SMC Networks 6128L2 Management Manual Download Page 230 | Manualshive

Page: 230 / 606

background image

C

ONFIGURING

THE

S

WITCH

3-176

Configuring Private VLANs

Private VLANs provide port-based security between ports within the
assigned VLAN. This switch supports primary/secondary associated
groups of private VLAN. A primary VLAN contains promiscuous ports
that can communicate with all other ports in the private VLAN group,
while a secondary (or community) VLAN contains community ports that
can only communicate with other hosts within the secondary VLAN and
with any of the promiscuous ports in the associated primary VLAN. In
both cases, the promiscuous ports are designed to provide open access to
an external network such as the Internet, while the community ports
provide restricted access to local users.

Multiple primary VLANs can be configured on this switch, and multiple
community VLANs can be associated with each primary VLAN. (Note
that private VLANs and normal VLANs can exist simultaneously within
the same switch.)

To configure primary/secondary associated groups, follow these steps:

1. Use the Private VLAN Configuration menu to designate one or more

community VLANs, and the primary VLAN that will channel traffic
outside of the VLAN groups.

2. Use the Private VLAN Association menu to map the secondary (i.e.,

community) VLAN(s) to the primary VLAN.

3. Use the Private VLAN Port Configuration menu to set the port type to

promiscuous (i.e., having access to all ports in the primary VLAN), or
host (i.e., having access restricted to community VLAN members, and
channeling all other traffic through promiscuous ports). Then assign
any promiscuous ports to a primary VLAN and any host ports a
community VLAN.

«
...
228
229
230
231
232
...
»

Summary of Contents for 6128L2

Page 1: ...mbination ports Non blocking switching architecture Spanning Tree Protocol and Rapid STP Up to 8 LACP or static trunks CoS support through four priority queues Full support for VLANs with GVRP IGMP multicast filtering and snooping Support for jumbo frames up to 9 KB Manageable via console Web SNMP RMON Management Guide SMC6128L2 ...

Page 2: ......

Page 3: ...20 Mason Irvine CA 92618 Phone 949 679 8000 TigerSwitch 10 100 Management Guide From SMC s Tiger line of feature rich workgroup LAN solutions March 2007 Pub 149100033500A ...

Page 4: ...ed by implication or oth erwise under any patent or patent rights of SMC SMC reserves the right to change specifications at any time without notice Copyright 2007 by SMC Networks Inc 20 Mason Irvine CA 92618 All rights reserved Printed in Taiwan Trademarks SMC is a registered trademark and EZ Switch TigerStack and TigerSwitch are trademarks of SMC Networks Inc Other product and company names are t...

Page 5: ...ncorporates these newer technologies At that point the obsolete product is discontinued and is no longer an Active SMC product A list of discontinued products with their respective dates of discontinuance can be found at http www smc com index cfm action customer_service_warranty All products that are replaced become the property of SMC Replacement products may be either new or reconditioned Any r...

Page 6: ...CIDENT FIRE LIGHTNING OR OTHER HAZARD LIMITATION OF LIABILITY IN NO EVENT WHETHER BASED IN CONTRACT OR TORT INCLUDING NEGLIGENCE SHALL SMC BE LIABLE FOR INCIDENTAL CONSEQUENTIAL INDIRECT SPECIAL OR PUNITIVE DAMAGES OF ANY KIND OR FOR LOSS OF REVENUE LOSS OF BUSINESS OR OTHER FINANCIAL LOSS ARISING OUT OF OR IN CONNECTION WITH THE SALE INSTALLATION MAINTENANCE USE PERFORMANCE FAILURE OR INTERRUPTIO...

Page 7: ...nabling SNMP Management Access 2 9 Community Strings for SNMP version 1 and 2c clients 2 9 Trap Receivers 2 10 Configuring Access for SNMP Version 3 Clients 2 11 Saving Configuration Settings 2 11 Managing System Files 2 12 3 Configuring the Switch 3 1 Using the Web Interface 3 1 Navigating the Web Browser Interface 3 3 Home Page 3 3 Configuration Options 3 4 Panel Display 3 4 Main Menu 3 5 Basic ...

Page 8: ... Configuring SNTP 3 42 Setting the Time Zone 3 43 Simple Network Management Protocol 3 44 Enabling the SNMP Agent 3 47 Setting Community Access Strings 3 47 Specifying Trap Managers and Trap Types 3 49 Configuring SNMPv3 Management Access 3 52 Setting the Local Engine ID 3 52 Specifying a Remote Engine ID 3 53 Configuring SNMPv3 Users 3 54 Configuring Remote SNMPv3 Users 3 57 Configuring SNMPv3 Gr...

Page 9: ... Port Configuration 3 108 Displaying Connection Status 3 108 Configuring Interface Connections 3 111 Creating Trunk Groups 3 113 Statically Configuring a Trunk 3 115 Enabling LACP on Selected Ports 3 117 Configuring LACP Parameters 3 119 Displaying LACP Port Counters 3 122 Displaying LACP Settings and Status for the Local Side 3 124 Displaying LACP Settings and Status for the Remote Side 3 127 Set...

Page 10: ...ating VLANs 3 180 Displaying Private VLAN Interface Information 3 181 Configuring Private VLAN Interfaces 3 182 Configuring Protocol VLANs 3 184 Configuring Protocol VLAN Basic Settings 3 184 Configuring Protocol VLAN System 3 185 Class of Service Configuration 3 186 Setting the Default Priority for Interfaces 3 186 Mapping CoS Values to Egress Queues 3 187 Enabling CoS 3 190 Selecting the Queue M...

Page 11: ...us 3 224 Displaying Port Members of Multicast Groups 3 225 Configuring MVR Interface Status 3 227 Assigning Static Multicast Groups to Interfaces 3 229 DHCP Snooping 3 230 DHCP Snooping Configuration 3 232 DHCP Snooping VLAN Configuration 3 233 DHCP Snooping Information Option Configuration 3 233 DHCP Snooping Port Configuration 3 235 DHCP Snooping Binding Information 3 236 IP Source Guard 3 237 I...

Page 12: ...tory 4 6 Understanding Command Modes 4 7 Exec Commands 4 7 Configuration Commands 4 8 Command Line Processing 4 10 Command Groups 4 11 Line Commands 4 14 line 4 15 login 4 16 password 4 17 timeout login response 4 18 exec timeout 4 19 password thresh 4 20 silent time 4 21 databits 4 21 parity 4 22 speed 4 23 stopbits 4 24 disconnect 4 24 show line 4 25 General Commands 4 26 enable 4 27 disable 4 2...

Page 13: ... 41 ip http secure port 4 43 Telnet Server Commands 4 44 ip telnet server 4 44 ip telnet server port 4 44 Secure Shell Commands 4 45 ip ssh server 4 48 ip ssh timeout 4 49 ip ssh authentication retries 4 50 ip ssh server key size 4 51 delete public key 4 51 ip ssh crypto host key generate 4 52 ip ssh crypto zeroize 4 53 ip ssh save host key 4 53 show ip ssh 4 54 show ssh 4 54 show public key 4 56 ...

Page 14: ... 4 70 sntp server 4 71 sntp poll 4 72 show sntp 4 73 clock timezone 4 73 calendar set 4 74 show calendar 4 75 System Status Commands 4 76 show startup config 4 76 show running config 4 77 show system 4 80 show users 4 81 show version 4 81 Frame Size Commands 4 82 jumbo frame 4 82 Flash File Commands 4 84 copy 4 84 delete 4 87 dir 4 88 whichboot 4 89 boot system 4 90 Authentication Commands 4 91 Au...

Page 15: ...ontrol 4 105 dot1x default 4 105 dot1x max req 4 106 dot1x port control 4 106 dot1x operation mode 4 107 dot1x re authenticate 4 108 dot1x re authentication 4 108 dot1x timeout quiet period 4 109 dot1x timeout re authperiod 4 109 dot1x timeout tx period 4 110 show dot1x 4 110 Access Control List Commands 4 113 IP ACLs 4 114 access list ip 4 115 permit deny Standard ACL 4 116 permit deny Extended A...

Page 16: ...er group 4 137 show snmp group 4 138 snmp server user 4 140 show snmp user 4 142 Interface Commands 4 143 interface 4 144 description 4 144 speed duplex 4 145 negotiation 4 146 capabilities 4 147 flowcontrol 4 148 shutdown 4 149 clear counters 4 150 show interfaces status 4 151 show interfaces counters 4 152 show interfaces switchport 4 154 Broadcast Commands 4 156 broadcast packet rate 4 156 swit...

Page 17: ...Commands 4 180 spanning tree 4 181 spanning tree mode 4 182 spanning tree forward time 4 183 spanning tree hello time 4 184 spanning tree max age 4 185 spanning tree priority 4 186 spanning tree pathcost method 4 186 spanning tree transmission limit 4 187 spanning tree spanning disabled 4 188 spanning tree cost 4 188 spanning tree port priority 4 189 spanning tree edge port 4 190 spanning tree por...

Page 18: ...ping 4 212 show vlan private vlan 4 213 GVRP and Bridge Extension Commands 4 214 bridge ext gvrp 4 214 show bridge ext 4 215 switchport gvrp 4 216 show gvrp configuration 4 216 garp timer 4 217 show garp timer 4 218 Priority Commands 4 219 Priority Commands Layer 2 4 219 queue mode 4 220 switchport priority default 4 221 queue bandwidth 4 222 queue cos map 4 223 show queue mode 4 224 show queue ba...

Page 19: ... snooping vlan mrouter 4 240 show ip igmp snooping mrouter 4 241 IGMP Filtering and Throttling Commands 4 242 ip igmp filter Global Configuration 4 243 ip igmp profile 4 244 permit deny 4 244 range 4 245 ip igmp filter Interface Configuration 4 246 ip igmp max groups 4 247 ip igmp max groups action 4 248 show ip igmp filter 4 248 show ip igmp profile 4 249 show ip igmp throttle interface 4 250 Mul...

