP Address The source IP add...

Page 334: ... default Once you add an entry to a filter list access to that interface is restricted to the specified addresses If anyone tries to access a management interface on the switch from an invalid address the switch will reject the connection enter an event message in the system log and send a trap message to the trap manager IP address can be configured for SNMP web and Telnet access respectively Eac...

Page 335: ...s for the SNMP group Telnet Configures IP address es for the Telnet group Start IP Address A single IP address or the starting address of a range End IP Address The end address of a range WEB INTERFACE To create a list of IP addresses authorized for management access 1 Click Security IP Filter 2 Select Add from the Action list 3 Select the management interface to filter Web SNMP Telnet 4 Enter the...

Page 336: ...atic address table will be authorized to access the network through that port If a device with an unauthorized MAC address attempts to use the switch port the intrusion will be detected and the switch can automatically take action by disabling the port and sending a trap message To use port security specify a maximum number of addresses to allow on the port and then let the switch dynamically lear...

Page 337: ...tion to be taken when a port security violation is detected None No action should be taken This is the default Trap Send an SNMP trap message Shutdown Disable the port Trap and Shutdown Send an SNMP trap message and disable the port Security Status Enables or disables port security on the port Default Disabled Max MAC Count The maximum number of MAC addresses that can be learned on a port Range 0 ...

Page 338: ...identity request The client provides its identity such as a user name in an EAPOL response to the switch which it forwards to the RADIUS server The RADIUS server verifies the client identity and sends an access challenge back to the client The EAP packet from the RADIUS server contains not only the challenge but the authentication method to be used The client can reject the authentication method a...

Page 339: ...these encryption methods is provided in Windows XP and in Windows 2000 with Service Pack 4 To support these encryption methods in Windows 95 and 98 you can use the AEGIS dot1x client or other comparable client software CONFIGURING 802 1X GLOBAL SETTINGS Use the Security Port Authentication Configure Global page to configure IEEE 802 1X port authentication The 802 1X protocol must be enabled global...

Page 340: ... 802 1X 1 Click Security Port Authentication 2 Select Configure Global from the Step list 3 Enable 802 1X globally for the switch and configure EAPOL Pass Through if required Then set the user name and password to use when the switch responds an MD5 challenge from the authentication server 4 Click Apply Figure 187 Configuring Global Settings for 802 1X Port Authentication CONFIGURING PORT SETTINGS...

Page 341: ...orces the port to grant access to all clients either dot1x aware or otherwise This is the default setting Force Unauthorized Forces the port to deny access to all clients either dot1x aware or otherwise Operation Mode Allows single or multiple hosts clients to connect to an 802 1X authorized port Default Single Host Single Host Allows only a single host to connect to this port Multi Host Allows mu...

Page 342: ...ll initiate authentication when the port link state comes up It will send an EAP request identity frame to the client to request its identity followed by one or more requests for authentication information It may also send other EAP request frames to the client during an active connection as required for reauthentication Server Timeout Sets the time that a switch port waits for a response to an EA...

Page 343: ...t state including request response success fail timeout idle initialize Request Count Number of EAP Request packets sent to the Supplicant without receiving a response Identifier Server Identifier carried in the most recent EAP Success Failure or Request packet received from the Authentication Server Reauthentication State Machine State Current state including initialize reauthenticate WEB INTERFA...

Page 344: ...CHAPTER 14 Security Measures Configuring 802 1X Port Authentication 344 ES 4500G Series Figure 188 Configuring Interface Settings for 802 1X Port Authenticator ...

Page 345: ...of any type that have been received by this Authenticator Rx Last EAPOLVer The protocol version number carried in the most recent EAPOL frame received by this Authenticator Rx Last EAPOLSrc The source MAC address carried in the most recent EAPOL frame received by this Authenticator Rx EAP Resp Id The number of EAP Resp Id frames that have been received by this Authenticator Rx EAP Resp Oth The num...

Page 346: ...en enabled see DHCP Snooping on page 351 IP source guard can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighbor to access the network This section describes commands used to configure IP Source Guard CONFIGURING PORTS FOR IP SOURCE GUARD Use the Security IP Source Guard Port Configuration page to set the filtering type based on source IP address or sour...

Page 347: ...e page 354 IP source guard will check the VLAN ID source IP address port number and source MAC address for the SIP MAC option If a matching entry is found in the binding table and the entry type is static IP source guard binding the packet will be forwarded If DHCP snooping is enabled IP source guard will check the VLAN ID source IP address port number and source MAC address for the SIP MAC option...

Page 348: ...ltering type for each port 3 Click Apply Figure 190 Setting the Filter Type for IP Source Guard CONFIGURING STATIC BINDINGS FOR IP SOURCE GUARD Use the Security IP Source Guard Static Configuration page to bind a static address to a port Table entries include a MAC address IP address lease time entry type Static Dynamic VLAN identifier and port identifier All static entries are configured with an ...

Page 349: ... to static IP source guard binding Only unicast addresses are accepted for static bindings PARAMETERS These parameters are displayed in the web interface Port The port to which a static entry is bound VLAN ID of a configured VLAN Range 1 4093 MAC Address A valid unicast MAC address IP Address A valid unicast IP address including classful types A B or C WEB INTERFACE To configure static bindings fo...

Page 350: ... interface CLI REFERENCES show ip dhcp snooping binding on page 798 PARAMETERS These parameters are displayed in the web interface Query by Port A port on this switch VLAN ID of a configured VLAN Range 1 4093 MAC Address A valid unicast MAC address IP Address A valid unicast IP address including classful types A B or C Dynamic Binding List VLAN VLAN to which this entry is bound MAC Address Physica...

Page 351: ... information to a DHCP server This information can be useful in tracking an IP address back to a physical port COMMAND USAGE DHCP Snooping Process Network traffic may be disrupted when malicious DHCP messages are received from an outside source DHCP snooping is used to filter DHCP messages received on a non secure interface from outside the network or fire wall When DHCP snooping is enabled global...

Page 352: ...e packet only if the corresponding entry is found in the binding table If the DHCP packet is from a client such as a DISCOVER REQUEST INFORM DECLINE or RELEASE message the packet is forwarded if MAC address verification is disabled However if MAC address verification is enabled then the packet will only be forwarded if the client s hardware address stored in the DHCP packet is the same as the sour...

Page 353: ...orwarded by the switch and in reply packets sent back from the DHCP server This information may specify the MAC address or IP address of the requesting device that is the switch in this context By default the switch also fills in the Option 82 circuit id field with information indicating the local interface over which the switch received the DHCP client request including the port and VLAN ID This ...

Page 354: ...les DHCP Option 82 information relay Default Disabled DHCP Snooping Information Option Policy Specifies how to handle DHCP client request packets which already contain Option 82 information Drop Drops the client s request packet instead of relaying it Keep Retains the Option 82 information in the client request and forwards the packets to trusted ports Replace Replaces the Option 82 information ci...

Page 355: ...r specific VLANs but the changes will not take effect until DHCP snooping is globally re enabled When DHCP snooping is globally enabled and DHCP snooping is then disabled on a VLAN all dynamic bindings learned for this VLAN are removed from the binding table PARAMETERS These parameters are displayed in the web interface VLAN ID of a configured VLAN Range 1 4093 DHCP Snooping Status Enables or disa...

Page 356: ...om outside the network or fire wall When DHCP snooping is enabled both globally and on a VLAN DHCP packet filtering will be performed on any untrusted ports within the VLAN When an untrusted port is changed to a trusted port all the dynamic DHCP snooping bindings associated with this port are removed Set all ports connected to DHCP servers within the local network or fire wall to trusted state Set...

Page 357: ...responding to the client Lease Time seconds The time for which this IP address is leased to the client Type Entry types include DHCP Snooping Dynamically snooped Static DHCPSNP Statically configured VLAN VLAN to which this entry is bound Interface Port or trunk to which this entry is bound Store Writes all dynamically learned snooping entries to flash memory This function can be used to store the ...

Page 358: ...ies WEB INTERFACE To display the binding table for DHCP Snooping 1 Click Security IP Source Guard DHCP Snooping 2 Select Show Information from the Step list 3 Use the Store or Clear function if required Figure 197 Displaying the Binding Table for DHCP Snooping ...

Page 359: ...gh SNMP CONFIGURING EVENT LOGGING The switch allows you to control the logging of error messages including the type of events that are recorded in switch memory logging to a remote System Log syslog server and displays a list of recent event messages SYSTEM LOG CONFIGURATION Use the Administration Log System Configure Global page to enable or disable event logging and specify which levels are logg...

Page 360: ...to RAM Range 0 7 Default 7 NOTE The Flash Level must be equal to or less than the RAM Level WEB INTERFACE To configure the logging of error messages to system memory 1 Click Administration Log System 2 Select Configure Global from the Step list 3 Enable or disable system logging set the level of event messages to be logged to flash memory and RAM 4 Click Apply Table 20 Logging Levels Level Severit...

Page 361: ... Click Administration Log System 2 Select Show System Logs from the Step list 3 Click RAM or Flash This page allows you to scroll through the logged system and event messages The switch can store up to 2048 log entries in temporary random access memory RAM i e memory flushed on power reset and up to 4096 entries in permanent flash memory Figure 199 Showing Error Messages Logged to System Memory ...

Page 362: ...ages to an appropriate service The attribute specifies the facility type tag sent in syslog messages see RFC 3164 This type has no effect on the kind of messages reported by the switch However it may be used by the syslog server to process messages such as sorting or storing messages in the corresponding database Range 16 23 Default 23 Logging Trap Level Limits log messages that are sent to the re...

Page 363: ...MTP Status Enables disables the SMTP function Default Enabled Severity Sets the syslog severity threshold level see table on page 360 used to trigger alert messages All events at this level or higher will be sent to the configured email recipients For example using Level 7 will report all events from level 7 to level 0 Default Level 7 Email Source Address Sets the email address used for the From f...

Page 364: ... Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device Advertised information is represented in Type Length Value TLV format according to the IEEE 802 1ab standard and can include details such as device identification capabilities and configuration settings LLDP also defines how to store and maintain information gathered about the neighboring network node...

Page 365: ...ault 2 seconds The transmit delay is used to prevent a series of successive LLDP transmissions during a short period of rapid changes in local LLDP MIB objects and to increase the probability that multiple rather than single changes are reported in each transmission This attribute must comply with the rule 4 Delay Interval Transmission Interval Reinitialization Delay Configures the delay before at...

Page 366: ...ved whether SNMP notifications are sent and the type of information advertised CLI REFERENCES LLDP Commands on page 1049 PARAMETERS These parameters are displayed in the web interface Admin Status Enables LLDP message transmit and receive modes for LLDP Protocol Data Units Options Tx only Rx only TxRx Disabled Default TxRx SNMP Notification Enables the transmission of SNMP trap notifications about...

Page 367: ...rmance of network discovery by indicating enterprise specific or other starting points for the search such as the Interface or Entity MIB Since there are typically a number of different addresses associated with a Layer 3 device an individual LLDP PDU may contain more than one management address TLV Every management address TLV that reports an address that is accessible on a port and protocol VLAN...

Page 368: ...ANs on page 187 802 3 Organizationally Specific TLVs Configures IEEE 802 3 information included in the TLV field of advertised messages Link Aggregation The link aggregation capabilities aggregation status of the link and the IEEE 802 3 aggregated port identifier if this interface is currently a link aggregation member Max Frame Size The maximum frame size See Configuring Support for Jumbo Frames ...

Page 369: ...ssis Type Identifies the chassis containing the IEEE 802 LAN entity associated with the transmitting LLDP agent There are several ways in which a chassis may be identified and a chassis ID subtype is used to indicate the type of component being referenced by the chassis ID field Table 21 Chassis ID Subtype ID Basis Reference Chassis component EntPhysicalAlias when entPhysClass has a value of chass...

Page 370: ...ted with the local system Interface Settings The attributes listed below apply to both port and trunk interface types When a trunk is listed the descriptions apply to the first port of the trunk Port Trunk Description A string that indicates the port or trunk description If RFC 2863 is implemented the ifDescr object should be used for this field Port Trunk ID A string that contains the specific id...

Page 371: ... information about devices connected directly to the switch s ports which are advertising information through LLDP or to display detailed information about an LLDP enabled device connected to a specific port on the local switch CLI REFERENCES show lldp info remote device on page 1063 PARAMETERS These parameters are displayed in the web interface Port Local Port The local port to which a remote LLD...

Page 372: ...d name System Description A textual description of the network entity Management Address The IPv4 address of the remote device If no management address is available the address should be the MAC address for the CPU or for the port sending this advertisement Port Type Indicates the basis for the identifier that is listed in the Port ID field Port Description A string that indicates the port s descr...

Page 373: ...Protocol Identity List Information about particular protocols that are accessible through a port This object represents an arbitrary local integer value used by this agent to identify a particular protocol identity and an octet string used to identify the protocols associated with a port of the remote system Port Details 802 3 Extension Port Information Remote Port Auto Neg Supported Shows whether...

Page 374: ...e spare pairs only are in use Remote Power MDI Supported Shows whether MDI power is supported on the given port associated with the remote system Remote Power Pair Controlable Indicates whether the pair selection can be controlled for sourcing power on the given port associated with the remote system Remote Power Classification This classification is used to tag different terminals on the Power ov...

Page 375: ...in link aggregation state and or it does not support link aggregation this value should be zero Port Details 802 3 Extension Frame Information Remote Max Frame Size An integer value indicating the maximum supported frame size in octets on the port component associated with the remote system WEB INTERFACE To display LLDP information for a remote port 1 Click Administration LLDP 2 Select Show Remote...

Page 376: ...for LLDP capable devices attached to the switch and for LLDP protocol messages transmitted or received on all local interfaces CLI REFERENCES show lldp info statistics on page 1064 PARAMETERS These parameters are displayed in the web interface General Statistics on Remote Devices Neighbor Entries List Last Updated The time the LLDP neighbor entry list was last updated New Neighbor Entries Count Th...

Page 377: ...ation rules as well as any specific usage rules defined for the particular TLV Frames Invalid A count of all LLDPDUs received with one or more detectable errors Frames Received Number of LLDP PDUs received Frames Sent Number of LLDP PDUs transmitted TLVs Unrecognized A count of all TLVs not recognized by the receiving LLDP local agent TLVs Discarded A count of all LLDPDUs received and then discard...

Page 378: ...cally used to configure these devices for proper operation in a network environment as well as to monitor them to evaluate performance or detect potential problems Managed devices supporting SNMP contain software which runs locally on the device and is referred to as an agent A defined set of variables known as managed objects is maintained by the SNMP agent and used to manage the device These obj...

Page 379: ... are known as views The switch has a default view all MIB objects and default groups defined for security models v1 and v2c The following table shows the security models and levels available and the system default settings NOTE The predefined default groups and view can be deleted from the system You can then define customized groups and views for the SNMP clients that require access Table 25 SNMP...

Page 380: ...igure Trap page to specify trap managers so that key events are reported by this switch to your management station 3 Use the Administration SNMP Configure Engine page to change the local engine ID If you want to change the default engine ID it must be changed before configuring other parameters 4 Use the Administration SNMP Configure View page to specify read and write access views for the switch ...

Page 381: ...P and the required trap types 4 Click Apply Figure 210 Configuring Global Settings for SNMP SETTING THE LOCAL ENGINE ID Use the Administration SNMP Configure Engine Set Engine ID page to change the local engine ID An SNMPv3 engine is an independent SNMP agent that resides on the switch This engine protects against message replay delay and redirection The engine ID is also used in combination with ...

Page 382: ...st 9 hexadecimal characters 5 Click Apply Figure 211 Configuring the Local Engine ID for SNMP SPECIFYING A REMOTE ENGINE ID Use the Administration SNMP Configure Engine Add Remote Engine page to configure a engine ID for a remote management station To allow management access from an SNMPv3 user on a remote device you must first specify the engine identifier for the SNMP agent on the remote device ...

Page 383: ... 123456789 is equivalent to 1234567890 Remote IP Host The IP address of a remote management station which is using the specified engine ID WEB INTERFACE To configure a remote SNMP engine ID 1 Click Administration SNMP 2 Select Configure Engine from the Step list 3 Select Add Remote Engine from the Action list 4 Enter an ID of a least 9 hexadecimal characters and the IP address of the remote host 5...

Page 384: ... identifier of a branch within the MIB tree Wild cards can be used to mask a specific portion of the OID string Use the Add OID Subtree page to configure additional object identifiers Type Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view Add OID Subtree View Name Lists the SNMP views configured in the Add View page OID Subtree Adds an ad...

Page 385: ...Creating an SNMP View To show the SNMP views of the switch s MIB database 1 Click Administration SNMP 2 Select Configure View from the Step list 3 Select Show View from the Action list Figure 215 Showing SNMP Views To add an object identifier to an existing SNMP view of the switch s MIB database 1 Click Administration SNMP 2 Select Configure View from the Step list 3 Select Add OID Subtree from th...

Page 386: ...ubtree to an SNMP View To show the OID branches configured for the SNMP views of the switch s MIB database 1 Click Administration SNMP 2 Select Configure View from the Step list 3 Select Show OID Subtree from the Action list 4 Select a view name from the list of existing views Figure 217 Showing the OID Subtree Configured for SNMP Views ...

Page 387: ... communications This is the default security level AuthNoPriv SNMP communications use authentication but the data is not encrypted AuthPriv SNMP communications use both authentication and encryption Read View The configured view for read access Range 1 64 characters Write View The configured view for write access Range 1 64 characters Notify View The configured view for notifications Range 1 64 ch...

Page 388: ... not properly authenticated While all implementations of the SNMPv2 must be capable of generating this trap the snmpEnableAuthenTraps object indicates whether this trap will be generated RMON Events V2 risingAlarm 1 3 6 1 2 1 16 0 1 The SNMP trap that is generated when an alarm entry crosses its rising threshold and generates an event that is configured for sending SNMP traps fallingAlarm 1 3 6 1 ...

Page 389: ...eleaseTrap 1 3 6 1 4 1 572 17389 302 1 2 1 0 77 When ATC is released this trap is fired swLoopbackDetectionTrap 1 3 6 1 4 1 572 17389 302 1 2 1 0 95 This trap will be sent when loopback BPDUs have been detected networkAccessPortLinkDetectionTrap 1 3 6 1 4 1 572 17389 302 1 2 1 0 96 This trap is sent when a networkAccessPortLinkDetection event is triggered swCpuUtiRisingNotification 1 3 6 1 4 1 572...

Page 390: ...from the Step list 3 Select Show from the Action list Figure 219 Showing SNMP Groups SETTING COMMUNITY ACCESS STRINGS Use the Administration SNMP Configure User Add Community page to configure up to five community strings authorized for management access by clients using SNMP v1 and v2c For security reasons you should consider removing the default strings CLI REFERENCES snmp server community on pa...

Page 391: ...zed management stations are only able to retrieve MIB objects Read Write Authorized management stations are able to both retrieve and modify MIB objects WEB INTERFACE To set a community access string 1 Click Administration SNMP 2 Select Configure User from the Step list 3 Select Add Community from the Action list 4 Add new community strings as required and select the corresponding access rights fr...

Page 392: ...S These parameters are displayed in the web interface User Name The name of user connecting to the SNMP agent Range 1 32 characters Group Name The name of the SNMP group to which the user is assigned Range 1 32 characters Security Model The user security model SNMP v1 v2c or v3 Security Level The following security levels are only used for the groups assigned to the SNMP security model noAuthNoPri...

Page 393: ...nfigure User from the Step list 3 Select Add SNMPv3 Local User from the Action list 4 Enter a name and assign it to a group If the security model is set to SNMPv3 and the security level is authNoPriv or authPriv then an authentication protocol and password must be specified If the security level is authPriv a privacy password must also be specified 5 Click Apply Figure 222 Configuring Local SNMPv3...

Page 394: ...user resides The remote engine ID is used to compute the security digest for authentication and encryption of packets passed between the switch and the remote user See Specifying Trap Managers on page 397 and Specifying a Remote Engine ID on page 382 PARAMETERS These parameters are displayed in the web interface User Name The name of user connecting to the SNMP agent Range 1 32 characters Group Na...

Page 395: ...vailable Privacy Password A minimum of eight plain text characters is required WEB INTERFACE To configure a remote SNMPv3 user 1 Click Administration SNMP 2 Select Configure User from the Step list 3 Select Add SNMPv3 Remote User from the Action list 4 Enter a name and assign it to a group Enter the IP address to identify the source of SNMPv3 inform messages sent from the local switch If the secur...

Page 396: ...nt Protocol 396 ES 4500G Series Figure 224 Configuring Remote SNMPv3 Users To show remote SNMPv3 users 1 Click Administration SNMP 2 Select Configure User from the Step list 3 Select Show SNMPv3 Remote User from the Action list Figure 225 Showing Remote SNMPv3 Users ...

Page 397: ...mation is received by the host However note that informs consume more system resources because they must be kept in memory until a response is received Informs also add to network traffic You should consider these effects when deciding whether to issue notifications as traps or informs To send an inform to a SNMPv2c host complete these steps 1 Enable the SNMP agent page 380 2 Create a view with th...

Page 398: ...ation to receive notification message i e the targeted recipient Version Specifies whether to send notifications as SNMP v1 v2c or v3 traps Notification Type Traps Notifications are sent as trap messages Inform Notifications are sent as inform messages Note that this option is only available for version 2c and 3 hosts Default traps are used Timeout The number of seconds to wait for an acknowledgme...

Page 399: ...pt Range 0 255 Default 3 Local User Name The name of a local user which is used to identify the source of SNMPv3 trap messages sent from the local switch Range 1 32 characters If an account for the specified user has not been created page 392 one will be automatically generated Remote User Name The name of a remote user which is used to identify the source of SNMPv3 inform messages sent from the l...

Page 400: ...FACE To configure trap managers 1 Click Administration SNMP 2 Select Configure Trap from the Step list 3 Select Add from the Action list 4 Fill in the required parameters based on the selected SNMP version 5 Click Apply Figure 226 Configuring Trap Managers SNMPv1 Figure 227 Configuring Trap Managers SNMPv2c ...

Page 401: ...respond to specified events on an independent basis This switch is an RMON capable device which can independently perform a wide range of tasks significantly reducing network management traffic It can continuously run diagnostics and log information on network performance If an event is triggered it can automatically notify the network administrator of a failure and provide historical information ...

Page 402: ...er an alarm is triggered it will not be triggered again until the statistical value crosses the opposite bounding threshold and then back across the trigger threshold CLI REFERENCES Remote Monitoring Commands on page 703 COMMAND USAGE If an alarm is already defined for an index the entry must be deleted before any changes can be made PARAMETERS These parameters are displayed in the web interface I...

Page 403: ... to the falling threshold and the last sample value was greater than this threshold then an alarm will be generated After a falling event has been generated another such event will not be generated until the sampled value has risen above the falling threshold reaches the rising threshold and again moves back down to the failing threshold Range 1 65535 Falling Event Index The index of the event to ...

Page 404: ...ring 404 ES 4500G Series Figure 230 Configuring an RMON Alarm To show configured RMON alarms 1 Click Administration RMON 2 Select Configure Global from the Step list 3 Select Show from the Action list 4 Click Alarm Figure 231 Showing Configured RMON Alarms ...

Page 405: ...layed in the web interface Index Index to this entry Range 1 65535 Type Specifies the type of event to initiate None No event is generated Log Generates an RMON log entry when the event is triggered Log messages are processed based on the current configuration settings for event logging see System Log Configuration on page 359 Trap Sends a trap message to all configured trap managers see Specifyin...

Page 406: ...e Action list 4 Click Event 5 Enter an index number the type of event to initiate the community string to send with trap messages the name of the person who created this event and a brief description of the event 6 Click Apply Figure 232 Configuring an RMON Event To show configured RMON events 1 Click Administration RMON 2 Select Configure Global from the Step list 3 Select Show from the Action li...

Page 407: ...efore your network becomes too overloaded CLI REFERENCES Remote Monitoring Commands on page 703 COMMAND USAGE Each index number equates to a port on the switch If history collection is already enabled on an interface the entry must be deleted before any changes can be made The information collected for each sample includes input octets packets broadcast packets multicast packets undersize packets ...

Page 408: ...t 1 Click Administration RMON 2 Select Configure Interface from the Step list 3 Select Add from the Action list 4 Click History 5 Select a port from the list as the data source 6 Enter an index number the sampling interval the number of buckets to use and the name of the owner for this entry 7 Click Apply Figure 234 Configuring an RMON History Sample To show configured RMON history samples 1 Click...

Page 409: ...Showing Configured RMON History Samples To show collected RMON history samples 1 Click Administration RMON 2 Select Configure Interface from the Step list 3 Select Show Details from the Action list 4 Select a port from the list 5 Click History Figure 236 Showing Collected RMON History Samples ...

Page 410: ...each entry includes input octets packets broadcast packets multicast packets undersize packets oversize packets CRC alignment errors jabbers fragments collisions drop events and frames of various sizes PARAMETERS These parameters are displayed in the web interface Port The port number on the switch Index Index to this entry Range 1 65535 Owner Name of the person who created this entry Range 1 127 ...

Page 411: ...ON 2 Select Configure Interface from the Step list 3 Select Show from the Action list 4 Select a port from the list 5 Click Statistics Figure 238 Showing Configured RMON Statistical Samples To show collected RMON statistical samples 1 Click Administration RMON 2 Select Configure Interface from the Step list 3 Select Show Details from the Action list 4 Select a port from the list 5 Click Statistics...

Page 412: ...CHAPTER 15 Basic Administration Protocols Remote Monitoring 412 ES 4500G Series Figure 239 Showing Collected RMON Statistical Samples ...

Page 413: ...reserving security and data isolation OVERVIEW Multicasting is used to support real time applications such as video conferencing or streaming audio A multicast server does not have to establish a separate connection with each client It merely broadcasts its service to the network and any hosts that want to receive the multicast register with their local multicast switch router Although this approa...

Page 414: ...t group members but also supports the Protocol Independent Multicasting PIM routing protocol required to forward multicast traffic to other subnets page 1253 You can also configure a single network wide multicast VLAN shared by hosts residing in other standard or private VLAN groups preserving security and data isolation Multicast VLAN Registration on page 447 IGMP PROTOCOL The Internet Group Mana...

Page 415: ...ent provided by IGMPv3 snooping is in keeping track of information about the specific multicast sources which downstream IGMPv3 hosts have requested or refused The switch maintains information about both multicast groups and channels where a group indicates a multicast flow for which the hosts have not requested a specific source the only option for IGMPv1 and v2 hosts unless statically configured...

Page 416: ...n the attached VLAN or flooded throughout the VLAN if unregistered flooding is enabled see Configuring IGMP Snooping and Query Parameters on page 417 Static IGMP Router Interface If IGMP snooping cannot locate the IGMP querier you can manually designate a known IGMP querier i e a multicast router switch connected over the network to an interface on your switch page 421 This interface will then joi...

Page 417: ... throughout the VLAN if unregistered flooding is enabled see Unregistered Data Flood in the Command Attributes section IGMP Querier A router or multicast enabled switch can periodically ask their hosts if they want to receive multicast traffic If there is more than one router switch on the LAN performing IP multicasting one of these devices is elected querier and assumes the role of querying the L...

Page 418: ...eceived and all the uplink ports are subsequently deleted a time out mechanism is used to delete all of the currently learned multicast channels When a new uplink port starts up the switch sends unsolicited reports for all currently learned channels out the new uplink port By default the switch immediately enters into multicast flooding mode when a spanning tree topology change occurs In this mode...

Page 419: ...on 2 or 3 queries that do not contain the Router Alert option Unregistered Data Flooding Floods unregistered multicast traffic into the attached VLAN Default Disabled Once the table used to store multicast entries for IGMP snooping and multicast routing is filled no new entries are learned If no router port is configured in the attached VLAN and unregistered flooding is disabled any subsequent mul...

Page 420: ...es regardless of the snooping version employed Querier Status When enabled the switch can serve as the Querier which is responsible for asking hosts if they want to receive multicast traffic This feature is not supported for IGMPv3 snooping Default Disabled WEB INTERFACE To configure general settings for IGMP Snooping and Query 1 Click Multicast IGMP Snooping General 2 Adjust the IGMP settings as ...

Page 421: ...appropriate interfaces within the switch CLI REFERENCES Static Multicast Routing on page 1008 PARAMETERS These parameters are displayed in the web interface VLAN Selects the VLAN which is to propagate all multicast traffic coming from the attached multicast router Range 1 4093 Interface Activates the Port or Trunk scroll down list Port or Trunk Specifies the interface attached to a multicast route...

Page 422: ...cast routing protocol such as PIM to support IP multicasting across the Internet These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch To show all the interfaces attached to a multicast router 1 Click Multicast IGMP Snooping Multicast Router 2 Select Current Multicast Router from the Action list 3 Select the VLAN for which to display this in...

Page 423: ...on page 1005 COMMAND USAGE Static multicast addresses are never aged out When a multicast address is assigned to an interface in a specific VLAN the corresponding traffic can only be forwarded to ports within that VLAN PARAMETERS These parameters are displayed in the web interface VLAN Specifies the VLAN which is to propagate the multicast service Range 1 4093 Interface Activates the Port or Trunk...

Page 424: ...n list 3 Select the VLAN for which to display this information Figure 247 Showing Static Interfaces Assigned to a Multicast Service To display information about all multicast groups IGMP Snooping or multicast routing must first be enabled on the switch To show all of the interfaces statically or dynamically assigned to a multicast service 1 Click Multicast IGMP Snooping IGMP Member 2 Select Show C...

Page 425: ...and multicast routing devices MRD is used to discover which interfaces are attached to multicast routers allowing IGMP enabled devices to determine where to send multicast source and group membership messages MRD is specified in draft ietf magma mrdisc 07 Multicast source data and group membership reports must be received by all multicast routers on a segment Using the group membership protocol qu...

Page 426: ...ter is gracefully shut down Advertisement and Termination messages are sent to the All Snoopers multicast address Solicitation messages are sent to the All Routers multicast address NOTE MRD messages are flooded to all ports in a VLAN where IGMP snooping or routing has been enabled To ensure that older switches which do not support MRD can also learn the multicast router port the switch floods IGM...

Page 427: ...ness Variable fixed at 2 as defined in RFC 2236 If immediate leave is enabled the switch assumes that only one host is connected to the interface Therefore immediate leave should only be enabled on an interface if it is connected to only one IGMP enabled device either a service host or a neighbor running IGMP snooping This attribute is only effective if IGMP snooping is enabled and IGMPv2 snooping...

Page 428: ...esponse to proxy general queries Range 10 31744 tenths of a second Default 10 seconds This attribute applies when the switch is serving as the querier page 417 or as a proxy host when IGMP snooping proxy reporting is enabled page 417 Last Member Query Interval The interval to wait for a response to a group specific or group and source specific query message Range 1 31744 tenths of a second in mult...

Page 429: ...ull address in IGMP reports sent to upstream ports Many hosts do not implement RFC 4541 and therefore do not understand query messages with the source address of 0 0 0 0 These hosts will therefore not reply to the queries causing the multicast router to stop sending traffic to them To resolve this problem the source address in proxied IGMP query messages can be replaced with any valid unicast addr...

Page 430: ...cast data drop on page 1015 PARAMETERS These parameters are displayed in the web interface IGMP Query Drop Configures an interface to drop any IGMP query packets received on the specified interface If this switch is acting as a Querier this prevents it from being affected by messages received from another Querier Multicast Data Drop Configures an interface to stop multicast services from being for...

Page 431: ...erface VLAN An interface on the switch that is forwarding traffic to downstream ports for the specified multicast group address Group Address IP multicast group address with subscribers directly attached or downstream from the switch or a static multicast group assigned to this interface Source Address The address of one of the multicast servers transmitting traffic to the specified group Interfac...

Page 432: ...dresses or a range of multicast addresses but only one profile can be assigned to a port When enabled IGMP join reports received on the port are checked against the filter profile If a requested multicast group is permitted the IGMP join report is forwarded as normal If a requested multicast group is denied the IGMP join report is dropped IGMP throttling sets a maximum number of multicast groups t...

Page 433: ...t IGMP Snooping Filter Add page to create an IGMP profile and set its access mode Then use the Add Multicast Group Range page to configure the multicast groups to filter CLI REFERENCES IGMP Filtering and Throttling on page 1009 COMMAND USAGE Specify a range of multicast groups by entering a start and end IP address or specify a single multicast group by entering the same IP address for the start a...

Page 434: ...ss of a range of multicast groups End Multicast IP Address Specifies the ending address of a range of multicast groups WEB INTERFACE To create an IGMP filter profile and set its access mode 1 Click Multicast IGMP Snooping Filtering 2 Select Add from the Action list 3 Enter the number for a profile and set its access mode 4 Click Apply Figure 254 Creating an IGMP Filtering Profile To show the IGMP ...

Page 435: ...ct the profile to configure and add a multicast group address or range of addresses 4 Click Apply Figure 256 Adding Multicast Groups to an IGMP Filtering Profile To show the multicast groups configured for an IGMP filter profile 1 Click Multicast IGMP Snooping Filtering 2 Select Show Multicast Group Range from the Action list 3 Select the profile for which to display this information Figure 257 Sh...

Page 436: ...parameters are displayed in the web interface Interface Port or trunk identifier An IGMP profile or throttling setting can be applied to a port or trunk When ports are configured as trunk members the trunk uses the settings applied to the first port member in the trunk Profile ID Selects an existing profile to assign to an interface Max Multicast Groups Sets the maximum number of multicast groups ...

Page 437: ...h ports which need to forward multicast traffic Layer 3 IGMP Query as described below is used in conjunction with both Layer 2 IGMP Snooping and multicast routing IGMP This protocol includes a form of multicast query specifically designed to work with multicast routing A router periodically asks its hosts if they want to receive multicast traffic It then propagates service requests on to any upstr...

Page 438: ...traffic on edge switches greatly reduces the processing load on those devices by not having to run more complicated multicast routing protocols such as PIM It also makes the proxy devices independent of the multicast routing protocols used by core routers IGMP proxy routing uses a tree topology where the root of the tree is connected to a complete multicast infrastructure with the upstream interfa...

Page 439: ...ng the proxy settings described in this section 4 Optional Indicate how often the system will send unsolicited reports to the upstream router using the Multicast IGMP Proxy page as described later in this section COMMAND USAGE When IGMP proxy is enabled on an interface that interface is known as the upstream or host interface This interface performs only the host portion of IGMP by sending IGMP me...

Page 440: ...erface should transmit unsolicited IGMP reports Range 1 65535 seconds Default 400 seconds WEB INTERFACE To configure IGMP Proxy Routing 1 Click Multicast IGMP Proxy 2 Select the upstream interface enable the IGMP Proxy Status and modify the interval for unsolicited IGMP reports if required 3 Click Apply Figure 260 Configuring IGMP Proxy Routing CONFIGURING IGMP INTERFACE PARAMETERS Use the Multica...

Page 441: ...ed in the web interface VLAN VLAN interface bound to a primary IP address Range 1 4093 IGMP Protocol Status Enables IGMP including IGMP query functions on a VLAN interface Default Disabled When a multicast routing protocol such as PIM is enabled IGMP is also enabled IGMP Version Configures the IGMP version used on an interface Options Version 1 3 Default Version 2 Robustness Variable Specifies the...

Page 442: ...ffic less bursty as host responses are spread out over a larger interval The number of seconds represented by the maximum response interval must be less than the Query Interval Last Member Query Interval The frequency at which to send IGMP group specific or IGMPv3 group source specific query messages in response to receiving a group specific or group source specific leave message Range 0 255 tenth...

Page 443: ...ree has statically mapped this group to a specific source address Also if an address outside of the SSM address range is specified and a specific source address is included in the command the request to join the multicast group will also fail if the next node up the reverse path tree has enabled the PIM SSM protocol If a static group is configured for an any source multicast G a source address can...

Page 444: ...P groups 1 Click Multicast IGMP Static Group 2 Select Add from the Action list 3 Select a VLAN interface to be assigned as a static multicast group member and then specify the multicast group If source specific multicasting is supported by the next hop router in the reverse path tree for the specified multicast group then the source address should also be specified 4 Click Apply Figure 262 Configu...

Page 445: ...n VLAN VLAN identifier The selected entry must be a configured IP interface Range 1 4093 Group Address IP multicast group address with subscribers directly attached or downstream from the switch Last Reporter The IP address of the source of the last membership report received for this multicast group address on this interface Up Time The time elapsed since this entry was created Depending on the e...

Page 446: ...given multicast address is requested from all IP source addresses except for those listed in the source list parameter and for any other sources where the source timer status has expired Group Source List A list of zero or more IP unicast addresses from which multicast reception is desired or not desired depending on the filter mode Source Address The address of one of the multicast servers transm...

Page 447: ...s television channels or video on demand across a service provider s network Any multicast traffic entering an MVR VLAN is sent to all attached subscribers This protocol can significantly reduce to processing overhead required to dynamically monitor and establish the distribution tree for a normal multicast VLAN This makes it possible to support common multicast services over a wide part of the ne...

Page 448: ...ally bind the multicast group to the participating interfaces see Assigning Static Multicast Groups to Interfaces on page 454 Although MVR operates on the underlying mechanism of IGMP snooping the two features operate independently of each other One can be enabled or disabled without affecting the behavior of the other However if IGMP snooping and MVR are both enabled MVR reacts only to join and l...

Page 449: ... VLANs on page 168 but MVR receiver ports should not be manually configured as members of this VLAN Default 1 MVR Running Status Indicates whether or not all necessary conditions in the MVR environment are satisfied Running status is Active as long as MVR is enabled the specified MVR VLAN exists and a source port with a valid link has been configured see Configuring MVR Interface Status on page 45...

Page 450: ...are displayed in the web interface MVR Group IP IP address for an MVR multicast group Range 224 0 1 0 239 255 255 255 Default no groups are assigned to the MVR VLAN Any multicast data sent to this address is sent to all source ports on the switch and all receiver ports that have elected to receive data on that multicast address The IP address range of 224 0 0 0 to 239 255 255 255 is used for multi...

Page 451: ...how the multicast groups assigned to the MVR VLAN 1 Click Multicast MVR 2 Select Configure Group Range from the Step list 3 Select Show from the Action list Figure 269 Showing the Configured Group Range for MVR CONFIGURING MVR INTERFACE STATUS Use the Multicast MVR Configure Interface page to configure each interface that participates in the MVR protocol as a source port or receiver port If you ar...

Page 452: ... to source ports Immediate leave applies only to receiver ports When enabled the receiver port is immediately removed from the multicast group identified in the leave message When immediate leave is disabled the switch follows the standard rules by sending a query message to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group be...

Page 453: ...ed on the switch MVR status for receiver ports is Active only if there are subscribers receiving multicast traffic from one of the MVR groups or a multicast group has been statically assigned to an interface Immediate Leave Configures the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group This option only applies to an interface ...

Page 454: ...up IP Address Defines a multicast service sent to the selected port Multicast groups must be assigned from the MVR group range configured on the Configure General page WEB INTERFACE To assign a static MVR group to a port 1 Click Multicast MVR 2 Select Configure Static Group Member from the Step list 3 Select Add from the Action list 4 Select a VLAN and port member to receive the multicast stream a...

Page 455: ...in the web interface Group IP Address Multicast groups assigned to the MVR VLAN Source IP Address Indicates the source address of the multicast service or displays an asterisk if the group address has been statically assigned VLAN Indicates the MVR VLAN receiving the multicast service Forwarding Port Shows the interfaces with subscribers for multicast services provided through the MVR VLAN Also sh...

Page 456: ...CHAPTER 16 Multicast Filtering Multicast VLAN Registration 456 ES 4500G Series Figure 273 Showing All MVR Groups Assigned to a Port ...

Page 457: ... Add page to configure an IPv4 address for the switch An IPv4 address is obtained via DHCP by default for VLAN 1 To configure a static address you need to change the switch s default settings to values that are compatible with your network You may also need to a establish a default gateway between the switch and management stations that exist on another network segment if no routing protocols are ...

Page 458: ...iodically by the switch for an IP address DHCP BOOTP responses can include the IP address subnet mask and default gateway Default DHCP IP Address Type Specifies a primary or secondary IP address An interface can have only one primary IP address but can have many secondary IP addresses In other words secondary addresses need to be specified if more than one IP subnet can be accessed through this in...

Page 459: ...and then enter the IP address and subnet mask 4 Click Apply Figure 274 Configuring a Static IPv4 Address To obtain an dynamic address through DHCP BOOTP for the switch 1 Click IP General Routing Interface 2 Select Add from the Action list 3 Select any configured VLAN and set IP Address Mode to BOOTP or DHCP 4 Click Apply to save your changes IP will be enabled but will not function until a BOOTP o...

Page 460: ...nitely or for a specific period of time If the address expires or the switch is moved to another network segment you will lose management access to the switch In this case you can reboot the switch or submit a client request to restart DHCP service via the CLI If the address assigned by DHCP is no longer functioning you will not be able to renew the IP settings via the web interface You can only r...

Page 461: ... of address cannot be passed by any router outside of the subnet A link local address is easy to set up and may be useful for simple networks or basic troubleshooting tasks However to connect to a larger network with multiple segments the switch must be configured with a global unicast address An IPv6 global unicast or link local address can be manually configured using the Add IPv6 Address page o...

Page 462: ...cluding explicit configuration of a link local interface address the MTU size and neighbor discovery protocol settings for duplicate address detection and the neighbor solicitation interval CLI REFERENCES IPv6 Interface on page 1119 DHCP Client on page 1077 COMMAND USAGE The switch must be configured with a link local address The option to explicitly enable IPv6 creates a link local address but wi...

Page 463: ...ce Range 1280 65535 bytes Default 1500 bytes The maximum value set by this command cannot exceed the MTU of the physical interface which is currently fixed at 1500 bytes If a non default value is configured an MTU option is included in the router advertisements sent from this device This option is provided to ensure that all nodes on a link use the same MTU value in cases where the link MTU is not...

Page 464: ...dress but not for any of the IPv6 global unicast addresses already associated with the interface ND NS Interval The interval between transmitting IPv6 neighbor solicitation messages on an interface Range 1000 3600000 milliseconds Default 1000 milliseconds is used for neighbor discovery operations 0 milliseconds is advertised in router advertisements This attribute specifies the interval between tr...

Page 465: ...te number of zeros required to fill the undefined fields The switch must always be configured with a link local address Therefore explicitly enabling IPv6 see Configuring IPv6 Interface Settings on page 462 or manually assigning a global unicast address will also automatically generate a link local unicast address The prefix length for a link local address is fixed at 64 bits and the host portion ...

Page 466: ... an IP address Range 1 4093 Address Type Defines the address type configured for this interface Global Configures an IPv6 global unicast address with a full IPv6 address including the network prefix and host address bits followed by a forward slash and a decimal value indicating how many contiguous bits from the left of the address comprise the prefix i e the network portion of the address EUI 64 ...

Page 467: ...tifier and the rest of the address resulting in a modified EUI 64 interface identifier of 2A 9F 18 FF FE 1C 82 35 This host addressing method allows the same interface identifier to be used on multiple IP interfaces of a single device as long as those interfaces are attached to different subnets Link Local Configures an IPv6 link local address The address prefix must be FE80 You can configure only...

Page 468: ...ss for all attached IPv6 nodes The interface local multicast address is only used for loopback transmission of multicast traffic Link local multicast addresses cover the same types as used by link local unicast addresses including all nodes FF02 1 all routers FF02 2 and solicited nodes FF02 1 FFXX XXXX as described below A node is also required to compute and join the associated solicited node mul...

Page 469: ... NEIGHBOR CACHE Use the IP IPv6 Configuration Show IPv6 Neighbor Cache page to display the IPv6 addresses detected for neighbor devices CLI REFERENCES show ipv6 neighbors on page 1141 PARAMETERS These parameters are displayed in the web interface Table 27 ShowIPv6 Neighbors display description Field Description IPv6 Address IPv6 address of neighbor Age The time since the address was verified as re...

Page 470: ...ed since the last positive confirmation was received that the forward path was functioning While in Stale state the device takes no action until a packet is sent Delay More than the ReachableTime interval has elapsed since the last positive confirmation was received that the forward path was functioning A packet was sent within the last DELAY_FIRST_PROBE_TIME interval If no reachability confirmati...

Page 471: ...buffering capacity to forward a datagram and when the gateway can direct the host to send traffic on a shorter route ICMP is also used by routers to feed back information about more suitable routes that is the next hop router to use for a specific destination UDP User Datagram Protocol provides a datagram mode of packet switched communications It uses IP as the underlying transport mechanism provi...

Page 472: ...erface for some of the fragments Reassembled Succeeded The number of IPv6 datagrams successfully reassembled Note that this counter is incremented at the interface to which these datagrams were addressed which might not be necessarily the input interface for some of the fragments Reassembled Failed The number of failures detected by the IPv6 re assembly algorithm for whatever reason timed out erro...

Page 473: ...rameter Problem Messages The number of ICMP Parameter Problem messages received by the interface Echo Request Messages The number of ICMP Echo request messages received by the interface Echo Reply Messages The number of ICMP Echo Reply messages received by the interface Router Solicit Messages The number of ICMP Router Solicit messages received by the interface Router Advertisement Messages The nu...

Page 474: ...sages sent by the interface Neighbor Advertisement Messages The number of ICMP Router Advertisement messages sent by the interface Redirect Messages The number of Redirect messages sent For a host this object will always be zero since hosts do not send redirects Group Membership Query Messages The number of ICMPv6 Group Membership Query messages sent by the interface Group Membership Response Mess...

Page 475: ...CHAPTER 17 IP Configuration Setting the Switch s IP Address IP Version 6 475 ES 4500G Series Figure 282 Showing IPv6 Statistics IPv6 Figure 283 Showing IPv6 Statistics ICMPv6 ...

Page 476: ...CLI REFERENCES show ipv6 mtu on page 1129 PARAMETERS These parameters are displayed in the web interface WEB INTERFACE To show the MTU reported from other devices 1 Click IP IPv6 Configuration 2 Select Show MTU from the Action list Table 29 Show MTU display description Field Description MTU Adjusted MTU contained in the ICMP packet too big message returned from this destination and now used for al...

Page 477: ...CHAPTER 17 IP Configuration Setting the Switch s IP Address IP Version 6 477 ES 4500G Series Figure 285 Showing Reported MTU Values ...

Page 478: ...CHAPTER 17 IP Configuration Setting the Switch s IP Address IP Version 6 478 ES 4500G Series ...

Page 479: ...passing traffic between VLANs with different IP interfaces and routing traffic to external IP networks However when the switch is first booted default routing can only forward traffic between local IP interfaces As with all traditional routers static and dynamic routing functions must first be configured to work INITIAL CONFIGURATION By default all ports belong to the same VLAN and the switch prov...

Page 480: ...ddress Replacing destination source MAC addresses for each hop Incrementing the hop count Decrementing the time to live Verifying and recalculating the Layer 3 checksum If the destination node is on the same subnetwork as the source network then the packet can be transmitted directly without the help of a router However if the MAC address is not yet known to the switch an Address Resolution Protoc...

Page 481: ...is not already there the switch broadcasts an ARP packet to all the ports on the destination VLAN to find out the destination MAC address After the MAC address is discovered the packet is reformatted and sent out to the destination The reformat process includes decreasing the Time To Live TTL field of the IP header recalculating the IP header checksum and replacing the destination MAC address with...

Page 482: ... and the router s host number on that network In other words a router interface address defines the network segment that is connected to that interface and allows you to send IP packets to or from the router You can specify the IP subnets connected directly to this router by manually assigning an IP address to each VLAN or using BOOTP or DHCP to dynamically assign an address To specify IP subnets ...

Page 483: ...ERS These parameters are displayed in the web interface IP Address IP address of the host Probe Count Number of packets to send Range 1 16 Packet Size Number of bytes in a packet Range 32 512 bytes The actual packet size will be eight bytes larger than the size specified because the switch adds header information COMMAND USAGE Use the ping command to see if another site on the network can be reach...

Page 484: ... responds when the maximum timeout TTL is exceeded or the maximum number of hops is exceeded The trace route function first sends probe datagrams with the TTL value set at one This causes the first router to discard the datagram and return an error message The trace function then sends several probe messages at each subsequent TTL level and displays the round trip time for each message Not all dev...

Page 485: ...from one hop to the next ARP is used to map an IP address to a physical layer i e MAC address When an IP frame is received by this router or any standards based router it first looks up the MAC address corresponding to the destination IP address in the ARP cache If the address is found the router writes the MAC address into the appropriate field in the frame header and forwards the frame on to the...

Page 486: ...es a request for its own IP address it will send back a response and also cache the MAC of the source device s IP address BASIC ARP CONFIGURATION Use the IP ARP Configure General page to specify the timeout for ARP cache entries or to enable Proxy ARP for specific VLAN interfaces CLI REFERENCES arp timeout on page 1113 ip proxy arp on page 1113 COMMAND USAGE Proxy ARP When a node in the attached s...

Page 487: ...y ARP for specified VLAN interfaces allowing a non routing device to determine the MAC address of a host on another subnet or network Default Disabled End stations that require Proxy ARP must view the entire network as a single network These nodes must therefore use a smaller subnet mask than that used by the router or other relevant network devices Extensive use of Proxy ARP can degrade router pe...

Page 488: ...ed to be used if there is no response to an ARP broadcast message For example some applications may not respond to ARP requests or the response arrives too late causing network operations to time out Static entries will not be aged out or deleted when power is reset You can only remove a static entry via the configuration interface PARAMETERS These parameters are displayed in the web interface IP ...

Page 489: ...LAYING DYNAMIC OR LOCAL ARP ENTRIES The ARP cache contains static entries and entries for local interfaces including subnet host and broadcast addresses However most entries will be dynamically learned through replies to broadcast messages Use the IP ARP Show Information page to display dynamic or local entries in the ARP cache CLI REFERENCES show arp on page 1114 WEB INTERFACE To display all dyna...

Page 490: ...the IP ARP Show Information page to display statistics for ARP messages crossing all interfaces on this router CLI REFERENCES show ip traffic on page 1155 PARAMETERS These parameters are displayed in the web interface Table 31 ARP Statistics Parameter Description Received Request Number of ARP Request packets received by the router Received Reply Number of ARP Reply packets received by the router ...

Page 491: ...ic route to a subnet rather than using dynamic routing Static routes do not automatically change in response to changes in network topology so you should only configure a small number of stable routes to ensure network accessibility CLI REFERENCES ip route on page 1152 COMMAND USAGE Up to 512 static routes can be configured Up to eight equal cost multipaths ECMP can be configured for static routin...

Page 492: ...ext Hop IP address of the next router hop used for this route Distance An administrative distance indicating that this route can be overridden by dynamic routing information if the distance of the dynamic route is less than that configured for the static route Note that the default administrative distances used by the dynamic unicast routing protocols is 110 for OSPF and 120 for RIP Range 1 255 De...

Page 493: ...ntains the interface identifier and next hop information for each reachable destination network prefix based on the IP routing table When routing or topology changes occur in the network the routing table is updated and those changes are immediately reflected in the FIB The FIB is distinct from the routing table or Routing Information Base RIB which holds all routing information received from rout...

Page 494: ...lick IP Routing Routing Table 2 Select Show Information from the Action List Figure 298 Displaying the Routing Table EQUAL COST MULTIPATH ROUTING Use the IP Routing Routing Table Configure ECMP Number page to configure the maximum number of equal cost paths that can transmit traffic to the same destination The Equal cost Multipath routing algorithm is a technique that supports load sharing over mu...

Page 495: ... dynamic paths Each path toward the same destination with equal cost takes up one entry in the routing table to record routing information In other words a route with 8 paths will take up 8 entries The routing table can only have up to 8 equal cost multipaths for static routing and 8 for dynamic routing for a common destination However the system supports up to 256 total ECMP entries in ASIC for f...

Page 496: ...ng 496 ES 4500G Series 2 Select Configure ECMP Number from the Action List 3 Enter the maximum number of equal cost paths used to route traffic to the same destination that are permitted on the switch 4 Click Apply Figure 299 Setting the Maximum ECMP Number ...

Page 497: ...ed virtual router priority Router redundancy can be set up in any of the following configurations These examples use the address of one of the participating routers as the master router When the virtual router IP address is not a real address the master router is selected based on priority When the priority is the same on several competing routers then the router with the highest IP address is sel...

Page 498: ...ine if it has a higher priority than the currently active master router CLI REFERENCES VRRP Commands on page 1095 COMMAND USAGE Address Assignment To designate a specific router as the VRRP master the IP address assigned to the virtual router must already be configured on the router that will become the Owner of the group address In other words the IP address for the virtual router exists on one a...

Page 499: ...ity of the virtual IP address Owner is the highest the original master router will always become the active master router when it recovers If two or more routers are configured with the same VRRP priority the router with the higher IP address is elected as the new master router if the current master fails Preempting the Acting Master The virtual IP Owner has the highest priority so no other router...

Page 500: ...lude information about its priority and current state as the master VRRP advertisements are sent to the multicast address 224 0 0 8 Using a multicast address reduces the amount of traffic that has to be processed by network devices that are not part of the designated VRRP group If the master router stops sending advertisements backup routers will bid to become the master router based on priority T...

Page 501: ... router in the group its authentication string is compared to the string configured on this router If the strings match the message is accepted Otherwise the packet is discarded State VRRP router role Values Master Backup Virtual MAC Address Virtual MAC address for this group Master Router The primary router servicing this group Master Priority The priority of the master router Master Advertisemen...

Page 502: ...ct Configure Group ID from the Step List 3 Select Show from the Action List Figure 304 Showing Configured VRRP Groups To configure the virtual router address for a VRRP group 1 Click IP VRRP 2 Select Configure Group ID from the Step List 3 Select Add IP Address from the Action List 4 Select a VLAN a VRRP group identifier and enter the IP address for the virtual router 5 Click Apply ...

Page 503: ...oup ID from the Step List 3 Select Show IP Addresses from the Action List 4 Select a VLAN and a VRRP group identifier Figure 306 Showing the Virtual Addresses Assigned to VRRP Groups To configure detailed settings for a VRRP group 1 Click IP VRRP 2 Select Configure Group ID from the Step List 3 Select Configure Detail from the Action List 4 Select a VRRP group identifier and set any of the VRRP pr...

Page 504: ...TERS These parameters are displayed in the web interface VRRP Packets with Invalid Checksum The total number of VRRP packets received with an invalid VRRP checksum value VRRP Packets with Unknown Error The total number of VRRP packets received with an unknown or unsupported version number VRRP Packets with Invalid VRID The total number of VRRP packets received with an invalid VRID for this virtual...

Page 505: ...ned to master Received Advertisement Packets Number of VRRP advertisements received by this router Received Error Advertisement Interval Packets Number of VRRP advertisements received for which the advertisement interval is different from the one configured for the local virtual router Received Authentication Failure Packets Number of VRRP packets received that do not pass the authentication check...

Page 506: ...nvalid value in the type field Received Error Address List VRRP Packets Number of packets received for which the address list does not match the locally configured list for the virtual router Received Invalid Authentication Type VRRP Packets Number of packets received with an unknown authentication type Received Mismatch Authentication Type VRRP Packets Number of packets received with Auth Type no...

Page 507: ... using static table entries or by redirection to other name servers on the network When a client device designates this switch as a DNS server the client will attempt to resolve host names into IP addresses by forwarding DNS queries to the switch and waiting for a response You can manually configure entries in the DNS table used for mapping domain names to IP addresses configure default domain nam...

Page 508: ... and set the default domain name 4 Click Apply Figure 310 Configuring General Settings for DNS CONFIGURING A LIST OF DOMAIN NAMES Use the IP Service DNS General Add Domain Name page to configure a list of domain names to be tried in sequential order CLI REFERENCES ip domain list on page 1067 show dns on page 1073 COMMAND USAGE Use this page to define a list of domain names that can be appended to ...

Page 509: ...s on page 510 PARAMETERS These parameters are displayed in the web interface Domain Name Name of the host Do not include the initial dot that separates the host name from the domain name Range 1 68 characters WEB INTERFACE To create a list domain names 1 Click IP Service DNS 2 Select Add Domain Name from the Action list 3 Enter one domain name at a time 4 Click Apply Figure 311 Configuring a List ...

Page 510: ...uence until a response is received or the end of the list is reached with no response If all name servers are deleted DNS will automatically be disabled This is done by disabling the domain lookup status PARAMETERS These parameters are displayed in the web interface Name Server IP Address Specifies the address of a domain name server to use for name to address resolution Up to six IP addresses can...

Page 511: ...MAND USAGE Static entries may be used for local devices connected directly to the attached network or for commonly used resources located elsewhere on the network PARAMETERS These parameters are displayed in the web interface Host Name Name of a host device that is mapped to one or more IP addresses Range 1 127 characters IP Address Internet address es associated with a host name WEB INTERFACE To ...

Page 512: ...e been learned via the designated name servers CLI REFERENCES show dns cache on page 1074 COMMAND USAGE Servers or other network devices may support one or more connections via multiple IP addresses If more than one IP address is associated with a host name via information returned from a name server a DNS client can try each address in succession until it establishes a connection with the target ...

Page 513: ... does not already include a BOOTP or DHCP server you can relay DHCP client requests to a DHCP server on another subnet or configure the DHCP server on this switch to support that subnet When configuring the DHCP server on this switch you can configure an address pool for each unique IP interface or manually assign a static IP address to clients based on their hardware address or client identifier ...

Page 514: ... be supplied by your service provider or network administrator PARAMETERS These parameters are displayed in the web interface VLAN ID of configured VLAN Vendor Class ID The following options are supported when the check box is marked to enable this feature Default Depending the unit the default strings are either ES 4526G or ES 4550G Text A text string Range 1 32 characters Hex A hexadecimal value...

Page 515: ...rom the server to the client Figure 319 Layer 3 DHCP Relay Service CLI REFERENCES ip dhcp relay server on page 1080 ip dhcp restart relay on page 1081 COMMAND USAGE You must specify the IP address for at least one DHCP server Otherwise the switch s DHCP relay agent will not forward client requests to a DHCP server DHCP relay configuration will be disabled if an active DHCP server is detected on th...

Page 516: ... identifier code or MAC address Figure 321 DHCP Server COMMAND USAGE First configure any excluded addresses including the address for this switch Then configure address pools for the network interfaces You can configure up to 8 network address pools You can also manually bind an address to a specific client if required However any fixed addresses must fall within the range of an existing network a...

Page 517: ... 322 Enabling the DHCP Server SETTING EXCLUDED ADDRESSES Use the IP Service DHCP Server Configure Excluded Addresses Add page to specify the IP addresses that should not be assigned to clients CLI REFERENCES ip dhcp excluded address on page 1083 PARAMETERS These parameters are displayed in the web interface Start IP Address Specifies a single IP address or the first address in a range that the DHC...

Page 518: ...igure 323 Configuring Excluded Addresses on the DHCP Server To show the IP addresses excluded for DHCP clients 1 Click IP Service DHCP Server 2 Select Configure Excluded Addresses from the Step list 3 Select Show from the Action list Figure 324 Showing Excluded Addresses on the DHCP Server CONFIGURING ADDRESS POOLS Use the IP Service DHCP Server Configure Pool Add page configure IP address pools f...

Page 519: ...network address pool However if no matching address pool is found the request is ignored When searching for a manual binding the switch compares the client identifier and then the hardware address for DHCP clients Since BOOTP clients cannot transmit a client identifier you must configure a hardware address for this host type If no manual binding has been specified for a host entry with a hardware ...

Page 520: ... Service WINS name server used for Microsoft DHCP clients Netbios Type NetBIOS node type for Microsoft DHCP clients Options Broadcast Hybrid Mixed Peer to Peer Default Hybrid Domain Name The domain name of the client Range 1 128 characters Bootfile The default boot image for a DHCP client This file should placed on the Trivial File Transfer Protocol TFTP server specified as the Next Server Next Se...

Page 521: ...521 ES 4500G Series 6 Click Apply Figure 325 Configuring DHCP Server Address Pools Network Figure 326 Configuring DHCP Server Address Pools Host To show the configured DHCP address pools 1 Click IP Service DHCP Server 2 Select Configure Pool from the Step list ...

Page 522: ...is switch s DHCP server CLI REFERENCES show ip dhcp binding on page 1093 PARAMETERS These parameters are displayed in the web interface IP Address IP address assigned to host MAC Address MAC address of host Lease Time Duration that this IP address can be used by the host Start Time Time this address was assigned by the switch WEB INTERFACE To show the addresses assigned to DHCP clients 1 Click IP ...

Page 523: ...be used to forward broadcast packets for specified UDP application ports to remote servers located in another network segment To configure UDP helper enable it globally see Configuring General DNS Service Parameters on page 507 specify the UDP destination ports for which broadcast traffic will be forwarded see Specifying UDP Destination Ports on page 524 and specify the remote application servers ...

Page 524: ...b interface Destination UDP Port UDP application port for which UDP service requests are forwarded Range 1 65535 The following UDP ports are included in the forwarding list when the UDP helper is enabled and a remote server address is configured BOOTP client port 67 BOOTP server port 68 Domain Name Service port 53 IEN 116 Name Service port 42 NetBIOS Datagram Server port 138 NetBIOS Name Server po...

Page 525: ...designated UDP broadcast packets are forwarded CLI REFERENCES ip helper address on page 1117 COMMAND USAGE Up to 20 helper addresses can be specified To forward UDP packets with the UDP helper the clients must be connected to the selected interface and the interface configured with an IP address The UDP packets to be forwarded must be specified in the IP Service UDP Helper Forwarding page and the ...

Page 526: ...orwarded by default as described on page 524 PARAMETERS These parameters are displayed in the web interface VLAN ID VLAN identifier Range 1 4093 IP Address Host address or directed broadcast address to which UDP broadcast packets are forwarded Range 1 65535 WEB INTERFACE To specify the target server or subnet for forwarding UDP request packets 1 Click IP Service UDP Helper Address 2 Select Add fro...

Page 527: ...CHAPTER 20 IP Services Forwarding UDP Service Requests 527 ES 4500G Series Figure 333 Showing the Target Server or Subnet for UDP Requests ...

Page 528: ...CHAPTER 20 IP Services Forwarding UDP Service Requests 528 ES 4500G Series ...

Page 529: ...ugh estimate of transmission cost Each router broadcasts its advertisement every 30 seconds together with any updates to its routing table This allows all routers on the network to learn consistent tables of next hop links which lead to relevant subnets NOTE RIPng which supports IPv6 will be supported in a future release OSPFv2 Dynamic Routing Protocols OSPF overcomes all the problems of RIP It us...

Page 530: ...AND USAGE Just as Layer 2 switches use the Spanning Tree Algorithm to prevent loops routers also use methods for preventing loops that would cause endless retransmission of data traffic RIP utilizes the following three methods to prevent loops from occurring Split horizon Never propagate routes back to an interface port from which they have been acquired Poison reverse Propagate routes back to an ...

Page 531: ...ing Information Protocol RIP on page 1159 COMMAND USAGE RIP is used to specify how routers exchange routing information When RIP is enabled on this router it sends RIP messages to all devices in the network every 30 seconds by default and updates its own routing table when RIP messages are received from other routers To communicate properly with other routers using RIP you need to specify the RIP ...

Page 532: ...n points and the router learns about the same external network with a better metric from a redistribution point other than that derived from the original source The default metric does not override the metric value set in the Redistribute screen see Configuring Route Redistribution on page 539 When a metric value has not been configured in the Redistribute screen the default metric sets the metric...

Page 533: ...ake the routing protocol less sensitive to changes in the network configuration Timeout Sets the time after which there have been no update messages that a route is declared dead The route is marked inaccessible i e the metric set to infinite and advertised as unreachable However packets are still forwarded on this route Range 90 360 seconds Default 180 seconds Garbage Collection After the timeout...

Page 534: ...ing the entire RIP network redistribute connected routes using the Routing Protocol RIP Redistribute screen page 539 to make the RIP network a connected route To delete the RIP routes learned from neighbors but keep the RIP network intact clear RIP types from the routing table PARAMETERS These parameters are displayed in the web interface Clear Route By Type Clears entries from the RIP routing tab...

Page 535: ...IP General 2 Select Clear Route from the Action list 3 When clearing routes by type select the required type from the drop down list When clearing routes by network enter a valid network address and prefix length 4 Click Apply Figure 336 Clearing Entries from the Routing Table SPECIFYING NETWORK INTERFACES Use the Routing Protocol RIP Network Add page to specify the network interfaces that will be...

Page 536: ... comprise the network portion of the address This mask identifies the network address bits used for the associated routing entries By VLAN Adds a Layer 3 VLAN to the RIP routing process The VLAN must be configured with an IP address Range 1 4093 WEB INTERFACE To add a network interface to RIP 1 Click Routing Protocol RIP Network 2 Select Add from the Action list 3 Add an interface that will partic...

Page 537: ...cked on an interface the attached subnet will still continue to be advertised to other interfaces and updates from other routers on the specified interface will continue to be received and processed This feature can be used in conjunction with the static neighbor feature described in the next section to control the routing updates sent to specific neighbors PARAMETERS These parameters are displaye...

Page 538: ... point to point links rather than relying on broadcast or multicast messages generated by the RIP protocol This feature can be used in conjunction with the passive interface feature described in the preceding section to control the routing updates sent to specific neighbors CLI REFERENCES neighbor on page 1164 PARAMETERS These parameters are displayed in the web interface IP Address IP address of ...

Page 539: ...ected routes protocols or static routes into this autonomous system CLI REFERENCES redistribute on page 1166 PARAMETERS These parameters are displayed in the web interface Protocol The type of routes that can be imported include Connected Imports routes that are established automatically just by enabling IP on an interface Static Static routes will be imported into this routing domain OSPF Externa...

Page 540: ... count of 15 By defining a low metric of 1 traffic can follow an imported route the maximum number of hops allowed within a RIP domain However using a low metric can increase the possibility of routing loops For example this can occur if there are multiple redistribution points and the router learns about the same external network with a better metric from a redistribution point other than that de...

Page 541: ...orks according to the IP address of the router supplying the routing information For example to filter out unreliable routing information from routers not under your administrative control The administrative distance is applied to all routes learned for the specified network PARAMETERS These parameters are displayed in the web interface Distance Administrative distance for external routes External...

Page 542: ... information 4 Click Apply Figure 345 Setting the Distance Assigned to External Routes To show the distance assigned to external routes learned from other routing protocols 1 Click Routing Protocol RIP Distance 2 Select Show from the Action list Figure 346 Showing the Distance Assigned to External Routes CONFIGURING NETWORK INTERFACES FOR RIP Use the Routing Protocol RIP Distance Add page to confi...

Page 543: ...n provided by RIPv2 including subnet mask next hop and authentication information This is the default setting Use Do Not Send to passively monitor route information advertised by other routers attached to the network The Receive Version can be specified based on these options Use RIPv1 or RIPv2 if all routers in the local network are based on RIPv1 or RIPv2 respectively Use RIPv1 and RIPv2 if some...

Page 544: ...ETERS These parameters are displayed in the web interface VLAN ID Layer 3 VLAN interface This interface must be configured with an IP address and have an active link Range 1 4093 Send Version The RIP version to send on an interface RIPv1 Sends only RIPv1 packets RIPv2 Sends only RIPv2 packets RIPv1 Compatible Route information is broadcast to other routers with RIPv2 Do Not Send Does not transmit ...

Page 545: ...use the same password Range 1 16 characters case sensitive Instability Prevention Specifies the method used to reduce the convergence time when the network topology changes and to prevent RIP protocol messages from looping back to the source router Split Horizon This method never propagate routes back to an interface from which they have been acquired Poison Reverse This method propagates routes b...

Page 546: ...E SETTINGS Use the Routing Protocol RIP Statistics Show Interface Information page to display information about RIP interface configuration settings CLI REFERENCES show ip rip on page 1175 PARAMETERS These parameters are displayed in the web interface Interface Source IP address of RIP router interface Auth Type The type of authentication used for exchanging RIPv2 protocol messages Send Version Th...

Page 547: ...Peer Information page to display information on neighboring RIP routers CLI REFERENCES show ip protocols rip on page 1175 PARAMETERS These parameters are displayed in the web interface Peer Address IP address of a neighboring RIP router Update Time Last time a route update was received from this peer Version Shows whether RIPv1 or RIPv2 packets were received from this peer Rcv Bad Packets Number o...

Page 548: ...th First OSPF is more suited for large area networks which experience frequent changes in the links It also handles subnets much better than RIP OSPF protocol actively tests the status of each link to its neighbors to generate a shortest path tree and builds a routing table based on this information OSPF then utilizes IP multicast to propagate routing information A separate routing area scheme is ...

Page 549: ...ments to protocol message authentication and the addition of a point to multipoint interface which allows OSPF to run over non broadcast networks as well as support for overlapping area ranges When using OSPF you must organize your network i e autonomous system into normal stub or not so stubby areas configure the ranges of subnet addresses that can be aggregated by link state advertisements and c...

Page 550: ... connected areas and external links to other areas Use the Routing Protocol OSPF Network Area Add page to define an OSPF area and the interfaces that operate within this area An autonomous system must be configured with a backbone area designated by the area identifier 0 0 0 0 By default all other areas are created as normal transit areas Routers in a normal area may import or export routing infor...

Page 551: ...d the corresponding address range forms a routing interface and can be configured to aggregate LSAs from all of its subnetwork addresses and exchange this information with other routers in the network as described under Configuring Area Ranges Route Summarization for ABRs on page 565 If an address range overlaps other network areas the router will use the network area with the address range that m...

Page 552: ...e area that is contiguous with all the other areas in the network and configure an area for all of the other OSPF interfaces 4 Click Apply Figure 354 Defining OSPF Network Areas Based on Addresses To to show the OSPF areas and the assigned interfaces 1 Click Routing Protocol OSPF Network Area 2 Select Show from the Action list Figure 355 Showing OSPF Network Areas To to show the OSPF process ident...

Page 553: ...all routers are using the same RFC for calculating summary route costs Enable this field to force the router to calculate summary route costs using RFC 1583 Default Disabled When RFC 1583 compatibility is enabled only cost is used when choosing among multiple AS external LSAs advertising the same destination When disabled preference is based on type of path using cost only to break ties see RFC 23...

Page 554: ...routes imported from other protocols Range 0 16777214 Default 20 A default metric must be used to resolve the problem of redistributing external routes from other protocols that use incompatible metrics This default metric does not override the metric value set on the Redistribute configuration screen see page 567 When a metric value has not been configured on the Redistribute page the default met...

Page 555: ... 1 route advertisements add the internal cost to the external route metric Type 2 routes do not add the internal cost metric When comparing Type 2 routes the internal cost is only used as a tie breaker if several Type 2 routes have the same cost Default Type 2 Default External Metric8 Metric assigned to the default route Range 0 16777215 Default 20 The metric for the default external route is used...

Page 556: ...ion Parameter Description Router ID Type Indicates if the router ID was manually configured or automatically generated by the system Rx LSAs The number of link state advertisements that have been received Originate LSAs The number of new link state advertisements that have been originated AS LSA Count The number of autonomous system LSAs in the link state database External LSA Count The number of ...

Page 557: ...ntaining a separate routing database for each area ASBR Status Autonomous System Boundary Router Indicates if this router exchanges routing information with boundary routers in other autonomous systems to which it may be attached If a router is enabled as an ASBR then every other router in the autonomous system can learn about external routes from this device Restart Status Indicates if the OSPF p...

Page 558: ...ng Protocol OSPF Network Area Add page Range 1 65535 Area ID Identifier for a not so stubby area NSSA or stub The area ID can be in the form of an IPv4 address or as a four octet unsigned integer ranging from 0 4294967295 Set the area ID to the same value for all routers on a network segment using the network mask to add one or more interfaces to an area Area Type Specifies an NSSA or stub WEB INT...

Page 559: ...ough an ABR An NSSA is similar to a stub It blocks most external routing information and can be configured to advertise a single default route for traffic passing between the NSSA and other areas within the autonomous system AS when the router is an ABR An NSSA can also import external routes from one or more small routing domains that are not part of the AS such as a RIP domain or locally configu...

Page 560: ... into its own area and then leaked to adjacent areas Routes that can be advertised with NSSA external LSAs include network destinations outside the AS learned through OSPF the default route static routes routes derived from other routing protocols such as RIP or directly connected networks that are not running OSPF An NSSA can be used to simplify administration when connecting a central site using...

Page 561: ...is an ASBR it can import a default external AS route for routing protocol domains adjacent to the NSSA but not within the OSPF AS into the NSSA using this option Metric Type Type 1 or Type 2 external routes When using Type 2 routers do not add internal cost to the external route metric Default Type 2 Metric Metric assigned to Type 7 default LSAs Range 1 16777214 Default 1 Default Cost Cost for the...

Page 562: ...an significantly reduce the amount of topology data that has to be exchanged over the network Figure 364 OSPF Stub Area By default a stub can only pass traffic to other areas in the autonomous system through the default external route However an area border router can also be configured to send Type 3 summary link advertisements into the stub about subnetworks located elsewhere in the autonomous s...

Page 563: ...the attached stub Summary Controls the use of summary routes Summary Allows an Area Border Router ABR to send a summary link advertisement into the stub area No Summary Stops an ABR from sending a summary link advertisement into a stub area Routing table space is saved in a stub by blocking Type 4 AS summary LSAs and Type 5 external LSAs This option can be used to completely isolate the stub by al...

Page 564: ...tion screen see page 550 Area ID Identifier for a not so stubby area NSSA or stub SPF Runs The number of times the Shortest Path First algorithm has been run for this area ABR Count The number of Area Border Routers attached to this area ASBR Count The number of Autonomous System Boundary Routers attached to this area LSA Count The number of new link state advertisements that have been originated ...

Page 565: ...igure 367 Route Summarization for ABRs CLI REFERENCES router ospf on page 1178 area range on page 1184 COMMAND USAGE Use the Area Range configuration page to summarize intra area routes and advertise this information to other areas through Area Border Routers ABRs The summary route for an area is defined by an IP address and network mask You therefore need to structure each area with a contiguous ...

Page 566: ...g Indicates whether or not to advertise the summary route If the routes are set to be advertised the router will issue a Type 3 summary LSA for each specified address range If the summary is not advertised the specified routes remain hidden from the rest of the network Default Advertise WEB INTERFACE To configure a route summary for an area range 1 Click Routing Protocol OSPF Area Range 2 Select A...

Page 567: ...uter supports redistribution for all currently connected routes entries learned through RIP and static routes When you redistribute external routes into an OSPF autonomous system AS the router automatically becomes an autonomous system boundary router ASBR However if the router has been configured as an ASBR via the General Configuration screen but redistribution is not enabled the router will onl...

Page 568: ...Metric assigned to all external routes for the specified protocol Range 1 65535 Default 10 The metric value specified for redistributed routes supersedes the Default External Metric specified in the Routing Protocol OSPF System screen page 553 Tag A tag placed in the AS external LSA to identify a specific external routing domain or to pass additional information between routers Range 0 4294967295 ...

Page 569: ...e each route individually in an external LSA as described in the preceding section The reduce the number of protocol messages required to redistribute these external routes an Autonomous System Boundary Router ASBR can instead be configured to redistribute routes learned from other protocols into all attached autonomous systems To reduce the amount of external LSAs sent to other autonomous systems...

Page 570: ... for advertising into the local domain To summarize routes sent between OSPF areas use the Area Range Configuration screen page 565 This router supports up 20 Type 5 summary routes PARAMETERS These parameters are displayed in the web interface Process ID Process ID as configured in the Network Area configuration screen see page 550 IP Address Summary address covering a range of addresses Netmask N...

Page 571: ... page to assign an interface address range to an OSPF area After assigning a routing interface to an OSPF area use the Routing Protocol OSPF Interface Configure by VLAN or Configure by Address page to configure the interface specific parameters used by OSPF to set the cost used to select preferred paths select the designated router control the timing of link state advertisements and specify the me...

Page 572: ...to zero to prevent a router from being elected as a DR or BDR If set to any value other than zero the router with the highest priority becomes the DR and the router with the next highest priority becomes the BDR If two or more routers are set to the same highest priority the router with the higher ID will be elected If a DR already exists for an area when this interface comes up the new router wil...

Page 573: ... the round trip delay between any two routers on the attached network to avoid unnecessary retransmissions Authentication Type Specifies the authentication type used for an interface Options None Simple MD5 Default None Use authentication to prevent routers from inadvertently joining an unauthorized area Configure routers in the same area with the same password or key All neighboring routers on th...

Page 574: ...thenticate incoming packets Neighbor routers must use the same key identifier and key value When changing to a new key the router will send multiple copies of all protocol messages one with the old key and another with the new key Once all the neighboring routers start sending protocol messages back to this router with the new key the router will stop using the old key This rollover process gives ...

Page 575: ...g Settings for All Interfaces Assigned to a VLAN To configure interface settings for a specific area assigned to a VLAN 1 Click Routing Protocol OSPF Interface 2 Select Configure by Address from the Action list 3 Specify the VLAN ID enter the address assigned to an area and configure the required interface settings 4 Click Apply ...

Page 576: ...ed to a VLAN To show the configuration settings for OSPF interfaces 1 Click Routing Protocol OSPF Interface 2 Select Show from the Action list 3 Select the VLAN ID Figure 377 Showing OSPF Interfaces To show the MD5 authentication keys configured for an interface 1 Click Routing Protocol OSPF Interface 2 Select Show MD5 Key from the Action list 3 Select the VLAN ID ...

Page 577: ...e non backbone area i e transit area to reach the backbone To define this path you must configure an ABR that serves as an endpoint connecting the isolated area to the common transit area and specify a neighboring ABR at the other endpoint connecting the common transit area to the backbone itself Note that you cannot configure a virtual link that runs through a stub or NSSA Figure 379 OSPF Virtual...

Page 578: ... screen see page 550 Area ID Identifies the transit area for the virtual link The area ID must be in the form of an IPv4 address or also as a four octet unsigned integer ranging from 0 4294967295 Neighbor Router ID of the virtual link neighbor This specifies the Area Border Router ABR at the other end of the virtual link To create a virtual link it must be configured for an ABR at both ends of the...

Page 579: ...detailed settings for a virtual link 1 Click Routing Protocol OSPF Virtual Link 2 Select Configure Detailed Settings from the Action list 3 Specify the process ID then modify the protocol timers and authentication settings as required 4 Click Apply Figure 382 Configuring Detailed Settings for a Virtual Link To show the MD5 authentication keys configured for a virtual link 1 Click Routing Protocol ...

Page 580: ...synchronized with neighboring routers through a process called reliable flooding You can show information about different LSAs stored in this router s database which may include any of the following types Router Type 1 All routers in an OSPF area originate Router LSAs that describe the state and cost of its active interfaces and neighbors Network Type 2 The designated router for each area originat...

Page 581: ...rmation is to be displayed Link ID Network portion described by an LSA The Link ID is either An IP network number for Type 3 Summary and Type 5 AS External LSAs When an Type 5 AS External LSA is describing a default route its Link ID is set to the default destination 0 0 0 0 A Router ID for Router Network and Type 4 AS Summary LSAs Adv Router IP address of the advertising router Age Age of LSA in ...

Page 582: ...he Routing Protocol OSPF Information Neighbor page to display information about neighboring routers on each interface CLI REFERENCES show ip ospf neighbor on page 1215 PARAMETERS These parameters are displayed in the web interface Process ID Process ID as configured in the Network Area configuration screen see page 550 ID Neighbor s router ID Priority Neighbor s router priority State OSPF state an...

Page 583: ...atabase descriptions being exchanged Loading LSA databases being exchanged Full Neighboring routers now fully adjacent Identification flags include D Dynamic neighbor S Static neighbor DR Designated router BDR Backup designated router Address IP address of this interface Interface A Layer 3 interface on which OSPF has been enabled WEB INTERFACE To display information about neighboring routers stor...

Page 584: ...CHAPTER 21 Unicast Routing Configuring the Open Shortest Path First Protocol Version 2 584 ES 4500G Series ...

Page 585: ...PIM DM is designed for networks where the probability of multicast group members is high such as a local network PIM SM is designed for networks where the probability of multicast group members is low such as the Internet Also note that if PIM is not enabled on this router or another multicast routing protocol is used on the network the switch ports attached to a multicast router can be manually c...

Page 586: ... can use a Reverse Path Tree RPT that channels the multicast traffic from each source through a single Rendezvous Point RP within the local PIM SM domain and then forwards this traffic to the Designated Router DR in the local network segment to which the host is attached However when the multicast load from a particular source is heavy enough to justify it PIM SM can be configured to construct a S...

Page 587: ...ed by routers along the RP Tree are replicated wherever the RP Tree branches and eventually reach all the receivers for that multicast group Because all routers along the shared tree are using PIM SM the multicast flow is confined to the shared tree Also note that more than one flow can be carried over the same shared tree but only one RP is responsible for each flow Shortest Path Tree SPT When us...

Page 588: ...IPv4 on page 592 or PIM DM for IPv6 on page 608 Note that only one IPv4 multicast routing protocol PIM DM or PIM SM can be enabled on any given interface but both PIMv4 and PIMv6 can be enabled on the same interface ENABLING MULTICAST ROUTING GLOBALLY Use the Multicast Multicast Routing General page to enable IP multicast routing globally on the switch CLI REFERENCES ip multicast routing on page 1...

Page 589: ...ce Source Address Subnetwork containing the IP multicast source Source Mask Network mask for the IP multicast source Note that the switch cannot detect the source mask and therefore displays 255 255 255 255 in this field Interface Upstream interface leading to the upstream neighbor PIM creates a multicast routing tree based on the unicast routing table If the related unicast routing table does not...

Page 590: ...ed Register flag This device is registering for a multicast source RPT bit set The S G entry is pointing to the Rendezvous Point RP which normally indicates a pruned state along the shared tree for a particular source SPT bit set Multicast packets have been received from a source on shortest path tree Join SPT The rate of traffic arriving over the shared tree has exceeded the SPT threshold for thi...

Page 591: ... routing table 1 Click Multicast Multicast Routing Information 2 Select Show Summary from the Action List Figure 387 Displaying the Multicast Routing Table To display detailed information on a specific flow in multicast routing table 1 Click Multicast Multicast Routing Information 2 Select Show Details from the Action List 3 Select a Group Address 4 Select a Source Address Figure 388 Displaying De...

Page 592: ...es necessary to the multicast protocol parameters To use PIM multicast routing must be enabled on the switch see Enabling Multicast Routing Globally on page 588 WEB INTERFACE To enable PIM multicast routing 1 Click Routing Protocol PIM General 2 Enable PIM Routing Protocol 3 Click Apply Figure 389 Enabling PIM Multicast Routing CONFIGURING PIM INTERFACE SETTINGS Use the Routing Protocol PIM Interf...