Page 20: ...5 ip dhcp snooping information policy 4 276 ip dhcp snooping database flash 4 277 show ip dhcp snooping 4 277 show ip dhcp snooping binding 4 278 Switch Cluster Commands 4 278 cluster 4 279 cluster commander 4 280 cluster ip pool 4 281 cluster member 4 282 rcommand 4 282 show cluster 4 283 show cluster members 4 283 show cluster candidates 4 284 A Software Specifications A 1 Software Features A 1 ...

Page 21: ...CONTENTS xvii Glossary Index ...

Page 22: ...CONTENTS xviii ...

Page 23: ...ity 3 194 Table 4 1 Command Modes 4 7 Table 4 2 Configuration Commands 4 9 Table 4 3 Keystroke Commands 4 10 Table 4 4 Command Group Index 4 11 Table 4 5 Line Command Syntax 4 14 Table 4 6 General Commands 4 26 Table 4 7 System Management Commands 4 32 Table 4 8 Device Designation Commands 4 33 Table 4 9 User Access Commands 4 34 Table 4 10 Default Login Settings 4 35 Table 4 11 IP Filter Commands...

Page 24: ... id display description 4 135 Table 4 39 show snmp view display description 4 137 Table 4 40 show snmp group display description 4 139 Table 4 41 show snmp user display description 4 142 Table 4 42 Interface Commands 4 143 Table 4 43 show interfaces switchport display description 4 155 Table 4 44 Broadcast Commands 4 156 Table 4 45 Mirror Port Commands 4 158 Table 4 46 Rate Limit Commands 4 160 Ta...

Page 25: ... Snooping Commands 4 230 Table 4 67 IGMP Query Commands Layer 2 4 235 Table 4 68 Static Multicast Routing Commands 4 240 Table 4 69 IGMP Filtering and Throttling Commands 4 242 Table 4 70 Multicast VLAN Registration Commands 4 251 Table 4 71 show mvr display description 4 256 Table 4 73 show mvr members display description 4 257 Table 4 72 show mvr interface display description 4 257 Table 4 74 IP...

Page 26: ...TABLES xxii ...

Page 27: ... Displaying Logs 3 35 Figure 3 17 System Logs 3 37 Figure 3 18 Remote Logs 3 38 Figure 3 19 Enabling and Configuring SMTP 3 40 Figure 3 20 Resetting the System 3 41 Figure 3 21 SNTP Configuration 3 43 Figure 3 22 Setting the Time Zone 3 44 Figure 3 23 Enabling the SNMP Agent 3 47 Figure 3 24 Configuring SNMP Community Strings 3 48 Figure 3 25 Configuring SNMP Trap Managers 3 51 Figure 3 26 Setting...

Page 28: ... Information 3 123 Figure 3 55 Displaying LACP Port Information 3 126 Figure 3 56 Displaying Remote LACP Port Information 3 128 Figure 3 57 Enabling Port Broadcast Control 3 130 Figure 3 58 Configuring a Mirror Port 3 132 Figure 3 59 Configuring Input Port Rate Limiting 3 133 Figure 3 60 Displaying Port Statistics 3 138 Figure 3 61 Displaying Etherlike and RMON Statistics 3 139 Figure 3 62 Mapping...

Page 29: ...vice Policy Settings 3 205 Figure 3 92 Configuring Internet Group Management Protocol 3 209 Figure 3 93 Enabling IGMP Filter 3 210 Figure 3 94 IGMP Immediate Leave 3 211 Figure 3 95 Mapping Multicast Switch Ports to VLANs 3 212 Figure 3 96 Static Multicast Router Port Configuration 3 213 Figure 3 97 Displaying Port Members of Multicast Services 3 214 Figure 3 98 Specifying Multicast Port Membershi...

Page 30: ...P Source Guard Binding Configuration 3 240 Figure 3 113 Dynamic IP Source Guard Binding Information 3 241 Figure 3 114 Cluster Configuration 3 243 Figure 3 115 Cluster Member Configuration 3 244 Figure 3 116 Cluster Member Information 3 245 Figure 3 117 Cluster Candidate Information 3 246 ...

Page 31: ...e switch s performance for your particular network environment Key Features Table 1 1 Key Features Feature Description Configuration Backup and Restore Backup to TFTP server Authentication Console Telnet web User name password RADIUS TACACS Web HTTPS Telnet SSH SNMP v1 v2c v3 Community strings Port IEEE 802 1X MAC address filtering Access Control Lists Supports up to 32 IP DHCP Client Supported Po...

Page 32: ...ications Some of the management features are briefly described below Port Trunking Supports up to 8 trunks using either static or dynamic trunking LACP Broadcast Storm Control Supported Static Address Up to 8K MAC addresses in the forwarding table IEEE 802 1D Bridge Supports dynamic data switching and addresses learning Store and Forward Switching Supported to ensure wire speed switching while eli...

Page 33: ...ent access over a Telnet equivalent connection SNMP Version 3 IP address filtering for SNMP web Telnet management access and MAC address filtering for port access Access Control Lists ACLs provide packet filtering for IP frames based on address protocol TCP UDP port number or TCP control code or any frames based on MAC address or Ethernet type ACLs can by used to improve performance by blocking un...

Page 34: ...hould fail The switch supports up to 8 trunks Broadcast Storm Control Broadcast suppression prevents broadcast traffic from overwhelming the network When enabled on a port the level of broadcast traffic passing through the port is restricted If broadcast traffic rises above a pre defined threshold it will be throttled until the level falls back beneath the threshold Static Addresses A static addre...

Page 35: ...ance by allowing two or more redundant connections to be created between a pair of LAN segments When there are multiple physical paths between segments this protocol will choose a single path and disable all others to ensure that only one route exists between any two stations on the network This prevents the creation of network loops However if the chosen path should fail for any reason an alterna...

Page 36: ...rity by restricting all traffic to the originating VLAN Use private VLANs to restrict traffic to pass only between data ports and the uplink ports thereby isolating adjacent ports within the same VLAN and allowing you to limit the total number of VLANs that need to be configured Traffic Prioritization This switch prioritizes each packet based on the required level of service using eight priority q...

Page 37: ...em Defaults The switch s system defaults are provided in the configuration file Factory_Default_Config cfg To reset the switch defaults this file should be set as the startup configuration file page 3 27 The following table lists some of the basic system defaults Table 1 2 System Defaults Function Parameter Default Console Port Connection Baud Rate 9600 Data bits 8 Stop bits 1 Parity none Local Co...

Page 38: ...ol Disabled Rate Limiting Input limits Disabled Port Trunking Static Trunks None LACP all ports Disabled Broadcast Storm Protection Status Enabled all ports Broadcast Limit Rate 500 packets per second Spanning Tree Protocol Status Enabled RSTP Defaults All values based on IEEE 802 1w Fast Forwarding Edge Port Disabled Address Table Aging Time 300 seconds Virtual LANs Default VLAN 1 PVID 1 Acceptab...

Page 39: ...Subnet Mask 255 0 0 0 Default Gateway 0 0 0 0 DHCP Enabled BOOTP Disabled Multicast Filtering IGMP Snooping Snooping Enabled Querier Enabled System Log Status Enabled Messages Logged Levels 0 6 all Messages Logged to Flash Levels 0 3 SMTP Email Alerts Event Handler Enabled but no server defined SNTP Clock Synchronization Disabled Table 1 2 System Defaults Continued Function Parameter Default ...

Page 40: ...INTRODUCTION 1 10 ...

Page 41: ...P Web agent allows you to configure switch parameters monitor port connections and display statistics using a standard Web browser such as Netscape Navigator version 6 2 and higher or Microsoft IE version 5 0 and higher The switch s Web management interface can be accessed from any computer attached to the network The CLI program can be accessed by a direct connection to the RS 232 serial console ...

Page 42: ...t filtering Upload and download system firmware via TFTP Upload and download switch configuration files via TFTP Configure Spanning Tree parameters Configure Class of Service CoS priority queuing Configure up to 8 static or LACP trunks Enable port mirroring Set broadcast storm control on any port Display system information and statistics Required Connections The switch provides an RS 232 serial po...

Page 43: ...p bit and no parity Set flow control to none Set the emulation mode to VT100 With HyperTerminal select Terminal keys not Windows keys Notes 1 When using HyperTerminal with Microsoft Windows 2000 make sure that you have Windows 2000 Service Pack 2 or later installed Windows 2000 Service Pack 2 fixes the problem of arrow keys not functioning in HyperTerminal s VT100 emulation See www microsoft com f...

Page 44: ...ed using Telnet from any computer attached to the network The switch can also be managed by any computer using a web browser Internet Explorer 5 0 or above or Netscape Navigator 6 2 or above or from a network computer using SNMP network management software Note The onboard program only provides access to basic configuration functions To access the full range of SNMP management functions you must u...

Page 45: ...Setting Passwords Note If this is your first time to log into the CLI program you should define new passwords for both default user names using the username command record them and put them in a safe place Passwords can consist of up to 8 alphanumeric characters and are case sensitive To prevent unauthorized access to the switch set the passwords as follows 1 Open the console interface with the de...

Page 46: ...You may also need to specify a default gateway that resides between this device and management stations on another network segment Valid IP addresses consist of four decimal numbers 0 to 255 separated by periods Anything outside this format will not be accepted by the CLI program Note The IP address for this switch is obtained via DHCP by default Before you can assign an IP address to the switch y...

Page 47: ...you select the bootp or dhcp option IP will be enabled but will not function until a BOOTP or DHCP reply has been received You therefore need to use the ip dhcp restart client command to start broadcasting service requests Requests will be sent periodically in an effort to obtain IP configuration information BOOTP and DHCP values can include the IP address subnet mask and default gateway If the bo...

Page 48: ... broadcasting service requests Press Enter 5 Wait a few minutes and then check the IP configuration settings by typing the show ip interface command Press Enter 6 Then save your configuration changes by typing copy running config startup config Enter the startup file name and press Enter Console config interface vlan 1 Console config if ip address dhcp Console config if end Console ip dhcp restart...

Page 49: ...ents you must specify a community string The switch provides a default MIB View i e an SNMPv3 construct for the default public community string that provides read access to the entire MIB tree and a default view for the private community string that provides read write access to the entire MIB tree However you may assign new views to version 1 or 2c community strings that suit your specific securi...

Page 50: ...he default community strings If there are no community strings then SNMP management access from SNMP v1 and v2c clients is disabled Trap Receivers You can also specify SNMP stations that are to receive traps from the switch To configure a trap receiver use the snmp server host command From the Privileged Exec level global configuration mode prompt type snmp server host host address community strin...

Page 51: ...password einstien for encryption For a more detailed explanation on how to configure the switch for access from SNMP v3 clients refer to Simple Network Management Protocol on page 3 44 or refer to the specific CLI commands for SNMP starting on page 4 123 Saving Configuration Settings Configuration commands only modify the running configuration file and are not saved when the switch is rebooted To ...

Page 52: ...ation settings are saved Saved configuration files can be selected as a system start up file or can be uploaded via TFTP to a server for backup A file named Factory_Default_Config cfg contains all the system default settings and cannot be deleted from the system See Saving or Restoring Configuration Settings on page 3 27 for more information Operation Code System software that is executed after bo...

Page 53: ...of each type must be set as the start up file During a system boot the diagnostic and operation code files set as the start up file are run and then the start up configuration file is loaded Note that configuration files should be downloaded using a file name that reflects the contents or usage of the file settings If you download directly to the running config the system will reboot and the setti...

Page 54: ...INITIAL CONFIGURATION 2 14 ...

Page 55: ...ia Telnet For more information on using the CLI refer to Chapter 4 Command Line Interface Prior to accessing the switch from a Web browser be sure you have first performed the following tasks 1 Configure the switch with a valid IP address subnet mask and default gateway using an out of band serial connection BOOTP or DHCP protocol See Setting an IP Address on page 2 6 2 Set user names and password...

Page 56: ... password If you log in as admin Privileged Exec level you can change the settings on any page 3 If the path between your management station and this switch does not pass through any device that uses the Spanning Tree Algorithm then you can set the switch port attached to your management station to fast forwarding i e enable Admin Edge Port to improve the switch s response time to management comma...

Page 57: ...rs and statistics The default user name and password for the administrator is admin Home Page When your web browser connects with the switch s web agent the home page is displayed as shown below The home page displays the Main Menu on the left side of the screen and System Information on the right side The Main Menu links are used to navigate to other menus and display configuration parameters and...

Page 58: ...Every visit to the page 2 When using Internet Explorer 5 0 you may have to manually refresh the screen after making configuration changes by pressing the browser s refresh button Panel Display The web agent displays an image of the switch s ports The Mode can be set to display different information for the ports including Active i e up or down Duplex i e half or full duplex or Flow Control i e wit...

Page 59: ...tus 3 15 Bridge Extension Configuration Shows the bridge extension parameters 3 17 IP Configuration Sets the IP address for management access 3 19 Jumbo Frames Enables or disables jumbo frames 3 23 File Management 3 25 Copy Operation Allows the transfer and copying files 3 25 Delete Allows deletion of files from the flash memory 3 27 Set Start Up Sets the start up file 3 25 Line 3 29 Console Sets ...

Page 60: ...ne ID Adds a Remote Engine ID and IP Host 3 53 Users Creates or deletes user accounts 3 54 Remote Users Creates or deletes remote user accounts 3 57 Groups Creates or deletes SNMPv3 Groups 3 60 Views Creates or deletes SNMPv3 Views 3 65 Security 3 67 User Accounts Assigns a new password for the current user 3 68 Authentication Settings Configures authentication sequence RADIUS and TACACS 3 69 HTTP...

Page 61: ...lter Sets IP addresses of clients allowed management access 3 106 Port 3 106 Port Information Displays port connection status 3 108 Trunk Information Displays trunk connection status 3 108 Port Configuration Configures port connection settings 3 111 Trunk Configuration Configures trunk connection settings 3 111 Trunk Membership Specifies ports to group into static trunks 3 115 LACP 3 117 Configura...

Page 62: ...output rate limit for each ports 3 132 Output Trunk Configuration Sets the output rate limit for each trunks 3 132 Port Statistics Lists Ethernet and RMON port statistics 3 134 Address Table 3 140 Static Addresses Displays entries for interface address or VLAN 3 140 Dynamic Addresses Displays or edits static entries in the Address Table 3 142 Address Aging Sets timeout for dynamically learned entr...

Page 63: ...aces including tagged untagged or forbidden 3 172 Port Configuration Specifies default PVID and VLAN attributes 3 173 Trunk Configuration Specifies default trunk VID and VLAN attributes 3 173 Private VLAN 3 176 Information Displays Private VLAN feature information 3 177 Configuration This page is used to create remove primary or community VLANs 3 179 Association Each community VLANmustbe associate...

Page 64: ...ic Classes Status Enables disables traffic class priorities 3 190 Queue Mode Sets queue mode to strict priority or Weighted Round Robin 3 190 Queue Scheduling Configures Weighted Round Robin queueing 3 191 IP DSCP Priority Status Globally selects IP DSCP Priority or disables it 3 193 IP DSCP Priority Sets IP Differentiated Services Code Point priority mapping a DSCP tag to a class of service value...

Page 65: ...ted VLAN 3 215 IGMP Filter Profile Configuration Configures IGMP profile group 3 217 IGMP Filter Throttling Port Configuration Configures IGMP port filter and throttling 3 219 IGMP Filter Throttling Trunk Configuration Configures IGMP trunk filter and throttling 3 219 MVR 3 221 Configuration Globally enables MVR sets the MVR VLAN adds multicast stream addresses 3 223 Port Information Displays MVR ...

Page 66: ...ption policy 3 235 Binding Information Displays the DHCP Snooping binding information 3 236 IP Source Guard 3 237 Port Configuration Enables IP source guard and selects filter type per port 3 237 Static Configuration Adds a static addresses to the source guard binding table 3 239 Dynamic Information Displays the source guard binding table for a selected interface 3 240 Cluster 3 242 Configuration ...

Page 67: ... the management agent has been up These additional parameters are displayed for the CLI MAC Address The physical layer address for this switch Web server Shows if management access via HTTP is enabled Web server port Shows the TCP port number used by the web interface Web secure server Shows if management access via HTTPS is enabled Web secure server port Shows the TCP port used by the HTTPS inter...

Page 68: ...stem Information Specify the system name location and contact information for the system administrator then click Apply This page also includes a Telnet button that allows access to the Command Line Interface via Telnet Figure 3 3 System Information ...

Page 69: ...ole config hostname R D 5 4 34 Console config snmp server location WC 9 4 128 Console config snmp server contact Geoff 4 127 Console config exit Console show system 4 80 System Description SMC Networks SMC6128L2 System OID String 1 3 6 1 4 1 259 6 10 94 System Information System Up Time 0 days 0 hours 7 minutes and 22 65 seconds System Name R D 5 System Location WC 9 System Contact Geoff MAC Addre...

Page 70: ...number of the Electronically Programmable Logic Device code Loader Version Version number of loader code Boot ROM Version Version of Power On Self Test POST and boot code Operation Code Version Version number of runtime code Role Displays the switch as a master or slave unit Web Click System Switch Information Figure 3 4 Switch Information ...

Page 71: ...on Protocol Traffic Classes This switch provides mapping of user priorities to multiple traffic classes Refer to Displaying Private VLAN Interface Information on page 3 181 Static Entry Individual Port This switch allows static filtering for unicast and multicast addresses Refer to Setting Static Addresses on page 3 140 VLAN Learning This switch uses Independent VLAN Learning IVL where each port m...

Page 72: ...able This switch supports multiple local bridges i e multiple spanning trees Refer to VLAN Configuration on page 3 161 GMRP GARP Multicast Registration Protocol GMRP allows network devices to register endstations with multicast groups This switch does not support GMRP it uses the Internet Group Management Protocol IGMP to provide automatic multicast filtering Web Click System Bridge Extension Conf...

Page 73: ...c IP address or direct the device to obtain an address from a BOOTP or DHCP server Valid IP addresses consist of four decimal numbers 0 to 255 separated by periods Anything outside this format will not be accepted by the CLI program Command Attributes Management VLAN ID of the configured VLAN 1 4093 no leading zeroes By default all ports on the switch are members of VLAN 1 However the management s...

Page 74: ...e IP address subnet mask and default gateway IP Address Address of the VLAN interface that is allowed management access Valid IP addresses consist of four numbers 0 to 255 separated by periods Default 0 0 0 0 Subnet Mask This mask identifies the host address bits used for routing to specific subnets Default 255 255 255 0 Gateway IP Address IP address of the gateway router between this device and m...

Page 75: ...tatic enter the IP address subnet mask and gateway then click Apply Figure 3 6 Manual IP Configuration CLI Specify the management interface IP address and default gateway Console config Console config interface vlan 1 4 144 Console config if ip address 10 1 0 254 255 255 255 0 4 259 Console config if exit Console config ip default gateway 192 168 1 254 4 261 Console config ...

Page 76: ...management station is attached set the IP Address Mode to DHCP or BOOTP Click Apply to save your changes Then click Restart DHCP to immediately request a new address Note that the switch will also broadcast a request for IP configuration settings on each power reset Figure 3 7 DHCP IP Configuration Note If you lose your management connection use a console connection and enter show ip interface to ...