Page 593: ...essage is received from a downstream router or if group members are directly connected to the interface When routers want to receive a multicast flow they periodically send join messages to the RP and are subsequently added to the shared path for the specified flow back up to the RP If routers want to join the source path up through the SPT they periodically send join messages toward the source Th...

Page 594: ...ream The prune state is maintained until the join prune holdtime timer expires or a graft message is received for the forwarding entry PIM SM The multicast interface that first receives a multicast stream from a particular source forwards this traffic only to those interfaces on the router that have requests to join this group When there are no longer any requesting groups on that interface the le...

Page 595: ...st starts or PIM is enabled on an interface the hello delay is set to random value between 0 and the trigger hello delay This prevents synchronization of Hello messages on multi access links if multiple routers are powered on simultaneously Also if a Hello message is received from a new neighbor the receiving router will send its own Hello message after a random delay between 0 and the trigger hel...

Page 596: ...ve as the DR If a router does not advertise a priority in its hello messages it is assumed to have the highest priority and is elected as the DR If more than one router is not advertising its priority then the router with the highest IP address is elected to serve as the DR Join Prune Interval Sets the interval at which join prune messages are sent Range 1 65535 seconds Default 60 seconds By defau...

Page 597: ...CHAPTER 22 Multicast Routing Configuring PIM for IPv4 597 ES 4500G Series Figure 390 Configuring PIM Interface Settings Dense Mode Figure 391 Configuring PIM Interface Settings Sparse Mode ...

Page 598: ...figure Global page to configure the rate at which register messages are sent the source of register messages and switchover to the Shortest Path Tree SPT CLI REFERENCES IPv4 PIM Commands on page 1253 PARAMETERS These parameters are displayed in the web interface Register Rate Limit Configures the rate at which register messages are sent by the Designated Router DR for each source group entry Range...

Page 599: ...uter uses the RP to forward only the first packet from a new multicast group to its receivers Afterwards it calculates the shortest path tree SPT directly between the receiver and source and then uses the SPT to send all subsequent packets from the source to the receiver instead of using the shared tree Note that when the SPT threshold is not set by this command the PIM leaf router will join the s...

Page 600: ...inue to be the BSR until it receives a bootstrap message from another candidate with a higher priority or a higher IP address if the priorities are the same To improve failover recovery it is advisable to select at least two core routers in diverse locations each to serve as both a candidate BSR and candidate RP It is also preferable to set up one of these routers as both the primary BSR and RP PA...

Page 601: ...NTERFACE To configure the switch as a BSR candidate 1 Click Multicast Multicast Routing SM 2 Select BSR Candidate from the Step list 3 Specify the VLAN interface for which this router is bidding to become the BSR the hash mask length that will subsequently be used for RP selection if this router is selected as the BSR and the priority for BSR selection 4 Click Apply Figure 394 Configuring a BSR Ca...

Page 602: ...s chosen over the one statically configured All routers within the same PIM SM domain must be configured with the same RP s Selecting an RP through the dynamic election process is therefore preferable for most situations Using the dynamic RP election process also allows a backup RP to automatically take over if the active RP router becomes unavailable PARAMETERS These parameters are displayed in t...

Page 603: ... CLI REFERENCES ip pim rp candidate on page 1268 COMMAND USAGE When this router is configured as an RP candidate it periodically sends PIMv2 messages to the BSR advertising itself as a candidate RP for the specified group addresses The IP address of the designated VLAN is sent as the candidate s RP address The BSR places information about all of the candidate RPs in subsequent bootstrap messages T...

Page 604: ... primary BSR and RP PARAMETERS These parameters are displayed in the web interface VLAN Identifier of configured VLAN interface Range 1 4093 Interval The interval at which this device advertises itself as an RP candidate Range 60 16383 seconds Default 60 seconds Priority Priority used by the candidate RP in the election process The RP candidate with the largest priority is preferred If the priorit...

Page 605: ...on list 4 Select an interface from the VLAN list Figure 398 Showing Settings for an RP Candidate DISPLAYING THE BSR ROUTER Use the Routing Protocol PIM SM Show Information Show BSR Router page to display Information about the bootstrap router BSR CLI REFERENCES show ip pim bsr router on page 1273 PARAMETERS These parameters are displayed in the web interface IP Address IP address of interface conf...

Page 606: ...s giving the new BSR s identity and the RP set Accept Preferred The router knows the identity of the current BSR and is using the RP set provided by that BSR Only bootstrap messages from that BSR or from a C BSR with higher weight than the current BSR will be accepted Candidate BSR Bidding in election process Pending BSR The router is a candidate to be the BSR for the RP set Currently no other rou...

Page 607: ...re displayed in the web interface Groups A multicast group address RP Address IP address of the RP for the listed multicast group Information Source RP that advertised the mapping how the RP was selected Static or Bootstrap and the priority used in the bidding process Uptime The time this RP has been up and running Expire The time before this entry will be removed WEB INTERFACE To display the RPs ...

Page 608: ... globally on the router You also need to enable PIM DM for each interface that will support multicast routing see page 609 and make any changes necessary to the multicast protocol parameters To use PIMv6 multicast routing must be enabled on the switch see Enabling Multicast Routing Globally on page 588 To use multicast routing MLD proxy can not enabled on any interface of the device see MLD Proxy ...

Page 609: ...o when MLD proxy is enabled on an interface PIMv6 cannot be enabled on any interface PARAMETERS These parameters are displayed in the web interface VLAN Layer 3 VLAN interface Range 1 4093 Mode PIMv6 routing mode Options Dense None IPv6 Address IPv6 link local address assigned to the selected VLAN Hello Holdtime Sets the interval to wait for hello messages from a neighboring PIM router before decl...

Page 610: ...cast stream The protocol maintains both the current join state and the pending RPT prune state for this source group pair until the join prune interval timer expires LAN Prune Delay Causes this device to inform downstream routers of how long it will wait before pruning a flow after receiving a prune request Default Disabled When other downstream routers on the same VLAN are notified that this upst...

Page 611: ...elay between 0 and the trigger hello delay Graft Retry Interval The time to wait for a Graft acknowledgement before resending a Graft message Range 1 10 seconds Default 3 seconds A graft message is sent by a router to cancel a prune state When a router receives a graft message it must respond with an graft acknowledgement message If this acknowledgement message is lost the router that sent the gra...

Page 612: ...uring PIMv6 Interface Settings Dense Mode DISPLAYING NEIGHBOR INFORMATION Use the Routing Protocol PIM6 Neighbor page to display all neighboring PIMv6 routers CLI REFERENCES show ip pim neighbor on page 1262 PARAMETERS These parameters are displayed in the web interface Address IP address of the next hop router VLAN VLAN that is attached to this neighbor Uptime The duration this entry has been act...

Page 613: ...CHAPTER 22 Multicast Routing Configuring PIMv6 for IPv6 613 ES 4500G Series WEB INTERFACE To display neighboring PIMv6 routers 1 Click Routing Protocol PIM6 Neighbor Figure 403 Showing PIMv6 Neighbors ...

Page 614: ...CHAPTER 22 Multicast Routing Configuring PIMv6 for IPv6 614 ES 4500G Series ...

Page 615: ...n page 637 SNMP Commands on page 683 Remote Monitoring Commands on page 703 Flow Sampling Commands on page 711 Authentication Commands on page 717 General Security Measures on page 767 Access Control Lists on page 813 Interface Commands on page 835 Link Aggregation Commands on page 855 Port Mirroring Commands on page 865 Rate Limit Commands on page 869 Automatic Traffic Control Commands on page 87...

Page 616: ...959 Quality of Service Commands on page 973 Multicast Filtering Commands on page 989 LLDP Commands on page 1049 Domain Name Service Commands on page 1067 DHCP Commands on page 1077 VRRP Commands on page 1095 IP Interface Commands on page 1105 IP Routing Commands on page 1151 Multicast Routing Commands on page 1245 ...

Page 617: ...ough the console port perform these steps 1 At the console prompt enter the user name and password The default user names are admin and guest with corresponding passwords of admin and guest When the administrator user name and password is entered the CLI displays the Console prompt and enters privileged access mode i e Privileged Exec But when the guest user name and password is entered the CLI di...

Page 618: ...ay 10 1 0 254 Console config If your corporate network is connected to another network outside your office or to the Internet you need to apply for a registered IP address However if you are attached to an isolated network then you can use any IP address that matches the network segment to which you are attached After you configure the switch with an IP address you can open a Telnet session by per...

Page 619: ...nds enter each command in the required order For example to enable Privileged Exec command mode and display the startup configuration enter Console enable Console show startup config To enter commands that require parameters enter the required parameters after the command keyword For example to set a password for the administrator enter Console config username admin password 0 smith MINIMUM ABBREV...

Page 620: ...el dot1x 802 1X content garp GARP properties gvrp GVRP interface information history Shows history information hosts Host information interfaces Shows interface information ip IP information ipv6 IPv6 information lacp LACP statistics line TTY line information lldp LLDP log Log records logging Logging setting loop Shows the information of loopback mac MAC access list mac address table Configuration...

Page 621: ...ceiver Interface of transceiver information Console Show commands which display more than one page of information e g show running config pause and require you to press the Space bar to continue displaying one more page the Enter key to display one more line or the a key to display the rest of the information without stopping You can press any other key to terminate the display PARTIAL KEYWORD LOO...

Page 622: ... current mode The command classes and associated modes are displayed in the following table EXEC COMMANDS When you open a new console session on the switch with the user name and password guest the system enters the Normal Exec command mode or guest mode displaying the Console command prompt Only a limited number of the commands are available in this mode You can access all commands only from the ...

Page 623: ...ed To store the running configuration in non volatile storage use the copy running config startup config command The configuration commands are organized into different modes Global Configuration These commands modify the system level configuration and include commands such as hostname and snmp server community Access Control List Configuration These commands are used for packet filtering Class Ma...

Page 624: ...onfiguration prompt type one of the following commands Use the exit or end command to return to the Privileged Exec mode Table 35 Configuration Command Modes Mode Command Prompt Page Access Control List access list arp access list ip standard access list ip extended access list mac access list ipv6 standard access list ipv6 extended Console config arp acl Console config std acl Console config ext ...

Page 625: ...ystrokes for command line processing Table 36 Keystroke Commands Keystroke Function Ctrl A Shifts cursor to start of command line Ctrl B Shifts cursor to the left one character Ctrl C Terminates the current task and displays the command prompt Ctrl E Shifts cursor to end of command line Ctrl F Shifts cursor to the right one character Ctrl K Deletes all characters from the cursor to the end of the ...

Page 626: ... by configuring valid static or dynamic addresses web authentication MAC address authentication filtering DHCP requests and replies and discarding invalid ARP responses 767 Access Control List Provides filtering for IPv4 frames based on address protocol TCP UDP port number or TCP control code IPv6 frames based on address DSCP traffic class next header or flow label or non IP frames based on MAC ad...

Page 627: ... 959 Quality of Service Configures Differentiated Services 973 Multicast Filtering Configures IGMP multicast filtering query profile and proxy parameters specifies ports attached to a multicast router also configures multicast VLAN registration 989 Link Layer Discovery Protocol Configures LLDP settings to enable information discovery about neighbor devices 1049 Domain Name Service Configures DNS s...

Page 628: ...CHAPTER 23 Using the Command Line Interface CLI Command Groups 628 ES 4500G Series ...

Page 629: ...load Restarts the system at a specified time after a specified delay or at a periodic interval GC enable Activates privileged mode NE quit Exits a CLI session NE PE show history Shows the command history buffer NE PE configure Activates global configuration mode PE disable Returns to normal mode from privileged mode PE reload Restarts the system immediately PE show reload Displays the current relo...

Page 630: ...hour at which to reload Range 0 23 minute The minute at which to reload Range 0 59 month The month at which to reload january december day The day of the month at which to reload Range 1 31 year The year at which to reload Range 2001 2050 reload in An interval after which to reload the switch hours The number of hours combined with the minutes before the switch resets Range 0 576 minutes The numbe...

Page 631: ...3 2007 Are you sure to reboot the system at the specified time y n enable This command activates Privileged Exec mode In privileged mode additional commands are available and certain commands display additional information See Understanding Command Modes on page 622 SYNTAX enable level level Privilege level to log into the device The device has two predefined privilege levels 0 Normal Exec 15 Priv...

Page 632: ...ivileged Exec COMMAND USAGE The quit and exit commands can both exit the configuration program EXAMPLE This example shows how to quit a CLI session Console quit Press ENTER to start session User Access Verification Username show history This command shows the contents of the command history buffer DEFAULT SETTING None COMMAND MODE Normal Exec Privileged Exec COMMAND USAGE The history buffer size i...

Page 633: ...mmand history buffer when you are in any of the configuration modes In this example the 2 command repeats the second command in the Execution history buffer config Console 2 Console config Console config configure This command activates Global Configuration mode You must enter this mode to modify any settings on the switch You must also enter Global Configuration mode prior to enabling some of the...

Page 634: ...is appended to the end of the prompt to indicate that the system is in normal access mode EXAMPLE Console disable Console RELATED COMMANDS enable 631 reload Privileged Exec This command restarts the system NOTE When the system is restarted it will always run the Power On Self Test It will also retain all configuration information stored in non volatile memory by the copy running config startup con...

Page 635: ... Time 0 days 0 hours 29 minutes 52 seconds Console end This command returns to Privileged Exec mode DEFAULT SETTING None COMMAND MODE Global Configuration Interface Configuration Line Configuration VLAN Database Configuration and Multiple Spanning Tree Configuration EXAMPLE This example shows how to return to the Privileged Exec mode from the Interface Configuration mode Console config if end Cons...

Page 636: ...0G Series EXAMPLE This example shows how to return to the Privileged Exec mode from the Global Configuration mode and then quit the CLI session Console config exit Console exit Press ENTER to start session User Access Verification Username ...

Page 637: ...orces fans to full speed Frame Size Enables support for jumbo frames File Management Manages code image or switch configuration files Line Sets communication parameters for the serial port including baud rate and console time out Event Logging Controls logging of error messages SMTP Alerts Configures SMTP email alerts Time System Clock Sets the system clock automatically via NTP SNTP server or man...

Page 638: ...me RD 1 Console config switch all renumber This command resets the switch unit identification numbers in the stack All stack members are numbered sequentially starting from the top unit for a non loop stack or starting from the Master unit for a looped stack SYNTAX switch all renumber DEFAULT SETTING For non loop stacking the top unit is unit 1 For loop stacking the master unit is unit 1 COMMAND M...

Page 639: ...em will also use two PCEs EXAMPLE Console show access list tcam utilization Total Policy Control Entries 512 Free Policy Control Entries 508 TCAM Utilization 0 78 Console Table 41 System Status Commands Command Function Mode show access list tcam utilization Shows utilization parameters for TCAM PE show memory Shows memory utilization parameters NE PE show process cpu Shows CPU utilization paramet...

Page 640: ...Status Bytes Free 134946816 Used 133488640 Total 268435456 Console show process cpu This command shows the CPU utilization parameters COMMAND MODE Normal Exec Privileged Exec EXAMPLE Console show process cpu CPU Utilization in the past 5 seconds 3 98 Console show running config This command displays the configuration information currently in use SYNTAX show running config interface interface inter...

Page 641: ...ettings Interface settings Any configured settings for the console port and Telnet EXAMPLE Console show running config Building running configuration Please wait stackingDB 0000000000000000 stackingDB stackingMac 01_00 00 e8 93 82 a0_01 stackingMac stackingMac 00_00 00 00 00 00 00_00 stackingMac stackingMac 00_00 00 00 00 00 00_00 stackingMac stackingMac 00_00 00 00 00 00 00_00 stackingMac stackin...

Page 642: ...njunction with the show running config command to compare the information in running memory to the information stored in non volatile memory This command displays settings for key command modes Each mode group is separated by symbols and includes the configuration mode command and corresponding commands This command displays the following information MAC address for each switch in the stack SNMP c...

Page 643: ...s near the air flow intake vents on both models The second detector is near the switch ASIC on the ES 4526G and near the physical layer ASIC on the ES 4550G No information will be displayed under POST Result unless there is a problem with the unit If any POST test indicates FAIL contact your distributor for assistance EXAMPLE Console show system System Description ES 4526G Managed L3 Stackable Swi...

Page 644: ...n program EXAMPLE Console show tech support show system System Description ES 4526G Managed L3 Stackable Switch System OID String 1 3 6 1 4 1 572 17389 302 System Information System Up Time 0 days 2 hours 17 minutes and 6 23 seconds System Name NONE System Location NONE System Contact NONE MAC Address Unit1 00 12 CF 61 24 2F Web Server Enabled Web Server Port 80 Web Secure Server Enabled Web Secur...

Page 645: ...in 0 01 24 192 168 0 61 Console show version This command displays hardware and software version information for the system COMMAND MODE Normal Exec Privileged Exec COMMAND USAGE See Displaying Switch Hardware Software Versions on page 109 for detailed information on the items displayed by this command EXAMPLE Console show version Unit 1 Serial Number S123456 Hardware Version R0A EPLD Version 1 06...

Page 646: ... overhead required to process protocol encapsulation fields To use jumbo frames both the source and destination end nodes such as a computer or server must support this feature Also when the connection is operating at full duplex all switches in the network between the two end nodes must be able to accept the extended frame size And for half duplex connections all devices in the collision domain w...

Page 647: ...ing Firmware Firmware can be uploaded and downloaded to or from an FTP TFTP server By saving runtime code to a file on an FTP TFTP server that file can later be downloaded to the switch to restore operation The switch can also be set to use new firmware without overwriting the previous version When downloading runtime code the destination file name can be specified to replace the current image or ...

Page 648: ...or image used to start up the system SYNTAX boot system unit boot rom config opcode filename unit Stack unit Range 1 8 boot rom Boot ROM config Configuration file opcode Run time operation code filename Name of configuration file or code image DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE A colon is required after the specified unit number and file type If the file contains ...

Page 649: ...ows you to copy to from a file ftp Keyword that allows you to copy to from an FTP server https certificate Keyword that allows you to copy the HTTPS secure site certificate public key Keyword that allows you to copy a SSH key from a TFTP server See Secure Shell on page 744 running config Keyword that allows you to copy to from the current running configuration startup config The configuration used...

Page 650: ...acing the Default Secure site Certificate on page 298 For information on configuring the switch to use HTTPS for a secure connection see the ip http secure server command When logging into an FTP server the interface prompts for a user name and password configured on the remote server Note that anonymous is set as the default user name EXAMPLE The following example shows how to download new firmwa...

Page 651: ...nsole This example shows how to copy a secure site certificate from an TFTP server It then reboots the switch to activate the certificate Console copy tftp https certificate TFTP server ip address 10 1 0 19 Source certificate file name SS certificate Source private file name SS private Private password Success Console reload System will be restarted continue y n y This example shows how to copy a ...

Page 652: ...d deletes a file or image SYNTAX delete unit filename unit Stack unit Range 1 8 filename Name of configuration file or code image DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE If the file type is used for system startup then this file cannot be deleted Factory_Default_Config cfg cannot be deleted A colon is required after the specified unit number EXAMPLE This example shows how t...

Page 653: ...plays all files A colon is required after the specified unit number and file type File information is shown below EXAMPLE The following example shows how to display all file information Console dir File Name Type Startup Modify Time Size bytes Unit 1 ES4526G 50G_V1 2 2 0 bix OpCode Y 2010 12 20 03 12 19 14905940 Factory_Default_Config cfg Config N 2009 10 12 12 02 08 455 startup1 cfg Config Y 2010...

Page 654: ...guration program by attaching a VT100 compatible device to the server s serial port These commands are used to set communication parameters for the serial port or Telnet i e a virtual terminal Table 46 Line Commands Command Function Mode line Identifies a specific line for configuration and starts the line configuration mode GC accounting exec Applies an accounting method to local console Telnet o...

Page 655: ...le line mode enter the following command Console config line console Console config line RELATED COMMANDS show line 663 show users 644 password thresh Sets the password intrusion threshold which limits the number of failed logon attempts LC silent time Sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the pas...

Page 656: ...h bit on input from devices that generate 7 data bits with parity If parity is being generated specify 7 data bits per character If no parity is required specify 8 data bits per character EXAMPLE To specify 7 data bits enter this command Console config line databits 7 Console config line RELATED COMMANDS parity 658 exec timeout This command sets the interval that the system waits until user input ...

Page 657: ...no login local Selects local password checking Authentication is based on the user name specified with the username command DEFAULT SETTING login local COMMAND MODE Line Configuration COMMAND USAGE There are three authentication modes provided by the switch itself at login login selects authentication by a single global password as specified by the password line configuration command When using th...

Page 658: ...line RELATED COMMANDS username 719 password 659 parity This command defines the generation of a parity bit Use the no form to restore the default setting SYNTAX parity none even odd no parity none No parity even Even parity odd Odd parity DEFAULT SETTING No parity COMMAND MODE Line Configuration COMMAND USAGE Communication protocols provided by devices such as terminals and modems often require a ...

Page 659: ... protection the system prompts for the password If you enter the correct password the system shows a prompt You can use the password thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state The encrypted password is required for compatibility with legacy password settings i e plain t...

Page 660: ...ime before allowing the next logon attempt Use the silent time command to set this interval When this threshold is reached for Telnet the Telnet logon interface shuts down EXAMPLE To set the password threshold to five attempts enter this command Console config line password thresh 5 Console config line RELATED COMMANDS silent time 660 silent time This command sets the amount of time the management...

Page 661: ...ceive from terminal speeds Use the no form to restore the default setting SYNTAX speed bps no speed bps Baud rate in bits per second Options 9600 19200 38400 57600 115200 bps DEFAULT SETTING 115200 bps COMMAND MODE Line Configuration COMMAND USAGE Set the speed to match the baud rate of the device connected to the serial port Some baud rates available on devices connected to the port might not be ...

Page 662: ... login response This command sets the interval that the system waits for a user to log into the CLI Use the no form to restore the default setting SYNTAX timeout login response seconds no timeout login response seconds Integer that specifies the timeout interval Range 0 300 seconds 0 disabled DEFAULT SETTING CLI Disabled 0 seconds Telnet 300 seconds COMMAND MODE Line Configuration COMMAND USAGE If...

Page 663: ...er for an SSH Telnet or console connection Range 0 4 COMMAND MODE Privileged Exec COMMAND USAGE Specifying session identifier 0 will disconnect the console connection Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection EXAMPLE Console disconnect 1 Console RELATED COMMANDS show ssh 753 show users 644 show line This command displays the terminal line s ...

Page 664: ...is section describes commands used to configure event logging on the switch Table 47 Event Logging Commands Command Function Mode logging facility Sets the facility type for remote logging of syslog messages GC logging history Limits syslog messages saved to switch memory based on severity GC logging host Adds a syslog server host IP address that will receive logging messages GC logging on Control...

Page 665: ...e used by the syslog server to sort messages or to store messages in the corresponding database EXAMPLE Console config logging facility 19 Console config logging history This command limits syslog messages saved to switch memory based on severity The no form returns the logging of syslog messages to the default level SYNTAX logging history flash ram level no logging history flash ram flash Event h...

Page 666: ...form to remove a syslog server host SYNTAX no logging host host ip address host ip address The IPv4 or IPv6 address of a syslog server DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE Use this command more than once to build up a list of host IP addresses The maximum number of host IP addresses allowed is five 4 warnings Warning conditions e g return false unexpected return 3 e...

Page 667: ...type of error messages that are stored in memory You can use the logging trap command to control the type of error messages that are sent to specified syslog servers EXAMPLE Console config logging on Console config RELATED COMMANDS logging history 665 logging trap 667 clear log 668 logging trap This command enables the logging of system messages to a remote server or limits the syslog messages sav...

Page 668: ...ecified level also enables remote logging but restores the minimum severity level to the default EXAMPLE Console config logging trap 4 Console config clear log This command clears messages from the log buffer SYNTAX clear log flash ram flash Event history stored in flash memory i e permanent memory ram Event history stored in temporary RAM i e memory flushed on power reset DEFAULT SETTING Flash an...

Page 669: ...level 6 module 5 function 1 and event no 1 0 00 01 30 2001 01 01 Unit 1 Port 1 link up notification level 6 module 5 function 1 and event no 1 Console show logging This command displays the configuration settings for logging messages to local switch memory to an SMTP event handler or to a remote syslog server SYNTAX show logging flash ram sendmail trap flash Displays settings for storing event mes...

Page 670: ... Log Server IP Address 0 0 0 0 Console RELATED COMMANDS show logging sendmail 674 Table 49 show logging flash ram display description Field Description Syslog logging Shows if system logging has been enabled via the logging on command History logging in FLASH The message level s reported based on the logging history command History logging in RAM The message level s reported based on the logging h...

Page 671: ...servers that will be sent alert messages Use the no form to remove an SMTP server SYNTAX no logging sendmail host ip address ip address IP address of an SMTP server that will be sent alert messages for event handling DEFAULT SETTING None Table 51 Event Logging Commands Command Function Mode logging sendmail Enables SMTP event handling GC logging sendmail host SMTP servers to receive alert messages...

Page 672: ...mail again If it still fails the system will repeat the process at a periodic interval A trap will be triggered if the switch cannot successfully open a connection EXAMPLE Console config logging sendmail host 192 168 1 19 Console config logging sendmail level This command sets the severity threshold used to trigger alert messages Use the no form to restore the default setting SYNTAX logging sendma...

Page 673: ...1 characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE You can specify up to five recipients for alert messages However you must enter a separate command to specify each recipient EXAMPLE Console config logging sendmail destination email ted this company com Console config logging sendmail source email This command sets the email address used for the From field in alert ...

Page 674: ...email addresses 1 ted this company com SMTP Source E mail Address bill this company com SMTP Status Enabled Console TIME The system clock can be dynamically set by polling a set of specified time servers NTP or SNTP Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries If the clock is not set the switch will only record the time fr...

Page 675: ...client time requests to time servers specified via the sntp server command It issues time synchronization requests based on the interval set via the sntp poll command EXAMPLE Console config sntp server 10 1 0 19 Console config sntp poll 60 Console config sntp client Console config end Console show sntp Current Time Dec 23 02 52 44 2002 Poll Interval 60 Current Mode unicast SNTP Status Enabled SNTP...

Page 676: ... to which SNTP time requests are issued Use the this command with no arguments to clear all time servers from the current list Use the no form to clear all time servers from the current list or to clear a specific server SYNTAX sntp server ip1 ip2 ip3 no sntp server ip1 ip2 ip3 ip IPv4 or IPv6 address of an time server NTP or SNTP Range 1 3 addresses DEFAULT SETTING None COMMAND MODE Global Config...

Page 677: ... requests and the current SNTP mode i e unicast EXAMPLE Console show sntp Current Time Nov 5 18 51 22 2006 Poll Interval 16 seconds Current Mode Unicast SNTP Status Enabled SNTP Server 137 92 140 80 137 92 140 81 Console clock timezone This command sets the time zone for the switch s internal clock SYNTAX clock timezone name hour hours minute minutes before utc after utc name Name of timezone usua...

Page 678: ...apan hours 8 minute 0 after UTC Console config RELATED COMMANDS show sntp 677 calendar set This command sets the system clock It may be used if there is no time server on your network or if you have not configured the switch to receive signals from a time server SYNTAX calendar set hour min sec day month year month day year hour Hour in 24 hour format Range 0 23 min Minute Range 0 59 sec Second Ra...

Page 679: ...d to sets a time range for use by other functions such as Access Control Lists time range This command specifies the name of a time range and enters time range configuration mode Use the no form to remove a previously specified time range SYNTAX no time range name name Name of the time range Range 1 30 characters Table 53 Time Range Commands Command Function Mode time range Specifies the name of a...

Page 680: ...o form to remove a previously specified time SYNTAX absolute start hour minute day month year end hour minutes day month year absolute end hour minutes day month year no absolute hour Hour in 24 hour format Range 0 23 minute Minute Range 0 59 day Day of month Range 1 31 month january february march april may june july august september october november december year Year 4 digit Range 2009 2109 DEF...

Page 681: ...day monday saturday sunday thursday tuesday wednesday weekdays weekend hour minute to daily friday monday saturday sunday thursday tuesday wednesday weekdays weekend hour minute daily Daily friday Friday monday Monday saturday Saturday sunday Sunday thursday Thursday tuesday Tuesday wednesday Wednesday weekdays Weekdays weekend Weekends hour Hour in 24 hour format Range 0 23 minute Minute Range 0 ...

Page 682: ...gured time ranges SYNTAX show time range name name Name of the time range Range 1 30 characters DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console show time range r d Time range r d absolute start 01 01 01 April 2009 periodic Daily 01 01 to Daily 02 01 periodic Daily 02 01 to Daily 03 01 Console ...

Page 683: ... Commands Command Function Mode General SNMP Commands snmp server Enables the SNMP agent GC snmp server community Sets up the community access string to permit access to SNMP commands GC snmp server contact Sets the system contact string GC snmp server location Sets the system location string GC show snmp Displays the status of SNMP communications NE PE SNMP Target Host Commands snmp server enable...

Page 684: ...tc broadcast control apply Sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires IC Port snmp server enable port traps atc broadcast control release Sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires IC Port snmp server enable port tra...

Page 685: ...gement stations are only able to retrieve MIB objects rw Specifies read write access Authorized management stations are able to both retrieve and modify MIB objects DEFAULT SETTING public Read only access Authorized management stations are only able to retrieve MIB objects private Read write access Authorized management stations are able to both retrieve and modify MIB objects COMMAND MODE Global ...

Page 686: ... system location Maximum length 255 characters DEFAULT SETTING None COMMAND MODE Global Configuration EXAMPLE Console config snmp server location WC 19 Console config RELATED COMMANDS snmp server contact 685 show snmp This command can be used to check the status of SNMP communications DEFAULT SETTING None COMMAND MODE Normal Exec Privileged Exec COMMAND USAGE This command provides information on t...

Page 687: ...ues errors 0 General errors 0 Response PDUs 0 Trap PDUs SNMP Logging Disabled Console snmp server enable traps This command enables this device to send Simple Network Management Protocol traps or informs i e SNMP notifications Use the no form to disable SNMP notifications SYNTAX no snmp server enable traps authentication link up down authentication Keyword to issue authentication failure notificat...

Page 688: ...nmp server host This command specifies the recipient of a Simple Network Management Protocol notification operation Use the no form to remove the specified host SYNTAX snmp server host host addr inform retry retries timeout seconds community string version 1 2c 3 auth noauth priv udp port port no snmp server host host addr host addr Internet address of the host the targeted recipient Maximum host ...

Page 689: ...for each host The snmp server host command is used in conjunction with the snmp server enable traps command Use the snmp server enable traps command to enable the sending of traps or informs and to specify which SNMP notifications are sent globally For a host to receive notifications at least one snmp server enable traps command and the snmp server host command for that host must be enabled Some n...

Page 690: ...page 692 5 Allow the switch to send SNMP traps i e notifications page 687 6 Specify the target host that will receive inform messages with the snmp server host command as described in this section The switch can send SNMP Version 1 2c or 3 notifications to a host IP address depending on the SNMP version that the management station supports If the snmp server host command does not specify the SNMP ...

Page 691: ... keys for authenticating and encrypting SNMPv3 packets A remote engine ID is required when using SNMPv3 informs See the snmp server host command The remote engine ID is used to compute the security digest for authentication and encryption of packets passed between the switch and a user on the remote host SNMP passwords are localized using the engine ID of the authoritative agent For informs the au...

Page 692: ...efines the view for write access 1 32 characters notifyview Defines the view for notifications 1 32 characters DEFAULT SETTING Default groups public10 read only private11 read write readview Every object belonging to the Internet OID space 1 writeview Nothing is defined notifyview Nothing is defined COMMAND MODE Global Configuration COMMAND USAGE A group sets the access policy for the assigned use...

Page 693: ...a remote device ip address The Internet address of the remote device v1 v2c v3 Use SNMP version 1 2c or 3 encrypted Accepts the password as encrypted input auth Uses SNMPv3 with authentication md5 sha Uses MD5 or SHA authentication auth password Authentication password Enter as plain text if the encrypted option is not used Otherwise enter an encrypted password A minimum of eight characters is req...

Page 694: ...remote user will fail SNMP passwords are localized using the engine ID of the authoritative agent For informs the authoritative SNMP agent is the remote agent You therefore need to configure the remote agent s SNMP engine ID before you can send proxy requests or informs to it EXAMPLE Console config snmp server user steve group r d v3 auth md5 greenpeace priv des56 einstien Console config snmp serv...

Page 695: ...onsole config This view includes the MIB 2 interfaces table and the mask selects all index entries Console config snmp server view ifEntry a 1 3 6 1 2 1 2 2 1 1 included Console config show snmp engine id This command shows the SNMP engine ID COMMAND MODE Privileged Exec EXAMPLE This example shows the default engine ID Console show snmp engine id Local SNMP EngineID 8000002a8000000000e8666672 Loca...

Page 696: ...ow Status active Group Name public Security Model v2c Read View defaultview Write View No writeview specified Notify View No notifyview specified Storage Type volatile Row Status active Group Name private Security Model v1 Read View defaultview Write View defaultview Notify View No notifyview specified Storage Type volatile Row Status active Group Name private Security Model v2c Read View defaultv...

Page 697: ...tion Field Description Group Name Name of an SNMP group Security Model The SNMP version Read View The associated read view Write View The associated write view Notify View The associated notify view Storage Type The storage type for this entry Row Status The row status of this entry Table 57 show snmp user display description Field Description EngineId String identifying the engine ID User Name Na...

Page 698: ...otification log SYNTAX no nlm filter name filter name Notification log name Range 1 32 characters DEFAULT SETTING Enabled COMMAND MODE Global Configuration COMMAND USAGE Notification logging is enabled by default but will not start recording information until a logging profile specified by the snmp server notify filter command is enabled by the nlm command Table 58 show snmp view display descripti...

Page 699: ...e host parameter is only required to complete mandatory fields in the SNMP Notification MIB DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE Systems that support SNMP often need a mechanism for recording Notification information as a hedge against lost notifications whether those are Traps or Informs that exceed retransmission limits The Notification Log MIB NLM RFC 3014 provid...

Page 700: ...g can contain up to 256 entries and the entry aging time is 1440 minutes Information recorded in a notification log and the entry aging time can only be configured using SNMP from a network management station When a trap host is created with the snmp server host command a default notify filter will be created as shown in the example under the show snmp notify filter command EXAMPLE This example fi...

Page 701: ...ilter This command displays the configured notification logs COMMAND MODE Privileged Exec EXAMPLE This example displays the configured notification logs and associated target hosts Console show snmp notify filter Filter profile name IP address A1 10 1 19 23 Console ...

Page 702: ...CHAPTER 26 SNMP Commands 702 ES 4500G Series ...

Page 703: ... History Event and Alarm groups When RMON is enabled the system gradually builds up information about its physical interfaces storing this information in the relevant RMON database group A management agent then periodically communicates with the switch using the SNMP protocol However if the switch encounters a critical event it can automatically send a trap message to the management agent which ca...

Page 704: ...rrent value and the difference is then compared to the thresholds threshold An alarm threshold for the sampled variable Range 0 2147483647 event index The index of the event to use if an alarm is triggered If there is no corresponding entry in the event control table then no event will be generated Range 1 65535 name Name of the person who created this entry Range 1 127 characters DEFAULT SETTING ...

Page 705: ...n event index index Index to this entry Range 1 65535 log Generates an RMON log entry when the event is triggered Log messages are processed based on the current configuration settings for event logging see Event Logging on page 664 trap Sends a trap message to all configured trap managers see snmp server host on page 688 community A password like community string sent with the trap operation to S...

Page 706: ... number The number of buckets requested for this entry Range 1 65536 seconds The polling interval Range 1 3600 seconds name Name of the person who created this entry Range 1 127 characters DEFAULT SETTING 1 3 6 1 2 1 16 1 1 1 6 1 1 3 6 1 2 1 16 1 1 1 6 26 50 Buckets 8 Interval 30 seconds for even numbered entries 1800 seconds for odd numbered entries COMMAND MODE Interface Configuration Ethernet C...

Page 707: ... entry Range 1 127 characters DEFAULT SETTING Enabled COMMAND MODE Interface Configuration Ethernet COMMAND USAGE By default each index number equates to a port on the switch but can be changed to any number not currently in use If statistics collection is already enabled on an interface the entry must be deleted before any changes can be made with this command The information collected for each e...

Page 708: ... 2 is valid owned by mike Description is urgent Event firing causes log and trap to community last fired 00 00 00 Console show rmon history This command shows the sampling parameters configured for each entry in the history group COMMAND MODE Privileged Exec EXAMPLE Console show rmon history Entry 1 is valid and owned by Monitors 1 3 6 1 2 1 2 2 1 1 1 every 1800 seconds Requested of time intervals...

Page 709: ... rmon statistics Interface 1 is valid and owned by Monitors 1 3 6 1 2 1 2 2 1 1 1 which has Received 164289 octets 2372 packets 120 broadcast and 2211 multicast packets 0 undersized and 0 oversized packets 0 fragments and 0 jabbers 0 CRC alignment errors and 0 collisions of dropped packet events due to lack of resources 0 of packets received of length in octets 64 2245 65 127 87 128 255 31 256 511...

Page 710: ...CHAPTER 27 Remote Monitoring Commands 710 ES 4500G Series ...

Page 711: ...4 ipv4 address ipv6 ipv6 address destination udp port no sflow destination ipv4 address IPv4 address of the sFlow Collector Valid IPv4 addresses consist of four decimal numbers 0 to 255 separated by periods ipv6 address IPv6 address of the sFlow Collector A full IPv6 address including the network prefix and host address bits An IPv6 address consists of 8 colon separated 16 bit hexadecimal values T...

Page 712: ...and uses the default UDP port Console config interface ethernet 1 9 Console config if sflow destination ipv4 192 168 0 4 Console config if sflow max datagram size This command configures the maximum size of the sFlow datagram payload Use the no form to restore the default setting SYNTAX sflow max datagram size max datagram size no max datagram size max datagram size The maximum size of the sFlow d...

Page 713: ...MAND MODE Interface Configuration Ethernet EXAMPLE Console config interface ethernet 1 9 Console config if sflow max header size 256 Console config if sflow owner This command configures the name of the receiver i e sFlow Collector Use the no form to remove this name SYNTAX sflow owner name no sflow owner name The name of the receiver Range 1 256 characters DEFAULT SETTING None COMMAND MODE Interf...

Page 714: ...ace Configuration Ethernet EXAMPLE This example sets the sample rate to 1 out of every 100 packets Console config interface ethernet 1 9 Console config if sflow sample 100 Console config if sflow source This command enables sFlow on the source ports to be monitored Use the no form to disable sFlow on the specified ports SYNTAX no sflow source DEFAULT SETTING Disabled COMMAND MODE Interface Configu...

Page 715: ...e 0 indicates no time out DEFAULT SETTING Disabled COMMAND MODE Interface Configuration Ethernet COMMAND USAGE The sFlow parameters affected by this command include the sampling interval the receiver s name address and UDP port the time out maximum header size and maximum datagram size EXAMPLE This example sets the time out to 1000 seconds Console config interface ethernet 1 9 Console config if sf...

Page 716: ...ileged Exec EXAMPLE Console show sflow interface ethernet 1 9 Interface of Ethernet 1 9 Interface status Enabled Owner name Lamar Owner destination 192 168 0 4 Owner socket port 6343 Time out 9994 Maximum header size 256 Maximum datagram size 1500 Sample rate 1 256 Console ...

Page 717: ...able 61 Authentication Commands Command Group Function User Accounts Configures the basic user names and passwords for management access Authentication Sequence Defines logon authentication method and precedence RADIUS Client Configures settings for authentication via a RADIUS server TACACS Client Configures settings for authentication via a TACACS server AAA Configures authentication authorizatio...

Page 718: ...ilege level Maximum length 8 characters plain text 32 encrypted case sensitive DEFAULT SETTING The default is level 15 The default password is super COMMAND MODE Global Configuration COMMAND USAGE You cannot set a null password You will have to enter a password to change the command mode from Normal Exec to Privileged Exec with the enable command The encrypted password is required for compatibilit...

Page 719: ...7 means encrypted password password password The authentication password for the user Maximum length 8 characters plain text 32 encrypted case sensitive DEFAULT SETTING The default access level is Normal Exec The factory defaults for the user names and passwords are COMMAND MODE Global Configuration COMMAND USAGE The encrypted password is required for compatibility with legacy password settings i ...

Page 720: ... UDP only offers best effort delivery while TCP offers a connection oriented transport Also note that RADIUS encrypts only the password in the access request packet from the client to the server while TACACS encrypts the entire body of the packet RADIUS and TACACS logon authentication assigns a specific privilege level for each user name and password pair The user name password and privilege level...

Page 721: ... UDP while TACACS uses TCP UDP only offers best effort delivery while TCP offers a connection oriented transport Also note that RADIUS encrypts only the password in the access request packet from the client to the server while TACACS encrypts the entire body of the packet RADIUS and TACACS logon authentication assigns a specific privilege level for each user name and password pair The user name pa...

Page 722: ...erver acct port This command sets the RADIUS server network port for accounting messages Use the no form to restore the default SYNTAX radius server acct port port number no radius server acct port port number RADIUS server UDP port used for accounting messages Range 1 65535 DEFAULT SETTING 1813 COMMAND MODE Global Configuration Table 65 RADIUS Client Commands Command Function Mode radius server a...