Page 77: ...ctioning you will not be able to renew the IP settings via the web interface You can only restart DHCP service via the web interface if the current address is still available CLI Enter the following command to restart DHCP service Enabling Jumbo Frames You can enable jumbo frames to support data packets up to 9000 bytes in size Command Attributes Jumbo Packet Status Check the box to enable jumbo f...

Page 78: ...can discover switches on local or other networks After discovering the switches Batch Upgrade can then be set to automatically upgrade the runtime code on all discovered switches Batch Upgrade is provided in the Batch Upgrade folder in the CD provided with this switch For details see the Batch Upgrade document in this Batch Upgrade folder Command Attributes File Transfer Method The firmware copy o...

Page 79: ...is file cannot be deleted Downloading System Software from a Server When downloading runtime code you can specify the destination file name to replace the current image or first download the file using a different name from the current runtime code file and then set the new file as the startup file Web Click System File Management Copy Operation Select tftp to file as the file transfer method ente...

Page 80: ...Apply Note that the file currently designated as the startup code cannot be deleted Figure 3 11 Deleting Files CLI Enter the IP address of the TFTP server select config or opcode file type then enter the source and destination file names set the new file to start up the system and then restart the switch Console copy tftp file 4 84 TFTP server ip address 10 1 0 19 Choose file type 1 config 2 opcod...

Page 81: ...s a file from the switch to a TFTP server running config to file Copies the running configuration to a file running config to startup config Copies the running config to the startup config running config to tftp Copies the running configuration to a TFTP server startup config to file Copies the startup configuration to a file on the switch startup config to running config Copies the startup config...

Page 82: ...t it as the startup file or you can specify the current startup configuration file as the destination file to directly replace it Note that the file Factory_Default_Config cfg can be copied to the TFTP server but cannot be used as the destination on the switch Web Click System File Management Copy Operation Select tftp to startup config or tftp to file and enter the IP address of the TFTP server S...

Page 83: ...h Console Port Settings You can access the onboard configuration program by attaching a VT100 compatible device to the switch s serial console port Management access through the console port is controlled by various parameters including a password timeouts and basic communication settings These parameters can be configured via the web or CLI interface Console copy tftp startup config 4 84 TFTP ser...

Page 84: ...ing the next logon attempt Range 0 120 Default 3 attempts Silent Time Sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts has been exceeded Range 0 65535 Default 0 Data Bits Sets the number of data bits per character that are interpreted and generated by the console port If parity is being generated specify 7 data bits per character If no ...

Page 85: ... the correct password the system shows a prompt Default No password Login Enables password checking at login You can select authentication by a single global password as configured for the Password parameter or by passwords set up for specific user name accounts Default Local Web Click System Line Console Specify the console port connection parameters as required then click Apply Figure 3 14 Conso...

Page 86: ...ult Enabled Telnet Port Number Sets the TCP port number for Telnet on the switch Default 23 Console config line console 4 15 Console config line login local 4 16 Console config line password 0 secret 4 17 Console config line timeout login response 0 4 18 Console config line exec timeout 0 4 19 Console config line password thresh 3 4 20 Console config line silent time 60 4 21 Console config line da...

Page 87: ...gon attempt threshold is reached the system interface becomes silent for a specified amount of time set by the Silent Time parameter before allowing the next logon attempt Range 0 120 Default 3 attempts Available in CLI only Password Specifies a password for the line connection When a connection is started on a line with password protection the system prompts for the password If you enter the corr...

Page 88: ...d system and event messages The switch can store up to 2048 log entries in temporary random access memory RAM i e memory flushed on power reset and up to 4096 entries in permanent flash memory Console config line vty 4 15 Console config line login local 4 16 Console config line password 0 secret 4 17 Console config line timeout login response 300 4 18 Console config line exec timeout 600 4 19 Cons...

Page 89: ...ms Up to 4096 log entries can be stored in the flash memory with the oldest entries being overwritten first when the available log memory 256 kilobytes has been exceeded The System Logs page allows you to configure and limit system messages that are logged to flash or RAM memory The default is for event levels 0 to 3 to be logged to flash and levels 0 to 6 to be logged to RAM Console show log ram ...

Page 90: ...xample if level 7 is specified all messages from level 0 to level 7 will be logged to RAM Range 0 7 Default 7 Note The Flash Level must be equal to or less than the RAM Level Table 3 3 Logging Levels Level Severity Name Description 7 Debug Debugging messages 6 Informational Informational messages only 5 Notice Normal but significant condition such as cold start 4 Warning Warning conditions e g ret...

Page 91: ...servers or other management stations You can also limit the error messages sent to only those messages below a specified level Command Attributes Remote Log Status Enables disables the logging of debug or error messages to the remote logging process Default Enabled Logging Facility Sets the facility type for remote logging of syslog messages There are eight facility types specified by values of 16...

Page 92: ... all levels up to the specified level For example if level 3 is specified all messages from level 0 to level 3 will be sent to the remote server Range 0 7 Default 7 Host IP List Displays the list of remote server IP addresses that receive the syslog messages The maximum number of host IP addresses allowed is five Host IP Address Specifies a new server IP address to add to the Host IP List Web Clic...

Page 93: ...e notification only Level 6 Notifice Sends notification of a normal but significant condition such as a cold start Level 5 Warning Sends notification of a warning condition such as return false or unexpected return Level 4 Error Sends notification that an error conditions has occurred such as invalid input or default used Level 3 Console config logging host 192 168 1 15 4 59 Console config logging...

Page 94: ...list of recipient SMTP servers SMTP Server Specifies a new SMTP server address to add to the SMTP Server List Email Destination Address List Specifies a list of recipient Email Destination Address Email Destination Address This command specifies SMTP servers that may receive alert messages Web Click System Log SMTP To add an IP address to the Server IP List type the new IP address in the Server IP...

Page 95: ... want reset the switch Figure 3 20 Resetting the System CLI Use the reload command to restart the switch When prompted confirm that you want to reset the switch Note When restarting the system it will always run the Power On Self Test Console config logging sendmail host 192 168 1 19 Console config logging sendmail level 3 Console config logging sendmail source email bill this company com Console ...

Page 96: ...pdate to a configured time server You can configure up to three time server IP addresses The switch will attempt to poll each server in the configured sequence Configuring SNTP You can configure the switch to send time synchronization requests to specific time servers Command Attributes SNTP Client Configures the switch to operate as an SNTP client This requires at least one time server to be spec...

Page 97: ...s longitude To display a time corresponding to your local time you must indicate the number of hours and minutes your time zone is east before or west after of UTC Command Attributes Current Time Displays the current time Name Assigns a name to the time zone Range 1 29 characters Console config sntp client 4 71 Console config sntp poll 604 72 Console config sntp server 10 1 0 19 137 82 140 80 128 ...

Page 98: ...d specifically for managing devices on a network Equipment commonly managed with SNMP includes switches routers and host computers SNMP is typically used to configure these devices for proper operation in a network environment as well as to monitor them to evaluate performance or detect potential problems Managed devices supporting SNMP contain software which runs locally on the device and is refe...

Page 99: ...ubmit a valid community string for authentication Access to the switch using from clients using SNMPv3 provides additional security features that cover message integrity authentication and encryption as well as controlling user access to specific areas of the MIB tree The SNMPv3 security structure consists of security models with each model having it s own security levels There are three security ...

Page 100: ...er defined user defined user defined Community string only v2c noAuth NoPriv public read only defaultview none none Community string only v2c noAuth NoPriv private read write defaultview defaultview none Community string only v2c noAuth NoPriv user defined user defined user defined user defined Community string only v3 noAuth NoPriv user defined user defined user defined user defined A user name m...

Page 101: ...community strings authorized for management access by clients using SNMP v1 and v2c All community strings used for IP Trap Managers should be listed in this table For security reasons you should consider removing the default strings Command Attributes SNMP Community Capability The switch supports up to five community strings Current Displays a list of the community strings currently configured Com...

Page 102: ...gement stations are able to both retrieve and modify MIB objects Web Click SNMP Configuration Add new community strings as required select the access rights from the Access Mode drop down list then click Add Figure 3 24 Configuring SNMP Community Strings CLI The following example adds the string spiderman with read write access Console config snmp server community spiderman rw 4 127 Console config...

Page 103: ...on noAuth option an SNMP user account will be automatically generated and the switch will authorize SNMP access for the host Notifications are issued by the switch as trap messages by default The recipient of a trap message does not send a response to the switch Traps are therefore not as reliable as inform messages which include a request for acknowledgement of receipt Informs can be used to ensu...

Page 104: ...onding User Name in the SNMPv3 Users page for Version 3 clients Range 1 32 characters case sensitive Trap UDP Port Specifies the UDP port number used by the trap manager Trap Version Indicates if the user is running SNMP v1 v2c or v3 Default v1 Trap Security Level When trap version 3 is selected you must specify one of the following security levels Default noAuthNoPriv noAuthNoPriv There is no aut...

Page 105: ...nt station that will receive trap messages specify the UDP port trap version trap security level for v3 clients trap inform settings for v2c v3 clients and then click Add Select the trap types required using the check boxes for Authentication and Link up down traps and then click Apply Figure 3 25 Configuring SNMP Trap Managers CLI This example adds a trap manager and enables authentication traps ...

Page 106: ...ne ID An SNMPv3 engine is an independent SNMP agent that resides on the switch This engine protects against message replay delay and redirection The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets A local engine ID is automatically generated that is unique to the switch This is referred to as the default engin...

Page 107: ...are localized using the engine ID of the authoritative agent For informs the authoritative SNMP agent is the remote agent You therefore need to configure the remote agent s SNMP engine ID before you can send proxy requests or informs to it See Specifying Trap Managers and Trap Types on page 3 49 and Configuring Remote SNMPv3 Users on page 3 57 The engine ID can be specified by entering 1 to 26 hex...

Page 108: ...1 32 characters Group Name The name of the SNMP group to which the user is assigned Range 1 32 characters Security Model The user security model SNMP v1 v2c or v3 Security Level The security level used for the user noAuthNoPriv There is no authentication or encryption used in SNMP communications This is the default for SNMPv3 AuthNoPriv SNMP communications use authentication but the data is not en...

Page 109: ...he method used for user authentication Options MD5 SHA Default MD5 Authentication Password A minimum of eight plain text characters is required Privacy Protocol The encryption algorithm use for data privacy only 56 bit DES is currently available Privacy Password A minimum of eight plain text characters is required Actions Enables the user to be assigned to another SNMPv3 group ...

Page 110: ...nd assign it to a group then click Add to save the configuration and return to the User Name list To delete a user check the box next to the user name then click Delete To change the assigned group of a user click Change Group in the Actions column of the users table and select the new group Figure 3 28 Configuring SNMPv3 Users ...

Page 111: ...rst specify the engine identifier for the SNMP agent on the remote device where the user resides The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host See Specifying Trap Managers and Trap Types on page 3 49 and Specifying a Remote Engine ID on page 3 53 Console config snmp server user chris group r d v3 auth md5 gre...

Page 112: ...SNMP v1 v2c or v3 Default v1 Security Level The security level used for the user noAuthNoPriv There is no authentication or encryption used in SNMP communications This is the default for SNMPv3 AuthNoPriv SNMP communications use authentication but the data is not encrypted only available for the SNMPv3 security model AuthPriv SNMP communications use both authentication and encryption only availabl...

Page 113: ...ck New to configure a user name In the New User page define a name and assign it to a group then click Add to save the configuration and return to the User Name list To delete a user check the box next to the user name then click Delete Figure 3 29 Configuring Remote SNMPv3 Users ...

Page 114: ...ication or encryption used in SNMP communications AuthNoPriv SNMP communications use authentication but the data is not encrypted only available for the SNMPv3 security model AuthPriv SNMP communications use both authentication and encryption only available for the SNMPv3 security model Read View The configured view for read access Range 1 64 characters Write View The configured view for write acc...

Page 115: ...the new root e g upon expiration of the Topology Change Timer immediately subsequent to its election topologyChange 1 3 6 1 2 1 17 0 2 A topologyChange trap is sent by a bridge when any of its configured ports transitions from the Learning state to the Forwarding state or from the Forwarding state to the Discarding state The trap is not sent if a newRoot trap is sent for the same transition SNMPv2...

Page 116: ... is about to enter the down state from some other state but not from thenotPresentstate This other state is indicated by the included value of ifOperStatus linkUpa 1 3 6 1 6 3 1 1 5 4 A linkUp trap signifies that the SNMP entity acting in an agent role has detected that the ifOperStatus object for one of its communication links left the down state and transitioned into some other state but not int...

Page 117: ...and generates an event that is configured for sending SNMP traps fallingAlarm 1 3 6 1 2 1 16 0 2 The SNMP trap that is generated when an alarm entry crosses its falling threshold and generates an event that is configured for sending SNMP traps Private Traps swPowerStatus ChangeTrap 1 3 6 1 4 1 259 6 10 94 2 1 0 1 This trap is sent when the power state changes swIpFilterRejectTrap 1 3 6 1 4 1 259 6...

Page 118: ... group In the New Group page define a name assign a security model and level and then select read and write views Click Add to save the new group and return to the Groups list To delete a group check the box next to the group name then click Delete Figure 3 30 Configuring SNMPv3 Groups ...

Page 119: ... configured object identifiers of branches within the MIB tree that define the SNMP view Edit OID Subtrees Allows you to configure the object identifiers of branches within the MIB tree Wild cards can be used to mask a specific portion of the OID string Type Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view Console config snmp server grou...

Page 120: ...B to be included or excluded in the view Click Back to save the new view and return to the SNMPv3 Views list For a specific view click on View OID Subtrees to display the current configuration or click on Edit OID Subtrees to make changes to the view settings To delete a view check the box next to the view name then click Delete Figure 3 31 Configuring SNMPv3 Views ...

Page 121: ...cure web connection SSH Settings Provide a secure shell for secure Telnet access Port Security Configure secure addresses for individual ports 802 1X Use IEEE 802 1X port authentication to control access to specific ports Console config snmp server view ifEntry a 1 3 6 1 2 1 2 2 1 1 included 4 135 Console config exit Console show snmp view 4 136 View Name ifEntry a Subtree OID 1 3 6 1 2 1 2 2 1 1 ...

Page 122: ...possible and store it in a safe place The default guest name is guest with the password guest The default administrator name is admin with the password admin Command Attributes Account List Displays the current list of user accounts and associated access levels Default admin and guest New Account Displays configuration settings for a new account User Name The name of the user Maximum length 8 char...

Page 123: ...ntering it again then click Apply Figure 3 32 Access Levels CLI Assign a user name to access level 15 i e administrator then specify the password Configuring Local Remote Logon Authentication Use the Authentication Settings menu to restrict management access based on specified user names and passwords You can manually configure access rights on the switch or you can use a remote access authenticat...

Page 124: ...RADIUS encrypts only the password in the access request packet from the client to the server while TACACS encrypts the entire body of the packet Command Usage By default management access is always checked against the authentication database stored on the local switch If a remote authentication server is used you must specify the authentication sequence and the corresponding parameters for the rem...

Page 125: ...d on the RADIUS server is verified first If the RADIUS server is not available then authentication is attempted using the TACACS server and finally the local user name and password is checked Command Attributes Authentication Select the authentication or authentication sequence required Local User authentication is performed only locally by the switch Radius User authentication is performed using ...

Page 126: ...racters Number of Server Transmits Number of times the switch tries to authenticate logon access via the authentication server Range 1 30 Default 2 Timeout for a reply The number of seconds the switch waits for a reply from the RADIUS server before it resends the request Range 1 65535 Default 5 TACACS Settings Server IP Address Address of the TACACS server Default 10 11 12 13 Server Port Number Ne...

Page 127: ...4 95 Console config radius server port 181 4 96 Console config radius server key green 4 96 Console config radius server retransmit 5 4 97 Console config radius server timeout 10 4 98 Console show radius server 4 98 Server IP address 192 168 1 25 Communication key with radius server Server port number 181 Retransmit times 5 Request timeout 10 Console config authentication login tacacs 4 92 Console...

Page 128: ...ing the server s digital certificate The client and server negotiate a set of security protocols to use for the connection The client and server generate session keys for encrypting and decrypting data The client and server establish a secure encrypted connection A padlock icon should appear in the status bar for Internet Explorer 5 x or above and Netscape Navigator 6 2 or above The following web ...

Page 129: ...erver where the authorized certificate will be saved Source Certificate File Name File name for the certificate Source Private File Name Private key file name Private Password Password for the private key Web Click Security HTTPS Settings Enable HTTPS and specify the port number then click Apply To replace the default secure site certificate enter the TFTP Server IP Address the Source Certificate ...

Page 130: ...from a recognized certification authority Caution For maximum security we recommend you obtain a unique Secure Sockets Layer certificate at the earliest opportunity This is because the default certificate for the switch is not unique to the hardware you have purchased When you have obtained these place them on your TFTP server and use the following command at the switch s command line interface to...

Page 131: ...sing between the switch and SSH enabled management station clients and ensures that data traveling over the network arrives unaltered Notes 1 You need to install an SSH client on the management station to access the switch for management via the SSH protocol 2 The switch supports both SSH Version 1 5 and 2 0 Command Usage The SSH server on this switch supports both password and public key authenti...

Page 132: ...port Client s Public Key to the Switch Use the copy tftp public key command page 4 84 to copy a file containing the public key for all the SSH client s granted management access to the switch Note that these clients must be configured locally on the switch via the User Accounts page as described on page 3 68 The clients are subsequently authenticated using these keys The current firmware only acce...

Page 133: ...the bytes and sends the decrypted bytes back to the switch e The switch compares the decrypted bytes to the original bytes it sent If the two sets match this means that the client s private key corresponds to an authorized public key and the client is authenticated Notes 1 To use SSH with only password authentication the host public key must still be given to the client either during initial conne...

Page 134: ...n attempts that a client is allowed before authentication fails and the client has to restart the authentication process Range 1 5 times Default 3 SSH Server Key Size Specifies the SSH server key size Range 512 896 bits Default 768 The server key is a private key that is never shared outside the switch The host key is shared with the SSH client and is fixed at 1024 bits Web Click Security SSH Sett...

Page 135: ...A The first field indicates the size of the host key e g 1024 the second field is the encoded public exponent e g 65537 and the last string is the encoded modulus DSA The first field indicates that the encryption method used by SSH is based on the Digital Signature Standard DSS The last string is the encoded modulus Console config ip ssh server 4 48 Console config ip ssh timeout 100 4 49 Console c...

Page 136: ...ry Otherwise the host key pair is stored to RAM by default Note that you must select this item prior to generating the host key pair Generate This button is used to generate the host key pair Note that you must first generate the host key pair before you can enable the SSH server on the SSH Server Settings page Clear This button clears the host key from both volatile memory RAM and non volatile me...

Page 137: ...Console ip ssh save host key 4 48 Console show public key host 4 48 Host RSA 1024 65537 127250922544926402131336514546131189679055192360076028653006761 8240969094744832010252487896597759216832222558465238779154647980739 6314033869257931051057652122430528078658854857892726029378660892368 4142327591212760325919683697053439336438445223335188287173896894511 72929051081391964202519093210432857904576489...

Page 138: ...ublic and private keys Range RSA DSA Both Default RSA The SSH server uses RSA or DSA for key exchange when the client first establishes a connection with the switch and then negotiates with the client to select either DES 56 bit or 3DES 168 bit for data encryption TFTP Server IP Address The TFTP server IP address location for the public key pair Source File Name The file name used for the public k...

Page 139: ...ck Security SSH SSH User Key Settings Select the user type and public key type from the drop down box enter the TFTP server IP address input the source file name and then click Copy Public Key Figure 3 37 SSH User Public Key Settings ...