Page 723: ... backup RADIUS servers and authentication and accounting parameters that apply to each server Use the no form to remove a specified server or to restore the default values SYNTAX no radius server index host host ip address auth port auth port acct port acct_port key key retransmit retransmit timeout timeout index Allows you to specify up to five servers These servers are queried in sequence until ...

Page 724: ...AND MODE Global Configuration EXAMPLE Console config radius server 1 host 192 168 1 20 port 181 timeout 10 retransmit 5 key green Console config radius server key This command sets the RADIUS encryption key Use the no form to restore the default SYNTAX radius server key key string no radius server key key string Encryption key used to authenticate logon access for client Do not use blank spaces in...

Page 725: ... DEFAULT SETTING 2 COMMAND MODE Global Configuration EXAMPLE Console config radius server retransmit 5 Console config radius server timeout This command sets the interval between transmitting authentication requests to the RADIUS server Use the no form to restore the default SYNTAX radius server timeout number of seconds no radius server timeout number of seconds Number of seconds the switch waits...

Page 726: ... 1 Console TACACS CLIENT Terminal Access Controller Access Control System TACACS is a logon authentication protocol that uses software running on a central server to control access to TACACS aware devices on the network An authentication server contains a database of multiple user name password pairs with associated privilege levels for each user or group that require management access to a switch...

Page 727: ...ogon access for the client Do not use blank spaces in the string Maximum length 48 characters port number TACACS server TCP port used for authentication messages Range 1 65535 DEFAULT SETTING 10 11 12 13 COMMAND MODE Global Configuration EXAMPLE Console config tacacs server host 192 168 1 25 Console config tacacs server host This command specifies the TACACS server Use the no form to restore the d...

Page 728: ...in the string Maximum length 48 characters DEFAULT SETTING None COMMAND MODE Global Configuration EXAMPLE Console config tacacs server key green Console config tacacs server port This command specifies the TACACS server network port Use the no form to restore the default SYNTAX tacacs server port port number no tacacs server port port number TACACS server TCP port used for authentication messages ...

Page 729: ...tions require the use of configured RADIUS or TACACS servers in the network Table 67 AAA Commands Command Function Mode aaa accounting commands Enables accounting of Exec mode commands GC aaa accounting dot1x Enables accounting of 802 1X services GC aaa accounting exec Enables accounting of Exec services GC aaa accounting update Enables periodoc updates to be sent to the accounting server GC aaa a...

Page 730: ...es the server group to use tacacs Specifies all TACACS hosts configure with the tacacs server host command server group Specifies the name of a server group configured with the aaa group server command Range 1 255 characters DEFAULT SETTING Accounting is not enabled No servers are specified COMMAND MODE Global Configuration COMMAND USAGE The accounting of Exec mode commands is only supported by TA...

Page 731: ...op Records accounting from starting point and stopping point group Specifies the server group to use radius Specifies all RADIUS hosts configure with the radius server host command tacacs Specifies all TACACS hosts configure with the tacacs server host command server group Specifies the name of a server group configured with the aaa group server command Range 1 255 characters DEFAULT SETTING Accou...

Page 732: ...radius Specifies all RADIUS hosts configure with the radius server host command tacacs Specifies all TACACS hosts configure with the tacacs server host command server group Specifies the name of a server group configured with the aaa group server command Range 1 255 characters DEFAULT SETTING Accounting is not enabled No servers are specified COMMAND MODE Global Configuration COMMAND USAGE This co...

Page 733: ...ifying an interim interval enables updates but does not change the current interval setting EXAMPLE Console config aaa accounting update periodic 30 Console config aaa authorization exec This command enables the authorization for Exec access Use the no form to disable the authorization service SYNTAX aaa authorization exec default method name group tacacs server group no aaa authorization exec def...

Page 734: ...s authorization type applies except those that have a named method explicitly defined EXAMPLE Console config aaa authorization exec default group tacacs Console config aaa group server Use this command to name a group of security server hosts To remove a server group from the configuration list enter the no form of this command SYNTAX no aaa group server radius tacacs group name radius Defines a R...

Page 735: ...us server host command When specifying the index for a TACACS server that server index must already be defined by the tacacs server host command EXAMPLE Console config aaa group server radius tps Console config sg radius server 10 2 68 120 Console config sg radius accounting dot1x This command applies an accounting method for 802 1X service requests on an interface Use the no form to disable accou...

Page 736: ...ed with the aaa accounting exec command DEFAULT SETTING None COMMAND MODE Line Configuration EXAMPLE Console config line console Console config line accounting exec tps Console config line exit Console config line vty Console config line accounting exec default Console config line authorization exec This command applies an authorization method to local console Telnet or SSH connections Use the no ...

Page 737: ...istics username user name interface interface exec statistics statistics commands Displays command accounting information level Displays command accounting information for a specifiable command level dot1x Displays dot1x accounting information exec Displays Exec accounting records statistics Displays accounting records user name Displays accounting records for a specifiable username interface ethe...

Page 738: ...form to use the default port SYNTAX ip http port port number no ip http port port number The TCP port to be used by the browser interface Range 1 65535 DEFAULT SETTING 80 COMMAND MODE Global Configuration EXAMPLE Console config ip http port 769 Console config Table 68 Web Server Commands Command Function Mode ip http port Specifies the port to be used by the web browser interface GC ip http server...

Page 739: ...ow system 643 ip http secure server This command enables the secure hypertext transfer protocol HTTPS over the Secure Socket Layer SSL providing secure access i e an encrypted connection to the switch s web interface Use the no form to disable this function SYNTAX no ip http secure server DEFAULT SETTING Enabled COMMAND MODE Global Configuration COMMAND USAGE Both HTTP and HTTPS service can be ena...

Page 740: ... Mozilla Firefox 2 0 0 0 or above The following web browsers and operating systems currently support HTTPS To specify a secure site certificate see Replacing the Default Secure site Certificate on page 298 Also refer to the copy tftp https certificate command EXAMPLE Console config ip http secure server Console config RELATED COMMANDS ip http secure port 741 copy tftp https certificate 649 show sy...

Page 741: ...ing to connect to the HTTPS server must specify the port number in the URL in this format https device port_number EXAMPLE Console config ip http secure port 1000 Console config RELATED COMMANDS ip http secure server 739 show system 643 TELNET SERVER This section describes commands used to configure Telnet management access to the switch Table 70 Telnet Server Commands Command Function Mode ip tel...

Page 742: ...ns session count no ip telnet max sessions session count The maximum number of allowed Telnet session Range 0 4 DEFAULT SETTING 4 sessions COMMAND MODE Global Configuration COMMAND USAGE A maximum of four sessions can be concurrently opened for Telnet and Secure Shell i e both Telnet and SSH share a maximum number or four sessions EXAMPLE Console config ip telnet max sessions 1 Console config ip t...

Page 743: ... Telnet Use the no form to disable this function SYNTAX no ip telnet server DEFAULT SETTING Enabled COMMAND MODE Global Configuration EXAMPLE Console config ip telnet server Console config show ip telnet This command displays the configuration settings for the Telnet server COMMAND MODE Normal Exec Privileged Exec EXAMPLE Console show ip telnet IP Telnet Configuration Telnet Status Enabled Telnet ...

Page 744: ...you still have to generate authentication keys on the switch and enable the SSH server Table 71 Secure Shell Commands Command Function Mode ip ssh authentication retries Specifies the number of retries allowed by a client GC ip ssh server Enables the SSH server on the switch GC ip ssh server key size Sets the SSH server key size GC ip ssh timeout Specifies the authentication timeout for the SSH se...

Page 745: ...aining the public key for all the SSH client s granted management access to the switch Note that these clients must be configured locally on the switch with the username command The clients are subsequently authenticated using these keys The current firmware only accepts public key files based on standard UNIX format as shown in the following example for an RSA key 1024 35 134108168560989392104094...

Page 746: ...ecrypt the challenge string computes the MD5 checksum and sends the checksum back to the switch e The switch compares the checksum sent from the client against that computed for the original string it sent If the two check sums match this means that the client s private key corresponds to an authorized public key and the client is authenticated Authenticating SSH v2 Clients a The client first quer...

Page 747: ...cation retires 2 Console config RELATED COMMANDS show ip ssh 751 ip ssh server This command enables the Secure Shell SSH server on this switch Use the no form to disable this service SYNTAX no ip ssh server DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE The SSH server supports up to four client sessions The maximum number of client sessions includes both current Telnet se...

Page 748: ...erver key size key size The size of server key Range 512 896 bits DEFAULT SETTING 768 bits COMMAND MODE Global Configuration COMMAND USAGE The server key is a private key that is never shared outside the switch The host key is shared with the SSH client and is fixed at 1024 bits EXAMPLE Console config ip ssh server key size 512 Console config ip ssh timeout This command configures the timeout for ...

Page 749: ...0 Console config RELATED COMMANDS exec timeout 656 show ip ssh 751 delete public key This command deletes the specified user s public key SYNTAX delete public key username dsa rsa username Name of an SSH user Range 1 8 characters dsa DSA public key type rsa RSA public key type DEFAULT SETTING Deletes both the DSA and RSA key COMMAND MODE Privileged Exec EXAMPLE Console delete public key admin dsa ...

Page 750: ...Otherwise you must manually create a known hosts file and place the host public key in it The SSH server uses this host key to negotiate a session key and encryption method with the client trying to connect to it EXAMPLE Console ip ssh crypto host key generate dsa Console RELATED COMMANDS ip ssh crypto zeroize 750 ip ssh save host key 751 ip ssh crypto zeroize This command clears the host key from...

Page 751: ...he host key from RAM to flash memory SYNTAX ip ssh save host key DEFAULT SETTING Saves both the DSA and RSA key COMMAND MODE Privileged Exec EXAMPLE Console ip ssh save host key dsa Console RELATED COMMANDS ip ssh crypto host key generate 749 show ip ssh This command displays the connection settings used when authenticating client access to the SSH server COMMAND MODE Privileged Exec EXAMPLE Conso...

Page 752: ... and the last string is the encoded modulus EXAMPLE Console show public key host Host RSA 1024 65537 13236940658254764031382795526536375927835525327972629521130241 071942106165575942459093923609695405036277525755625100386613098939383452310 332802149888661921595568598879891919505883940181387440468908779160305837768 185490002831341625008348718449522087429212255691665655296328163516964040831 55476606...

Page 753: ...ion number State The authentication negotiation state Values Negotiation Started Authentication Started Session Started Username The user name of the client Table 73 802 1X Port Authentication Commands Command Function Mode General Commands dot1x default Resets all dot1x parameters to their default values GC dot1x eapol pass through Passes EAPOL frames to all ports in STP forwarding state when dot...

Page 754: ...apol pass through command can be used to forward EAPOL frames from other switches on to the authentication servers thereby allowing the authentication process to still be carried out by switches located on the edge of the network dot1x timeout quiet period Sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client IC dot1x timeout...

Page 755: ...bles IEEE 802 1X port authentication globally on the switch Use the no form to restore the default SYNTAX no dot1x system auth control DEFAULT SETTING Disabled COMMAND MODE Global Configuration EXAMPLE Console config dot1x system auth control Console config dot1x intrusion action This command sets the port s response to a failed authentication either to block all traffic or to assign all traffic f...

Page 756: ...e eth 1 2 Console config if dot1x intrusion action guest vlan Console config if dot1x max req This command sets the maximum number of times the switch port will retransmit an EAP request identity packet to the client before it times out the authentication session Use the no form to restore the default SYNTAX dot1x max req count no dot1x max req count The maximum number of requests Range 1 10 DEFAU...

Page 757: ...sed Allows multiple hosts to connect to this port with each host needing to be authenticated DEFAULT Single host COMMAND MODE Interface Configuration COMMAND USAGE The max count parameter specified by this command is only effective if the dot1x mode is set to auto by the dot1x port control command In multi host mode only one host connected to a port needs to pass authentication for all other hosts...

Page 758: ...e DEFAULT force authorized COMMAND MODE Interface Configuration EXAMPLE Console config interface eth 1 2 Console config if dot1x port control auto Console config if dot1x re authentication This command enables periodic re authentication for a specified port Use the no form to disable re authentication SYNTAX no dot1x re authentication COMMAND MODE Interface Configuration COMMAND USAGE The re authe...

Page 759: ...t the default SYNTAX dot1x timeout quiet period seconds no dot1x timeout quiet period seconds The number of seconds Range 1 65535 DEFAULT 60 seconds COMMAND MODE Interface Configuration EXAMPLE Console config interface eth 1 2 Console config if dot1x timeout quiet period 350 Console config if dot1x timeout re authperiod This command sets the time period after which a connected client must be re au...

Page 760: ...rames other than EAP request identity frames If dot1x authentication is enabled on a port the switch will initiate authentication when the port link state comes up It will send an EAP request identity frame to the client to request its identity followed by one or more requests for authentication information It may also send other EAP request frames to the client during an active connection as requ...

Page 761: ...pecific interface SYNTAX dot1x re authenticate interface interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 COMMAND MODE Privileged Exec COMMAND USAGE The re authentication process verifies the connected client s user ID and password on the RADIUS server During re authentication the client remains connected the network and the process is handled transparently by ...

Page 762: ... Type Administrative state for port access control Enabled Authenticator or Supplicant Operation Mode Allows single or multiple hosts page 757 Control Mode Dot1x port control mode page 758 Authorized Authorization status yes or n a not authorized 802 1X Port Details Displays the port access control parameters for each interface including the following items Reauthentication Periodic re authenticat...

Page 763: ...ession Backend State Machine State Current state including request response success fail timeout idle initialize Request Count Number of EAP Request packets sent to the Supplicant without receiving a response Identifier Server Identifier carried in the most recent EAP Success Failure or Request packet received from the Authentication Server Reauthentication State Machine State Current state includ...

Page 764: ...ent Identifier 0 Authenticator PAE State Machine State Authenticated Reauth Count 0 Current Identifier 3 Backend State Machine State Idle Request Count 0 Identifier Server 2 Reauthentication State Machine State Initialize Console MANAGEMENT IP FILTER This section describes commands used to configure IP management access to the switch Table 74 Management IP Filter Commands Command Function Mode man...

Page 765: ...from an invalid address the switch will reject the connection enter an event message in the system log and send a trap message to the trap manager IP address can be configured for SNMP web and Telnet access respectively Each of these groups can include up to five different sets of addresses either individual addresses or address ranges When entering addresses for the same group i e SNMP web or Tel...

Page 766: ...s IP addresses for all groups http client Displays IP addresses for the web group snmp client Displays IP addresses for the SNMP group telnet client Displays IP addresses for the Telnet group COMMAND MODE Privileged Exec EXAMPLE Console show management all client Management IP Filter HTTP Client Start IP Address End IP Address 192 168 1 19 192 168 1 19 SNMP Client Start IP Address End IP Address 1...

Page 767: ...ecurity The priority of execution for these filtering commands is Port Security Port Authentication Network Access Web Authentication Access Control Lists DHCP Snooping and then IP Source Guard Configures secure addresses for a port 802 1X Port Authentication Configures host authentication on specific ports using 802 1X Network Access Configures MAC authentication and dynamic VLAN assignment Web A...

Page 768: ...automatically take action by disabling the port and sending a trap message mac learning This command enables MAC address learning on the selected interface Use the no form to disable MAC address learning SYNTAX no mac learning DEFAULT SETTING Enabled COMMAND MODE Interface Configuration Ethernet or Port Channel COMMAND USAGE The no mac learning command immediately stops the switch from learning ne...

Page 769: ...keyword to restore the default settings for a response to security violation or for the maximum number of allowed addresses SYNTAX port security action shutdown trap trap and shutdown max mac count address count no port security action max mac count action Response to take when port security is violated shutdown Disable port only trap Issue SNMP trap message only trap and shutdown Issue SNMP trap ...

Page 770: ...count command to disable port security and reset the maximum number of addresses to the default You can also manually add secure addresses with the mac address table static command A secure port has the following restrictions Cannot be connected to a network interconnection device Cannot be a trunk port If a port is disabled due to a security violation it must be manually re enabled using the no s...

Page 771: ...ork access guest vlan Specifies the guest VLAN IC network access link detection Enables the link detection feature IC network access link detection link down Configures the link detection feature to detect and act upon link down events IC network access link detection link up Configures the link detection feature to detect and act upon link up events IC network access link detection link up down C...

Page 772: ...es configured by the MAC Address Authentication process described in this section as well as to any secure MAC addresses authenticated by 802 1X regardless of the 802 1X Operation Mode Single Host Multi Host or MAC Based authentication as described on page 757 The maximum number of secure MAC addresses supported for the switch system is 1024 EXAMPLE Console config if network access aging Console c...

Page 773: ...ole config network access mac filter 1 mac address 11 22 33 44 55 66 Console config mac authentication reauth time Use this command to set the time period after which a connected MAC address must be re authenticated Use the no form of this command to restore the default value SYNTAX mac authentication reauth time seconds no mac authentication reauth time seconds The reauthentication time period Ra...

Page 774: ...nfiguration for the port When a user attempts to log into the network with a returned dynamic QoS profile that is different from users already logged on to the same port the user is denied access While a port has an assigned dynamic QoS profile any manual QoS configuration changes only take effect after all users have logged off of the port NOTE Any configuration changes for dynamic QoS are not sa...

Page 775: ...rt providing the VLANs have already been created on the switch GVRP is not used to create the VLANs The VLAN settings specified by the first authenticated MAC address are implemented for a port Other authenticated MAC addresses on the port must have same VLAN configuration or they are treated as an authentication failure If dynamic VLAN assignment is enabled on a port and the RADIUS server returns...

Page 776: ... the guest VLAN must be defined and set as active See the vlan database command When used with 802 1X authentication the intrusion action must be set for guest vlan to be effective see the dot1x intrusion action command EXAMPLE Console config interface ethernet 1 1 Console config if network access guest vlan 25 Console config if network access link detection Use this command to enable link detecti...

Page 777: ...age and disable the port DEFAULT SETTING Disabled COMMAND MODE Interface Configuration EXAMPLE Console config interface ethernet 1 1 Console config if network access link detection link down action trap Console config if network access link detection link up Use this command to detect link up events When detected the switch can shut down the port send an SNMP trap or both Use the no form of this c...

Page 778: ...tion Response to take when port security is violated shutdown Disable port only trap Issue SNMP trap message only trap and shutdown Issue SNMP trap message and disable the port DEFAULT SETTING Disabled COMMAND MODE Interface Configuration EXAMPLE Console config interface ethernet 1 1 Console config if network access link detection link up down action trap Console config if network access max mac c...

Page 779: ... USAGE When enabled on a port the authentication process sends a Password Authentication Protocol PAP request to a configured RADIUS server The user name and password are both equal to the MAC address being authenticated On the RADIUS server PAP user name and passwords must be configured in the MAC address format XX XX XX XX XX XX all in upper case Authenticated MAC addresses are stored as dynamic...

Page 780: ... Medium Type attribute set to 802 EXAMPLE Console config if network access mode mac authentication Console config if network access port mac filter Use this command to enable the specified MAC address filter Use the no form of this command to disable the specified MAC address filter SYNTAX network access port mac filter filter id no network access port mac filter filter id Specifies a MAC address ...

Page 781: ...E Interface Configuration EXAMPLE Console config if mac authentication intrusion action block traffic Console config if mac authentication max mac count Use this command to set the maximum number of MAC addresses that can be authenticated on a port via MAC authentication Use the no form of this command to restore the default SYNTAX mac authentication max mac count count no mac authentication max m...

Page 782: ...rnet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 DEFAULT SETTING Displays the settings for all interfaces COMMAND MODE Privileged Exec EXAMPLE Console show network access interface ethernet 1 1 Global secure port information Reauthentication Time 1800 Port 1 1 MAC Authentication Disabled MAC Authentication Intrusion action Block traffic MAC Authentication Maximum MAC Counts ...

Page 783: ...it Range 1 8 port Port number Range 1 26 50 sort Sorts displayed entries by either MAC address or interface DEFAULT SETTING Displays all filters COMMAND MODE Privileged Exec COMMAND USAGE When using a bit mask to filter displayed MAC addresses a 1 means care and a 0 means don t care For example a MAC of 00 00 01 02 03 04 and mask FF FF FF 00 00 00 would result in all MACs in the range 00 00 01 00 ...

Page 784: ...ress and perform DNS queries All other traffic except for HTTP protocol traffic is blocked The switch intercepts HTTP protocol traffic and redirects it to a switch generated web page that facilitates user name and password authentication via RADIUS Once authentication is successful the web browser is forwarded on to the originally requested web page Successful authentication is valid for all hosts...

Page 785: ...ts 2 Console config web auth system auth control Enables web authentication globally for the switch GC web auth Enables web authentication for an interface IC web auth re authenticate Port Ends all web authentication sessions on the port and forces the users to re authenticate PE web auth re authenticate IP Ends the web authentication session associated with the designated IP address and forces th...

Page 786: ...s COMMAND MODE Global Configuration EXAMPLE Console config web auth quiet period 120 Console config web auth session timeout This command defines the amount of time a web authentication session remains valid When the session timeout has been reached the host is logged off and must re authenticate itself the next time data transmission takes place Use the no form to restore the default SYNTAX web a...

Page 787: ...he switch and web auth for an interface must be enabled for the web authentication feature to be active EXAMPLE Console config web auth system auth control Console config web auth This command enables web authentication for an interface Use the no form to restore the default SYNTAX no web auth DEFAULT SETTING Disabled COMMAND MODE Interface Configuration COMMAND USAGE Both web auth system auth con...

Page 788: ...E Privileged Exec EXAMPLE Console web auth re authenticate interface ethernet 1 2 Failed to reauth Console web auth re authenticate IP This command ends the web authentication session associated with the designated IP address and forces the user to re authenticate SYNTAX web auth re authenticate interface interface ip interface Specifies a port interface ethernet unit port unit Stack unit Range 1 ...

Page 789: ... Attempts 3 Console show web auth interface This command displays interface specific web authentication parameters and statistics SYNTAX show web auth interface interface interface Specifies a port interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 COMMAND MODE Privileged Exec EXAMPLE Console show web auth interface ethernet 1 2 Web Auth Status Enabled Host Summa...

Page 790: ...mand Function Mode ip dhcp snooping Enables DHCP snooping globally GC ip dhcp snooping database flash Writes all dynamically learned snooping entries to flash memory GC ip dhcp snooping information option Enables or disables DHCP Option 82 information relay GC ip dhcp snooping information policy Sets the information option policy for DHCP client packets that include Option 82 information GC ip dhc...

Page 791: ...e are filtered based upon dynamic entries learned via DHCP snooping Table entries are only learned for trusted interfaces Each entry includes a MAC address IP address lease time VLAN identifier and port identifier When DHCP snooping is enabled the rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second Any DHCP packets in excess of this limit are dr...

Page 792: ...warded to trusted ports in the same VLAN If a DHCP packet is from server is received on a trusted port it will be forwarded to both trusted and untrusted ports in the same VLAN If the DHCP snooping is globally disabled all dynamic bindings are removed from the binding table Additional considerations when the switch itself is a DHCP client The port s through which the switch submits a client reques...

Page 793: ...nformation option DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server Known as DHCP Option 82 it allows compatible DHCP servers to use the information when assigning IP addresses or to set other services or policies for clients When the DHCP Snooping Information Opt...

Page 794: ...d of relaying it keep Retains the Option 82 information in the client request and forwards the packets to trusted ports replace Replaces the Option 82 information circuit id and remote id fields in the client s request with information about the relay agent itself inserts the relay agent s address when DHCP snooping is enabled and forwards the packets to trusted ports DEFAULT SETTING replace COMMA...

Page 795: ...ket the packet is dropped EXAMPLE This example enables MAC address verification Console config ip dhcp snooping verify mac address Console config RELATED COMMANDS ip dhcp snooping 791 ip dhcp snooping vlan 795 ip dhcp snooping trust 796 ip dhcp snooping vlan This command enables DHCP snooping on the specified VLAN Use the no form to restore the default setting SYNTAX no ip dhcp snooping vlan vlan ...

Page 796: ...as trusted Use the no form to restore the default setting SYNTAX no ip dhcp snooping trust DEFAULT SETTING All interfaces are untrusted COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE A trusted interface is an interface that is configured to receive only messages from within the network An untrusted interface is an interface that is configured to receive messages from outs...

Page 797: ...bmits a client request to the DHCP server must be configured as trusted EXAMPLE This example sets port 5 to untrusted Console config interface ethernet 1 5 Console config if no ip dhcp snooping trust Console config if RELATED COMMANDS ip dhcp snooping 791 ip dhcp snooping vlan 795 clear ip dhcp snooping database flash This command removes all dynamically learned snooping entries from flash memory ...

Page 798: ...tus disable DHCP Snooping Information Policy replace DHCP Snooping is configured on the following VLANs 1 Verify Source Mac Address enable Interface Trusted Eth 1 1 No Eth 1 2 No Eth 1 3 No Eth 1 4 No Eth 1 5 Yes show ip dhcp snooping binding This command shows the DHCP snooping binding table entries COMMAND MODE Privileged Exec EXAMPLE Console show ip dhcp snooping binding MacAddress IpAddress Le...

Page 799: ...p address interface no ip source guard binding mac address vlan vlan id mac address A valid unicast MAC address vlan id ID of a configured VLAN Range 1 4093 ip address A valid unicast IP address including classful types A B or C interface Specifies a port interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 DEFAULT SETTING No configured entries Table 81 IP Source G...

Page 800: ...e processed as follows If there is no entry with same VLAN ID and MAC address a new entry is added to binding table using the type of static IP source guard binding If there is an entry with same VLAN ID and MAC address and the type of entry is static IP source guard binding then the new entry will replace the old one If there is an entry with same VLAN ID and MAC address and the type of the entry...

Page 801: ...e selected port Use the sip option to check the VLAN ID source IP address and port number against all entries in the binding table Use the sip mac option to check these same parameters plus the source MAC address Use the no ip source guard command to disable this function on the selected port When enabled traffic is filtered based upon dynamic entries learned via DHCP snooping or static addresses ...

Page 802: ...source guard if enabled on an interface for which IP source bindings dynamically learned via DHCP snooping or manually configured are not yet configured the switch will drop all IP traffic on that port except for DHCP packets Only unicast addresses are accepted for static bindings EXAMPLE This example enables IP source guard on port 5 Console config interface ethernet 1 5 Console config if ip sour...

Page 803: ...rd max binding 1 Console config if show ip source guard This command shows whether source guard is enabled or disabled on each interface COMMAND MODE Privileged Exec EXAMPLE Console show ip source guard Interface Filter type Max binding Eth 1 1 DISABLED 5 Eth 1 2 DISABLED 5 Eth 1 3 DISABLED 5 Eth 1 4 DISABLED 5 Eth 1 5 SIP 1 Eth 1 6 DISABLED 5 show ip source guard binding This command shows the so...

Page 804: ... ACLs for hosts with statically configured IP addresses This section describes commands used to configure ARP Inspection Table 82 ARP Inspection Commands Command Function Mode ip arp inspection Enables ARP Inspection globally on the switch GC ip arp inspection filter Specifies an ARP ACL to apply to one or more VLANs GC ip arp inspection log buffer logs Sets the maximum number of entries saved in ...

Page 805: ...ARP Inspection is enabled When ARP Inspection is disabled all ARP request and reply packets bypass the ARP Inspection engine and their manner of switching matches that of all other packets Disabling and then re enabling global ARP Inspection will not affect the ARP Inspection configuration for any VLANs When ARP Inspection is disabled globally it is still possible to configure ARP Inspection for i...

Page 806: ...abase is not checked DEFAULT SETTING ARP ACLs are not bound to any VLAN Static mode is not enabled COMMAND MODE Global Configuration COMMAND USAGE ARP ACLs are configured with the commands described on page 323 If static mode is enabled the switch compares ARP packets to the specified ARP ACLs Packets matching an IP to MAC address binding in a permit or deny rule are processed accordingly Packets ...

Page 807: ...default logging is active for ARP Inspection and cannot be disabled When the switch drops a packet it places an entry in the log buffer Each entry contains flow information such as the receiving VLAN the port number the source and destination IP addresses and the source and destination MAC addresses If multiple identical invalid ARP packets are received consecutively on the same VLAN then the logg...

Page 808: ...nses while target IP addresses are checked only in ARP responses src mac Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body This check is performed on both ARP requests and responses When enabled packets with different MAC addresses are classified as invalid and are dropped DEFAULT SETTING No additional validation is performed COMMAND MODE Global Co...

Page 809: ...ction engine and their manner of switching matches that of all other packets Disabling and then re enabling global ARP Inspection will not affect the ARP Inspection configuration for any VLANs When ARP Inspection is disabled globally it is still possible to configure ARP Inspection for individual VLANs These configuration changes will only become active after ARP Inspection is globally enabled aga...

Page 810: ...thus exempted from ARP Inspection Use the no form to restore the default setting SYNTAX no ip arp inspection trust DEFAULT SETTING Untrusted COMMAND MODE Interface Configuration Port COMMAND USAGE Packets arriving on untrusted ports are subject to any configured ARP Inspection and additional validation checks Packets arriving on trusted ports bypass all of these checks and are forwarded according ...

Page 811: ...ection interface interface interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 COMMAND MODE Privileged Exec EXAMPLE Console show ip arp inspection interface ethernet 1 1 Port Number Trust Status Limit Rate pps Eth 1 1 trusted 150 Console show ip arp inspection log This command shows information about entries stored in the log including the associated VLAN port and...

Page 812: ... source MAC address 0 ARP packets dropped by additional validation destination MAC address 0 ARP packets dropped by additional validation IP address 0 ARP packets dropped by ARP ACLs 0 ARP packets dropped by DHCP snooping 0 Console show ip arp inspection vlan This command shows the configuration settings for VLANs including ARP Inspection status the ARP ACL name and if the DHCP Snooping database i...

Page 813: ...ommand Group Function IPv4 ACLs Configures ACLs based on IPv4 addresses TCP UDP port number protocol type and TCP control code IPv6 ACLs Configures ACLs based on IPv6 addresses or DSCP traffic class MAC ACLs Configures ACLs based on hardware addresses packet format and Ethernet type ARP ACLs Configures ACLs based on ARP messages addresses ACL Information Displays ACLs and associated rules shows AC...

Page 814: ...s and other more specific criteria acl name Name of the ACL Maximum length 16 characters no spaces or other special characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list To remove a rule use the no permit or no deny command fo...

Page 815: ...SETTING None COMMAND MODE Standard IPv4 ACL COMMAND USAGE New rules are appended to the end of the list Address bit masks are similar to a subnet mask containing four integers from 0 to 255 each separated by a period The binary mask uses 1 bits to indicate match and 0 bits to indicate ignore The bitmask is bitwise ANDed with the specified source IP address and then compared with the address for ea...

Page 816: ...ask permit deny tcp any source address bitmask host source any destination address bitmask host destination precedence precedence tos tos dscp dscp source port sport bitmask destination port dport port bitmask control flag control flags flag bitmask time range time range name no permit deny tcp any source address bitmask host source any destination address bitmask host destination precedence prece...

Page 817: ...re The bit mask is bitwise ANDed with the specified source IP address and then compared with the address for each IP packet entering the port s to which this ACL has been assigned You can specify both Precedence and ToS in the same rule However if DSCP is used then neither Precedence nor ToS can be specified The control code bitmask is a decimal number representing an equivalent bit mask that is a...

Page 818: ...192 168 1 0 255 255 255 0 any destination port 80 Console config ext acl This permits all TCP packets from class C addresses 192 168 1 0 with the TCP control code set to SYN Console config ext acl permit tcp 192 168 1 0 255 255 255 0 any control flag 2 2 Console config ext acl RELATED COMMANDS access list ip 814 Time Range 679 ip access group This command binds an IPv4 ACL to a port Use the no for...

Page 819: ...show ip access list 819 Time Range 679 show ip access group This command shows the ports assigned to IP ACLs COMMAND MODE Privileged Exec EXAMPLE Console show ip access group Interface ethernet 1 2 IP access list david in Console RELATED COMMANDS ip access group 818 show ip access list This command displays the rules for configured IPv4 ACLs SYNTAX show ip access list standard extended acl name st...

Page 820: ...AX no access list ipv6 standard extended acl name standard Specifies an ACL that filters packets based on the source IP address extended Specifies an ACL that filters packets based on the destination IP address and other more specific criteria acl name Name of the ACL Maximum length 16 characters DEFAULT SETTING None Table 85 IPv4 ACL Commands Command Function Mode access list ipv6 Creates an IPv6...

Page 821: ...o a Standard IPv6 ACL The rule sets a filter condition for packets emanating from the specified source Use the no form to remove a rule SYNTAX permit deny any host source ipv6 address source ipv6 address prefix length time range time range name no permit deny any host source ipv6 address source ipv6 address prefix length any Any source IP address host Keyword followed by a specific IP address sour...

Page 822: ...AX no permit deny any destination ipv6 address prefix length dscp dscp flow label flow label next header next header time range time range name any Any IP address an abbreviation for the IPv6 prefix 0 destination ipv6 address An IPv6 destination address or network class The address must be formatted according to RFC 2373 IPv6 Addressing Architecture using 8 colon separated 16 bit hexadecimal value...

Page 823: ... special handling might be conveyed to the routers by a control protocol such as a resource reservation protocol or by information within the flow s packets themselves e g in a hop by hop option A flow is uniquely identified by the combination of a source address and a non zero flow label Packets that do not belong to a flow carry a flow label of zero Hosts or routers that do not support the funct...

Page 824: ...le config ext ipv6 acl permit 2009 DB9 2229 79 48 flow label 43 Console config ext ipv6 acl RELATED COMMANDS access list ipv6 820 Time Range 679 show ipv6 access list This command displays the rules for configured IPv6 ACLs SYNTAX show ipv6 access list standard extended acl name standard Specifies a standard IPv6 ACL extended Specifies an extended IPv6 ACL acl name Name of the ACL Maximum length 1...

Page 825: ...OMMAND MODE Interface Configuration Ethernet COMMAND USAGE A port can only be bound to one ACL If a port is already bound to an ACL and you bind it to a different ACL the switch will replace the old binding with the new one IPv6 ACLs can only be applied to ingress packets EXAMPLE Console config interface ethernet 1 2 Console config if ipv6 access group standard david in Console config if RELATED C...

Page 826: ...ther special characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list To remove a rule use the no permit or no deny command followed by the exact text of a previously configured rule An ACL can contain up to 128 rules Table 86 MA...

Page 827: ... address bitmask any host destination destination address bitmask vid vid vid bitmask ethertype protocol protocol bitmask NOTE The default is for Ethernet II packets permit deny tagged eth2 any host source source address bitmask any host destination destination address bitmask vid vid vid bitmask ethertype protocol protocol bitmask time range time range name no permit deny tagged eth2 any host sou...

Page 828: ...y host destination destination address bitmask tagged eth2 Tagged Ethernet II packets untagged eth2 Untagged Ethernet II packets tagged 802 3 Tagged Ethernet 802 3 packets untagged 802 3 Untagged Ethernet 802 3 packets any Any MAC source or destination address host A specific MAC address source Source MAC address destination Destination MAC address range with bitmask address bitmask14 Bitmask for ...

Page 829: ...mac acl permit any host 00 e0 29 94 34 de ethertype 0800 Console config mac acl RELATED COMMANDS access list mac 826 Time Range 679 mac access group This command binds a MAC ACL to a port Use the no form to remove the port SYNTAX mac access group acl name in time range time range name acl name Name of the ACL Maximum length 16 characters in Indicates that this list applies to ingress packets time ...

Page 830: ...DE Privileged Exec EXAMPLE Console show mac access group Interface ethernet 1 5 MAC access list M5 in Console RELATED COMMANDS mac access group 829 show mac access list This command displays the rules for configured MAC ACLs SYNTAX show mac access list acl name acl name Name of the ACL Maximum length 16 characters COMMAND MODE Privileged Exec EXAMPLE Console show mac access list MAC access list je...

Page 831: ...NG None COMMAND MODE Global Configuration COMMAND USAGE When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list To create an ACL you must add at least one rule to the list To remove a rule use the no permit or no deny command followed by the exact text of a previously configured rule An ACL can contain up t...

Page 832: ...it deny response ip any host source ip source ip ip address bitmask any host destination ip destination ip ip address bitmask mac any host source mac source mac mac address bitmask any host destination mac destination mac mac address bitmask log source ip Source IP address destination ip Destination IP address with bitmask ip address bitmask15 IPv4 number representing the address bits to match sou...

Page 833: ... 255 0 0 mac any any Console config mac acl RELATED COMMANDS access list arp 831 show arp access list This command displays the rules for configured ARP ACLs SYNTAX show arp access list acl name acl name Name of the ACL Maximum length 16 characters COMMAND MODE Privileged Exec EXAMPLE Console show arp access list ARP access list factory permit response ip any 192 168 0 0 255 255 0 0 mac any any Co...

Page 834: ...iated rules COMMAND MODE Privileged Exec EXAMPLE Console show access list IP standard access list david permit host 10 1 1 21 permit 168 92 0 0 255 255 15 0 IP extended access list bob permit 10 7 1 1 255 255 255 0 any permit 192 168 1 0 255 255 255 0 any destination port 80 80 permit 192 168 1 0 255 255 255 0 any protocol tcp control code 2 2 MAC access list jerry permit any host 00 30 29 94 34 d...

Page 835: ...plex Configures the speed and duplex operation of a given interface when autonegotiation is disabled IC switchport mtu Sets the maximum transfer unit for an interface IC switchport packet rate Configures broadcast multicast and unknown unicast storm control thresholds IC clear counters Clears statistics on an interface PE show interfaces counters Displays statistics for the specified interfaces NE...

Page 836: ... 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 vlan vlan id Range 1 4093 DEFAULT SETTING None COMMAND MODE Global Configuration EXAMPLE To specify port 4 enter the following command Console config interface ethernet 1 4 Console config if alias This command configures an alias name for the interface Use the no form to remove the alias name SYNTAX alias string no alias string...

Page 837: ...l 1000full 100full 100half 10full 10half flowcontrol symmetric 10000full Supports 10 Gbps full duplex operation 1000full Supports 1 Gbps full duplex operation 100full Supports 100 Mbps full duplex operation 100half Supports 100 Mbps half duplex operation 10full Supports 10 Mbps full duplex operation 10half Supports 10 Mbps half duplex operation flowcontrol Supports flow control symmetric Gigabit a...

Page 838: ...e config interface ethernet 1 5 Console config if capabilities 100half Console config if capabilities 100full Console config if capabilities flowcontrol Console config if RELATED COMMANDS negotiation 840 speed duplex 842 flowcontrol 839 description This command adds a description to an interface Use the no form to remove the description SYNTAX description string no description string Comment or a ...

Page 839: ...when its buffers fill When enabled back pressure is used for half duplex operation and IEEE 802 3 2002 formally IEEE 802 3x for full duplex operation To force flow control on or off with the flowcontrol or no flowcontrol command use the no negotiation command to disable auto negotiation on the selected interface When using the negotiation command to enable auto negotiation the optimal settings wil...

Page 840: ...le not installed sfp preferred auto Uses SFP port if both combination types are functioning and the SFP port has a valid link DEFAULT SETTING Ports 1 20 1 44 copper forced Ports 21 24 45 48 sfp preferred auto Ports 25 26 49 50 sfp preferred auto COMMAND MODE Interface Configuration Ethernet EXAMPLE This forces the switch to use the built in RJ 45 port for the combination port 25 Console config int...

Page 841: ...gotiation is disabled auto MDI MDI X pin signal configuration will also be disabled for the RJ 45 ports EXAMPLE The following example configures port 11 to use auto negotiation Console config interface ethernet 1 11 Console config if negotiation Console config if RELATED COMMANDS capabilities 837 speed duplex 842 shutdown This command disables an interface To restart a disabled interface use the n...

Page 842: ... the default speed duplex setting is 100full on the 1000Base T ports 1000full on the 1000Base SFP ports and 10Gfull on the 10G ports The speed duplex setting on the 10G ports is fixed at 10Gfull COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE The 1000BASE T and 10GBASE T standard does not support forced mode Auto negotiation should always be used to establish a connection ...

Page 843: ...on Ethernet Port Channel COMMAND USAGE Use the jumbo frame command to enable or disable jumbo frames for all Gigabit and 10 Gigabit Ethernet ports To set the MTU for a specific interface enable jumbo frames and use this command to specify the required size of the MTU The comparison of packet size against the configured port MTU considers only the incoming packet size and is not affected by the fac...

Page 844: ...Console config jumbo frame Console config interface ethernet 1 1 Console config if switchport mtu 9216 Console config if RELATED COMMANDS jumbo frame 646 show interfaces status 847 switchport packet rate This command configures broadcast multicast and unknown unicast storm control Use the no form to restore the default setting SYNTAX switchport broadcast multicast unicast packet rate rate no switc...

Page 845: ...he command rate limit input 20 on a port Since 200 Mbps is 1 5 of line speed 1000 Mbps the received rate will actually be 100 pps or 1 5 of the 500 pps limit set by the storm control command It is therefore not advisable to use both of these commands on the same interface EXAMPLE The following shows how to configure broadcast storm control at 600 packets per second Console config interface etherne...

Page 846: ...Range 1 32 DEFAULT SETTING Shows the counters for all interfaces COMMAND MODE Normal Exec Privileged Exec COMMAND USAGE If no interface is specified information on all interfaces is displayed For a description of the items displayed by this command see Showing Port or Trunk Statistics on page 138 EXAMPLE Console show interfaces counters ethernet 1 17 Ethernet 1 1 IF table Stats 138550 Octets Input...

Page 847: ... Errors 0 Collisions 2142 Packet Size 64 Octets 303 Packet Size 65 to 127 Octets 140 Packet Size 128 to 255 Octets 75 Packet Size 256 to 511 Octets 140 Packet Size 512 to 1023 Octets 459 Packet Size 1024 to 1518 Octets Port Utilization 35 Octets Input per seconds 0 Packets Input per seconds 0 00 Input Utilization 56 Octets Output per seconds 0 Packets Output per second 0 00 Output Utilization Cons...

Page 848: ...ll 1000full Broadcast Storm Enabled Broadcast Storm Limit 500 packets second Flow Control Disabled VLAN Trunking Disabled LACP Disabled MAC Learning Yes Port Security Disabled Max MAC Count 0 Port Security Action None Media Type Copper forced MTU 1518 Current Status Link Status Up Port Operation Status Up Operation Speed duplex 100full Flow Control Type None Console show interfaces switchport This...

Page 849: ...aces switchport display description Field Description Broadcast Threshold Shows if broadcast storm suppression is enabled or disabled if enabled it also shows the threshold level page 844 LACP Status Shows if Link Aggregation Control Protocol has been enabled or disabled page 857 Ingress Egress Rate Limit Shows if rate limiting is enabled and the current rate limit page 869 VLAN Membership Mode In...

Page 850: ...cal devices EXAMPLE Console show interfaces transceiver ethernet 1 24 Information of Eth 1 24 Connector Type LC Fiber Type Single Mode SM Eth Compliance Codes 1000BASE LX Tx Central Wavelength 1310 nm Baud Rate 1300 MBd Vendor OUI 00 00 00 Vendor Name DELTA Vendor PN LCP 1250B4QDRT Private VLAN Mode Shows the private VLAN mode as host promiscuous or none 942 Private VLAN host association Shows the...

Page 851: ...rrent 43 11 mA TX Power 605 uW RX Power 3 uW Console test cable diagnostics dsp This command performs cable diagnostics on the specified port to diagnose any cable faults short open etc and report the cable length SYNTAX test cable diagnostics dsp interface interface interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 COMMAND MODE Privileged Exec COMMAND USAGE Cab...

Page 852: ...able Short with accuracy 0 meters Pair A OK length 1 meters Pair B OK length 2 meters Pair C Short length 1 meters Pair D Short length 2 meters Last Update 0n 2010 04 23 07 59 26 Console test loop internal This command performs an internal loop back test on the specified port SYNTAX test loop internal interface interface interface ethernet unit port unit Stack unit Range 1 8 port Port number Range...

Page 853: ...Range 1 26 50 COMMAND MODE Privileged Exec EXAMPLE Console show cable diagnostics dsp interface ethernet 1 1 Cable Diagnostics on interface Ethernet 1 1 Cable OK with accuracy 0 meters Pair A OK length 0 meters Pair B OK length 0 meters Pair C OK length 1 meters Pair D OK length 1 meters Last Update 0n 2009 10 21 15 08 20 Console show loop internal This command shows the results of a loop back tes...

Page 854: ...CHAPTER 32 Interface Commands 854 ES 4500G Series EXAMPLE Console show loop internal interface ethernet 1 1 Port Test Result Last Update Eth 1 1 Succeeded 2024 07 15 15 26 56 Console ...

Page 855: ... avoid creating a loop A trunk can have up to 8 ports The ports at both ends of a connection must be configured as trunk ports All ports in a trunk must be configured in an identical manner including communication mode i e speed and duplex mode VLAN assignments and CoS settings Table 91 Link Aggregation Commands Command Function Mode Manual Configuration Commands interface port channel Configures ...

Page 856: ...ormed i e it has the null value of 0 this key is set to the same value as the port admin key lacp admin key Ethernet Interface used by the interfaces that joined the group However if the port channel admin key is set then the port admin key must be set to the same value for a port to be allowed to join a channel group If a link goes down LACP port priority is used to select the backup link channel...

Page 857: ...ally be assigned the next available port channel ID If the target switch has also enabled LACP on the connected ports the trunk will be activated automatically If more than eight ports attached to the same target switch have LACP enabled the additional ports will be placed in standby mode and will only be enabled if one of the active links fails EXAMPLE The following shows LACP enabled on ports 10...

Page 858: ... key Use the no form to restore the default setting SYNTAX lacp actor partner admin key key no lacp actor partner admin key actor The local side an aggregate link partner The remote side of an aggregate link key The port admin key must be set to the same value for ports that belong to the same link aggregation group LAG Range 0 65535 DEFAULT SETTING 0 COMMAND MODE Interface Configuration Ethernet ...

Page 859: ...ty LACP port priority is used to select a backup link Range 0 65535 DEFAULT SETTING 32768 COMMAND MODE Interface Configuration Ethernet COMMAND USAGE Setting a lower value indicates a higher effective priority If an active port link goes down the backup port with the highest priority is selected to replace the downed link However if two or more ports have the same LACP port priority the port with ...

Page 860: ...with the switch s MAC address to form the LAG identifier This identifier is used to indicate a specific LAG during LACP negotiations with other systems Once the remote side of a link has been established LACP operational settings are already in use on that side Configuring LACP settings for the partner only applies to its administrative state not its operational state and will only take effect the...

Page 861: ...sed by the interfaces that joined the group Note that when the LAG is no longer used the port channel admin key is reset to 0 EXAMPLE Console config interface port channel 1 Console config if lacp admin key 3 Console config if show lacp This command displays LACP information SYNTAX show lacp port channel counters internal neighbors sys id port channel Local identifier for a link aggregation group ...

Page 862: ...ived on this channel group Marker Sent Number of valid Marker PDUs transmitted from this channel group Marker Received Number of valid Marker PDUs received by this channel group LACPDUs Unknown Pkts Number of frames received that either 1 Carry the Slow Protocols Ethernet Type value but contain an unknown PDU or 2 are addressed to the Slow Protocols group MAC Address but do not carry the Slow Prot...

Page 863: ...g frames on this link is enabled i e collection is currently enabled and is not expected to be disabled in the absence of administrative changes or changes in received protocol information Synchronization The System considers this link to be IN_SYNC i e it has been allocated to the correct Link Aggregation Group the group has been associated with a compatible Aggregator and the identity of the Lin...

Page 864: ... partner Admin Key Current administrative value of the Key for the protocol partner Oper Key Current operational value of the Key for the protocol partner Admin State Administrative values of the partner s state parameters See preceding table Oper State Operational values of the partner s state parameters See preceding table Table 95 show lacp sysid display description Field Description Channel gr...

Page 865: ... session SYNTAX port monitor interface rx tx both no port monitor interface interface ethernet unit port source port unit Stack unit Range 1 8 port Port number Range 1 26 50 rx Mirror received packets tx Mirror transmitted packets both Mirror both received and transmitted packets DEFAULT SETTING No mirror session is defined Table 96 Port Mirroring Commands Command Function Local Port Mirroring Mir...

Page 866: ...port monitor command to specify the source of the traffic to mirror When mirroring traffic from a port the mirror port and monitor port speeds should match otherwise traffic may be dropped from the monitor port You can create multiple mirror sessions but all sessions must share the same destination port Spanning Tree BPDU packets are not mirrored to the target port EXAMPLE The following example co...

Page 867: ...t destination port and mirror mode i e RX TX RX TX EXAMPLE The following shows mirroring configured from port 6 to port 11 Console config interface ethernet 1 11 Console config if port monitor ethernet 1 6 Console config if end Console show port monitor Port Mirroring Destination Port listen port Eth1 1 Source Port monitored port Eth1 6 Mode RX TX Console ...

Page 868: ...CHAPTER 34 Port Mirroring Commands Local Port Mirroring Commands 868 ES 4500G Series ...

Page 869: ...tus of disabled SYNTAX rate limit input output rate no rate limit input output input Input rate for specified interface output Output rate for specified interface rate Maximum value in Mbps Range 64 1000000 kbps for Gigabit Ethernet ports 64 10000000 kbps for 10 Gigabit Ethernet ports DEFAULT SETTING 1000 Mbps COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE Using both rate...

Page 870: ...Series command It is therefore not advisable to use both of these commands on the same interface EXAMPLE Console config interface ethernet 1 1 Console config if rate limit input 64 Console config if RELATED COMMAND show interfaces switchport 848 ...

Page 871: ...e apply timer expires IC Port auto traffic control auto control release Automatically releases a control response IC Port auto traffic control control release Manually releases a control response PE SNMP Trap Commands snmp server enable port traps atc broadcast alarm clear Sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered IC Por...

Page 872: ...c falls beneath the lower threshold after a storm control response has been triggered and the release timer expires IC Port ATC Display Commands show auto traffic control Shows global configuration settings for automatic storm control PE show auto traffic control interface Shows interface configuration settings and storm control status for the specified port PE Enabling automatic storm control on ...

Page 873: ...ally re enable the port FUNCTIONAL LIMITATIONS Automatic storm control is a software level control function Traffic storms can also be controlled at the hardware level using the switchport packet rate command However only one of these control types can be applied to a port Enabling automatic storm control on a port will disable hardware level storm control on that port auto traffic control apply t...

Page 874: ...mmand sets the time at which to release the control response after ingress traffic has fallen beneath the lower threshold Use the no form to restore the default setting SYNTAX auto traffic control broadcast multicast release timer seconds no auto traffic control broadcast multicast release timer broadcast Specifies automatic storm control for broadcast traffic multicast Specifies automatic storm c...

Page 875: ...AULT SETTING Disabled COMMAND MODE Interface Configuration Ethernet COMMAND USAGE Automatic storm control can be enabled for either broadcast or multicast traffic It cannot be enabled for both of these traffic types at the same time Automatic storm control is a software level control function Traffic storms can also be controlled at the hardware level using the switchport packet rate command Howev...

Page 876: ...ontrol can only be manually re enabled DEFAULT SETTING rate control COMMAND MODE Interface Configuration Ethernet COMMAND USAGE When the upper threshold is exceeded and the apply timer expires a control response will be triggered based on this command When the control response is set to rate limiting by this command the rate limits are determined by the auto traffic control alarm clear threshold c...

Page 877: ...er seconds COMMAND MODE Interface Configuration Ethernet COMMAND USAGE Once the traffic rate falls beneath the lower threshold a trap message may be sent if configured by the snmp server enable port traps atc broadcast alarm clear command or snmp server enable port traps atc multicast alarm clear command If rate limiting has been configured as a control response it will discontinued after the traf...

Page 878: ...ered after the apply timer expires Range 1 255 kilo packets per second seconds DEFAULT SETTING 128 kilo packets per seconds COMMAND MODE Interface Configuration Ethernet COMMAND USAGE Once the upper threshold is exceeded a trap message may be sent if configured by the snmp server enable port traps atc broadcast alarm fire command or snmp server enable port traps atc multicast alarm fire command Af...

Page 879: ...ntrol response after the specified action has been triggered and the release timer has expired EXAMPLE Console config interface ethernet 1 1 Console config if auto traffic control broadcast auto control release Console config if auto traffic control control release This command manually releases a control response SYNTAX auto traffic control broadcast multicast control release broadcast Specifies ...

Page 880: ... server enable port traps atc broadcast alarm clear Console config if RELATED COMMANDS auto traffic control action 876 auto traffic control alarm clear threshold 877 snmp server enable port traps atc broadcast alarm fire This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control Use the no form to disable this trap SYNTAX no snmp server enable port tra...

Page 881: ...ELATED COMMANDS auto traffic control alarm fire threshold 878 auto traffic control apply timer 873 snmp server enable port traps atc broadcast control release This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires Use the no form to disable this trap SYNTAX no snmp server enable port traps a...

Page 882: ... server enable port traps atc multicast alarm clear Console config if RELATED COMMANDS auto traffic control action 876 auto traffic control alarm clear threshold 877 snmp server enable port traps atc multicast alarm fire This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control Use the no form to disable this trap SYNTAX no snmp server enable port tra...

Page 883: ...ELATED COMMANDS auto traffic control alarm fire threshold 878 auto traffic control apply timer 873 snmp server enable port traps atc multicast control release This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires Use the no form to disable this trap SYNTAX no snmp server enable port traps a...

Page 884: ...tings and storm control status for the specified port SYNTAX show auto traffic control interface interface interface ethernet unit port unit Unit identifier Range 1 8 port Port number Range 1 26 50 COMMAND MODE Privileged Exec EXAMPLE Console show auto traffic control interface ethernet 1 1 Eth 1 1 Information Storm Control Broadcast Multicast State Disabled Disabled Action rate control rate contr...

Page 885: ...ETTING 300 seconds COMMAND MODE Global Configuration COMMAND USAGE The aging time is used to age out dynamically learned forwarding information Table 100 Address Table Commands Command Function Mode mac address table aging time Sets the aging time of the address table GC mac address table static Maps a static address to a port in a VLAN GC clear mac address table dynamic Removes any learned entrie...

Page 886: ...until the switch is reset permanent Assignment is permanent DEFAULT SETTING No static addresses are defined The default mode is permanent COMMAND MODE Global Configuration COMMAND USAGE The static address for a host device can be assigned to a specific port within a specific VLAN Use this command to add static addresses to the MAC Address Table Static addresses have the following characteristics S...

Page 887: ...e clear mac address table dynamic Console show mac address table This command shows classes of entries in the bridge forwarding database SYNTAX show mac address table address mac address mask interface interface vlan vlan id sort address vlan interface mac address MAC address mask Bits to match in the address interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 por...

Page 888: ... binary bit 0 means to match a bit and 1 means to ignore a bit For example a mask of 00 00 00 00 00 00 means an exact match and a mask of FF FF FF FF FF FF means any The maximum number of address entries is 16K EXAMPLE Console show mac address table Interface MAC Address VLAN Type Life Time Eth 1 1 00 E0 29 94 34 DE 1 Config Delete on Reset Eth 1 21 00 01 EC F8 D8 D9 1 Learn Delete on Timeout Cons...

Page 889: ...2 DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console show mac address table count Compute the number of MAC Address Maximum number of MAC Address which can be created in the system Total Number of MAC Address 16384 Number of Static MAC Address 1024 Current number of entries which have been created in the system Total Number of MAC Address 2 Number of Static MAC Address 1 Number of D...

Page 890: ...CHAPTER 37 Address Table Commands 890 ES 4500G Series ...

Page 891: ...ts in the same VLAN when global spanning tree is disabled GC spanning tree transmission limit Configures the transmission limit for RSTP MSTP GC max hops Configures the maximum number of hops allowed in the region before a BPDU is discarded MST mst priority Configures the priority of a spanning tree instance MST mst vlan Adds VLANs to a spanning tree instance MST name Configures the name for the m...

Page 892: ...n instance in the MST IC spanning tree mst port priority Configures the priority of an instance in the MST IC spanning tree port bpdu flooding Floods BPDUs to other ports when global spanning tree is disabled IC spanning tree port priority Configures the spanning tree priority of an interface IC spanning tree root guard Prevents a designated port from passing superior BPDUs IC spanning tree spanni...

Page 893: ...d sets the maximum time in seconds the root device will wait before changing states i e discarding to learning to forwarding This delay is required because every device must receive information about topology changes before it starts to forward frames In addition each port needs time to listen for conflicting information that would make it return to the discarding state otherwise temporary data lo...

Page 894: ...x age seconds Time in seconds Range 6 40 seconds The minimum value is the higher of 6 or 2 x hello time 1 The maximum value is the lower of 40 or 2 x forward time 1 DEFAULT SETTING 20 seconds COMMAND MODE Global Configuration COMMAND USAGE This command sets the maximum time in seconds a device can wait without receiving a configuration message before attempting to reconfigure All device ports exce...

Page 895: ...abled to prevent network loops thus isolating group members When operating multiple VLANs we recommend selecting the MSTP option Rapid Spanning Tree Protocol RSTP supports connections to either STP or RSTP nodes by monitoring the incoming protocol messages and dynamically adjusting the type of protocol messages the RSTP node transmits as described below STP Mode If the switch receives an 802 1D BP...

Page 896: ...ing Tree Use the no form to restore the default SYNTAX spanning tree pathcost method long short no spanning tree pathcost method long Specifies 32 bit based values that range from 1 200 000 000 This method is based on the IEEE 802 1w Rapid Spanning Tree Protocol short Specifies 16 bit based values that range from 1 65535 This method is based on the IEEE 802 1 Spanning Tree Protocol DEFAULT SETTING...

Page 897: ...used in selecting the root device root port and designated port The device with the highest priority i e lower numeric value becomes the STA root device However if all devices have the same priority the device with the lowest MAC address will then become the root device EXAMPLE Console config spanning tree priority 40000 Console config spanning tree mst configuration This command changes to Multip...

Page 898: ...thin the receiving port s native VLAN i e as determined by port s PVID DEFAULT SETTING Floods to all other ports in the same VLAN COMMAND MODE Global Configuration COMMAND USAGE The spanning tree system bpdu flooding command has no effect if BPDU flooding is disabled on a port see the spanning tree port bpdu flooding command EXAMPLE Console config spanning tree system bpdu flooding Console config ...

Page 899: ...ing tree Range 1 40 DEFAULT SETTING 20 COMMAND MODE MST Configuration COMMAND USAGE An MSTI region is treated as a single node by the STP and RSTP protocols Therefore the message age for BPDUs inside an MSTI region is never changed However each spanning tree instance within a region and the internal spanning tree IST that connects these instances use a hop count to specify the maximum number of br...

Page 900: ...ernate bridge of the specified instance The device with the highest priority i e lowest numerical value becomes the MSTI root device However if all devices have the same priority the device with the lowest MAC address will then become the root device You can set this switch to act as the MSTI root device by specifying a priority of 0 or as the MSTI alternate device by specifying a priority of 1638...

Page 901: ...rk However remember that you must configure all bridges within the same MSTI Region page 901 with the same set of instances and the same instance on each bridge with the same set of VLANs Also note that RSTP treats each MSTI region as a single node connecting all regions to the Common Spanning Tree EXAMPLE Console config mstp mst 1 vlan 2 5 Console config mstp name This command configures the name...

Page 902: ...ration COMMAND USAGE The MST region name page 901 and revision number are used to designate a unique MST region A bridge i e spanning tree compliant device such as this switch can only belong to one MST region And all bridges in the same region must be configured with the same MST instances EXAMPLE Console config mstp revision 1 Console config mstp RELATED COMMANDS name 901 spanning tree bpdu filt...

Page 903: ...le config if spanning tree bpdu filter Console config if RELATED COMMANDS spanning tree edge port 905 spanning tree bpdu guard This command shuts down an edge port i e an interface set for fast forwarding if it receives a BPDU Use the no form to disable this feature SYNTAX no spanning tree bpdu guard DEFAULT SETTING Disabled COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE ...

Page 904: ...ally detects the speed and duplex mode used on each port and configures the path cost according to the values shown below Path cost 0 is used to indicate auto configuration mode When the short path cost method is selected and the default path cost recommended by the IEEE 8021w standard exceeds 65 535 the default is set to 65 535 COMMAND MODE Interface Configuration Ethernet Port Channel 16 Use the...

Page 905: ...led COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node Since end nodes cannot cause forwarding loops they can pass directly through to the spanning tree forwarding state Specifying Edge Ports provides quicker convergence for devices such as workstation...

Page 906: ...nected to two or more bridges When automatic detection is selected the switch derives the link type from the duplex mode A full duplex interface is considered a point to point link while a half duplex interface is assumed to be on a shared link RSTP only works on point to point links between two bridges If you designate a port as a shared link RSTP is forbidden Since MSTP is an extension of RSTP t...

Page 907: ... loopback detection release mode auto Allows a port to automatically be released from the discarding state when the loopback state ends manual The port can only be released from the discarding state manually DEFAULT SETTING auto COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE If the port is configured for automatic loopback release then the port will only be returned to th...

Page 908: ...LE Console config interface ethernet ethernet 1 5 Console config if spanning tree loopback detection trap spanning tree mst cost This command configures the path cost on a spanning instance in the Multiple Spanning Tree Use the no form to restore the default auto configuration mode SYNTAX spanning tree mst instance id cost cost no spanning tree mst instance id cost instance id Instance identifier ...

Page 909: ... media and higher values assigned to interfaces with slower media Use the no spanning tree mst cost command to specify auto configuration mode Path cost takes precedence over interface priority EXAMPLE Console config interface Ethernet 1 5 Console config if spanning tree mst 1 cost 50 Console config if RELATED COMMANDS spanning tree mst port priority 909 spanning tree mst port priority This comman...

Page 910: ...ing tree mst cost 908 spanning tree port bpdu flooding This command floods BPDUs to other ports when spanning tree is disabled globally or disabled on a specific port Use the no form to restore the default setting SYNTAX no spanning tree port bpdu flooding DEFAULT SETTING Enabled COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE When enabled BPDUs are flooded to all other po...

Page 911: ... same the port with the highest priority that is lowest value will be configured as an active link in the spanning tree Where more than one port is assigned the highest priority the port with lowest numeric identifier will be enabled EXAMPLE Console config interface ethernet 1 5 Console config if spanning tree port priority 0 RELATED COMMANDS spanning tree cost 904 spanning tree root guard This co...

Page 912: ...gy It could also be used to form a border around part of the network where the root bridge is allowed When spanning tree is initialized globally on the switch or on an interface the switch will wait for 20 seconds to ensure that the spanning tree has converged before enabling Root Guard EXAMPLE Console config interface ethernet ethernet 1 5 Console config if spanning tree edge port Console config ...

Page 913: ...ck occurs EXAMPLE Console spanning tree loopback detection release ethernet 1 1 Console spanning tree protocol migration This command re checks the appropriate BPDU format to send on the selected interface SYNTAX spanning tree protocol migration interface interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 COMMAND MODE Privileged...

Page 914: ...g tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree CST and for every interface in the tree Use the show spanning tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree CST Use the show spanning tree mst instance id command to display the spanning tree configuration for ...

Page 915: ...1 information Admin Status Enabled Role Disabled State Discarding External Admin Path Cost 0 Internal Admin Path Cost 0 External Oper Path Cost 100000 Internal Oper Path Cost 100000 Priority 128 Designated Cost 100000 Designated Port 128 1 Designated Root 32768 0 0001ECF8D8C6 Designated Bridge 32768 0 123412341234 Fast Forwarding Disabled Forward Transitions 4 Admin Edge Port Disabled Oper Edge Po...

Page 916: ...ee mst configuration This command shows the configuration of the multiple spanning tree COMMAND MODE Privileged Exec EXAMPLE Console show spanning tree mst configuration Mstp Configuration Information Configuration Name R D Revision Level 0 Instance VLANs 0 1 4093 Console ...

Page 917: ...VLAN Interfaces Configures VLAN interface parameters including ingress and egress tagging mode ingress filtering PVID and GVRP Displaying VLAN Information Displays VLAN groups status port members and MAC addresses Configuring IEEE 802 1Q Tunneling Configures 802 1Q Tunneling QinQ Tunneling Configuring Port based Traffic Segmentation Configures traffic segmentation for different client sessions bas...

Page 918: ...n COMMAND USAGE GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network This function should be enabled to permit automatic VLAN registration and to support VLANs which extend beyond the local switch EXAMPLE Console config bridge ext gvrp Console config Table 105 GVRP and Bridge Extension Commands Command Function Mode bridge ext g...

Page 919: ...OMMAND USAGE Group Address Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN The default values for the GARP timers are independent of the media access method or data rate These values should not be changed unless you are experiencing difficulties with GMRP or GVRP registration deregistration Timer values are applied...

Page 920: ...ULT SETTING No VLANs are included in the forbidden list COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE This command prevents a VLAN from being automatically added to the specified interface via GVRP If a VLAN has been added to the set of allowed VLANs for an interface then you cannot add it to the set of forbidden VLANs for that same interface EXAMPLE The following exampl...

Page 921: ...XAMPLE Console show bridge ext Maximum Supported VLAN Numbers 4093 Maximum Supported VLAN ID 4093 Extended Multicast Filtering Services No Static Entry Individual Port Yes VLAN Learning IVL Configurable PVID Tagging Yes Local VLAN Capable No Traffic Classes Enabled Global GVRP Status Disabled GMRP Disabled Console show garp timer This command shows the GARP timers for the selected interface SYNTAX...

Page 922: ...on interface interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 DEFAULT SETTING Shows both global and interface specific configuration COMMAND MODE Normal Exec Privileged Exec EXAMPLE Console show gvrp configuration ethernet 1 7 Eth 1 7 GVRP Configuration Disabled Console EDITING VLAN GROUPS Table 106 Commands for Editing VLAN G...

Page 923: ...le and you can display this file by entering the show running config command EXAMPLE Console config vlan database Console config vlan RELATED COMMANDS show vlan 931 vlan This command configures a VLAN Use the no form to restore the default settings or delete a VLAN SYNTAX vlan vlan id name vlan name media ethernet state active suspend no vlan vlan id name state vlan id VLAN ID specified as a singl...

Page 924: ...1 CONFIGURING VLAN INTERFACES Table 107 Commands for Configuring VLAN Interfaces Command Function Mode interface vlan Enters interface configuration mode for a specified VLAN GC switchport acceptable frame types Configures frame types to be accepted by an interface IC switchport allowed vlan Configures the VLANs associated with an interface IC switchport forbidden vlan Configures forbidden VLANs f...

Page 925: ...nterface configuration for the desired VLAN enter any Layer 3 configuration commands and save the configuration settings To change a Layer 3 normal VLAN back to a Layer 2 VLAN use the no interface command EXAMPLE The following example shows how to set the interface configuration mode to VLAN 1 and then assign an IP address to the VLAN Console config interface vlan 1 Console config if ip address 19...

Page 926: ...d interface Use the no form to restore the default SYNTAX switchport allowed vlan add vlan list tagged untagged remove vlan list no switchport allowed vlan add vlan list List of VLAN identifiers to add remove vlan list List of VLAN identifiers to remove vlan list Separate nonconsecutive VLAN identifiers with a comma and no spaces use a hyphen to designate a range of IDs Do not enter leading zeros ...

Page 927: ...ANs 1 2 5 and 6 to the allowed list as tagged VLANs for port 1 Console config interface ethernet 1 1 Console config if switchport allowed vlan add 1 2 5 6 tagged Console config if switchport ingress filtering This command enables ingress filtering for an interface Use the no form to restore the default SYNTAX no switchport ingress filtering DEFAULT SETTING Disabled COMMAND MODE Interface Configura...

Page 928: ...es a port as an end point for a VLAN trunk A trunk is a direct link between two switches so the port transmits tagged frames that identify the source VLAN Note that frames belonging to the port s default VLAN i e associated with the PVID are also transmitted as tagged frames private vlan For an explanation of this command see the switchport mode private vlan command DEFAULT SETTING All ports are i...

Page 929: ... be added to VLAN 1 as an untagged member For all other VLANs an interface must first be configured as an untagged member before you can assign its PVID to that group If acceptable frame types is set to all or switchport mode is set to hybrid the PVID will be inserted into all untagged frames entering the ingress port EXAMPLE The following example shows how to set the PVID for port 1 to VLAN 3 Con...

Page 930: ...ps that are unknown to those switches to pass through their VLAN trunking ports VLAN trunking is mutually exclusive with the access switchport mode see the switchport mode command If VLAN trunking is enabled on an interface then that interface cannot be set to access mode and vice versa To prevent loops from forming in the spanning tree all unknown VLANs will be bound to a single instance either S...

Page 931: ...LAN type Options community primary DEFAULT SETTING Shows all VLANs COMMAND MODE Normal Exec Privileged Exec EXAMPLE The following example shows how to display information for VLAN 1 Console show vlan id 1 VLAN ID 1 Type Static Name DefaultVlan Status Active Ports Port Channels Eth1 1 S Eth1 2 S Eth1 3 S Eth1 4 S Eth1 5 S Eth1 6 S Eth1 7 S Eth1 8 S Eth1 9 S Eth1 10 S Eth1 11 S Eth1 12 S Eth1 13 S E...

Page 932: ...nnel access mode switchport dot1q tunnel mode 4 Set the Tag Protocol Identifier TPID value of the tunnel access port This step is required if the attached client is using a nonstandard 2 byte ethertype to identify 802 1Q tagged frames The standard ethertype value is 0x8100 See switchport dot1q tunnel tpid 5 Configure the QinQ tunnel access port to join the SPVLAN as an untagged member switchport a...

Page 933: ... protocol is enabled be aware that a tunnel access or tunnel uplink port may be disabled if the spanning tree structure is automatically reconfigured to overcome a break in the tree It is therefore advisable to disable spanning tree on these ports dot1q tunnel system tunnel control This command sets the switch to operate in QinQ mode Use the no form to disable QinQ operating mode SYNTAX no dot1q t...

Page 934: ... tunnel control command before the switchport dot1q tunnel mode interface command can take effect When a tunnel uplink port receives a packet from a customer the customer tag regardless of whether there are one or more tag layers is retained in the inner tag and the service provider s tag added to the outer tag When a tunnel uplink port receives a packet from the service provider the outer service...

Page 935: ...based on the default VID of the edge router s ingress port This process is performed in a transparent manner as described under IEEE 802 1Q Tunneling on page 181 When priority bits are found in the inner tag these are also copied to the outer tag This allows the service provider to differentiate service based on the indicated priority and appropriate methods of queue management at intermediate nod...

Page 936: ...1 CVID 10 ingress vlan translation Inject double tagged frame SVID 101 CVID 10 to Port 2 then Port 1 exits single tagged frame VID 10 switching 3 Port 1 switchport dot1q tunnel service 101 match cvid 10 remove ctag Inject tagged frame VID 10 to Port 1 then Port 2 exits single tagged frame SVID 101 ingress vlan translation Inject single tagged frame SVID 101 to Port 2 then Port 1 exits single tagge...

Page 937: ...e looked upon as untagged frames and assigned to the native VLAN of that port All ports on the switch will be set to the same ethertype EXAMPLE Console config interface ethernet 1 1 Console config if switchport dot1q tunnel tpid 9100 Console config if RELATED COMMANDS show interfaces switchport 848 show dot1q tunnel This command displays information about QinQ tunnel ports SYNTAX show dot1q tunnel...

Page 938: ...nsole RELATED COMMANDS switchport dot1q tunnel mode 934 CONFIGURING PORT BASED TRAFFIC SEGMENTATION If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider port based traffic segmentation can be used to isolate traffic for individual clients traffic segmentation This command enables traffic...

Page 939: ...y within the same switch Traffic may pass freely between uplink ports in segmented groups and ports in normal VLANs Enter the traffic segmentation command without any parameters to enable traffic segmentation Then set the interface members for segmented groups Enter no traffic segmentation to disable traffic segmentation and clear the configuration settings for segmented groups EXAMPLE This exampl...

Page 940: ...unity VLANs can be associated with each primary VLAN Note that private VLANs and normal VLANs can exist simultaneously within the same switch This section describes commands used to configure private VLANs To configure private VLANs follow these steps 1 Use the private vlan command to designate one or more community VLANs and the primary VLAN that will channel traffic outside of the community grou...

Page 941: ...d vlan id ID of private VLAN Range 1 4093 no leading zeroes community A VLAN in which traffic is restricted to host members in the same VLAN and to promiscuous ports in the associate primary VLAN primary A VLAN which can contain one or more community VLANs and serves to channel traffic between community VLANs and other locations DEFAULT SETTING None COMMAND MODE VLAN Configuration COMMAND USAGE Pr...

Page 942: ...g zeroes secondary vlan id ID of secondary i e community VLAN Range 1 4093 no leading zeroes DEFAULT SETTING None COMMAND MODE VLAN Configuration COMMAND USAGE Secondary VLANs provide security for group members The associated primary VLAN provides a common interface for access to other network resources within the primary VLAN e g servers configured with promiscuous ports and to resources outside ...

Page 943: ...le config interface ethernet 1 3 Console config if switchport mode private vlan host Console config if switchport private vlan host association Use this command to associate an interface with a secondary VLAN Use the no form to remove this association SYNTAX switchport private vlan host association secondary vlan id no switchport private vlan host association secondary vlan id ID of secondary i e ...

Page 944: ...signed to a primary VLAN can communicate with any other promiscuous ports in the same VLAN and with the group members within any associated secondary VLANs EXAMPLE Console config interface ethernet 1 2 Console config if switchport private vlan mapping 2 Console config if show vlan private vlan Use this command to show the private VLAN configuration settings on this switch SYNTAX show vlan private ...

Page 945: ...ned based on the protocol type in use by the inbound packets To configure protocol based VLANs follow these steps 1 First configure VLAN groups for the protocols you want to use page 923 Although not mandatory we suggest configuring a separate VLAN for each major protocol running on your network Do not add port members at this time 2 Create a protocol group for each of the protocols you want to as...

Page 946: ...gured COMMAND MODE Global Configuration EXAMPLE The following creates protocol group 1 and specifies Ethernet frames with IP and ARP protocol types Console config protocol vlan protocol group 1 add frame type ethernet protocol type ip Console config protocol vlan protocol group 1 add frame type ethernet protocol type arp Console config protocol vlan protocol group Configuring Interfaces This comma...

Page 947: ...tagged frames If the frame is untagged and the protocol type matches the frame is forwarded to the appropriate VLAN If the frame is untagged but the protocol type does not match the frame is forwarded to the default VLAN for this interface EXAMPLE The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 2 Console config interface ...

Page 948: ...groups to VLANs for the selected interfaces SYNTAX show interfaces protocol vlan protocol group interface interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 12 DEFAULT SETTING The mapping for all interfaces is displayed COMMAND MODE Privileged Exec EXAMPLE This shows that traffic entering Port 1 that matches the specifications for ...

Page 949: ...address mask vlan vlan id priority priority no subnet vlan subnet ip address mask all ip address The IP address that defines the subnet Valid IP addresses consist of four decimal numbers 0 to 255 separated by periods mask This mask identifies the host address bits of the IP subnet vlan id VLAN to which matching IP subnet traffic is forwarded Range 1 4093 priority The priority assigned to untagged ...

Page 950: ...255 255 224 vlan 4 Console config show subnet vlan This command displays IP Subnet VLAN assignments COMMAND MODE Privileged Exec COMMAND USAGE Use this command to display subnet to VLAN mappings The last matched entry is used if more than one entry can be matched EXAMPLE The following example displays all configured IP subnet based VLANs Console show subnet vlan IP Address Mask VLAN ID Priority 19...

Page 951: ...o form to remove an assignment SYNTAX mac vlan mac address mac address vlan vlan id priority priority no mac vlan mac address mac address all mac address The source MAC address to be matched Configured MAC addresses can only be unicast addresses The MAC address must be specified in the format xx xx xx xx xx xx or xxxxxxxxxxxx vlan id VLAN to which the matching source MAC address traffic is forward...

Page 952: ...an MAC Address VLAN ID Priority 00 00 00 11 22 33 10 0 Console CONFIGURING VOICE VLANS The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic VoIP traffic can be detected on switch ports by using the source MAC address of packets or by using LLDP IEEE 802 1AB to discover connected VoIP devices When VoIP traffic is detected on a configured port the...

Page 953: ...etected on switch ports by using the source MAC address of packets or by using LLDP IEEE 802 1AB to discover connected VoIP devices When VoIP traffic is detected on a configured port the switch automatically assigns the port as a tagged member of the Voice VLAN Only one Voice VLAN is supported and it must already be created on the switch before it can be specified as the Voice VLAN The Voice VLAN ...

Page 954: ...ple configures the Voice VLAN aging time as 3000 minutes Console config voice vlan aging 3000 Console config voice vlan mac address This command specifies MAC address ranges to add to the OUI Telephony list Use the no form to remove an entry from the list SYNTAX voice vlan mac address mac address mask mask address description description no voice vlan mac address mac address mask mask address mac ...

Page 955: ... the OUI Telephony list Console config voice vlan mac address 00 12 34 56 78 90 mask ff ff ff 00 00 00 description A new phone Console config switchport voice vlan This command specifies the Voice VLAN mode for ports Use the no form to disable the Voice VLAN feature on the port SYNTAX switchport voice vlan manual auto no switchport voice vlan manual The Voice VLAN feature is enabled on the port bu...

Page 956: ...ration COMMAND USAGE Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN The priority of any received VoIP packet is overwritten with the new priority when the Voice VLAN feature is active for the port EXAMPLE The following example sets the CoS priority to 5 on port 1 Console config interface ethernet 1 1 Console config if switchport voice vlan priority 5 Console config if...

Page 957: ...for detecting VoIP traffic Console config interface ethernet 1 1 Console config if switchport voice vlan rule oui Console config if switchport voice vlan security This command enables security filtering for VoIP traffic on a port Use the no form to disable filtering on a port SYNTAX no switchport voice vlan security DEFAULT SETTING Disabled COMMAND MODE Interface Configuration COMMAND USAGE Securi...

Page 958: ...ce vlan status Global Voice VLAN Status Voice VLAN Status Enabled Voice VLAN ID 1234 Voice VLAN aging time 1440 minutes Voice VLAN Port Summary Port Mode Security Rule Priority Remaining Age minutes Eth 1 1 Auto Enabled OUI 6 100 Eth 1 2 Disabled Disabled OUI 6 NA Eth 1 3 Manual Enabled OUI 5 100 Eth 1 4 Auto Enabled OUI 6 100 Eth 1 5 Disabled Disabled OUI 6 NA Eth 1 6 Disabled Disabled OUI 6 NA E...

Page 959: ...d Group Function Priority Commands Layer 2 Configures the queue mode queue weights and default priority for untagged frames Priority Commands Layer 3 and 4 Maps TCP ports IP precedence tags or IP DSCP tags to class of service values Table 117 Priority Commands Layer 2 Command Function Mode queue cos map Assigns class of service values to the priority queues IC queue mode Sets the queue mode to str...

Page 960: ...d Robin queuing for each port Eight separate traffic classes are defined in IEEE 802 1p The default priority levels are assigned according to recommendations in the IEEE 802 1p standard as shown below COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE CoS values assigned at the ingress port are also used at the egress port This command sets the CoS priority for all interfaces...

Page 961: ...and Weighted Round Robin for the rest of the queues queue type list Indicates if the queue is a normal or strict type Options 0 indicates a normal queue 1 indicates a strict queue DEFAULT SETTING Weighted Round Robin COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE The switch can be set to service the port queues based on strict priority WRR or a combination of strict and w...

Page 962: ...onfig if queue mode strict Console config if RELATED COMMANDS queue weight 962 show queue mode 964 queue weight This command assigns weights to the eight class of service CoS priority queues when using weighted queuing or one of the queuing modes that use a combination of strict and weighted queuing Use the no form to restore the default weights SYNTAX queue weight weight0 weight7 no queue weight ...

Page 963: ...edence for priority mapping is IP Port IP Precedence or IP DSCP and then default switchport priority The default priority applies for an untagged frame received on a port set to accept all frame types i e receives both untagged and tagged frames This priority does not apply to IEEE 802 1Q VLAN tagged frames If the incoming frame is an IEEE 802 1Q VLAN tagged frame the IEEE 802 1p User Priority bit...

Page 964: ...f service priority map SYNTAX show queue cos map interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console show queue cos map ethernet 1 1 Information of Eth 1 1 CoS Value 0 1 2 3 4 5 6 7 Priority Queue 2 0 1 3 4 5 6 7 Console show queue mode This command shows the curre...

Page 965: ...n Console show queue weight This command displays the weights used for the weighted queues SYNTAX show queue mode interface interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 COMMAND MODE Privileged Exec EXAMPLE Console show queue weight ethernet 1 1 Information of Eth 1 1 Queue ID Weight 0 1 1 2 2 4 3 6 4 8 5 10 6 12 7 14 Conso...

Page 966: ...ce and IP DSCP cannot both be enabled Enabling one of these priority types will automatically disable the other type EXAMPLE The following example shows how to enable IP DSCP mapping globally Console config map ip dscp Console config Table 119 Priority Commands Layer 3 and 4 Command Function Mode map ip dscp Enables IP DSCP class of service mapping GC map ip port Enables TCP UDP class of service m...

Page 967: ...t switchport priority EXAMPLE The following example shows how to enable TCP UDP port mapping globally Console config map ip port Console config map ip precedence Global Configuration This command enables IP precedence mapping i e IP Type of Service Use the no form to disable IP precedence mapping SYNTAX no map ip precedence DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE T...

Page 968: ... DEFAULT SETTING The DSCP default values are defined in the following table Note that all the DSCP values that are not specified are mapped to CoS value 0 COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE The precedence for priority mapping is IP Port IP Precedence or IP DSCP and default switchport priority DSCP priority values are mapped to default Class of Service values a...

Page 969: ...umber cos cos value no map ip port port number port number 16 bit TCP UDP port number Range 0 65535 cos value Class of Service value Range 0 7 DEFAULT SETTING None COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE The precedence for priority mapping is IP Port IP Precedence or IP DSCP and default switchport priority Up to 8 entries can be specified for IP Port priority mappi...

Page 970: ...Configuration Ethernet Port Channel COMMAND USAGE The precedence for priority mapping is IP Port IP Precedence or IP DSCP and default switchport priority IP Precedence values are mapped to default Class of Service values on a one to one basis according to recommendations in the IEEE 802 1p standard and then subsequently mapped to the eight hardware priority queues This command sets the IP Preceden...