Page 140: ...frames received on a port for an initial training period and then enable port security to stop address Console ip ssh crypto host key generate 4 48 Console ip ssh save host key 4 48 Console show public key host 4 48 Host RSA 1024 65537 127250922544926402131336514546131189679055192360076028653006761 8240969094744832010252487896597759216832222558465238779154647980739 63140338692579310510576521224305...

Page 141: ...i VLAN port It cannot be used as a member of a static or dynamic trunk It should not be connected to a network interconnection device If a port is disabled shut down due to a security violation it must be manually re enabled from the Port Port Configuration page page 3 111 Command Attributes Port Port number Name Descriptive text page 4 144 Action Indicates the action to be taken when a port secur...

Page 142: ...entication Network switches can provide open and easy access to network resources by simply attaching a client PC Although this automatic configuration and access is a desirable feature it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data The IEEE 802 1X dot1x standard defines a port based access control procedure that prevents unauthorized acc...

Page 143: ...sponse to the switch which it forwards to the RADIUS server The RADIUS server verifies the client identity and sends an access challenge back to the client The EAP packet from the RADIUS server contains not only the challenge but the authentication method to be used The client can reject the authentication method and request another depending on the configuration of the client software and the RAD...

Page 144: ...ver and 802 1X client support EAP The switch only supports EAPOL in order to pass the EAP packets from the server to the client The RADIUS server and client also have to support the same EAP authentication type The current version of the firmware supports only the EAP MD5 authetication type Some clients have native support in Windows otherwise the dot1x client must support it Displaying 802 1X Glo...

Page 145: ...led Web Select Security 802 1X Configuration Enable dot1x globally for the switch and click Apply Figure 3 40 802 1X Global Configuration CLI This enables 802 1X globally for the switch Console show dot1x 4 110 Global 802 1X Parameters system auth control Disabled 802 1X Port Summary Port Name Status Operation Mode Mode Authorized 1 1 disabled Single Host ForceAuthorized n a 1 2 disabled Single Ho...

Page 146: ...ons Single Host Multi Host Default Single Host Max Count The maximum number of hosts that can connect to a port when the Multi Host operation mode is selected Range 1 1024 Default 5 Mode Sets the authentication mode to one of the following options Auto Requires a dot1x aware client to be authorized by the authentication server Clients that are not dot1x aware will be denied access Force Authorized...

Page 147: ... 3600 seconds Tx Period Sets the time period during an authentication session that the switch waits before re transmitting an EAP packet Range 1 65535 Default 30 seconds Authorized Yes Connected client is authorized No Connected client is not authorized Blank Displays nothing when dot1x is disabled on a port Supplicant Indicates the MAC address of a connected client Trunk Indicates if the port is ...

Page 148: ... Status Operation Mode Mode Authorized 1 1 disabled Single Host ForceAuthorized n a 1 2 enabled Single Host auto yes 1 28 disabled Single Host ForceAuthorized n a 802 1X Port Details 802 1X is disabled on port 1 1 802 1X is enabled on port 1 2 reauth enabled Enable reauth period 1800 quiet period 30 tx period 40 supplicant timeout 30 server timeout 10 reauth max 2 max req 5 Status Authorized Opera...

Page 149: ...The number of valid EAPOL frames of any type that have been received by this Authenticator Rx EAP Resp Id The number of EAP Resp Id frames that have been received by this Authenticator Rx EAP Resp Oth The number of valid EAP Response frames other than Resp Id frames that have been received by this Authenticator Rx EAP LenError The number of EAPOL frames that have been received by this Authenticato...

Page 150: ... the statistics Figure 3 42 Displaying 802 1X Port Statistics Tx EAP Req Id The number of EAP Req Id frames that have been transmitted by this Authenticator Tx EAP Req Oth The number of EAP Request frames other than Rq Id frames that have been transmitted by this Authenticator Table 3 7 802 1X Statistics Continued Parameter Descripton ...

Page 151: ...tions that apply to IP addresses MAC addresses or other more specific criteria This switch tests ingress or egress packets against the conditions in an ACL one by one A packet will be accepted as soon as it matches a permit rule or dropped as soon as it matches a deny rule If no rules match for a list of all permit rules the packet is dropped and if no rules match for a list of all deny rules the ...

Page 152: ...rmit any any in the ingress IP ACL for ingress ports 3 If no explicit rule is matched the implicit default is permit all Setting the ACL Name and Type Use the ACL Configuration page to designate the name and type of an ACL Command Attributes Name Name of the ACL Maximum length 16 characters Type There are three filtering modes Standard IP ACL mode that filters packets based on the source IP addres...

Page 153: ...he source IP address Use Any to include all possible addresses Host to specify a specific host address in the Address field or IP to specify a range of addresses with the Address and SubMask fields Options Any Host IP Default Any IP Address Source IP address Subnet Mask A subnet mask containing four integers from 0 to 255 each separated by a period The mask uses 1 bits to indicate match and 0 bits...

Page 154: ... 10 1 1 21 and another rule for the address range 168 92 16 x 168 92 31 x using a bitmask Configuring an Extended IP ACL Command Attributes Action An ACL can contain either all permit rules or all deny rules Default Permit rules Src Dst Address Type Specifies the source or destination IP address Use Any to include all possible addresses Host to specify a specific host address in the Address field ...

Page 155: ...l number 0 255 Options TCP UDP Others Default TCP Src Dst Port Source destination port number for the specified protocol type Range 0 65535 Src Dst Bit Mask Decimal number representing the port bits to match Range 0 65535 Control Code Decimal number representing a bit string that specifies flag bits in byte 14 of the TCP header Range 0 63 Control Code Bit Mask Decimal number representing the code ...

Page 156: ... select Host enter a specific address If you select IP enter a subnet address and the mask for an address range Set any other required criteria such as service type protocol type or TCP control code Then click Add Figure 3 45 Configuring Extended IP ACLs CLI This example adds three rules 1 Accept any incoming packets if the source address is in subnet 10 7 1 x For example if the rule is matched i ...

Page 157: ... destination MAC address VID VLAN ID Range 1 4095 VID Bit Mask VLAN bitmask Range 1 4095 Ethernet Type This option can only be used to filter Ethernet II formatted packets Range 600 fff hex A detailed listing of Ethernet protocol types can be found in RFC 1060 A few of the more common types include 0800 IP 0806 ARP 8137 IPX Ethernet Type Bit Mask Protocol bitmask Range 600 fff hex Packet Format Th...

Page 158: ...fic address e g 11 22 33 44 55 66 If you select MAC enter a base address and a hexidecimal bitmask for an address range Set any other required criteria such as VID Ethernet type or packet format Then click Add Figure 3 46 Configuring MAC ACLs CLI This rule permits packets from any source MAC address to the destination address 00 e0 29 94 34 de where the Ethernet type is 0800 Console config mac acl...

Page 159: ...d one IP or MAC ACL to any port for ingress filtering In other words only one ACL can be bound to an interface Ingress IP or MAC ACL Command Attributes Port Fixed port or SFP module Range 1 28 IP Specifies the IP ACL to bind to a port MAC Specifies the MAC ACL to bind to a port IN ACL for ingress packets ACL Name Name of the ACL Web Click Security ACL Port Binding Mark the Enable field for the por...

Page 160: ... IP address can be configured for SNMP web and Telnet access respectively Each of these groups can include up to five different sets of addresses either individual addresses or address ranges When entering addresses for the same group i e SNMP web or Telnet the switch will not accept overlapping address ranges When entering addresses for different groups the switch will accept overlapping address ...

Page 161: ... single IP address or the starting address of a range End IP Address The end address of a range Add Remove Filtering Entry Adds removes an IP address from the list Web Click Security IP Filter Enter the addresses that are allowed management access to an interface and click Add IP Filtering Entry Figure 3 48 Filtering Management Access CLI This example restricts management access for Telnet clients...

Page 162: ...s Shows if the interface is enabled or disabled Oper Status Indicates if the link is Up or Down Speed Duplex Status Shows the current speed and duplex mode Auto or fixed choice Flow Control Status Indicates the type of flow control currently in use IEEE 802 3x Back Pressure or None Autonegotiation Shows if auto negotiation is enabled or disabled Media Type1 Indicates the type of media used for por...

Page 163: ...he port type 1000BASE T 1000BASE SX 1000BASE LX or 100BASE FX MAC address The physical layer address for this port To access this item on the web see Setting the Switch s IP Address on page 3 19 Configuration Name Interface label Port admin Shows if the interface is enabled or disabled i e up or down Speed duplex Shows the current speed and duplex mode Auto or fixed choice ...

Page 164: ...enabled or disabled Broadcast storm limit Shows the broadcast storm threshold 240 1488100 packets per second Flow control Shows if flow control is enabled or disabled LACP Shows if LACP is enabled or disabled Port Security Shows if port security is enabled or disabled Max MAC count Shows the maximum number of MAC address that can be learned by a port 0 1024 addresses Port security action Shows the...

Page 165: ...y also disable an interface for security reasons Speed Duplex Allows you to manually set the port speed and duplex mode Flow Control Allows automatic or manual selection of flow control Autonegotiation Port Capabilities Allows auto negotiation to be enabled disabled When auto negotiation is enabled you need to Console show interfaces status ethernet 1 5 4 151 Information of Eth 1 5 Basic informati...

Page 166: ...m end stations or segments connected directly to the switch when its buffers fill When enabled back pressure is used for half duplex operation and IEEE 802 3x for full duplex operation Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub Def...

Page 167: ...n bandwidth for network segments where bottlenecks exist as well as providing a fault tolerant link between two devices You can create up to 8 trunks at a time Console config interface ethernet 1 13 4 144 Console config if description RD SW 13 4 144 Console config if shutdown 4 149 Console config if no shutdown Console config if no negotiation 4 146 Console config if speed duplex 100half 4 145 Con...

Page 168: ...ncing the load across each port in the trunk the other ports provide redundancy by taking over the load if a port in the trunk fails However before making any physical connections between devices use the web interface or CLI to specify the trunk on the devices at both ends When using a port trunk take note of the following points Finish configuring port trunks before you connect the corresponding ...

Page 169: ...hannel compatible To avoid creating a loop in the network be sure you add a static trunk via the configuration interface before connecting the ports and also disconnect the ports before removing a static trunk via the configuration interface Command Attributes Member List Current Shows configured trunks Trunk ID Unit Port New Includes entry fields for creating new trunks Trunk Trunk identifier Ran...

Page 170: ...Port Trunk Membership Enter a trunk ID in the Trunk field select any of the switch ports from the scroll down port list and click Add After you have completed adding ports to the member list click Apply Figure 3 51 Static Trunk Configuration ...

Page 171: ...Console config interface ethernet 1 1 4 144 Console config if channel group 1 4 164 Console config if exit Console config interface ethernet 1 2 Console config if channel group 1 Console config if end Console show interfaces status port channel 1 4 151 Information of Trunk 1 Basic information Port type 1000T Mac address 00 00 E8 AA AA 01 Configuration Name Port admin Up Speed duplex Auto Capabilit...

Page 172: ...f one of the active links fails All ports on both ends of an LACP trunk must be configured for full duplex and auto negotiation Command Attributes Member List Current Shows configured trunks Port New Includes entry fields for creating new trunks Port Port identifier Range 1 28 Web Click Port LACP Configuration Select any of the switch ports from the scroll down port list and click Add After you ha...

Page 173: ...he port channel admin key lacp admin key page 4 169 is Console config interface ethernet 1 1 4 144 Console config if lacp 4 164 Console config if exit Console config interface ethernet 1 6 Console config if lacp Console config if end Console show interfaces status port channel 1 4 151 Information of Trunk 1 Basic information Port type 1000T Mac address 22 22 22 22 22 2d Configuration Name Port adm...

Page 174: ... system priority to join the same LAG System priority is combined with the switch s MAC address to form the LAG identifier This identifier is used to indicate a specific LAG during LACP negotiations with other systems Admin Key The LACP administration key must be set to the same value for ports that belong to the same LAG Range 0 65535 Default 1 Port Priority If a link goes down LACP port priority...

Page 175: ...ptionally configure these settings for the Port Partner Be aware that these settings only affect the administrative state of the partner and will not take effect until the next time an aggregate link is formed with this device After you have completed setting the port LACP parameters click Apply Figure 3 53 LACP Aggregation Port Configuration ...

Page 176: ...ole config if lacp actor system priority 3 Console config if lacp actor admin key 120 Console config if lacp actor port priority 512 Console config if end Console sh lacp sysid 4 171 Channel Group System Priority System MAC Address 1 32768 00 00 E9 31 31 31 2 32768 00 00 E9 31 31 31 3 32768 00 00 E9 31 31 31 4 32768 00 00 E9 31 31 31 5 32768 00 00 E9 31 31 31 6 32768 00 00 E9 31 31 31 Console show...

Page 177: ...Marker Unknown Pkts Number of frames received that either 1 Carry the Slow Protocols Ethernet Type value but contain an unknown PDU or 2 are addressed to the Slow Protocols group MAC Address but do not carry the Slow Protocols Ethernet Type Marker Illegal Pkts Number of frames that carry the Slow Protocols Ethernet Type value but contain a badly formed PDU or an illegal value of Protocol Subtype T...

Page 178: ...LACPDUs Sent 21 LACPDUs Received 21 Marker Sent 0 Marker Received 0 LACPDUs Unknown Pkts 0 LACPDUs Illegal Pkts 0 Console Table 3 9 LACP Settings Field Description Oper Key Current operational value of the key for the aggregation port Admin Key Current administrative value of the key for the aggregation port LACPDUs Interval Number of seconds before invalidating received LACPDU information LACP Sy...

Page 179: ...on this link is enabled i e collection is currently enabled and is not expected to be disabled in the absence of administrative changes or changes in received protocol information Synchronization The System considers this link to be IN_SYNC i e it has been allocated to the correct Link Aggregation Group the group has been associated with a compatible Aggregator and the identity of the Link Aggrega...

Page 180: ...ACP configuration settings and operational state for the local side of port channel 1 Console show 1 lacp internal 4 171 Channel group 1 Oper Key 4 Admin Key 0 Eth 1 1 LACPDUs Internal 30 sec LACP System Priority 32768 LACP Port Priority 32768 Admin Key 4 Oper Key 4 Admin State defaulted aggregation long timeout LACP activity Oper State distributing collecting synchronization aggregation long time...

Page 181: ...trative value of the port number for the protocol Partner Partner Oper Port Number Operational port number assigned to this aggregation port by the port s protocol partner Port Admin Priority Current administrative value of the port priority for the protocol partner Port Oper Priority Priority value assigned to this aggregation port by the partner Admin Key Current administrative value of the Key ...

Page 182: ...ote side of port channel 1 Console show 1 lacp neighbors 4 171 Channel group 1 neighbors Eth 1 1 Partner Admin System ID 32768 00 00 00 00 00 00 Partner Oper System ID 32768 00 00 00 00 00 01 Partner Admin Port Number 1 Partner Oper Port Number 1 Port Admin Priority 32768 Port Oper Priority 32768 Admin Key 0 Oper Key 4 Admin State defaulted distributing collecting synchronization long timeout Oper...

Page 183: ...raffic for each port Any broadcast packets exceeding the specified threshold will then be dropped Command Usage Broadcast Storm Control is enabled by default Broadcast control does not effect IP multicast traffic The specified threshold applies to each individual port on the switch Command Attributes Port Port number Type Indicates the port type 100BASE TX 1000BASE T or SFP Protect Status Shows wh...

Page 184: ... switchport broadcast 4 157 Console config if exit Console config broadcast packet rate 500 4 156 Console config exit Console show interfaces switchport ethernet 1 2 4 154 Information of Eth 1 2 Broadcast threshold Enabled 500 packets second Lacp status Disabled Ingress rate limit disable 1000M bits per second Egress rate limit disable 1000M bits per second VLAN membership mode Hybrid Ingress rule...

Page 185: ...ffic may be dropped from the monitor port All mirror sessions have to share the same destination port When mirroring port traffic the target port must be included in the same VLAN as the source port Command Attributes Mirror Sessions Displays a list of current mirror sessions Source Port The port whose traffic will be monitored Range 1 28 Type Allows you to select which traffic to mirror to the ta...

Page 186: ...aximum rate for traffic received on an interface Rate limiting is configured on interfaces at the edge of a network to limit traffic coming into the switch Packets that exceed the acceptable amount of traffic are dropped Rate limiting can be applied to individual ports or trunks When an interface is configured with this feature the traffic rate will be monitored by the hardware to verify conformit...

Page 187: ...led Input Output Rate Limit Level Sets the rate limit level Web Click Port Rate Limit Input Output Port Trunk Configuration Enable the Rate Limit Status for the required interfaces set the Rate Limit Level and click Apply Figure 3 59 Configuring Input Port Rate Limiting CLI This example sets the rate limit for input traffic passing through port 3 Console config interface ethernet 1 3 4 144 Console...

Page 188: ... the last system reboot and are shown as counts per second Statistics are refreshed every 60 seconds by default Note RMON groups 2 3 and 9 can only be accessed using SNMP management software such as SMC EliteView or HP OpenView Statistical Values Table 3 11 Port Statistics Parameter Description Interface Statistics Received Octets The total number of octets received on the interface including fram...

Page 189: ...sted be transmitted to a subnetwork unicast address including those that were discarded or not sent Transmit Multicast Packets The total number of packets that higher level protocols requested be transmitted and which were addressed to a multicast address at this sub layer including those that were discarded or not sent Transmit Broadcast Packets The total number of packets that higher level proto...

Page 190: ... frames for which transmission is inhibited by exactly one collision Internal MAC Transmit Errors A count of frames for which transmission on a particular interface fails due to an internal MAC sublayer transmit error Multiple Collision Frames A count of successfully transmitted frames for which transmission is inhibited by more than one collision Carrier Sense Errors The number of times that the ...

Page 191: ...of collisions on this Ethernet segment Received Frames The total number of frames bad broadcast and multicast received Broadcast Frames The total number of good frames received that were directed to the broadcast address Note that this does not include multicast packets Multicast Frames The total number of good frames received that were directed to this multicast address CRC Alignment Errors The n...

Page 192: ...had either an FCS or alignment error 64 Bytes Frames The total number of frames including bad packets received and transmitted that were 64 octets in length excluding framing bits but including FCS octets 65 127 Byte Frames 128 255 Byte Frames 256 511 Byte Frames 512 1023 Byte Frames 1024 1518 Byte Frames 1519 1536 Byte Frames The total number of frames including bad packets received and transmitt...

Page 193: ...PORT CONFIGURATION 3 139 Figure 3 61 Displaying Etherlike and RMON Statistics ...

Page 194: ...stats Octets input 868453 Octets output 3492122 Unicast input 7315 Unitcast output 6658 Discard input 0 Discard output 0 Error input 0 Error output 0 Unknown protos input 0 QLen output 0 Extended iftable stats Multi cast input 0 Multi cast output 17027 Broadcast input 231 Broadcast output 7 Ether like stats Alignment errors 0 FCS errors 0 Single Collision frames 0 Multiple collision frames 0 SQE T...

Page 195: ... of a device mapped to this interface VLAN ID of configured VLAN 1 4093 Web Only Web Click Address Table Static Addresses Specify the interface the MAC address and VLAN then click Add Static Address Figure 3 62 Mapping Ports to Static Addresses CLI This example adds an address to the static address table but sets it to be deleted when the switch is reset Console config mac address table static 00 ...