Page 971: ...id Range 1 32 DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console show map ip dscp ethernet 1 1 DSCP mapping status Disabled Port DSCP CoS Eth 1 1 0 0 Eth 1 1 1 0 Eth 1 1 2 0 Eth 1 1 3 0 Eth 1 1 61 0 Eth 1 1 62 0 Eth 1 1 63 0 Console show map ip port This command shows the IP port priority map SYNTAX show map ip port interface interface ethernet unit port unit Stack unit Range 1 8 po...

Page 972: ...map ip precedence This command shows the IP precedence priority map SYNTAX show map ip precedence interface interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 COMMAND MODE Privileged Exec EXAMPLE Console show map ip precedence ethernet 1 5 Precedence mapping status Disabled Port Precedence CoS Eth 1 5 0 0 Eth 1 5 1 1 Eth 1 5 2 2...

Page 973: ...a traffic classification for the policy to act on PM rename Redefines the name of a policy map PM police flow Defines an enforcer for classified traffic based on a metered flow rate PM C police srtcm color Defines an enforcer for classified traffic based on a single rate three color meter PM C police trtcm color Defines an enforcer for classified traffic based on a two rate three color meter PM C ...

Page 974: ...IP header for the matching traffic class and use one of the police commands to monitor parameters such as the average flow and burst rate and drop any traffic that exceeds the specified rate or just reduce the DSCP service level for traffic exceeding the specified rate 6 Use the service policy command to assign a policy map to a specific interface NOTE Create a Class Map before creating a Policy M...

Page 975: ... or set commands EXAMPLE This example creates a class map call rd class and sets it to match packets marked for DSCP service value 3 Console config class map rd class match any Console config cmap match ip dscp 3 Console config cmap RELATED COMMANDS show class map 987 description This command specifies the description of a class map or policy map SYNTAX description string string Description of the...

Page 976: ...he class map command to designate a class map and enter the Class Map configuration mode Then use match commands to specify the fields within ingress packets that must match to qualify for this class map If an ingress packet matches an ACL specified by this command any deny rules included in the ACL will be ignored If match criteria includes an IP ACL or IP priority rule then a VLAN rule cannot be...

Page 977: ...Console config cmap rename This command redefines the name of a class map or policy map SYNTAX rename map name map name Name of the class map or policy map Range 1 16 characters COMMAND MODE Class Map Configuration Policy Map Configuration EXAMPLE Console config class map rd class 1 Console config cmap rename rd class 9 Console config cmap policy map This command creates a policy map that can be a...

Page 978: ...fig policy map rd policy Console config pmap class rd class Console config pmap c set ip dscp 3 Console config pmap c police flow 10000 4000 conform action transmit violate action drop Console config pmap c class This command defines a traffic classification upon which a policy can act and enters Policy Map Class configuration mode Use the no form to delete a class map SYNTAX no class class map na...

Page 979: ...fic based on the metered flow rate Use the no form to remove a policer SYNTAX no police flow committed rate committed burst violate action drop new dscp committed rate Committed information rate CIR in kilobits per second Range 64 1000000 kbps at a granularity of 64 kbps or maximum port speed whichever is lower committed burst Committed burst size BC in bytes Range 4000 16000000 at a granularity o...

Page 980: ...d Tc is decremented by B down to the minimum value of 0 else else the packet is red and Tc is not decremented EXAMPLE This example creates a policy called rd policy uses the class command to specify the previously defined rd class uses the set command to classify the service that incoming packets will receive and then uses the police flow command to limit the average bandwidth to 100 000 Kbps the ...

Page 981: ...up to 16 policers i e class maps for ingress ports The committed rate cannot exceed the configured interface speed and the committed burst and excess burst cannot exceed 16 Mbytes The srTCM as defined in RFC 2697 meters a traffic stream and processes its packets according to three traffic parameters Committed Information Rate CIR Committed Burst Size BC and Excess Burst Size BE The PHB label is co...

Page 982: ...ted by B down to the minimum value of 0 else If the packet has been precolored as yellow or green and if Te t B 0 the packets is yellow and Te is decremented by B down to the minimum value of 0 else the packet is red and neither Tc nor Te is decremented The metering policy guarantees a deterministic behavior where the volume of green packets is never smaller than what has been determined by the CI...

Page 983: ...e PIR in kilobits per second Range 64 1000000 kbps at a granularity of 64 kbps or maximum port speed whichever is lower peak burst Burst size BP in bytes Range 4000 16000000 at a granularity of 4k bytes exceed action Action to take when rate exceeds the CIR but is within the PIR Packet size exceeds BC but there are enough tokens in bucket BP to service the packet the packet is set yellow violate a...

Page 984: ...CIR respectively The maximum size of the token bucket P is BP and the maximum size of the token bucket C is BC The token buckets P and C are initially at time 0 full that is the token count Tp 0 BP and the token count Tc 0 BC Thereafter the token count Tp is incremented by one PIR times per second up to BP and the token count Tc is incremented by one CIR times per second up to BC When a packet of ...

Page 985: ...his command modifies the CoS DSCP or IP Precedence value in a matching packet as specified by the match command Use the no form to remove this traffic classification SYNTAX no set cos new cos ip dscp new dscp ip precedence new ip precedence new cos New Class of Service CoS value Range 0 7 new dscp New Differentiated Service Code Point DSCP value Range 0 63 new ip precedence New IP Precedence value...

Page 986: ...lies a policy map defined by the policy map command to the ingress side of a particular interface Use the no form to remove this mapping SYNTAX no service policy input policy map name input Apply to the input traffic policy map name Name of the policy map for this interface Range 1 32 characters DEFAULT SETTING No policy map is attached to an interface COMMAND MODE Interface Configuration Ethernet...

Page 987: ...atch access list rd access Match ip dscp 0 Class Map match any rd class 2 Match ip precedence 5 Class Map match any rd class 3 Match vlan 1 Console show policy map This command displays the QoS policy maps which define classification criteria for incoming traffic and may include policers for bandwidth limitations SYNTAX show policy map policy map name class class map name policy map name Name of t...

Page 988: ...s 3 Console show policy map interface This command displays the service policy assigned to the specified interface SYNTAX show policy map interface interface input interface unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 COMMAND MODE Privileged Exec EXAMPLE Console show policy map interface 1 5 input Service policy rd policy Console ...

Page 989: ...ulticast service and group members Static Multicast Routing Configures static multicast router ports which forward all inbound multicast traffic to the attached VLANs IGMP Filtering and Throttling Configures IGMP filtering and throttling Multicast VLAN Registration Configures a single network wide multicast VLAN shared by hosts residing in other standard or private VLAN groups preserving security ...

Page 990: ...g version Configures the IGMP version for snooping GC ip igmp snooping version exclusive Discards received IGMP messages which use a version different to that currently configured GC ip igmp snooping vlan general query suppression Suppresses general queries except for ports attached to downstream multicast hosts GC ip igmp snooping vlan immediate leave Immediately deletes a member port of a multic...

Page 991: ...gured per VLAN interface but the interface settings will not take effect until snooping is re enabled globally EXAMPLE The following example enables IGMP snooping globally Console config ip igmp snooping Console config ip igmp snooping vlan version Configures the IGMP version for snooping GC ip igmp snooping vlan version exclusive Discards received IGMP messages which use a version different to th...

Page 992: ... performs IGMP Snooping with Proxy Reporting as defined in DSL Forum TR 101 April 2006 including report suppression last leave and query suppression Report suppression intercepts absorbs and summarizes IGMP reports coming from downstream hosts Last leave sends out a proxy query when the last member leaves a multicast group and query suppression means that neither specific queries nor general queri...

Page 993: ...AULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE As described in Section 9 1 of RFC 3376 for IGMP Version 3 the Router Alert Option can be used to protect against DOS attacks One common method of attack is launched by an intruder who takes over the role of querier and starts overloading multicast hosts by sending a large number of group and source specific queries each with a ...

Page 994: ...oping tcn flood This command enables flooding of multicast traffic if a spanning tree topology change notification TCN occurs Use the no form to disable flooding SYNTAX no ip igmp snooping tcn flood DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE When a spanning tree topology change occurs the multicast membership information learned by the switch may be out of date For ex...

Page 995: ...s the root bridge sends a proxy query to quickly re learn the host membership port relations for multicast channels The root bridge also sends an unsolicited Multicast Router Discover MRD request to quickly locate the multicast routers in this VLAN The proxy query and unsolicited MRD request are flooded to all VLAN ports except for the receiving port when the switch receives such packets EXAMPLE T...

Page 996: ... config ip igmp snooping tcn query solicit Console config ip igmp snooping unregistered data flood This command floods unregistered multicast traffic into the attached VLAN Use the no form to drop unregistered multicast traffic SYNTAX no ip igmp snooping unregistered data flood DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE Once the table used to store multicast entries f...

Page 997: ...uration COMMAND USAGE When a new upstream interface that is uplink port starts up the switch sends unsolicited reports for all currently learned multicast channels out through the new upstream interface This command only applies when proxy reporting is enabled see page 992 EXAMPLE Console config ip igmp snooping unsolicited report interval 5 Console config ip igmp snooping version This command con...

Page 998: ...This command discards any received IGMP messages except for multicast protocol packets which use a version different to that currently configured by the ip igmp snooping version command Use the no form to disable this feature SYNTAX ip igmp snooping vlan vlan id version exclusive no ip igmp snooping version exclusive vlan id VLAN ID Range 1 4093 DEFAULT SETTING Global Disabled VLAN Disabled COMMAN...

Page 999: ...have joined a multicast service EXAMPLE Console config ip igmp snooping vlan 1 general query suppression Console config ip igmp snooping vlan immediate leave This command immediately deletes a member port of a multicast service if a leave packet is received at that port and immediate leave is enabled for the parent VLAN Use the no form to restore the default SYNTAX no ip igmp snooping vlan vlan id...

Page 1000: ...n last memb query count This command configures the number of IGMP proxy group specific or group and source specific query messages that are sent out before the system assumes there are no more local members Use the no form to restore the default SYNTAX ip igmp snooping vlan vlan id last memb query count count no ip igmp snooping vlan vlan id last memb query count vlan id VLAN ID Range 1 4093 coun...

Page 1001: ... is received by the switch it checks to see if this host is the last to leave the group by sending out an IGMP group specific or group and source specific query message and starts a timer If no reports are received before the timer expires the group record is deleted and a report is sent to the upstream multicast router A reduced value will result in reduced time to detect the loss of the last mem...

Page 1002: ...periodic timer as a part of a router s start up procedure during the restart of a multicast forwarding interface and on receipt of a solicitation message When the multicast services provided to a VLAN is relatively stable the use of solicitation messages is not required and may be disabled using the no ip igmp snooping vlan mrd command This command may also be used to disable multicast router soli...

Page 1003: ...can be replaced with any valid unicast address other than the router s own address using this command EXAMPLE The following example sets the source address for proxied IGMP query messages to 10 0 1 8 Console config ip igmp snooping vlan 1 proxy address 10 0 1 8 Console config ip igmp snooping vlan query interval This command configures the interval between sending IGMP general queries Use the no f...

Page 1004: ...o general queries Use the no form to restore the default SYNTAX ip igmp snooping vlan vlan id query resp intvl interval no ip igmp snooping vlan vlan id query resp intvl vlan id VLAN ID Range 1 4093 interval The maximum time the system waits for a response to general queries Range 10 31744 tenths of a second DEFAULT SETTING 100 10 seconds COMMAND MODE Global Configuration COMMAND USAGE This comman...

Page 1005: ...ation COMMAND USAGE Static multicast entries are never aged out When a multicast entry is assigned to an interface in a specific VLAN the corresponding traffic can only be forwarded to ports within that VLAN EXAMPLE The following shows how to statically configure a multicast group on a port Console config ip igmp snooping vlan 1 static 224 0 0 12 ethernet 1 5 Console config show ip igmp snooping T...

Page 1006: ...lusive Using global status Disabled Immediate leave Disabled Last member query interval 10 1 10s Last member query count 2 General query suppression Disabled Query interval 125 Query response interval 100 1 10s Proxy query address 0 0 0 0 Proxy reporting Using global status Disabled Multicast Router Discovery Enabled show ip igmp snooping group This command shows known multicast group source and h...

Page 1007: ...his command shows known multicast addresses SYNTAX show mac address table multicast vlan vlan id user igmp snooping user igmp snooping vlan id VLAN ID 1 to 4093 user Display only the user configured multicast entries igmp snooping Display only entries learned through IGMP snooping DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Member types displayed include IGMP or USER depending ...

Page 1008: ...NG No static multicast router ports are configured COMMAND MODE Global Configuration COMMAND USAGE Depending on your network connections IGMP snooping may not always be able to locate the IGMP querier Therefore if the IGMP querier is a known multicast router or switch connected over the network to an interface port or trunk on this switch that interface can be manually configured to join all the c...

Page 1009: ...ROTTLING In certain switch applications the administrator may want to control the multicast services that are available to end users For example an IP TV service based on a specific subscription plan The IGMP filtering feature fulfills this requirement by restricting access to specified multicast services on a switch port and IGMP throttling limits the number of simultaneous multicast groups a por...

Page 1010: ... group is denied the IGMP join report is dropped IGMP filtering and throttling only applies to dynamically learned multicast groups it does not apply to statically configured groups The IGMP filtering feature operates in the same manner when MVR is used to forward multicast traffic EXAMPLE Console config ip igmp filter Console config ip igmp max groups action Sets the IGMP throttling action for an...

Page 1011: ... applied to many interfaces but only one profile can be assigned to one interface Each profile has only one access mode either permit or deny EXAMPLE Console config ip igmp profile 19 Console config igmp profile permit deny This command sets the access mode for an IGMP filter profile Use the no form to delete a profile number SYNTAX permit deny DEFAULT SETTING Deny COMMAND MODE IGMP Profile Config...

Page 1012: ...icast group range DEFAULT SETTING None COMMAND MODE IGMP Profile Configuration COMMAND USAGE Enter this command multiple times to specify more than one multicast address or address range for a profile EXAMPLE Console config ip igmp profile 19 Console config igmp profile range 239 1 1 1 Console config igmp profile range 239 2 3 1 239 2 3 100 Console config igmp profile ip igmp filter Interface Conf...

Page 1013: ...AX ip igmp max groups number no ip igmp max groups number The maximum number of multicast groups an interface can join at the same time Range 0 64 DEFAULT SETTING 64 COMMAND MODE Interface Configuration Ethernet COMMAND USAGE IGMP throttling sets a maximum number of multicast groups that a port can join at the same time When the maximum number of groups is reached on a port the switch can take one...

Page 1014: ...ce If the action is set to deny any new IGMP join reports will be dropped If the action is set to replace the switch randomly removes an existing group and replaces it with the new multicast group EXAMPLE Console config interface ethernet 1 1 Console config if ip igmp max groups action replace Console config if ip igmp query drop This command drops any received IGMP query packets Use the no form t...

Page 1015: ...E This command can be used to stop multicast services from being forwarded to users attached to the downstream port i e the interfaces specified by this command EXAMPLE Console config interface ethernet 1 1 Console config if ip multicast data drop Console config if show ip igmp filter This command displays the global and interface settings for IGMP filtering SYNTAX show ip igmp filter interface in...

Page 1016: ...mp profile profile number profile number An existing IGMP filter profile number Range 1 4294967295 DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console show ip igmp profile IGMP Profile 19 IGMP Profile 50 Console show ip igmp profile 19 IGMP Profile 19 Deny Range 239 1 1 1 239 1 1 1 Range 239 2 3 1 239 2 3 100 Console show ip igmp query drop This command shows if the specified interfa...

Page 1017: ...nterface This command displays the interface settings for IGMP throttling SYNTAX show ip igmp throttle interface interface interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Using this command without specifying an interface displays all interfaces EXAMPLE Console s...

Page 1018: ...ets SYNTAX show ip igmp throttle interface interface interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Using this command without specifying an interface displays all interfaces EXAMPLE Console show ip multicast data drop interface ethernet 1 1 Ethernet 1 1 Enabled...

Page 1019: ...a specific address or range of addresses Or use the no form with the vlan keyword to restore the default MVR VLAN SYNTAX no mvr group ip address count vlan vlan id group Defines a multicast service sent to all attached subscribers ip address IP address for an MVR multicast group Range 224 0 1 0 239 255 255 255 count The number of contiguous MVR group addresses Range 1 255 vlan Specifies the VLAN t...

Page 1020: ... command and switchport native vlan command but MVR receiver ports should not be statically configured as members of this VLAN IGMP snooping must be enabled to a allow a subscriber to dynamically join or leave an MVR group see the ip igmp snooping command Note that only IGMP version 2 or 3 hosts can issue multicast join or leave messages IGMP snooping and MVR share a maximum number of 255 groups A...

Page 1021: ...ports When enabled the receiver port is immediately removed from the multicast group identified in the leave message When immediate leave is disabled the switch follows the standard rules by sending a group specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list Using im...

Page 1022: ...g can be used to allow a receiver port to dynamically join or leave multicast groups sourced through the MVR VLAN Also note that VLAN membership for MVR receiver ports cannot be set to trunk mode see the switchport mode command One or more interfaces may be configured as MVR source ports A source port is able to both receive and send data for multicast groups which it has joined through IGMP snoop...

Page 1023: ...55 255 DEFAULT SETTING No receiver port is a member of any configured multicast group COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE Multicast groups can be statically assigned to a receiver port using this command The IP address range from 224 0 0 0 to 239 255 255 255 is used for multicast streams MVR group addresses cannot fall within the reserved IP multicast address r...

Page 1024: ... command without any keywords to display the global settings for MVR Use the interface keyword to display information about interfaces attached to the MVR VLAN Or use the members keyword to display information about multicast groups assigned to the MVR VLAN EXAMPLE The following shows the global MVR settings Console show mvr MVR Config Status Enabled MVR Running Status Active MVR Multicast VLAN 1 ...

Page 1025: ... The source IP address assigned to all upstream control packets Table 129 show mvr interface display description Field Description Port Shows interfaces attached to the MVR Type Shows the MVR port type Status Shows the MVR status and interface status MVR status for source ports is ACTIVE if MVR is globally enabled on the switch MVR status for receiver ports is ACTIVE only if there are subscribers ...

Page 1026: ...ay be different from the MVR VLAN if the group address has been statically assigned Table 130 show mvr members display description Continued Field Description Table 131 IGMP Commands Layer 3 Command Function Mode ip igmp Enables IGMP for the specified interface IC ip igmp last member query interval Configures the frequency at which to send query messages in response to receiving a leave message IC...

Page 1027: ... 0 0 Joined Groups Static Groups Console RELATED COMMANDS ip igmp snooping 991 show ip igmp snooping 1005 ip igmp last member query interval This command configures the frequency at which to send IGMP group specific or IGMPv3 group source specific query messages in response to receiving a group specific or group source specific leave message Use the no form to restore the default setting SYNTAX ip...

Page 1028: ...ds The report delay advertised in IGMP queries Range 0 255 tenths of a second DEFAULT SETTING 100 10 seconds COMMAND MODE Interface Configuration VLAN COMMAND USAGE IGMPv1 does not support a configurable maximum response time for query messages It is fixed at 10 seconds for IGMPv1 By varying the Maximum Response Interval the burstiness of IGMP messages passed on the subnet can be tuned where large...

Page 1029: ...for a subnet sends host query messages which are addressed to the multicast address 224 0 0 1 and uses a time to live TTL value of 1 For IGMP Version 1 the designated router is elected according to the multicast routing protocol that runs on the LAN But for IGMP Version 2 and 3 the designated querier is the lowest IP addressed multicast router on the subnet EXAMPLE The following shows how to confi...

Page 1030: ...ic group This command configures the router to be a static member of a multicast group on the specified VLAN interface Use the no form to remove the static mapping SYNTAX ip igmp static group group address source source address no ip igmp static group group address IP multicast group address The group addresses specified cannot be in the range of 224 0 0 1 239 255 255 255 source address Source add...

Page 1031: ...c multicast entries for the specified group The switch supports a maximum of 16 static group entries EXAMPLE The following example assigns VLAN 1 as a static member of the specified multicast group Console config interface vlan1 Console config if ip igmp static group 225 1 1 1 ip igmp version This command configures the IGMP version used on an interface Use the no form of this command to restore t...

Page 1032: ...ed COMMAND MODE Privileged Exec COMMAND USAGE Enter the address for a multicast group to delete all entries for the specified group Enter the interface option to delete all multicast groups for the specified interface Enter no options to clear all multicast groups from the cache EXAMPLE The following example clears all multicast group entries for VLAN 1 Console clear ip igmp interface vlan1 Consol...

Page 1033: ...68 1 10 0 0 1 0 4 19 0 0 0 Console Table 132 show ip igmp groups display description Field Description Group Address IP multicast group address with subscribers directly attached or downstream from the switch VLAN The interface on the switch that has received traffic directed to the multicast group address Last Reporter The IP address of the source of the last membership report received for this m...

Page 1034: ...ddress is requested only from those IP source addresses listed in the source list parameter In EXCLUDE mode reception of packets sent to the given multicast address is requested from all IP source addresses except for those listed in the source list parameter and where the source timer status has expired Note that EXCLUDE mode does not apply to SSM addresses Last Reporter The IP address of the sou...

Page 1035: ... 1 up IGMP Disabled IGMP Version 2 IGMP Proxy Enabled IGMP Unsolicited Report Interval 400 sec Robustness Variable 2 Query Interval 125 sec Query Max Response Time 100 resolution in 0 1 sec Last Member Query Interval 10 resolution in 0 1 sec Querier 0 0 0 0 Joined Groups Static Groups Console IGMP PROXY ROUTING This section describes commands used to configure IGMP Proxy Routing on the switch Tabl...

Page 1036: ...ING Disabled COMMAND MODE Interface Configuration VLAN COMMAND USAGE When IGMP proxy is enabled on an interface that interface is known as the upstream or host interface This interface performs only the host portion of IGMP by sending IGMP membership reports and automatically disables IGMP router functions Interfaces with IGMP enabled but not located in the direction of the multicast tree root are...

Page 1037: ...an1 Console config if ip igmp proxy Console config if ip igmp proxy unsolicited report interval This command specifies how often the upstream interface should transmit unsolicited IGMP reports Use the no form to restore the default value SYNTAX ip igmp proxy unsolicited report interval seconds no ip igmp proxy unsolicited report interval seconds The interval at which to issue unsolicited reports R...

Page 1038: ...ion 2 MLD Proxy Disabled MLD Unsolicited Report Interval 400 sec Robustness Variable 2 Table 135 MLD Commands Layer 3 Command Function Mode ipv6 mld Enables MLD for the specified interface IC ipv6 mld last member query response interval Configures the frequency at which to send query messages in response to receiving a leave message IC ipv6 mld max resp interval Configures the maximum host respons...

Page 1039: ...ery response interval seconds no ipv6 mld last member query response interval seconds The frequency at which the switch sends group specific or group source specific queries upon receipt of a leave message Range 1 255 seconds DEFAULT SETTING 10 1 second COMMAND MODE Interface Configuration VLAN COMMAND USAGE When the switch receives an MLD or MLDv2 leave message from a host that wants to leave a m...

Page 1040: ...he subnet can be tuned where larger values make the traffic less bursty as host responses are spread out over a larger interval The number of seconds represented by the maximum response interval must be less than the Query Interval page 1040 EXAMPLE The following shows how to configure the maximum response time to 20 seconds Console config if ipv6 mld max resp interval 200 Console config if RELATE...

Page 1041: ...p interval 1040 ipv6 mld robustval This command specifies the robustness expected packet loss for this interface Use the no form of this command to restore the default value SYNTAX ipv6 mld robustval robust value no ipv6 mld robustval robust value The robustness of this interface Range 1 255 DEFAULT SETTING 2 COMMAND MODE Interface Configuration VLAN COMMAND USAGE The robustness value is used to c...

Page 1042: ...erver transmitting traffic to the corresponding multicast group address DEFAULT SETTING None COMMAND MODE Interface Configuration VLAN COMMAND USAGE If a static group is configured for an any source multicast G a source address cannot subsequently be defined for this group without first deleting the entry If a static group is configured for one or more source specific multicasts S G an any source ...

Page 1043: ...rface Configuration VLAN COMMAND USAGE MLDv1 is derived from IGMPv2 and MLDv2 from IGMPv3 IGMP uses IP Protocol 2 message types and MLD uses IP Protocol 58 message types which is a subset of the ICMPv6 messages MLDv2 adds the ability for a node to report interest in listening to packets with a particular multicast address only from specific source addresses as required to support Source Specific M...

Page 1044: ...no options to clear all multicast groups from the cache EXAMPLE The following example clears all multicast group entries for VLAN 1 Console clear ipv6 mld interface vlan 1 Console show ipv6 mld groups This command displays information on multicast groups active on the switch and learned through MLD SYNTAX show ipv6 mld groups group address interface detail detail group address IPv6 multicast group...

Page 1045: ...since this entry was created Expire The time remaining before this entry will be aged out The default is 260 seconds This field displays stopped if the Group Mode is INCLUDE Group Mode In Include mode reception of packets sent to the specified multicast address is requested only from those IP source addresses listed in the source list parameter In Exclude mode reception of packets sent to the give...

Page 1046: ...e vlan 1 Vlan 1 Up MLD Enabled MLD Version 2 MLD Proxy Disabled MLD Unsolicited Report Interval 400 sec Robustness Variable 2 Query Interval 125 sec Query Max Response Time 10 Last Member Query Interval 1 Querier FE80 200 E8FF FE93 82A0 Joined Groups Static Groups FFEE 101 Console MLD PROXY ROUTING This section describes commands used to configure MLD Proxy Routing on the switch Table 137 IGMP Pro...

Page 1047: ...oxy DEFAULT SETTING Disabled COMMAND MODE Interface Configuration VLAN COMMAND USAGE When MLD proxy is enabled on an interface that interface is known as the upstream or host interface This interface performs only the host portion of MLD by sending MLD membership reports and automatically disables MLD router functions Interfaces with MLD enabled but not located in the direction of the multicast tr...

Page 1048: ...pv6 mld proxy unsolicited report interval This command specifies how often the upstream interface should transmit unsolicited MLD reports Use the no form to restore the default value SYNTAX ipv6 mld proxy unsolicited report interval seconds no ipv6 mld proxy unsolicited report interval seconds The interval at which to issue unsolicited reports Range 1 65535 seconds DEFAULT SETTING 400 seconds COMM...

Page 1049: ... attempting to re initialize after LLDP ports are disabled or the link goes down GC lldp tx delay Configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables GC lldp admin status Enables LLDP transmit receive or transmit and receive mode on the specified port IC lldp basic tlv management ip address Configures an LLDP enabled port to ad...

Page 1050: ... aggregation capabilities IC lldp dot3 tlv mac phy Configures an LLDP enabled port to advertise its MAC and physical layer specifications IC lldp dot3 tlv max frame Configures an LLDP enabled port to advertise its maximum frame size IC lldp notification Enables the transmission of SNMP trap notifications about LLDP changes IC show lldp config Shows LLDP configuration settings for all ports PE show...

Page 1051: ...val seconds no lldp notification interval seconds Specifies the periodic interval at which SNMP notifications are sent Range 5 3600 seconds DEFAULT SETTING 5 seconds COMMAND MODE Global Configuration COMMAND USAGE This parameter only applies to SNMP applications which use data stored in the LLDP MIB for network monitoring or management Information about changes in LLDP neighbors that occur between...

Page 1052: ...y with the following rule refresh interval holdtime multiplier 65536 EXAMPLE Console config lldp refresh interval 60 Console config lldp reinit delay This command configures the delay before attempting to re initialize after LLDP ports are disabled or the link goes down Use the no form to restore the default setting SYNTAX lldp reinit delay seconds no lldp reinit delay seconds Specifies the delay ...

Page 1053: ...ed to prevent a series of successive LLDP transmissions during a short period of rapid changes in local LLDP MIB objects and to increase the probability that multiple rather than single changes are reported in each transmission This attribute must comply with the following rule 4 tx delay refresh interval EXAMPLE Console config lldp tx delay 10 Console config lldp admin status This command enables...

Page 1054: ...r for the port sending this advertisement The management address TLV may also include information about the specific interface associated with this address and an object identifier indicating the type of hardware component or protocol entity associated with this address The interface number and OID are included to assist SNMP applications to perform network discovery by indicating enterprise speci...

Page 1055: ...hich includes information about the manufacturer the product name and the version of the interface hardware software EXAMPLE Console config interface ethernet 1 1 Console config if lldp basic tlv port description Console config if lldp basic tlv system capabilities This command configures an LLDP enabled port to advertise its system capabilities Use the no form to disable this feature SYNTAX no ll...

Page 1056: ...object in RFC 3418 which includes the full name and version identification of the system s hardware type software operating system and networking software EXAMPLE Console config interface ethernet 1 1 Console config if lldp basic tlv system description Console config if lldp basic tlv system name This command configures an LLDP enabled port to advertise the system name Use the no form to disable t...

Page 1057: ...n advertises the protocols that are accessible through this interface EXAMPLE Console config interface ethernet 1 1 Console config if no lldp dot1 tlv proto ident Console config if lldp dot1 tlv proto vid This command configures an LLDP enabled port to advertise port related VLAN information Use the no form to disable this feature SYNTAX no lldp dot1 tlv proto vid DEFAULT SETTING Enabled COMMAND M...

Page 1058: ...e VLAN with which untagged or priority tagged frames are associated see the switchport native vlan command EXAMPLE Console config interface ethernet 1 1 Console config if no lldp dot1 tlv pvid Console config if lldp dot1 tlv vlan name This command configures an LLDP enabled port to advertise its VLAN name Use the no form to disable this feature SYNTAX no lldp dot1 tlv vlan name DEFAULT SETTING Ena...

Page 1059: ...egation status of the link and the 802 3 aggregated port identifier if this interface is currently a link aggregation member EXAMPLE Console config interface ethernet 1 1 Console config if no lldp dot3 tlv link agg Console config if lldp dot3 tlv mac phy This command configures an LLDP enabled port to advertise its MAC and physical layer capabilities Use the no form to disable this feature SYNTAX ...

Page 1060: ...um frame size for this switch EXAMPLE Console config interface ethernet 1 1 Console config if lldp dot3 tlv max frame Console config if lldp notification This command enables the transmission of SNMP trap notifications about LLDP changes Use the no form to disable LLDP notifications SYNTAX no lldp notification DEFAULT SETTING Enabled COMMAND MODE Interface Configuration Ethernet Port Channel COMMA...

Page 1061: ...ig interface ethernet 1 1 Console config if lldp notification Console config if show lldp config This command shows LLDP configuration settings for all ports SYNTAX show lldp config detail interface detail Shows configuration summary interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 COMMAND MODE Privileged Exec EXAMPLE Console ...

Page 1062: ...gg max frame Console show lldp info local device This command shows LLDP global and interface specific configuration settings for this device SYNTAX show lldp info local device detail interface detail Shows configuration summary interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 COMMAND MODE Privileged Exec EXAMPLE Console show ...

Page 1063: ...t Desc Ethernet Port on unit 1 port 1 Console show lldp info remote device This command shows LLDP global and interface specific configuration settings for remote devices attached to an LLDP enabled port SYNTAX show lldp info remote device detail interface detail Shows configuration summary interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel i...

Page 1064: ...nk Aggregation Remote link aggregation capable Yes Remote link aggregation enable No Remote link aggregation port id 0 Remote Max Frame Size 1518 Console show lldp info statistics This command shows statistics based on traffic received through all attached LLDP enabled interfaces SYNTAX show lldp info statistics detail interface detail Shows configuration summary interface ethernet unit port unit ...

Page 1065: ... Eth 1 1 10 11 0 Eth 1 2 0 0 0 Eth 1 3 0 0 0 Eth 1 4 0 0 0 Eth 1 5 0 0 0 Console show lldp info statistics detail ethernet 1 1 LLDP Port Statistics Detail PortName Eth 1 1 Frames Discarded 0 Frames Invalid 0 Frames Received 12 Frames Sent 13 TLVs Unrecognized 0 TLVs Discarded 0 Neighbor Ageouts 0 Console ...

Page 1066: ...CHAPTER 43 LLDP Commands 1066 ES 4500G Series ...

Page 1067: ... domain list name name Name of the host Do not include the initial dot that separates the host name from the domain name Range 1 68 characters Table 139 Address Table Commands Command Function Mode ip domain list Defines a list of default domain names for incomplete host names GC ip domain lookup Enables DNS based host name to address translation GC ip domain name Defines a default domain name for...

Page 1068: ...the ip domain name command is used If there is a domain list the default domain name is not used EXAMPLE This example adds two domain names to the current list and then displays the list Console config ip domain list sample com jp Console config ip domain list sample com uk Console config end Console show dns Domain Lookup Status DNS disabled Default Domain Name sample com Domain Name List sample ...

Page 1069: ...rver List 192 168 1 55 10 1 0 55 Console RELATED COMMANDS ip domain name 1069 ip name server 1071 ip domain name This command defines the default domain name appended to incomplete host names i e host names passed from a client that are not formatted with dotted notation Use the no form to remove the current domain name SYNTAX ip domain name name no ip domain name name Name of the host Do not incl...

Page 1070: ...orm to remove an entry SYNTAX no ip host name address name Name of an IPv4 host Range 1 100 characters address Corresponding IPv4 address DEFAULT SETTING No static entries COMMAND MODE Global Configuration COMMAND USAGE Use the no ip host command to clear static entries or the clear host command to clear dynamic entries EXAMPLE This example maps an IPv4 address to a host name Console config ip hos...

Page 1071: ...ain name servers DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE The listed name servers are queried in the specified sequence until a response is received or the end of the list is reached with no response EXAMPLE This example adds two domain name servers to the list and then displays the list Console config ip name server 192 168 1 55 10 1 0 55 Console config end Console sho...

Page 1072: ...adecimal values One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields DEFAULT SETTING No static entries COMMAND MODE Global Configuration EXAMPLE This example maps an IPv6 address to a host name Console config ipv6 host rd6 2001 0db8 1 12 Console config end Console show hosts No Flag Type IP Address TTL Domain 0 2 Address 192 ...

Page 1073: ... the clear host command to clear dynamic entries or the no ip host command to clear static entries EXAMPLE This example clears all dynamic entries from the DNS table Console config clear host Console config show dns This command displays the configuration of the DNS service COMMAND MODE Privileged Exec EXAMPLE Console show dns Domain Lookup Status DNS enabled Default Domain Name sample com Domain ...

Page 1074: ...entry Console show hosts No Flag Type IP Address TTL Domain 0 2 Address 192 168 1 55 rd5 1 2 Address 2001 DB8 1 12 rd6 3 4 Address 209 131 36 158 65 www real wa1 b yahoo com 4 4 CNAME POINTER TO 3 65 www yahoo com 5 4 CNAME POINTER TO 3 65 www wa1 b yahoo com Console Table 140 show dns cache display description Field Description No The entry number for each resource record Flag The flag is always ...

Page 1075: ...ic entry stored in the cache Type This field includes Address which specifies the primary name for the owner and CNAME which specifies multiple domain names or aliases which are mapped to the same IP address as an existing entry IP Address The IP address associated with this record TTL The time to live reported by the name server This field is always blank for static entries Domain The domain name...

Page 1076: ...CHAPTER 44 Domain Name Service Commands 1076 ES 4500G Series ...

Page 1077: ...he switch s VLAN interfaces to dynamically acquire IP address information Table 142 DHCP Commands Command Group Function DHCP Client Allows interfaces to dynamically acquire IPv4 address information DHCP Relay Relays DHCP requests from local hosts to a remote DHCP server DHCP Server Configures DHCP service using address pools or static bindings Table 143 DHCP Client Commands Command Function Mode ...

Page 1078: ...how to service the client or the type of information to return The general framework for this DHCP option is set out in RFC 2132 Option 60 This information is used to convey configuration settings or other identification information about a client but the specific string to use should be supplied by your service provider or network administrator EXAMPLE Console config interface vlan 2 Console conf...

Page 1079: ...ddress 1106 ipv6 dhcp client rapid commit vlan This command specifies the Rapid Commit option for DHCPv6 message exchange for all DHCPv6 client requests submitted from the specified interface Use the no form to disable this option SYNTAX no ipv6 dhcp client rapid commit vlan vlan id vlan id VLAN ID specified as a single number a range of consecutive numbers separated by a hyphen or multiple number...

Page 1080: ... ip dhcp relay server address1 address2 address3 no ip dhcp relay server address IP address of DHCP server Range 1 3 addresses DEFAULT SETTING None COMMAND MODE Interface Configuration VLAN USAGE GUIDELINES You must specify the IP address for at least one DHCP server Otherwise the switch s DHCP relay agent will not forward client requests to a DHCP server To start DHCP relay service enter the ip d...

Page 1081: ...he client is located Then the switch forwards the packet to the DHCP server on another network When the server receives the DHCP request it allocates a free IP address for the DHCP client from its defined scope for the DHCP client s subnet and sends a DHCP response back to the DHCP relay agent i e this switch This switch then broadcasts the DHCP response received from the server to the client EXAM...

Page 1082: ...client DC domain name Specifies the domain name for a DHCP client DC hardware address Specifies the hardware address of a DHCP client DC host These commands are used for manually binding an address to a client Specifies the IP address and network mask to manually bind to a DHCP client DC lease Sets the duration an IP address is assigned to a DHCP client DC netbios name server Configures NetBIOS Wi...

Page 1083: ...CP address pool and enter DHCP Pool Configuration mode Use the no form to remove the address pool SYNTAX no ip dhcp pool name name A string or integer Range 1 8 characters DEFAULT SETTING DHCP address pools are not configured COMMAND MODE Global Configuration USAGE GUIDELINES After executing this command the switch changes to DHCP Pool Configuration mode identified by the config dhcp prompt From t...

Page 1084: ...MAND USAGE If the DHCP server is running you must restart it to implement any configuration changes EXAMPLE Console config service dhcp Console config bootfile This command specifies the name of the default boot image for a DHCP client This file should placed on the Trivial File Transfer Protocol TFTP server specified with the next server command Use the no form to delete the boot image name SYNTA...

Page 1085: ...hexadecimal value DEFAULT SETTING None COMMAND MODE DHCP Pool Configuration COMMAND USAGE This command identifies a DHCP client to bind to an address specified in the host command If both a client identifier and hardware address are configured for a host address the client identifier takes precedence over the hardware address in the search procedure BOOTP clients cannot transmit a client identifie...

Page 1086: ...order of preference starting with address1 as the most preferred router EXAMPLE Console config dhcp default router 10 1 0 54 10 1 0 64 Console config dhcp dns server This command specifies the Domain Name System DNS IP servers available to a DHCP client Use the no form to remove the DNS server list SYNTAX dns server address1 address2 no dns server address1 Specifies the IP address of the primary D...

Page 1087: ...DE DHCP Pool Configuration EXAMPLE Console config dhcp domain name sample com Console config dhcp hardware address This command specifies the hardware address of a DHCP client This command is valid for manual bindings only Use the no form to remove the hardware address SYNTAX hardware address hardware address type no hardware address hardware address Specifies the MAC address of the client device ...

Page 1088: ...a client mask Specifies the network mask of the client DEFAULT SETTING None COMMAND MODE DHCP Pool Configuration USAGE GUIDELINES Host addresses must fall within the range specified for an existing network pool When a client request is received the switch first checks for a network address pool matching the gateway where the request originated i e if the request was forwarded by a relay server If ...

Page 1089: ... 255 255 255 0 Console config dhcp RELATED COMMANDS client identifier 1085 hardware address 1087 lease This command configures the duration that an IP address is assigned to a DHCP client Use the no form to restore the default value SYNTAX lease days hours minutes infinite no lease days Specifies the duration of the lease in numbers of days Range 0 364 hours Specifies the number of hours in the le...

Page 1090: ...e no form to remove the NetBIOS name server list SYNTAX netbios name server address1 address2 no netbios name server address1 Specifies IP address of primary NetBIOS WINS name server address2 Specifies IP address of alternate NetBIOS WINS name server DEFAULT SETTING None COMMAND MODE DHCP Pool Configuration USAGE GUIDELINES Servers are listed in order of preference starting with address1 as the mo...

Page 1091: ...nd configures the subnet number and mask for a DHCP address pool Use the no form to remove the subnet number and mask SYNTAX network network number mask no network network number The IP address of the DHCP address pool mask The bit combination that identifies the network or subnet and the host portion of the DHCP address pool COMMAND MODE DHCP Pool Configuration USAGE GUIDELINES When a client requ...

Page 1092: ...he class 0 127 is class A only uses the first field in the network address 128 191 is class B uses the first two fields in the network address 192 223 is class C uses the first three fields in the network address The DHCP server assumes that all host addresses are available You can exclude subsets of the address space by using the ip dhcp excluded address command EXAMPLE Console config dhcp networ...

Page 1093: ...sk is used as the address parameter the DHCP server clears all automatic bindings Use the no host command to delete a manual binding This command is normally used after modifying the address pool or after moving DHCP service to another device EXAMPLE Console clear ip dhcp binding Console RELATED COMMANDS show ip dhcp binding 1093 show ip dhcp binding This command displays address bindings on the D...

Page 1094: ...mm ss 192 1 3 21 00 00 e8 98 73 21 86400 Dec 25 08 01 57 2002 Console show ip dhcp This command displays DHCP address pools configured on the switch COMMAND MODE Privileged Exec EXAMPLE Console show ip dhcp Name Type IP Address Mask Active Pool tps Net 192 168 1 0 255 255 255 0 192 168 1 1 192 168 1 254 Total entry 1 Console ...

Page 1095: ...eature which allows a router to take over as the master router when it comes on line if it has a higher priority than the currently active master router Table 146 VRRP Commands Command Function Mode vrrp authentication Configures a key used to authenticate VRRP packets received from other routers IC vrrp ip Enables VRRP and sets the IP address of the virtual router IC vrrp preempt Configures the r...

Page 1096: ...mpared to the string configured on this router If the keys match the message is accepted Otherwise the packet is discarded Plain text authentication does not provide any real security It is supported only to prevent a misconfigured router from participating in VRRP EXAMPLE Console config if vrrp 1 authentication bluebird Console config if vrrp ip This command enables the Virtual Router Redundancy ...

Page 1097: ...u need to customize any of the other parameters for VRRP such as authentication priority or advertisement interval then first configure these parameters before enabling VRRP EXAMPLE This example creates VRRP group 1 using the primary interface for VLAN 1 as the VRRP group Owner Console config interface vlan 1 Console config if vrrp 1 ip 192 168 1 6 Console config if vrrp preempt This command confi...

Page 1098: ...MANDS vrrp priority 1098 vrrp priority This command sets the priority of this router in a VRRP group Use the no form to restore the default setting SYNTAX vrrp group priority level no vrrp group priority group Identifies the VRRP group Range 1 255 level Priority of this router in the VRRP group Range 1 254 DEFAULT SETTING Master 255 Backup 100 COMMAND MODE Interface VLAN COMMAND USAGE A router tha...

Page 1099: ...ter sends advertisements communicating its state as the master Use the no form to restore the default interval SYNTAX vrrp group timers advertise interval no vrrp group timers advertise group Identifies the VRRP group Range 1 255 interval Advertisement interval for the master virtual router Range 1 255 seconds DEFAULT SETTING 1 second COMMAND MODE Interface VLAN COMMAND USAGE VRRP advertisements f...

Page 1100: ...ace Identifier of configured VLAN interface Range 1 4093 DEFAULTS None COMMAND MODE Privileged Exec EXAMPLE Console clear vrrp 1 interface 1 counters Console clear vrrp router counters This command clears VRRP system statistics COMMAND MODE Privileged Exec EXAMPLE Console clear vrrp router counters Console show vrrp This command displays status information for VRRP SYNTAX show vrrp brief group bri...

Page 1101: ...ster Priority 255 Master Advertisement Interval 5 sec Master Down Interval 15 Console Table 147 show vrrp display description Field Description State VRRP role of this interface master or backup Virtual IP address Virtual address that identifies this VRRP group Virtual MAC address Virtual MAC address derived from the owner of the virtual IP address Advertisement interval Interval at which the mast...

Page 1102: ...vileged Exec Master Advertisement interval The advertisement interval configured on the VRRP master Master down interval The down interval configured on the VRRP master This interval is used by all the routers in the group regardless of their local settings Table 148 show vrrp brief display description Field Description Interface VLAN interface Grp VRRP group State VRRP role of this interface mast...

Page 1103: ...p Identifies a VRRP group Range 1 255 interface Identifier of configured VLAN interface Range 1 4093 DEFAULTS None COMMAND MODE Privileged Exec EXAMPLE Console show vrrp 1 interface vlan 1 counters Total Number of Times Transitioned to MASTER 6 Total Number of Received Advertisements Packets 0 Total Number of Received Error Advertisement Interval Packets 0 Total Number of Received Authentication F...

Page 1104: ...ackets COMMAND MODE Privileged Exec EXAMPLE Note that unknown errors indicate VRRP packets received with an unknown or unsupported version number Console show vrrp router counters Total Number of VRRP Packets with Invalid Checksum 0 Total Number of VRRP Packets with Unknown Error 0 Total Number of VRRP Packets with Invalid VRID 0 Console ...

Page 1105: ...ch by default You must manually configure a new address to manage the switch over your network or to connect the switch to existing IP subnets You may also need to a establish a default gateway between this device and management stations or other devices that exist on another network segment if routing is not enabled This section includes commands for configuring IP interfaces the Address Resoluti...

Page 1106: ...t create a router interface for each VLAN that will support routing The router interface consists of an IP address and subnet mask This interface address defines both the network number to which the router interface is attached and the router s host number on that network In other words a router interface address defines the network and subnetwork numbers of the segment that is connected to that i...

Page 1107: ... any router in a network segment uses a secondary address all other routers in that segment must also use a secondary address from the same network or subnet address space If bootp or dhcp options are selected the system will immediately start broadcasting service requests for all VLANs configured to obtain address assignments through BOOTP or DHCP IP is enabled but will not function until a BOOTP...

Page 1108: ...ork interface that directly connects to the gateway has been configured on the router The same link local address may be used by different interfaces nodes in different zones RFC 4007 Therefore when specifying a link local address for a default gateway include zone id information indicating the VLAN identifier after the delimiter For example FE80 7272 1 identifies VLAN 1 as the interface from whic...

Page 1109: ...s is 00 00 E8 93 82 A0 via 00 00 E8 93 82 A0 Index 1001 MTU 1280 Bandwidth 1g Address Mode is User specified IP Address 192 168 1 3 Mask 255 255 255 0 Proxy ARP is disabled Console RELATED COMMANDS ip address 1106 show ipv6 interface 1127 traceroute This command shows the route packets take to the specified destination SYNTAX traceroute host host IP address or alias of the host DEFAULT SETTING Non...

Page 1110: ...en the maximum timeout has been reached may indicate this problem with the target device EXAMPLE Console traceroute 192 168 0 1 Press ESC to abort Source address 192 168 0 9 Destination address 192 168 0 1 Hop IP Address Packet 1 Packet 2 Packet 3 1 192 168 0 1 10 ms 10 ms 10 ms Trace completed Console ping This command sends IPv4 ICMP echo request packets to another node on the network SYNTAX pin...

Page 1111: ...MPLE Console ping 10 1 0 9 Type ESC to abort PING to 10 1 0 9 by 5 32 byte payload ICMP packets timeout is 5 seconds response time 10 ms response time 10 ms response time 10 ms response time 10 ms response time 0 ms Ping statistics for 10 1 0 9 5 packets transmitted 5 packets received 100 0 packets lost 0 Approximate round trip times Minimum 0 ms Maximum 10 ms Average 8 ms Console RELATED COMMANDS...

Page 1112: ...32 bit IP addresses into 48 bit hardware i e Media Access Control addresses This cache includes entries for hosts and other routers on local network interfaces defined on this router The maximum number of static entries allowed in the ARP cache is 128 You may need to enter a static entry in the cache if there is no response to an ARP broadcast message For example some applications may not respond ...

Page 1113: ...nd an ARP request packet is sent to re establish the MAC address The aging time determines how long dynamic entries remain in the cache If the timeout is too short the router may tie up resources by repeating ARP requests for addresses recently flushed from the table EXAMPLE This example sets the ARP cache timeout for 15 minutes i e 900 seconds Console config arp timeout 900 Console config ip prox...

Page 1114: ...ND MODE Privileged Exec EXAMPLE This example clears all dynamic entries in the ARP cache Console clear arp cache This operation will delete all the dynamic entries in ARP Cache Are you sure to continue this operation y n y Console show arp This command displays entries in the Address Resolution Protocol ARP cache COMMAND MODE Normal Exec Privileged Exec COMMAND USAGE This command displays informat...

Page 1115: ... destination port destination port UDP application port for which UDP service requests are forwarded Range 1 65535 DEFAULT SETTING The following UDP ports are included in the forwarding list when UDP helper is enabled with the ip helper command and a remote server address is configured with the ip helper address command BOOTP client port 67 BOOTP server port 68 Domain Name Service port 53 IEN 116 ...

Page 1116: ...roadcasts are confined to the local subnet either as an all hosts broadcast all ones broadcast 255 255 255 255 or a directed subnet broadcast such as 10 10 10 255 To reduce the number of application servers deployed in a multi segment network UDP helper can be used to forward broadcast packets for specified UDP application ports to remote servers located in another network segment To configure UDP...

Page 1117: ...face configured with an IP address The UDP packets to be forwarded must be specified by the ip forward protocol udp command and the packets meet the following criteria The MAC address of the received frame must be all ones broadcast address ffff ffff ffff The IP destination address must be one of the following all ones broadcast 255 255 255 255 subnet broadcast for the receiving interface The IP t...

Page 1118: ...iguration settings for UDP helper COMMAND MODE Privileged Exec COMMAND USAGE This command displays all configuration settings for UDP helper including its functional status the UDP ports for which broadcast traffic will be forwarded and the remote servers or subnets to which the traffic will be forwarded EXAMPLE Console show ip helper Helper mechanism is enabled Forward port list maximum count 100...

Page 1119: ...usability and configured settings for IPv6 interfaces NE PE show ipv6 mtu Displays maximum transmission unit MTU information for IPv6 interfaces NE PE show ipv6 traffic Displays statistics about IPv6 traffic NE PE clear ipv6 traffic Resets IPv6 traffic counters PE ping6 Sends IPv6 ICMP echo request packets to another node on the network PE Neighbor Discovery ipv6 hop limit Configures the maximum n...

Page 1120: ... hexadecimal values One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields The same link local address may be used by different interfaces nodes in different zones RFC 4007 Therefore when specifying a link local address include zone id information indicating the VLAN identifier after the delimiter For example FE80 7272 1 identi...

Page 1121: ...rger network with multiple subnets you must configure a global unicast address This address can be manually configured with this command If a link local address has not yet been assigned to this interface this command will assign the specified static global unicast address and also dynamically generate a link local unicast address for the interface The link local address is made with an address pr...

Page 1122: ...ddress eui 64 1122 show ipv6 interface 1127 ip address 1106 ipv6 address eui 64 This command configures an IPv6 address for an interface using an EUI 64 interface ID in the low order 64 bits and enables IPv6 on the interface Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface Use the no form with a specific address to remove it from the interfa...

Page 1123: ...as EUI 48 format it must be converted into EUI 64 format by inverting the universal local bit in the address and inserting the hexadecimal number FFFE between the upper and lower three bytes of the MAC address For example if a device had an EUI 48 address of 28 9F 18 1C 82 35 the global local bit must first be inverted to meet EUI 64 requirements i e 1 for globally defined addresses and 0 for loca...

Page 1124: ...terval is 1000 milliseconds Console RELATED COMMANDS show ipv6 interface 1127 ipv6 address link local This command configures an IPv6 link local address for an interface and enables IPv6 on the interface Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface Use the no form with a specific address to remove it from the interface SYNTAX ipv6 addres...

Page 1125: ...0 269 3EF9 FE19 6779 link local Console config if end Console show ipv6 interface VLAN 1 is up IPv6 is enabled Link local address FE80 269 3EF9 FE19 6779 64 Global unicast address es 2001 DB8 1 2E0 CFF FE00 FD 64 subnet is 2001 DB8 1 0 0 0 0 64 EUI 2001 DB8 2222 7272 72 96 subnet is 2001 DB8 2222 7272 96 EUI Joined group address es FF02 1 FF19 6779 FF02 1 FF00 72 FF02 1 FF00 FD FF02 1 IPv6 link MT...

Page 1126: ... In this example IPv6 is enabled on VLAN 1 and the link local address FE80 2E0 CFF FE00 FD 64 is automatically generated by the switch Console config interface vlan 1 Console config if ipv6 enable Console config if end Console show ipv6 interface VLAN 1 is up IPv6 is enabled Link local address FE80 200 E8FF FE93 82A0 64 Global unicast address es 2001 DB8 2222 7272 72 96 subnet is 2001 DB8 2222 727...

Page 1127: ...nterface before the MTU can be set EXAMPLE The following example sets the MTU for VLAN 1 to 1280 bytes Console config interface vlan 1 Console config if ipv6 mtu 1280 Console config if RELATED COMMANDS show ipv6 mtu 1129 jumbo frame 646 show ipv6 interface This command displays the usability and configured settings for IPv6 interfaces SYNTAX show ipv6 interface brief vlan vlan id ipv6 prefix prefi...

Page 1128: ... 82A0 FF02 1 IPv6 link MTU is 1280 bytes ND DAD is enabled number of DAD attempts 2 ND retransmit interval is 1000 milliseconds Console Table 155 show ipv6 interface display description Field Description VLAN A VLAN is marked up if the switch can send and receive packets on this interface down if a line signal is not present or administratively down if the interface has been disabled by the admini...

Page 1129: ... local multicast address is only used for loopback transmission of multicast traffic Link local multicast addresses cover the same types as used by link local unicast addresses including all nodes FF02 1 all routers FF02 2 and solicited nodes FF02 1 FFXX XXXX as described below A node is also required to compute and join the associated solicited node multicast addresses for every unicast and anyca...

Page 1130: ...rds delivers reassembly request datagrams reassembled succeeded reassembled failed IPv6 sent forwards datagrams 15 requests discards no routes generated fragments fragment succeeded fragment failed ICMPv6 Statistics ICMPv6 received input errors destination unreachable messages packet too big messages time exceeded messages parameter problem message echo request messages echo reply messages Table 1...

Page 1131: ...ce including those received in error header errors The number of input datagrams discarded due to errors in their IPv6 headers including version number mismatch other format errors hop count exceeded IPv6 options etc too big errors The number of input datagrams that could not be forwarded because their size exceeded the link MTU of outgoing interface no routes The number of input datagrams discard...

Page 1132: ... as they are received This counter is incremented at the interface to which these fragments were addressed which might not be necessarily the input interface for some of the fragments IPv6 sent forwards datagrams The number of output datagrams which this entity received and forwarded to their final destinations In entities which do not act as IPv6 routers this counter will include only those packe...

Page 1133: ...the interface router advertisement messages The number of ICMP Router Advertisement messages received by the interface neighbor solicit messages The number of ICMP Neighbor Solicit messages received by the interface neighbor advertisement messages The number of ICMP Neighbor Advertisement messages received by the interface redirect messages The number of Redirect messages received by the interface...

Page 1134: ... number of ICMP Router Advertisement messages sent by the interface redirect messages The number of Redirect messages sent For a host this object will always be zero since hosts do not send redirects group membership query messages The number of ICMPv6 Group Membership Query messages sent by the interface group membership response messages The number of ICMPv6 Group Membership Response messages se...

Page 1135: ...100 bytes COMMAND MODE Privileged Exec COMMAND USAGE Use the ping6 command to see if another site on the network can be reached or to evaluate delays over the path The same link local address may be used by different interfaces nodes in different zones RFC 4007 Therefore when specifying a link local address include zone id information indicating the VLAN identifier after the delimiter For example ...

Page 1136: ...values One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields vlan id VLAN ID Range 1 4093 hardware address The 48 bit MAC layer address for the neighbor device This address must be formatted as six hexadecimal pairs separated by hyphens DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE Address Resolution Pro...

Page 1137: ...ss Age Link layer Addr State VLAN 2009 DB9 2229 80 956 12 34 11 11 43 21 R 1 2009 DB9 2229 81 Permanent 30 65 14 01 11 86 R 1 FE80 1034 11FF FE11 4321 961 12 34 11 11 43 21 R 1 Console RELATED COMMANDS show ipv6 neighbors 1141 mac address table static 886 ipv6 hop limit This command configures the maximum number of hops used in router advertisements that are originated by this router Use the no fo...

Page 1138: ...t interface are placed in a pending state Duplicate address detection is automatically restarted when the interface is administratively re activated An interface that is re activated restarts duplicate address detection for all unicast IPv6 addresses on the interface While duplicate address detection is performed on the interface s link local address the other IPv6 addresses remain in a tentative ...

Page 1139: ...10 FF02 1 IPv6 link MTU is 1500 bytes ND DAD is enabled number of DAD attempts 5 ND retransmit interval is 1000 milliseconds Console RELATED COMMANDS ipv6 nd ns interval 1139 show ipv6 neighbors 1141 ipv6 nd ns interval This command configures the interval between transmitting IPv6 neighbor solicitation messages on an interface Use the no form to restore the default value SYNTAX ipv6 nd ns interva...

Page 1140: ...272 64 subnet is 2001 DB8 2222 7272 64 2009 DB9 2229 79 subnet is Joined group address es FF02 2 FF02 1 FF00 0 FF02 1 2 FF02 1 FF9C CA10 FF02 1 IPv6 link MTU is 1500 bytes ND DAD is enabled number of DAD attempts 2 ND retransmit interval is 30000 milliseconds Console RELATED COMMANDS show running config 640 ipv6 nd reachable time This command configures the amount of time that a remote IPv6 node i...

Page 1141: ...s command deletes all dynamic entries in the IPv6 neighbor discovery cache COMMAND MODE Privileged Exec EXAMPLE The following deletes all dynamic entries in the IPv6 neighbor cache Console clear ipv6 neighbors Console show ipv6 neighbors This command displays information in the IPv6 neighbor discovery cache SYNTAX show ipv6 neighbors vlan vlan id ipv6 address vlan id VLAN ID Range 1 4093 ipv6 addr...

Page 1142: ...ive confirmation was received within the last ReachableTime interval that the forward path to the neighbor was functioning While in REACH state the device takes no special action when sending packets S Stale More than the ReachableTime interval has elapsed since the last positive confirmation was received that the forward path was functioning While in STALE state the device takes no action until a...

Page 1143: ... For configured tunnel mode specify the IPv4 address of the far end of the tunnel using the tunnel destination command Table 159 IPv6 to IPv4 Tunnelling Commands Command Function Mode interface tunnel Configures a tunnel interface and enters tunnel configuration mode GC ipv6 address Configures an IPv6 global unicast address and enables IPv6 on an interface IC tunnel ipv6 address link local Configu...

Page 1144: ...unnel interface identifier Range 1 16 DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE Although this command is labeled with the name tunnel it allows configuration of either a manually configured IPv6 over IPv4 transport network based on RFC 2893 or of an automatic method of transporting IPv6 traffic over IPv4 clouds without explicit tunnels using RFC 3056 Configured IPv6 over...

Page 1145: ...e IPv4 address of an IPv6 IPv4 router bordering the IPv6 backbone is known this can be used as the tunnel end point address This tunnel can be configured into the routing table as an IPv6 default route That is all IPv6 destination addresses will match the route and could potentially traverse the tunnel Since the mask length of such a default route is zero it will be used only if there are no other...

Page 1146: ... Use the no form to restore the default setting SYNTAX tunnel mode ipv6ip configured 6to4 no tunnel mode ipv6ip configured Configured IPv6 over IPv4 tunneling using point to point tunnels by encapsulating IPv6 packets within IPv4 headers to carry them over IPv4 routing infrastructures based on RFC 2893 6to4 Transports IPv6 over IPv4 clouds by assigning a unique IPv6 address prefix to any site that...

Page 1147: ...ther a 6to4 node or native IPv6 host Router to Host IPv6 IPv4 routers can tunnel IPv6 packets to their final destination IPv6 IPv4 host This tunnel spans only the last segment of the end to end path Tunneling techniques are classified according to the mechanism by which the encapsulating node determines the address of the node at the end of the tunnel In the first two tunneling methods listed abov...

Page 1148: ...cket if needed removes the IPv4 header updates the IPv6 header and processes the received IPv6 packet EXAMPLE Console config interface tunnel 2 Console config if tunnel mode ipv6ip configured Console config if tunnel source vlan This command sets the VLAN to which a tunnel source or local end point of a tunnel is assigned Use the no form to detach the tunnel from the assigned VLAN SYNTAX tunnel so...

Page 1149: ...4 encapsulating packet However note that IPv6 over IPv4 tunnels are modeled as a single hop That is the IPv6 hop limit is decremented by only one when an IPv6 packet traverses the tunnel The single hop model serves to hide the existence of a tunnel The tunnel is opaque to users of the network and is not detectable by network diagnostic tools such as traceroute EXAMPLE Console config interface tunn...

Page 1150: ... is enabled number of DAD attempts 2 ND retransmit interval is 1000 milliseconds Tunnel 1 is up IPv6 is stale Link local address FE80 C0A8 3 64 Global unicast address es 2002 DB9 2222 7272 72 48 subnet is 2002 DB9 2222 48 Joined group address es FF02 1 IPv6 link MTU is 0 bytes ND DAD is enabled number of DAD attempts 2 ND retransmit interval is 1000 milliseconds Console show ipv6 interface brief I...

Page 1151: ... ROUTING CONFIGURATION Table 160 IP Routing Commands Command Group Function Global Routing Configuration Configures global parameters for static and dynamic routing displays the routing table and statistics for protocols used to exchange routing information Routing Information Protocol RIP Configures global and interface specific parameters for RIP Open Shortest Path First OSPFv2 Configures global...

Page 1152: ...nces used by the dynamic unicast routing protocols is 110 for OSPF and 120 for RIP Range 1 255 Default 1 Removes all static routing table entries DEFAULT SETTING No static routes are configured COMMAND MODE Global Configuration COMMAND USAGE Up to 512 static routes can be configured Up to eight equal cost multipaths ECMP can be configured for static routing using the maximum paths command If an ad...

Page 1153: ...aths path count no maximum paths path count The maximum number of equal cost paths to the same destination that can be installed in the routing table Range 1 8 DEFAULT SETTING Enabled 4 paths COMMAND MODE Global Configuration EXAMPLE switch config maximum paths 8 switch config show ip route This command displays information in the Forwarding Information Base FIB SYNTAX show ip route connected ospf...

Page 1154: ... of information necessary to make a forwarding decision on a particular packet The typical components within a forwarding information base entry are a network prefix a router port identifier and next hop information This command only displays routes which are currently accessible for forwarding The router must be able to directly reach the next hop so the VLAN interface associated with any dynamic...

Page 1155: ...s C connected S static R RIP B BGP O OSPF IA OSPF inter area N1 OSPF NSSA external type 1 N2 OSPF NSSA external type 2 E1 OSPF external type 1 E2 OSPF external type 2 i IS IS L1 IS IS level 1 L2 IS IS level 2 ia IS IS inter area selected route FIB route p stale info C 127 0 0 0 8 is directly connected lo0 C 192 168 1 0 24 is directly connected VLAN1 Console show ip traffic This command displays st...

Page 1156: ... quench messages address mask request messages address mask reply messages UDP Statistics 2 input no port errors other errors output TCP Statistics 4698 input input errors 5867 output Console ipv6 route This command configures static IPv6 routes Use the no form to remove static routes SYNTAX no ipv6 route destination ipv6 address prefix length gateway address distance link local address zone id di...

Page 1157: ...outes can be configured Up to eight equal cost multipaths ECMP can be configured for static routing using the maximum paths command If an administrative distance is defined for a static route and the same destination can be reached through a dynamic route at a lower administration distance then the dynamic route will be used The default distance of 1 will take precedence over any other type of rou...

Page 1158: ...D MODE Privileged Exec COMMAND USAGE The FIB contains information required to forward IP traffic It contains the interface identifier and next hop information for each reachable destination network prefix based on the IP routing table When routing or topology changes occur in the network the routing table is updated and those changes are immediately reflected in the FIB The FIB is distinct from th...

Page 1159: ... Sets the default metric assigned to external routes imported from other protocols RC distance Defines an administrative distance for external routes learned from other routing protocols RC maximum prefix Sets the maximum number of RIP routes allowed RC neighbor Defines a neighboring router with which to exchange information RC network Specifies the network interfaces that are to use RIP routing R...

Page 1160: ...ole config router rip Console config router RELATED COMMANDS network 1164 ip rip receive packet Configures the interface to receive of RIP packets IC ip rip send version Sets the RIP send version to use on a network interface IC ip rip send packet Configures the interface to send RIP packets IC ip rip split horizon Enables split horizon or poison reverse loop prevention IC clear ip rip route Clear...

Page 1161: ...ault information originate Console config router RELATED COMMANDS ip route 1152 redistribute 1166 default metric This command sets the default metric assigned to external routes imported from other protocols Use the no form to restore the default value SYNTAX default metric metric value no default metric metric value Metric assigned to external routes Range 1 15 DEFAULT SETTING 1 COMMAND MODE Rout...

Page 1162: ...her than that derived from the original source EXAMPLE This example sets the default metric to 5 Console config router default metric 5 Console config router RELATED COMMANDS redistribute 1166 distance This command defines an administrative distance for external routes learned from other routing protocols Use the no form to restore the default setting SYNTAX no distance distance network address ne...

Page 1163: ...ative control The administrative distance is applied to all routes learned for the specified network EXAMPLE Console config router distance 2 192 168 3 0 255 255 255 0 Console config router maximum prefix This command sets the maximum number of RIP routes allowed by the system Use the no form to restore the default setting SYNTAX maximum prefix maximum routes no maximum prefix maximum routes The m...

Page 1164: ...ast or multicast messages generated by the RIP protocol Use this command in conjunction with the passive interface command to control the routing updates sent to specific neighbors EXAMPLE Console config router neighbor 10 2 0 254 Console config router RELATED COMMANDS passive interface 1165 network This command specifies the network interfaces that will be included in the RIP routing process Use ...

Page 1165: ...om sending routing updates on the specified interface Use the no form to disable this feature SYNTAX no passive interface vlan vlan id vlan id VLAN ID Range 1 4093 DEFAULT SETTING Disabled COMMAND MODE Router Configuration COMMAND USAGE If this command is used to stop sending routing updates on an interface the attached subnet will still continue to be advertised to other interfaces and updates fr...

Page 1166: ... the metric value to be used for all imported external routes A route metric must be used to resolve the problem of redistributing external routes with incompatible metrics It is advisable to use a low metric when redistributing routes from another protocol into RIP Using a high metric limits the usefulness of external routes redistributed into RIP For example if a metric of 10 is defined for redi...

Page 1167: ...Range 60 240 seconds DEFAULT SETTING Update 30 seconds Timeout 180 seconds Garbage collection 120 seconds COMMAND MODE Router Configuration COMMAND USAGE The update timer sets the rate at which updates are sent This is the fundamental timer used to control all basic RIP processes The timeout timer is the time after which there have been no update messages that a route is declared dead The route is...

Page 1168: ...e Accepts RIPv1 or RIPv2 packets Send Route information is broadcast to other routers with RIPv2 COMMAND MODE Router Configuration COMMAND USAGE When this command is used to specify a global RIP version any VLAN interface not previously set by the ip rip receive version or ip rip send version command will use the global RIP version setting When the no form of this command is used to restore the de...

Page 1169: ...entication string command This command requires the interface to exchange routing information with other routers based on an authorized password Note that this command only applies to RIPv2 For authentication to function properly both the sending and receiving interface must be configured with the same password or authentication key MD5 is a one way hash algorithm is that takes the authentication ...

Page 1170: ...mmand does not apply to RIPv1 For authentication to function properly both the sending and receiving interface must be configured with the same password and authentication enabled by the ip rip authentication mode command EXAMPLE This example sets an authentication password of small to verify incoming routing messages and to tag outgoing routing messages Console config interface vlan 1 Console con...

Page 1171: ...l some older routers using RIPv1 EXAMPLE This example sets the interface version for VLAN 1 to receive RIPv1 packets Console config interface vlan 1 Console config if ip rip receive version 1 Console config if RELATED COMMANDS version 1168 ip rip receive packet This command configures the interface to receive RIP packets Use the no form to disable this feature SYNTAX no ip rip receive packet DEFAU...

Page 1172: ...COMMAND MODE Interface Configuration VLAN COMMAND USAGE Use this command to override the global setting specified by the RIP version command You can specify the send version based on these options Use version 1 or version 2 if all routers in the local network are based on RIPv1 or RIPv2 respectively Use 1 compatible to propagate route information by broadcasting to other routers on the network usi...

Page 1173: ...o passively monitor route information advertised by other routers attached to the network without transmitting any RIP updates EXAMPLE Console config interface vlan 1 Console config if ip rip send packet Console config if RELATED COMMANDS ip rip receive packet 1171 ip rip split horizon This command enables split horizon or poison reverse a variation on an interface Use the no form to disable this ...

Page 1174: ...izon poison reverse Console config if clear ip rip route This command clears specified data from the RIP routing table SYNTAX clear ip rip route ip address netmask all connected ospf rip static ip address IP address of a route entry netmask Network mask for the route This mask identifies the network address bits used for the associated routing entries all Deletes all entries from the routing table...

Page 1175: ...for all interface is not set Incoming update filter list for all interface is not set Default redistribution metric is 1 Redistributing Default version control send version by interface set receive version by interface set Interface Send Recv VLAN1 1 compatible 1 2 Routing for Networks 10 0 0 0 24 Routing Information Sources Gateway Distance Last Update Bad Packets Bad Routes 10 0 0 2 120 00 00 13...

Page 1176: ... O OSPF Network Next Hop Metric From Interface Time Rc 192 168 0 0 24 1 VLAN1 01 57 Console show ip rip interface vlan 1 Interface vlan1 Routing Protocol RIP Receive RIPv1 and RIPv2 packets Send RIPv1 Compatible Passive interface Disabled Authentication mode None Authentication string None Split horizon Enabled with Poisoned Reverse IP interface address 192 168 0 2 24 Console ...

Page 1177: ... the default metric for external routes imported from other protocols RC redistribute Redistribute routes from one routing domain to another RC summary address Summarizes routes advertised by an ASBR RC Area Configuration area nssa Defines a not so stubby that can import external routes RC area stub Defines a stubby area that cannot send or receive LSAs RC area virtual link Defines a virtual link ...

Page 1178: ...t interval Specifies the time between resending a link state advertisement IC ip ospf transmit delay Estimates time to send a link state update packet over an interface IC passive interface Suppresses OSPF routing traffic on the specified interface RC Display Information show ip ospf Displays general information about the routing processes PE show ip ospf border routers Displays routing table entr...

Page 1179: ...g the same destination When disabled preference is based on type of path where type 1 external paths are preferred over type 2 external paths using cost only to break ties RFC 2328 All routers in an OSPF routing domain should use the same RFC for calculating summary routes If there are any OSPF routers in an area exchanging summary information specifically ABRs which have not been upgraded to OSPF...

Page 1180: ...n configured to import external routes through other routing protocols or static routing and such a route is known See the redistribute command The metric for the default external route is used to calculate the path cost for traffic passed from other routers within the AS out through the ASBR When you use this command to redistribute routes into a routing domain i e an Autonomous System this route...

Page 1181: ...unique router ID for this device within the autonomous system for the current OSPF process Use the no form to use the default router identification method i e the highest interface address SYNTAX router id ip address no router id ip address Router ID formatted as an IPv4 address COMMAND MODE Router Configuration DEFAULT SETTING Highest interface address COMMAND USAGE This command sets the router I...

Page 1182: ...two consecutive SPF calculations Use the no form to restore the default values SYNTAX timers spf spf delay spf holdtime no timers spf spf delay The delay after receiving a topology change notification and starting the SPF calculation Range 0 2147483647 seconds spf holdtime Minimum time between two consecutive SPF calculations Range 0 2147483647 seconds COMMAND MODE Router Configuration DEFAULT SET...

Page 1183: ...st This command specifies a cost for the default summary route sent into a stub or NSSA from an Area Border Router ABR Use the no form to remove the assigned default cost SYNTAX area area id default cost cost no area area id default cost area id Identifies the stub or NSSA The area ID can be in the form of an IPv4 address or as a four octet unsigned integer ranging from 0 4294967295 cost Cost for ...

Page 1184: ...the routes remain hidden from the rest of the network COMMAND MODE Router Configuration DEFAULT SETTING Disabled COMMAND USAGE This command can be used to summarize intra area routes and advertise this information to other areas through Area Border Routers ABRs If the network addresses within an area are assigned in a contiguous manner the ABRs can advertise a summary route that covers all of the ...

Page 1185: ...system calculates the cost for an interface by dividing the reference bandwidth by the interface bandwidth By default the cost is 1 Mbps for all port types including 100 Mbps ports 1 Gigabit ports and 10 Gigabit ports A higher reference bandwidth can be used for aggregate links to indicate preferred use as a lower cost interface The ip ospf cost command overrides the cost calculated by the auto co...

Page 1186: ...er protocols Range 0 16777214 COMMAND MODE Router Configuration DEFAULT SETTING 20 COMMAND USAGE The default metric must be used to resolve the problem of redistributing external routes from other protocols that use incompatible metrics This command does not override the metric value set by the redistribute command When a metric value has not been configured by the redistribute command the default...

Page 1187: ...lue A tag placed in the AS external LSA to identify a specific external routing domain or to pass additional information between routers Range 0 4294967295 COMMAND MODE Router Configuration DEFAULT SETTING redistribution none metric value 10 type metric 2 COMMAND USAGE This command is used to import routes learned from other routing protocols into the OSPF domain and to generate AS external LSAs W...

Page 1188: ...external routes Console config router redistribute rip metric type 1 Console config router RELATED COMMANDS default information originate 1180 summary address This command aggregates routes learned from other protocols Use the no form to remove a summary address SYNTAX no summary address summary address netmask summary address Summary address covering a range of addresses netmask Network mask for ...

Page 1189: ...ole Indicates NSSA ABR translator role for Type 5 external LSAs candidate Router translates NSSA LSAs to Type 5 external LSAs if elected never Router never translates NSSA LSAs to Type 5 external LSAs always Router always translates NSSA LSAs to Type 5 external LSAs no redistribution Use this keyword when the router is an NSSA Area Border Router ABR and you want the redistribute command to import ...

Page 1190: ...ginate keyword External routes advertised into an NSSA can include network destinations outside the AS learned via OSPF the default route static routes routes imported from other routing protocols such as RIP and networks directly connected to the router that are not running OSPF NSSA external LSAs Type 7 are converted by any ABR adjacent to the NSSA into external LSAs Type 5 and propagated into o...

Page 1191: ...Routing table space is saved in a stub by blocking Type 4 AS summary LSAs and Type 5 external LSAs The default setting for this command completely isolates the stub by blocking Type 3 summary LSAs that advertise the default route for destinations external to the local area or the autonomous system Use the no summary parameter of this command on the ABR attached to the stub to define a totally stub...

Page 1192: ...ned integer ranging from 0 4294967295 router id Router ID of the virtual link neighbor This specifies the Area Border Router ABR at the other end of the virtual link To create a virtual link enter this command for an ABR at both ends of the link One of the ABRs must be next to the isolated area and the transit area at one end of the link while the other ABR must be next to the transit area and bac...

Page 1193: ...ication key key Sets a plain text password up to 8 characters that is used by neighboring routers on a virtual link to generate or verify the authentication field in protocol message headers A separate password can be assigned to each network interface However this key must be the same for all neighboring routers on the same network i e autonomous system This key is only used when authentication i...

Page 1194: ...e config router network 10 4 0 0 0 255 255 0 0 area 10 4 0 0 Console config router area 10 4 0 0 virtual link 10 4 3 254 Console config router This example creates a virtual link using MD5 authentication Console config router network 10 4 0 0 0 255 255 0 0 area 10 4 0 0 Console config router area 10 4 0 0 virtual link 10 4 3 254 message digest key 5 md5 ld83jdpq Console config router RELATED COMMA...

Page 1195: ... the backbone 0 0 0 0 covering class B addresses 10 1 x x and a normal transit area 10 2 9 0 covering the class C addresses 10 2 9 x Console config router network 10 1 0 0 255 255 0 0 area 0 0 0 0 Console config router network 10 2 9 0 255 255 255 0 area 10 1 0 0 Console config router ip ospf authentication This command specifies the authentication type used for an interface Enter this command wit...

Page 1196: ... snooping on routing protocol packets When using Message Digest 5 MD5 authentication the router uses the MD5 algorithm to verify data integrity by creating a 128 bit message digest from the authentication key Without the proper key and key id it is nearly impossible to produce any message that matches the pre specified target message digest Before specifying plain text password authentication for ...

Page 1197: ... SETTING No password COMMAND USAGE Before specifying plain text password authentication for an interface with the ip ospf authentication command configure a password with this command This command creates a password key that is inserted into the OSPF header when routing protocol packets are originated by this device Assign a separate password to each network for different interfaces All neighborin...

Page 1198: ...st Link metric for this interface Use higher values to indicate slower ports Range 1 65535 COMMAND MODE Interface Configuration VLAN DEFAULT SETTING 1 COMMAND USAGE The interface cost indicates the overhead required to send packets across a certain interface This is advertised as the link cost in router link state advertisements Routes are assigned a metric equal to the sum of all metrics for each...

Page 1199: ...s connected to the current interface seconds The maximum time that neighbor routers can wait for a hello packet before declaring the transmitting router down This interval must be set to the same value for all routers on the network Range 1 65535 COMMAND MODE Interface Configuration VLAN DEFAULT SETTING 40 or four times the interval specified by the ip ospf hello interval command COMMAND USAGE The...

Page 1200: ...routers that the sending router is still active Setting the hello interval to a smaller value can reduce the delay in detecting topological changes but will increase routing traffic EXAMPLE Console config interface vlan 1 Console config if ip ospf hello interval 5 Console config if ip ospf message digest key This command enables message digest MD5 authentication on the specified interface and to a...

Page 1201: ... network administrator time to update all the routers on the network without affecting the network connectivity Once all the network routers have been updated with the new key the old key should be removed for security reasons EXAMPLE This example sets a message digest key identifier and password Console config interface vlan 1 Console config if ip ospf message digest key 1 md5 aiebel Console conf...

Page 1202: ... network segment when this interface comes up the new router will accept the current DR regardless of its own priority The DR will not change until the next time the election process is initiated Configure router priority for multi access networks only and not for point to point networks EXAMPLE Console config interface vlan 1 Console config if ip ospf priority 5 Console config if ip ospf retransm...

Page 1203: ...lt value SYNTAX ip ospf ip address transmit delay seconds no ip ospf ip address transmit delay ip address This parameter can be used to indicate a specific IP address connected to the current interface If not specified the command applies to all networks connected to the current interface seconds Sets the estimated time required to send a link state update Range 1 65535 COMMAND MODE Interface Conf...

Page 1204: ...ULT SETTING None COMMAND USAGE You can configure an OSPF interface as passive to prevent OSPF routing traffic from exiting or entering that interface No OSPF adjacency can be formed if one of the interfaces involved is set to passive mode The specified interface will appear as a stub in the OSPF domain Also if you configure an OSPF interface as passive where an adjacency already exists the adjacen...

Page 1205: ...ion this is normally set to one of the router s IP interface addresses Process uptime The time this process has been running Conforms to RFC2328 Shows that this router is compliant with OSPF Version 2 RFC1583 Compatibility flag Shows whether or not compatibility with the RFC 1583 an earlier version of OSPFv2 is enabled Supports only single TOS TOS0 routes Optional Type of Service ToS specified in ...

Page 1206: ...te advertisements that have been received Number of areas attached to this router The number of configured areas attached to this router Number of interfaces in this area is The number of interfaces attached to this area Number of fully adjacent neighbors in this area is The number of neighbors for which the exchange of recognition protocol messages has been completed and are now fully adjacent Ar...

Page 1207: ...ed information about all advertising routers is displayed ip address IP address of the specified router If no address is entered information about the local router is displayed link state id The network portion described by an LSA The link state id entered should be An IP network number for Type 3 Summary and External LSAs A Router ID for Router Network and Type 4 AS Summary LSAs Also note that wh...

Page 1208: ...p ospf database asbr summary OSPF Router with ID 0 0 0 0 Process ID 1 ASBR Summary Link States Area 0 0 0 1 LS age 0 Options 0x2 E LS Type ASBR summary LSA Link State ID 2 1 0 0 AS Boundary Router address Table 165 show ip ospf database display description Field Description OSPF Router Process with ID OSPF process ID and router ID The router ID uniquely identifies the router in the autonomous syst...

Page 1209: ...Metric 20 Forward Address 10 10 11 50 External Route Tag 0 OSPF Router with ID 0 0 0 0 Process ID 1 AS External Link States LS age 0 Options 0x2 E Table 166 show ip ospf database summary display description Field Description OSPF Router ID Router ID LS age Age of LSA in seconds Options Optional capabilities associated with the LSA LS Type Summary Links LSA describes routes to AS boundary routers L...

Page 1210: ... Field Description OSPF Router ID Router ID LS age Age of LSA in seconds Options Optional capabilities associated with the LSA LS Type AS External Links LSA describes routes to destinations outside the AS including default external routes for the AS Link State ID IP network number External Network Number Advertising Router Advertising router ID LS Sequence Number Sequence number of LSA used to det...

Page 1211: ...s 192 168 0 2 Link Data Router Interface address 192 168 0 2 Number of TOS metrics 0 TOS 0 Metric 1 Table 168 show ip ospf database network display description Field Description OSPF Router ID Router ID LS age Age of LSA in seconds Options Optional capabilities associated with the LSA LS Type Network Link LSA describes the routers attached to the network Link State ID Interface address of the desi...

Page 1212: ... if this router is a virtual link endpoint an ASBR or an ABR LS Type Router Link LSA describes the router s interfaces Link State ID Router ID of the router that originated the LSA Advertising Router Advertising router ID LS Sequence Number Sequence number of LSA used to detect older duplicate LSAs Checksum Checksum of the complete contents of the LSA Length The length of the LSA in bytes Link con...

Page 1213: ...s configured Hello 10 Dead 40 Wait 40 Retransmit 5 Hello due in 00 00 10 Neighbor Count is 1 Adjacent neighbor count is 1 Hello received 920 sent 975 DD received 5 sent 4 LS Req received 1 sent 1 LS Upd received 14 sent 18 LS Ack received 17 sent 13 Discarded 0 Console Table 170 show ip ospf database summary display description Field Description OSPF Router ID Router ID LS age Age of LSA in second...

Page 1214: ...ack This is a loopback interface Waiting Router is trying to find the DR and BDR DR Designated Router BDR Backup Designated Router DRother Interface is on a multiaccess network but is not the DR or BDR Priority Router priority Designated Router Designated router ID and respective interface address Backup Designated Router Backup designated router ID and respective interface address Timer intervals...

Page 1215: ...eld Description Neighbor ID Neighbor s router ID Pri Neighbor s router priority State OSPF state and identification flag States include Down Connection down Attempt Connection down but attempting contact for non broadcast networks Init Have received Hello packet but communications not yet established Two way Bidirectional communications established ExStart Initializing adjacency between neighbors ...

Page 1216: ... 0 0 O 10 10 11 0 24 10 is directly connected fe1 2 Area 0 0 0 0 O 10 10 11 100 32 10 is directly connected lo Area 0 0 0 0 E2 10 15 0 0 24 10 50 via 10 10 0 1 VLAN1 IA 172 16 10 0 24 30 via 10 10 11 50 VLAN2 Area 0 0 0 0 E2 192 168 0 0 16 10 20 via 10 10 11 50 VLAN2 Console show ip ospf virtual links This command displays detailed information about virtual links SYNTAX show ip ospf virtual links ...

Page 1217: ...area the virtual link crosses to reach the target router Local address The IP address of ABR that serves as an endpoint connecting the isolated area to the common transit area Remote address The IP address this virtual neighbor is using The neighbor must be an ABR at the other endpoint connecting the common transit area to the backbone itself Transmit Delay Estimated transmit delay in seconds on t...

Page 1218: ...pology change and the hold time between consecutive SPF calculations RC Route Metrics and Summaries area default cost Sets the cost for a default summary route sent into a stub RC area range Summarizes routes advertised by an ABR RC default metric Sets the default metric for external routes imported from other protocols RC redistribute Redistribute routes from one routing domain to another RC Area...

Page 1219: ...ath First OSPFv3 routing process and enters router configuration mode Use the no form to disable OSPF for all processes or for a specified process SYNTAX no router ipv6 ospf tag process name process name A process name must be entered when configuring multiple routing instances Range Alphanumeric string up to 16 characters ipv6 ospf retransmit interval Specifies the time between resending a link s...

Page 1220: ...ing on the same link local network segment EXAMPLE Console config router ipv6 ospf tag 0 Console config router end Console show ipv6 ospf Routing Process ospf r d with ID 192 168 0 2 Process uptime is 1 hour 34 minutes Supports only single TOS TOS0 routes SPF schedule delay 5 secs Hold time between two SPFs 10 secs Number of incoming concurrent DD exchange neighbors 0 5 Number of outgoing concurre...

Page 1221: ...dered to be an ABR if it has more than one actively attached area and the backbone area is configured Standard Interpretation A router is considered to be an ABR if it is attached to two or more areas It does not have to be attached to the backbone area To successfully route traffic to inter area and AS external destinations an ABR must be connected to the backbone If an ABR has no backbone connec...

Page 1222: ...ckbone areas EXAMPLE Console config router abr type ibm Console config router max current dd This command sets the maximum number of neighbors with which the switch can concurrently exchange database descriptor DD packets Use the no form to restore the default setting SYNTAX max current dd max packets no max current dd max packets The maximum number of neighbors with which the switch can concurren...

Page 1223: ...d The router ID must be unique for every router in the autonomous system Note that the router ID can also be set to 255 255 255 255 If this router already has registered neighbors the new router ID will be used when the router is rebooted or manually restarted by entering the no router ipv6 ospf followed by the router ipv6 ospf command If the priority values of the routers bidding to be the design...

Page 1224: ...n DEFAULT SETTING SPF delay 5 seconds SPF holdtime 10 seconds COMMAND USAGE Setting the SPF holdtime to 0 means that there is no delay between consecutive calculations Using a low value for the holdtime allows the router to switch to a new path faster but uses more CPU processing time EXAMPLE Console config router timers spf 20 Console config router area default cost This command specifies a cost ...

Page 1225: ...The area ID can be in the form of an IPv4 address or as a four octet unsigned integer ranging from 0 4294967295 ipv6 prefix A full IPv6 address including the network prefix and host address bits prefix length A decimal value indicating how many contiguous bits from the left of the address comprise the prefix i e the portion of the address to summarize advertise Advertises the specified address ran...

Page 1226: ...s command sets the default metric for external routes imported from other protocols Use the no form to remove the default metric for the supported protocol types SYNTAX default metric metric value no default metric metric value Metric assigned to all external routes imported from other protocols Range 0 16777214 COMMAND MODE Router Configuration DEFAULT SETTING 20 COMMAND USAGE The default metric ...

Page 1227: ...rnal route default Routers do not add internal route metric to external route metric COMMAND MODE Router Configuration DEFAULT SETTING redistribution none metric value 20 type metric 2 COMMAND USAGE This command is used to import routes learned from other routing protocols into the OSPF domain and to generate AS external LSAs When you redistribute external routes into an OSPF autonomous system AS ...

Page 1228: ...dvertisement are sent into the stub COMMAND USAGE All routers in a stub must be configured with the same area ID Routing table space is saved by stopping an ABR from flooding Type 4 Inter Area Router and Type 5 AS External LSAs into the stub Since no information on external routes is known inside the stub an ABR will advertise the default route 0 0 0 using a Type 3 Inter Area Prefix LSA The defaul...

Page 1229: ...virtual link enter this command for an ABR at both ends of the link One of the ABRs must be next to the isolated area and the transit area at one end of the link while the other ABR must be next to the transit area and backbone at the other end of the link dead interval seconds Specifies the time that neighbor routers will wait for a hello packet before they declare the router down This value must...

Page 1230: ... routing connectivity throughout the autonomous system If it not possible to physically connect an area to the backbone you can use a virtual link A virtual link can provide a logical path to the backbone for an isolated area or can be configured as a backup connection that can take over if the normal connection to the backbone fails A virtual link can be configured between any two backbone router...

Page 1231: ...5 COMMAND MODE Interface Configuration DEFAULT SETTING None COMMAND USAGE An area ID uniquely defines an OSPF broadcast area The area ID 0 0 0 0 indicates the OSPF backbone for an autonomous system Each router must be connected to the backbone via a direct connection or a virtual link Set the area ID to the same value for all routers on a network segment The process name is only used on the local ...

Page 1232: ...e Alphanumeric string up to 16 characters instance id Identifies a specific OSPFv3 routing process on the link local network segment attached to this interface Range 0 255 COMMAND MODE Interface Configuration VLAN DEFAULT SETTING No areas are defined COMMAND USAGE An area ID uniquely defines an OSPF broadcast area The area ID 0 0 0 0 indicates the OSPF backbone for an autonomous system Each router...

Page 1233: ...nce id instance id cost Link metric for this interface Use higher values to indicate slower ports Range 1 65535 instance id Identifies a specific OSPFv3 routing process on the link local network segment attached to this interface Range 0 255 COMMAND MODE Interface Configuration VLAN DEFAULT SETTING 1 COMMAND USAGE The interface cost indicates the overhead required to send packets across a certain ...

Page 1234: ...acket before declaring the transmitting router down This interval must be set to the same value for all routers on the network Range 1 65535 instance id Identifies a specific OSPFv3 routing process on the link local network segment attached to this interface Range 0 255 COMMAND MODE Interface Configuration VLAN DEFAULT SETTING 40 seconds or four times the interval specified by the ipv6 ospf hello ...

Page 1235: ...TING 10 seconds COMMAND USAGE Hello packets are used to inform other routers that the sending router is still active Setting the hello interval to a smaller value can reduce the delay in detecting topological changes but will increase routing traffic EXAMPLE Console config interface vlan 1 Console config if ipv6 ospf hello interval 5 Console config if RELATED COMMANDS ipv6 ospf dead interval 1234 ...

Page 1236: ...be elected If a DR already exists for a network segment when this interface comes up the new router will accept the current DR regardless of its own priority The DR will not change until the next time the election process is initiated Configure router priority for multi access networks only and not for point to point networks EXAMPLE Console config interface vlan 1 Console config if ipv6 ospf prio...

Page 1237: ...ed time to send a link state update packet over an interface Use the no form to restore the default value SYNTAX ipv6 ospf transmit delay seconds instance id instance id no ipv6 ospf transmit delay instance id instance id seconds Sets the estimated time required to send a link state update Range 1 65535 instance id Identifies a specific OSPFv3 routing process on the link local network segment atta...

Page 1238: ...ncluding the network prefix and host address bits COMMAND MODE Router Configuration DEFAULT SETTING None COMMAND USAGE You can configure an OSPF interface as passive to prevent OSPF routing traffic from exiting or entering that interface No OSPF adjacency can be formed if one of the interfaces involved is set to passive mode The specified interface will appear as a stub in the OSPF domain Also if ...

Page 1239: ...st per interface can be assigned SPF schedule delay The delay after receiving a topology change notification and starting the SPF calculation Hold time Sets the hold time between two consecutive SPF calculations Number of concurrent DD exchange neighbors Number of neighbors currently exchanging database descriptor packets Number of external LSA The number of external link state advertisements Type...

Page 1240: ...A Link State ID ADV Router Age Seq CkSum Console SPF algorithm executed x times The number of times the shortest path first algorithm has been executed for this area Number of LSA The total number of link state advertisements in this area s link state database excluding AS External LSA s Checksum The sum of the LS checksums of link state advertisements for this network area contained in the link s...

Page 1241: ...0 Retransmit 5 Neighbor Count is 0 Adjacent neighbor count is 0 Hello received 0 sent 92 DD received 0 sent 0 LS Req received 0 sent 0 LS Upd received 0 sent 0 LS Ack received 0 sent 0 Discarded 0 Console Seq Sequence number of LSA used to detect older duplicate LSAs CkSum Checksum of the complete contents of the LSA Link Number of interfaces attached to the router Table 177 show ip ospf database ...

Page 1242: ...multiaccess network but is not the DR or BDR Loopback This is a loopback interface PointToPoint A direct link between two routers Waiting Router is trying to find the DR and BDR Priority Router priority Designated Router Designated router ID and respective interface address Backup Designated Router Backup designated router ID and respective interface address Timer intervals Configuration settings ...

Page 1243: ...72 64 VLAN1 FE80 64 VLAN1 inactive C FE80 64 VLAN1 FF00 8 VLAN1 inactive Console Table 179 show ipv6 ospf neighbor display description Field Description ID Neighbor s router ID Pri Neighbor s router priority State OSPF state and identification flag States include Down Connection down Attempt Connection down but attempting contact for non broadcast networks Init Have received Hello packet but commu...

Page 1244: ...p or down Transit area Common area the virtual link crosses to reach the target router Local address The IP address of ABR that serves as an endpoint connecting the isolated area to the common transit area Remote address The IP address this virtual neighbor is using The neighbor must be an ABR at the other endpoint connecting the common transit area to the backbone itself Transmit Delay Estimated ...

Page 1245: ...ng SYNTAX no ip multicast routing DEFAULT SETTING Disabled Table 181 Multicast Routing Commands Command Group Function General Multicast Routing Enables IP multicast routing globally also displays the IP multicast routing table created from static and dynamic routing information Static Multicast Routing Configures static multicast router ports PIM Multicast Routing Configures global and interface ...

Page 1246: ...ddress source summary group address An IPv4 multicast group address with subscribers directly attached or downstream from this router source The IPv4 subnetwork at the root of the multicast delivery tree This subnetwork contains a known multicast source summary Displays summary information for each entry in the IP multicast routing table COMMAND MODE Privileged Exec COMMAND USAGE This command disp...

Page 1247: ...lticast packets have been received from a source on the shortest path tree J Join SPT The rate of traffic arriving over the shared tree has exceeded the SPT threshold for this group If the SPT flag is set for G entries the next S G packet received will cause the router to join the shortest path tree If the SPT flag is set for S G the router immediately joins the shortest path tree Interface state ...

Page 1248: ...ticast routing globally for the router A multicast routing protocol also needs to be enabled on the interfaces that will support multicast routing using the router pim6 command and then specify the interfaces that will support multicast routing using the ipv6 pim dense mode command To use multicast routing MLD proxy can not enabled on any interface of the device see ipv6 mld proxy on page 1047 EXA...

Page 1249: ...ional parameters are selected detailed information for each entry in the multicast address table is displayed If you select a multicast group and source pair detailed information is displayed only for the specified entry If the summary option is selected an abbreviated list of information for each entry is displayed on a single line EXAMPLE This example shows detailed multicast information for a s...

Page 1250: ...er immediately joins the shortest path tree Interface state The multicast state for the displayed interface group address IP multicast group address for a requested service source Subnetwork containing the IP multicast source Uptime The time elapsed since this entry was created Owner The associated multicast protocol PIM Incoming Interface Interface leading to the upstream neighbor PIM creates a m...

Page 1251: ...routes on the switch ip igmp snooping vlan mrouter This command statically configures a multicast router port Use the no form to remove the configuration SYNTAX ip igmp snooping vlan vlan id mrouter interface no ip igmp snooping vlan vlan id mrouter interface vlan id VLAN ID Range 1 4093 interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id R...

Page 1252: ... port within VLAN 1 Console config ip igmp snooping vlan 1 mrouter ethernet 1 11 Console config show ip igmp snooping mrouter This command displays information on statically configured and dynamically learned multicast router ports SYNTAX show ip igmp snooping mrouter vlan vlan id vlan id VLAN ID Range 1 4093 DEFAULT SETTING Displays multicast router ports for all configured VLANs COMMAND MODE Pri...

Page 1253: ...ges from a neighboring PIM router before declaring it dead IC ip pim hello interval Sets the interval between sending PIM hello messages IC ip pim join prune holdtime Configures the hold time for the prune state IC ip pim lan prune delay Informs downstream routers of the delay before it prunes a flow after receiving a prune request IC ip pim override interval Specifies the time it takes a downstre...

Page 1254: ... Configures the rate at which register messages are sent by the Designated Router DR GC ip pim register source Configure the IP source address of a register message to an address other than the outgoing interface address of the designated router DR leading toward the rendezvous point RP GC ip pim rp address Sets a static address for the rendezvous point GC ip pim rp candidate Configures the switch...

Page 1255: ...AND MODE Interface Configuration VLAN COMMAND USAGE To fully enable PIM you need to enable multicast routing globally for the router with the ip multicast routing command enable PIM globally for the router with the router pim command and also enable PIM DM or PIM SM for each interface that will participate in multicast routing with this command If you enable PIM on an interface you should also ena...

Page 1256: ...ne the shared path if they have already connected to the source through the SPT or if there are no longer any group members connected to the interface EXAMPLE Console config interface vlan 1 Console config if ip pim dense mode Console show ip pim interface PIM is enabled VLAN 1 is up PIM Mode Dense Mode IP Address 192 168 0 2 Hello Interval 30 sec Hello HoldTime 105 sec Triggered Hello Delay 5 sec...

Page 1257: ...l between sending PIM hello messages Range 1 65535 DEFAULT SETTING 30 seconds COMMAND MODE Interface Configuration VLAN COMMAND USAGE Hello messages are sent to neighboring PIM routers from which this device has received probes and are used to verify whether or not these neighbors are still active members of the multicast tree EXAMPLE Console config if ip pim hello interval 60 Console config if ip...

Page 1258: ... to disable this feature SYNTAX no ip pim lan prune delay DEFAULT SETTING Disabled COMMAND MODE Interface Configuration VLAN COMMAND USAGE When other downstream routers on the same VLAN are notified that this upstream router has received a prune request they must send a Join to override the prune before the prune delay expires if they want to continue receiving the flow The message generated by th...

Page 1259: ...referenced in the message Range 500 6000 milliseconds DEFAULT SETTING 2500 milliseconds COMMAND MODE Interface Configuration VLAN COMMAND USAGE The override interval configured by this command and the propagation delay configured by the ip pim propagation delay command are used to calculate the LAN prune delay If a downstream router has group members which want to continue receiving the flow refer...

Page 1260: ...o calculate the LAN prune delay If a downstream router has group members which want to continue receiving the flow referenced in a LAN prune delay message then the propagation delay represents the time required for the lan prune delay message to be propagated down from the upstream router to all downstream routers attached to the same VLAN interface EXAMPLE Console config if ip pim propagation del...

Page 1261: ...y 3 Console config if show ip pim interface This command displays information about interfaces configured for PIM SYNTAX show ip pim interface vlan vlan id vlan id VLAN ID Range 1 4094 COMMAND MODE Normal Exec Privileged Exec COMMAND USAGE This command displays the PIM settings for the specified interface as described in the preceding pages It also shows the address of the designated PIM router an...

Page 1262: ...t for a Graft acknowledgement before resending a Graft Use the no form to restore the default value SYNTAX ip pim graft retry interval seconds no ip pim graft retry interval seconds The time before resending a Graft Range 1 10 seconds DEFAULT SETTING 3 seconds COMMAND MODE Interface Configuration VLAN COMMAND USAGE A graft message is sent by a router to cancel a prune state When a router receives ...

Page 1263: ...fault value SYNTAX ip pim max graft retries retries no ip pim max graft retries retries The maximum number of times to resend a Graft Range 1 10 DEFAULT SETTING 3 COMMAND MODE Interface Configuration VLAN EXAMPLE Console config if ip pim max graft retries 5 Console config if ip pim state refresh origination interval This command sets the interval between sending PIM DM state refresh control messag...

Page 1264: ... form to restore the default value SYNTAX ip pim bsr candidate interface vlan vlan id hash hash mask length priority priority no ip pim bsr candidate vlan id VLAN ID Range 1 4094 hash mask length Hash mask length in bits used for RP selection see ip pim rp candidate and ip pim rp address The portion of the hash specified by the mask length is ANDed with the group address Therefore when the hash fu...

Page 1265: ...e locations each to serve as both a candidate BSR and candidate RP It is also preferable to set up one of these routers as both the primary BSR and RP EXAMPLE The following example configures the router to start sending bootstrap messages out of the interface for VLAN 1 to all of its PIM SM neighbors Console config ip pim bsr candidate interface vlan 1 hash 20 priority 200 Console config exit Cons...

Page 1266: ...oward the rendezvous point RP Use the no form to restore the default setting SYNTAX ip pim register source interface vlan vlan id no ip pim register source vlan id VLAN ID Range 1 4094 DEFAULT SETTING The IP address of the DR s outgoing interface that leads back to the RP COMMAND MODE Global Configuration COMMAND USAGE When the source address of a register message is filtered by intermediate netwo...

Page 1267: ...llowed If an IP address is specified that was previously used for an RP then the older entry is replaced Multiple RPs can be defined for different groups or group ranges If a group is matched by more than one entry the router will use the RP associated with the longer group prefix length If the prefix lengths are the same then the static RP with the highest IP address is chosen Static definitions ...

Page 1268: ...zvous Point RP candidate to the bootstrap router BSR Use the no form to remove this router as an RP candidate SYNTAX ip pim rp candidate interface vlan vlan id group prefix group address mask interval seconds priority value no ip pim rp candidate interface vlan vlan id vlan id VLAN ID Range 1 4094 group address An IP multicast group address If a group address is not specified the RP is advertised ...

Page 1269: ...alue based on the group address RP address priority and hash mask included in the bootstrap messages If there is a tie use the candidate RP with the highest IP address This distributed election process provides faster convergence and minimal disruption when an RP fails It also serves to provide load balancing by distributing groups across multiple RPs Moreover when an RP fails the responsible RPs ...

Page 1270: ...cast source to a receiver is through the RP However the path through the RP is not always the shortest path Therefore the router uses the RP to forward only the first packet from a new multicast group to its receivers Afterwards it calculates the shortest path tree SPT directly between the receiver and source and then uses the SPT to send all subsequent packets from the source to the receiver inst...

Page 1271: ...ng a simple election process The router with the highest priority configured on an interface is elected as the DR If more than one router attached to this interface uses the same priority then the router with the highest IP address is elected to serve as the DR If a router does not advertise a priority in its hello messages it is assumed to have the highest priority and is elected as the DR If mor...

Page 1272: ...ill be adversely affected The multicast interface that first receives a multicast stream from a particular source forwards this traffic only to those interfaces on the router that have requested to join this group When there are no longer any requesting groups on that interface the leaf node sends a prune message upstream and enters a prune state for this multicast stream The protocol maintains bo...

Page 1273: ...es to the RP Use the show ip pim rp mapping command to display active RPs that are cached with associated multicast routing entries EXAMPLE This example clears the RP map Console clear ip pim bsr rp set Console show ip pim rp mapping PIM Group to RP Mappings Console show ip pim bsr router This command displays information about the bootstrap router BSR COMMAND MODE Privileged Exec COMMAND USAGE Th...

Page 1274: ...gth The number of significant bits used in the multicast group comparison mask This mask determines the multicast group for which this router can be a BSR Expire The time before this entry will be removed Role Candidate BSR or Non candidate BSR State Operation state of BSR includes No information No information stored for this device Accept Any The router does not know of an active BSR and will ac...

Page 1275: ... 0 2 32 via null Console Table 190 show ip pim rp mapping display description Field Description Groups The multicast group address mask length managed by the RP RP address IP address of the RP used for the listed multicast group Info source RP that advertised the mapping how the RP was selected Static or Bootstrap and the priority used in the bidding process Uptime The time this RP has been up and...

Page 1276: ...ft acknowledgement before resending a Graft message IC ipv6 pim hello holdtime Sets the time to wait for hello messages from a neighboring PIM router before declaring it dead IC ipv6 pim hello interval Sets the interval between sending PIM hello messages IC ipv6 pim join prune holdtime Configures the hold time for the prune state IC ipv6 pim lan prune delay Informs downstream routers of the delay ...

Page 1277: ...that will participate in multicast routing with this command If you enable PIM on an interface you should also enable IGMP on that interface PIM mode selection determines how the switch populates the multicast routing table and how it forwards packets received from directly connected LAN interfaces Dense mode interfaces are always added to the multicast routing table Dense mode interfaces are subj...

Page 1278: ...ace Configuration VLAN COMMAND USAGE A graft message is sent by a router to cancel a prune state When a router receives a graft message it must respond with an graft acknowledgement message If this acknowledgement message is lost the router that sent the graft message will resend it a number of times as defined by the ipv6 pim max graft retries command EXAMPLE Console config if ipv6 pim graft retr...

Page 1279: ... hello interval seconds Interval between sending PIM hello messages Range 1 65535 DEFAULT SETTING 30 seconds COMMAND MODE Interface Configuration VLAN COMMAND USAGE Hello messages are sent to neighboring PIM routers from which this device has received probes and are used to verify whether or not these neighbors are still active members of the multicast tree EXAMPLE Console config if ipv6 pim hello...

Page 1280: ...w after receiving a prune request Use the no form to disable this feature SYNTAX no ipv6 pim lan prune delay DEFAULT SETTING Disabled COMMAND MODE Interface Configuration VLAN COMMAND USAGE When other downstream routers on the same VLAN are notified that this upstream router has received a prune request they must send a Join to override the prune before the prune delay expires if they want to cont...

Page 1281: ...ber of times to resend a Graft Range 1 10 DEFAULT SETTING 3 COMMAND MODE Interface Configuration VLAN EXAMPLE Console config if ipv6 pim max graft retries 5 Console config if ipv6 pim override interval This command configures the override interval or the time it takes a downstream router to respond to a lan prune delay message Use the no form to restore the default setting SYNTAX ipv6 pim override...

Page 1282: ...ay 1280 ipv6 pim propagation delay This command configures the propagation delay required for a LAN prune delay message to reach downstream routers Use the no form to restore the default setting ipv6 pim propagation delay milliseconds no ipv6 pim propagation delay milliseconds The time required for a lan prune delay message to reach downstream routers attached to the same VLAN interface Range 100 ...

Page 1283: ... seconds COMMAND MODE Interface Configuration VLAN COMMAND USAGE The pruned state times out approximately every three minutes and the entire PIM DM network is reflooded with multicast packets and prune messages The state refresh feature keeps the pruned state from timing out by periodically forwarding a control message down the distribution tree refreshing the prune state on the outgoing interface...

Page 1284: ...random value between 0 and the trigger hello delay This prevents synchronization of Hello messages on multi access links if multiple routers are powered on simultaneously Also if a Hello message is received from a new neighbor the receiving router will send its own Hello message after a random delay between 0 and the trigger hello delay EXAMPLE Console config if ipv6 pim trigger hello delay 3 Cons...

Page 1285: ...is command displays information about PIM neighbors SYNTAX show ipv6 pim neighbor interface vlan vlan id vlan id VLAN ID Range 1 4094 DEFAULT SETTING Displays information for all known PIM neighbors COMMAND MODE Normal Exec Privileged Exec EXAMPLE Console show ipv6 pim neighbor Address VLAN Interface Uptime Expire FF80 0101 VLAN 1 00 01 23 00 01 23 FF80 0202 VLAN 2 1d 11h Never Console Table 193 s...

Page 1286: ...CHAPTER 49 Multicast Routing Commands PIM Multicast Routing 1286 ES 4500G Series ...

Page 1287: ... ES 4500G Series SECTION IV APPENDICES This section provides additional information and includes these items Software Specifications on page 1289 Troubleshooting on page 1295 License Information on page 1297 ...

Page 1288: ...SECTION I Appendices 1288 ES 4500G Series ...

Page 1289: ... at full duplex SFP 10GBASE SR LR ER 10 Gbps at full duplex Module 10GBASE T 10 Gbps 1000 Mbps 100 Mbps at full duplex Module FLOW CONTROL Full Duplex IEEE 802 3 2005 Half Duplex Back pressure STORM CONTROL Broadcast traffic throttled above a critical threshold PORT MIRRORING 26 sessions one or more source ports to one destination port RATE LIMITS Input Output Limits Range configured per port PORT...

Page 1290: ...aps policy maps and service policies MULTICAST FILTERING IGMP Snooping Layer 2 Multicast VLAN Registration ARP Proxy ARP ADDITIONAL FEATURES BOOTP Client DHCP Client DNS Client Proxy LLDP Link Layer Discover Protocol RMON Remote Monitoring groups 1 2 3 9 SMTP Email Alerts SNMP Simple Network Management Protocol SNTP Simple Network Time Protocol MANAGEMENT FEATURES IN BAND MANAGEMENT Telnet web bas...

Page 1291: ...IEEE 802 1v Protocol based VLANs IEEE 802 1X Port Authentication IEEE 802 3 2005 Ethernet Fast Ethernet Gigabit Ethernet and 10 Gigabit Ethernet fiber and short haul copper Link Aggregation Control Protocol LACP Full duplex flow control ISO IEC 8802 3 IEEE 802 3ac VLAN tagging DHCP Client RFC 2131 HTTPS ICMP RFC 792 IGMP RFC 1112 IGMPv2 RFC 2236 IGMPv3 RFC 3376 partial support IPv4 IGMP RFC 3228 O...

Page 1292: ... MAU MIB RFC 3636 MIB II RFC 1213 OSPF MIB RFC 1850 OSPFv3 MIB draft ietf ospf ospfv3 mib 15 txt P Bridge MIB RFC 2674P Port Access Entity MIB IEEE 802 1X Port Access Entity Equipment MIB Private MIB Q Bridge MIB RFC 2674Q QinQ Tunneling IEEE 802 1ad Provider Bridges Quality of Service MIB RADIUS Accounting Server MIB RFC 2621 RADIUS Authentication Client MIB RFC 2619 RMON MIB RFC 2819 RMON II Pro...

Page 1293: ...APPENDIX A Software Specifications Management Information Bases 1293 ES 4500G Series UDP MIB RFC 2013 ...

Page 1294: ...APPENDIX A Software Specifications Management Information Bases 1294 ES 4500G Series ...

Page 1295: ...sessions permitted Try connecting again at a later time Cannot connect using Secure Shell If you cannot connect using SSH you may have exceeded the maximum number of concurrent Telnet SSH sessions permitted Try connecting again at a later time Be sure the control parameters for the SSH server are properly configured on the switch and that the SSH client software is properly configured on the manag...

Page 1296: ...essages 6 Repeat the sequence of commands or other actions that lead up to the error 7 Make a list of the commands or circumstances that led to the fault Also make a list of any error messages displayed 8 Set up your terminal emulation software so that it can capture all console output to a file Then enter the show tech support command to record all system settings in this file 9 Contact your dist...

Page 1297: ...e copies of free software and charge for this service if you wish that you receive source code or can get it if you want it that you can change the software or use pieces of it in new free programs and that you know you can do these things To protect your rights we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights These restrictions transla...

Page 1298: ...work that you distribute or publish that in whole or in part contains or is derived from the Program or any part thereof to be licensed as a whole at no charge to all third parties under the terms of this License c If the modified program normally reads commands interactively when run you must cause it when started running for such interactive use in the most ordinary way to print or display an an...

Page 1299: ...tive works These actions are prohibited by law if you do not accept this License Therefore by modifying or distributing the Program or any work based on the Program you indicate your acceptance of this License to do so and all its terms and conditions for copying distributing or modifying the Program or works based on it 7 Each time you redistribute the Program or any work based on the Program the...

Page 1300: ...hor to ask for permission For software which is copyrighted by the Free Software Foundation write to the Free Software Foundation we sometimes make exceptions for this Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally NO WARRANTY 1 BECAUSE THE PROGRAM IS LICENSED FREE OF CH...

Page 1301: ...eighted round robin service to enforce priority service and prevent blockage of lower level queues Priority may be set according to the port default the packet s priority bit in the VLAN tag TCP UDP port number IP Precedence bit or DSCP priority bit DHCP Dynamic Host Control Protocol Provides a framework for passing configuration information to hosts on a TCP IP network DHCP is based on the Bootst...

Page 1302: ...user name and password is requested by the switch and then passed to an authentication server e g RADIUS for verification EAPOL is implemented as part of the IEEE 802 1X Port Authentication standard EUI Extended Universal Identifier is an address format used by IPv6 to identify the host portion of the network address The interface identifier in EUI compatible addresses is based on the link layer M...

Page 1303: ...ality of service QoS in Ethernet networks The standard uses packet tags that define up to eight traffic classes and allows switches to transmit packets based on the tagged priority value IEEE 802 1S An IEEE standard for the Multiple Spanning Tree Protocol MSTP which provides independent spanning trees for VLAN groups IEEE 802 1W An IEEE standard for the Rapid Spanning Tree Protocol RSTP which redu...

Page 1304: ...tween IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members IN BAND MANAGEMENT Management of the network from a station attached directly to the network IP MULTICAST FILTERING A process whereby this switch can pass multicast traffic along to participating hosts IP PRECEDENCE The Type of Service ToS octet in the IPv4 header includes three precedence bits defining ...

Page 1305: ...nd group membership messages MSTP Multiple Spanning Tree Protocol can provide an independent spanning tree for different VLANs It simplifies network management provides for even faster convergence than RSTP by limiting the size of each region and prevents VLAN members from being segmented from the rest of the group MULTICAST SWITCHING A process whereby the switch filters incoming multicast frames ...

Page 1306: ...ts can only be forwarded to and from uplink ports QINQ QinQ tunneling is designed for service providers carrying traffic for multiple customers across their networks It is used to maintain customer specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs QOS Quality of Service QoS refers to the capability of a network to provide better service ...

Page 1307: ... via broadcasts sent by NTP servers SSH Secure Shell is a secure replacement for remote access functions including Telnet SSH can authenticate users with a cryptographic key and encrypt data connections between management clients and the switch STA Spanning Tree Algorithm is a technology that checks your network for any loops A loop can often occur in complicated or backup linked network systems S...

Page 1308: ...l LAN A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network A VLAN serves as a logical workgroup with no physical barriers and allows users to share information and resources as though located on the same LAN VRRP Virtual Router Redundancy Protocol uses a virtual IP address to support a primary r...

Page 1309: ...l release 879 auto traffic control control release 879 auto traffic control release timer 874 B boot system 648 bootfile 1084 bridge ext gvrp 918 C calendar set 678 capabilities 837 channel group 856 class 978 class map 974 clear arp cache 1114 clear counters 845 clear dns cache 1072 clear host 1073 clear ip dhcp binding 1093 clear ip dhcp snooping database flash 797 clear ip igmp group 1032 clear...

Page 1310: ...791 ip dhcp snooping database flash 793 ip dhcp snooping information option 793 ip dhcp snooping information policy 794 ip dhcp snooping trust 796 ip dhcp snooping verify mac address 795 ip dhcp snooping vlan 795 ip domain list 1067 ip domain lookup 1068 ip domain name 1069 ip forward protocol udp 1115 ip helper 1116 ip helper address 1117 ip host 1070 ip http port 738 ip http secure port 741 ip h...

Page 1311: ... rip receive version 1170 ip rip receive packet 1171 ip rip send version 1172 ip rip send packet 1173 ip rip split horizon 1173 ip route 1152 ip source guard 801 ip source guard binding 799 ip source guard max binding 802 ip ssh authentication retries 747 ip ssh crypto host key generate 749 ip ssh crypto zeroize 750 ip ssh save host key 751 ip ssh server 747 ip ssh server key size 748 ip ssh timeo...

Page 1312: ... access group 829 mac address table aging time 885 mac address table static 886 mac authentication intrusion action 781 mac authentication max mac count 781 mac authentication reauth time 773 mac learning 768 mac vlan 951 management 765 map ip dscp Global Configuration 966 map ip dscp Interface Configuration 968 map ip port Global Configuration 967 map ip port Interface Configuration 969 map ip pr...

Page 1313: ...ction history 706 rmon collection rmon1 707 rmon event 705 router ipv6 ospf 1219 router ospf 1178 router pim 1254 router pim6 1276 router rip 1160 router id 1181 router id 1223 S server 735 service dhcp 1084 service policy 986 set 985 sflow destination 711 sflow max datagram size 712 sflow max header size 713 sflow owner 713 sflow sample 714 sflow source 714 sflow timeout 715 show access group 834...

Page 1314: ...spf neighbor 1242 show ipv6 ospf route 1243 show ipv6 ospf virtual links 1244 show ipv6 pim interface 1284 show ipv6 pim neighbor 1285 show ipv6 route 1158 show ipv6 traffic 1130 show ipv6 tunnel 1149 show lacp 861 show line 663 show lldp config 1061 show lldp info local device 1062 show lldp info remote device 1063 show lldp info statistics 1064 show log 669 show logging 669 show logging sendmail...

Page 1315: ...ng tree hello time 893 spanning tree link type 906 spanning tree loopback detection 906 spanning tree loopback detection release 913 spanning tree loopback detection release mode 907 spanning tree loopback detection trap 908 spanning tree max age 894 spanning tree mode 895 spanning tree mst configuration 897 spanning tree mst cost 908 spanning tree mst port priority 909 spanning tree pathcost meth...

Page 1316: ...ersion 1168 vlan 923 vlan database 923 vlan trunking 929 voice vlan 953 voice vlan aging 954 voice vlan mac address 954 vrrp authentication 1096 vrrp ip 1096 vrrp preempt 1097 vrrp priority 1098 vrrp timers advertise 1099 W web auth 787 web auth login attempts 785 web auth quiet period 786 web auth re authenticate IP 788 web auth re authenticate Port 788 web auth session timeout 786 web auth syste...

Page 1317: ... 822 IPv6 Standard 312 317 820 821 MAC 312 321 826 time range 308 679 Address Resolution Protocol See ARP address table 197 885 aging time 200 885 aging time displaying 200 888 aging time setting 200 885 administrative users displaying 644 ARP ACL 323 806 configuration 486 1111 description 485 proxy 486 1113 statistics 490 1155 ARP inspection 326 804 ACL filter 329 806 additional validation criter...

Page 1318: ...n option enabling 354 793 policy selection 354 794 specifying trusted interfaces 356 796 verifying MAC addresses 354 795 VLAN configuration 355 795 Differentiated Services See DiffServ DiffServ 245 973 binding policy to interface 259 986 class map 246 974 978 class map description 247 975 classifying QoS traffic 246 976 color aware srTCM 254 980 color aware trTCM 255 983 color blind srTCM 254 980 ...

Page 1319: ...02 1D 205 895 IEEE 802 1s 205 895 IEEE 802 1w 205 895 IEEE 802 1X 338 753 755 IGMP clearing the cache 1032 enabling per interface 441 1026 filter profiles binding to interface 436 1012 filter profiles configuration 433 1011 filter interface configuration 436 1012 1014 filter parameters 433 filtering throttling 432 1009 filtering throttling enabling 433 1010 filtering throttling interface configura...

Page 1320: ...106 dynamic configuration 78 manual configuration 75 setting 75 457 1106 IPv6 configuring static neighbors 1136 displaying neighbors 469 1136 duplicate address detection 469 1138 enabling 463 1125 hop limit advertisements 1137 MTU 463 1126 IPv6 address dynamic configuration global unicast 79 466 1121 dynamic configuration link local 79 463 1125 EUI format 466 1123 EUI 64 setting 466 1122 1123 expl...

Page 1321: ...outing enabling 1047 MSTP 205 222 895 global settings configuring 209 222 891 global settings displaying 214 914 interface settings configuring 215 226 891 interface settings displaying 227 914 max hop count 212 899 path cost 226 908 region name 212 901 region revision 212 902 MTU for IPv6 463 1126 multicast filtering 413 989 enabling IGMP snooping 417 991 enabling IGMP snooping per interface 425 ...

Page 1322: ...buting external routes 567 1187 retransmit interval 573 1202 RFC 1583 compatible 553 1179 router ID 553 1181 router priority 572 1201 routing table displaying 580 1216 SPF timers 554 1182 stub 558 562 1191 transit area 550 551 560 562 577 578 1192 transmit delay over interface 573 1203 virtual link 577 1192 virtual links displaying 1216 OSPFv3 1218 ABR route summary 1225 area border router 1225 ba...

Page 1323: ... forced selection on combo ports 132 840 loopback test 852 mirroring 136 865 mirroring local traffic 136 865 mtu 843 multicast storm threshold 232 844 speed 133 842 statistics 138 846 unknown unicast storm threshold 231 844 primary VLAN 176 178 179 941 priority default port ingress 233 963 private key 300 744 private VLANs configuring 176 940 private VLANs displaying 177 179 944 problems troublesh...

Page 1324: ...g 408 708 statistics collection 410 707 statistics displaying 411 709 root guard 217 911 router redundancy protocols 497 1095 VRRP 497 1095 Routing Information Protocol See RIP routing nformation base description 1154 routing table displaying 493 1153 RSA encryption 304 305 749 RSTP 205 895 global settings configuring 209 895 global settings displaying 214 914 interface settings configuring 215 90...

Page 1325: ...P 209 895 Also see STA summary accounting 276 737 switch settings restoring 115 648 saving 115 648 system clock setting 117 674 setting manually 118 678 setting the time zone 121 677 setting with SNTP 119 675 677 system logs 359 667 system software downloading from server 113 649 T TACACS logon authentication 270 726 settings 272 726 TCN flood 418 994 general query solitication 418 995 Telnet conf...

Page 1326: ...ng unknown groups 161 929 voice 261 952 voice VLANs 261 952 detecting VoIP devices 262 953 enabling for ports 264 955 957 identifying client devices 263 954 VoIP traffic 261 952 ports configuring 264 955 957 telephony OUI configuring 263 954 voice VLAN configuring 261 952 VoIP detecting devices 265 956 VRRP 497 1095 authentication 501 1096 configuration settings 497 498 1095 group statistics 505 1...

Page 1327: ...ES 4526G ES 4550G E042011 ST R01 150200000149A ...

Page 1328: ...APRIL 2011 ISSUE 1 0 ...

Reviews:

No comments

Related manuals for iPECS ES-4526G

D-Link DGS-1024D - Switch Quick Installation Manual preview
DGS-1024D - Switch
Brand: D-Link Pages: 16
D-Link DGS-1016D - Switch User Manual preview
DGS-1016D - Switch
Brand: D-Link Pages: 44
D-Link DES-6000 Series Firmware Update Manual preview
DES-6000 Series
Brand: D-Link Pages: 3
D-Link DES-5024 - Switch Application Notes preview
DES-5024 - Switch
Brand: D-Link Pages: 2
D-Link DES-3828 - xStack Switch - Stackable Datasheet preview
DES-3828 - xStack Switch - Stackable
Brand: D-Link Pages: 3
D-Link DES-3550 User Manual preview
DES-3550
Brand: D-Link Pages: 192
D-Link DES-3326 Configuration Manual preview
DES-3326
Brand: D-Link Pages: 9
D-Link DES-3226L User Manual preview
DES-3226L
Brand: D-Link Pages: 110
D-Link DES-1026G User Manual preview
DES-1026G
Brand: D-Link Pages: 10
D-Link DES-1008D Manual preview
DES-1008D
Brand: D-Link Pages: 17
D-Link DES-1005P Quick Install Manual preview
DES-1005P
Brand: D-Link Pages: 4
D-Link DGS-1210-28P Manual preview
DGS-1210-28P
Brand: D-Link Pages: 9
D-Link DES-1024D Brochure preview
DES-1024D
Brand: D-Link Pages: 4
D-Link DGS-105 - Switch Datasheet preview
DGS-105 - Switch
Brand: D-Link Pages: 4
D-Link DES-1024D Quick Install Manual preview
DES-1024D
Brand: D-Link Pages: 2
D-Link des-1016a Quick Install Manual preview
des-1016a
Brand: D-Link Pages: 2
Datavideo SE-1000 Reference Manual preview
SE-1000
Brand: Datavideo Pages: 4
Datavideo SE-1200MU Quick Start Manual preview
SE-1200MU
Brand: Datavideo Pages: 66

Brands by name

Popular brands

Load more brands