Page 196: ...ddress are forwarded directly to the associated port Otherwise the traffic is flooded to all ports Command Attributes Interface Indicates a port or trunk MAC Address Physical address associated with this interface VLAN ID of configured VLAN 1 4093 Address Table Sort Key You can sort the information displayed based on MAC address VLAN or interface port or trunk Dynamic Address Counts The number of ...

Page 197: ... method of sorting the displayed addresses and then click Query Figure 3 63 Displaying the MAC Dynamic Address Table CLI This example also displays the address table entries for port 1 Console show mac address table interface ethernet 1 1 4 178 Interface Mac Address Vlan Type Eth 1 1 00 E0 29 94 34 DE 1 Permanent Eth 1 1 00 20 9C 23 CD 60 2 Learned Console ...

Page 198: ...me CLI This example sets the aging time to 300 seconds Spanning Tree Algorithm Configuration The Spanning Tree Algorithm STA can be used to detect and disable network loops and to provide backup links between switches bridges or routers This allows the switch to interact with other bridging devices that is an STA compliant switch bridge or router in your network to ensure that only one route exist...

Page 199: ... packet from that LAN to the root device It then selects a port on the designated bridging device to communicate with each attached LAN or host device as a designated port After determining the lowest cost spanning tree it enables all root ports and designated ports and disables all other ports Network packets are therefore only forwarded between root ports and designated ports eliminating any pos...

Page 200: ... entire switch using the STA Information screen Field Attributes Spanning Tree State Shows if the switch is enabled to participate in an STA compliant network Bridge ID A unique identifier for this bridge consisting of the bridge priority and MAC address where the address is taken from the switch system Max Age The maximum time in seconds a device can wait without receiving a configuration message...

Page 201: ...anning Tree network Root Path Cost The path cost from the root port on this switch to the root device Configuration Changes The number of times the Spanning Tree has been reconfigured Last Topology Change Time since the Spanning Tree was last reconfigured These additional parameters are only displayed for the CLI Spanning tree mode Specifies the type of spanning tree used on this switch STP Spanni...

Page 202: ...warding This delay is required because every device must receive information about topology changes before it starts to forward frames In addition each port needs time to listen for conflicting information that would make it return to a discarding state otherwise temporary data loops might result Transmission limit The minimum interval between the transmission of consecutive RSTP BPDUs Path Cost M...

Page 203: ...ath between specific VLAN members may be inadvertently disabled to prevent network loops thus isolating group members Rapid Spanning Tree Protocol RSTP supports connections to either STP or RSTP nodes by monitoring the incoming protocol messages and dynamically adjusting Console show spanning tree 4 194 Spanning tree information Spanning tree mode RSTP Spanning tree enabled disabled enabled Priori...

Page 204: ...bles STA on this switch Default Enabled Spanning Tree Type Specifies the type of spanning tree used on this switch STP Spanning Tree Protocol IEEE 802 1D i e when this option is selected the switch will use RSTP set to STP forced compatibility mode RSTP Rapid Spanning Tree IEEE 802 1w RSTP is the default Priority Bridge priority is used in selecting the root device root port and designated port Th...

Page 205: ...ched LAN If it is a root port a new root port is selected from among the device ports attached to the network References to ports in this section mean interfaces which includes both ports and trunks Default 20 Minimum The higher of 6 or 2 x Hello Time 1 Maximum The lower of 40 or 2 x Forward Delay 1 Forward Delay The maximum time in seconds this device will wait before changing states i e discardi...

Page 206: ... can be assigned to each interface Long Specifies 32 bit based values that range from 1 200 000 000 This is the default Short Specifies 16 bit based values that range from 1 65535 Transmission Limit The maximum transmission rate for BPDUs is specified by setting the minimum interval between the transmission of consecutive protocol messages Range 1 10 Default 3 Web Click Spanning Tree STA Configrat...

Page 207: ...thout receiving contradictory information Port address table is cleared and the port begins learning addresses Forwarding Port forwards packets and continues learning addresses The rules defining port status are A port on a network segment with no other STA compliant bridging device is always forwarding If two ports of a switch are connected to the same segment and there is no other STA device att...

Page 208: ...igned to ports attached to faster media and higher values assigned to ports with slower media Path cost takes precedence over port priority Oper Link Type The operational point to point status of the LAN segment attached to this interface This parameter is determined by manual configuration or by auto detection as described for Admin Link Type in STA Port Configuration on page 3 157 Oper Edge Port...

Page 209: ...r this port in the Spanning Tree Algorithm If the path cost for all ports on a switch is the same the port with the highest priority i e lowest value will be configured as an active link in the Spanning Tree This makes a port with higher priority less likely to be blocked if the Spanning Tree Algorithm is detecting network loops Where more than one port is assigned the highest priority the port wi...

Page 210: ...nce for devices such as workstations or servers retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration events does not cause the spanning tree to reconfigure when the interface changes state and also overcomes other STA related timeout problems However remember that Edge Port should only be enabled for ports connecte...

Page 211: ...point connection or shared media connection and edge port to indicate if the attached device can support fast forwarding Console show spanning tree ethernet 1 5 4 194 Eth 1 5 information Admin status enable Role disable State discarding External path cost 10000 Internal path cost 10000 Priority 128 Designated cost 200000 Designated port 128 5 Designated root 61440 0 0000E9313131 Designated bridge ...

Page 212: ... forwards packets and continues learning addresses Trunk Indicates if a port is a member of a trunk STA Port Configuration only The following interface attributes can be configured Spanning Tree Enables disables STA on this interface Default Enabled Priority Defines the priority used for this port in the Spanning Tree Protocol If the path cost for all ports on a switch are the same the port with t...

Page 213: ...ly one other bridge Shared A connection to two or more bridges Auto The switch automatically determines if the interface is attached to a point to point link or to shared media This is the default setting Admin Edge Port Fast Forwarding You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node Since end nodes cannot cause forwardi...

Page 214: ...eb Click Spanning Tree STA Port Configuration or Trunk Configuration Modify the required attributes then click Apply Figure 3 68 Configuring Spanning Tree Algorithm per Port CLI This example sets STA attributes for port 7 Console config interface ethernet 1 7 4 144 Console config if no no spanning tree spanning disabled 4 188 Console config if spanning tree port priority 0 4 189 Console config if ...

Page 215: ...ut having to change any physical connections VLANs can be easily organized to reflect departmental groups such as Marketing or R D usage groups such as e mail or multicast groups used for multimedia applications such as videoconferencing VLANs provide greater network efficiency by reducing broadcast traffic and allow you to make network changes without having to update IP addresses or IP subnets V...

Page 216: ...rticipate in one or more VLANs but none of the intermediate network devices nor the host at the other end of the connection supports VLANs then you should add this port to the VLAN as an untagged port Note VLAN tagged frames can pass through VLAN aware or VLAN unaware network interconnection devices but the VLAN tags should be stripped off before passing it on to any end node host that does not su...

Page 217: ... switch can automatically learn the VLANs to which each end station should be assigned If an end station or its network adapter supports the IEEE 802 1Q VLAN protocol it can be configured to broadcast a message to your network indicating the VLAN groups it wants to join When this switch receives these messages it will automatically place the receiving port in the specified VLANs and then forward t...

Page 218: ...ached directly to a single switch you can assign ports to the same untagged VLAN However to participate in a VLAN group that crosses several switches you should create a VLAN for that group and enable tagging on all ports Ports can be assigned to multiple tagged VLANs but are only allowed one untagged VLAN Each port on the switch is capable of passing tagged or untagged frames When forwarding a fr...

Page 219: ...formation The VLAN Basic Information page displays basic information on the VLAN type supported by the switch Field Attributes VLAN Version Number The VLAN version used by this switch as specified in the IEEE 802 1Q standard Maximum VLAN ID Maximum VLAN ID recognized by this switch Maximum Number of Supported VLANs Maximum number of VLANs that can be configured on this switch Web Only Web Click VL...

Page 220: ...ID ID of configured VLAN 1 4093 Up Time at Creation Time this VLAN was created i e System Up Time Status Shows how this VLAN was added to the switch Dynamic GVRP Automatically learned via GVRP Permanent Added as a static entry Engress Ports Shows the engress VLAN port members Untagged Ports Shows the untagged VLAN port members Console show bridge ext 4 215 Max support VLAN numbers 256 Max support ...

Page 221: ...AN ID of configured VLAN 1 4093 no leading zeroes Type Shows how this VLAN was added to the switch Dynamic Automatically learned via GVRP Static Added as a static entry Name Name of the VLAN 1 to 32 characters Status Shows if this VLAN is enabled or disabled Active VLAN is operational Suspend VLAN is suspended i e does not pass packets Ports Channel groups Shows the VLAN interface members ...

Page 222: ...is only used for management on this system it is not added to the VLAN tag VLAN ID ID of configured VLAN 1 4094 no leading zeroes VLAN Name Name of the VLAN 1 to 32 characters Status Web Enables or disables the specified VLAN Enable VLAN is operational Disable VLAN is suspended i e does not pass packets State CLI Enables or disables the specified VLAN Active VLAN is operational Suspend VLAN is sus...

Page 223: ...lick Add Figure 3 71 Creating Virtual LANs CLI This example creates a new VLAN Console config vlan database 4 196 Console config vlan vlan 2 name R D media ethernet state active 4 197 Console config vlan end Console show vlan 4 206 VLAN Type Name Status Ports Channel groups 1 Static DefaultVlan Active Eth1 1 Eth1 2 Eth1 3 Eth1 4 Eth1 5 Eth1 6 Eth1 7 Eth1 8 Eth1 9 Eth1 10 Eth1 11 Eth1 12 Eth1 13 Et...

Page 224: ...d ports to a VLAN as tagged members 2 VLAN 1 is the default untagged VLAN containing all ports on the switch and can only be modified by first reassigning the default port VLAN ID as described under Configuring VLAN Behavior for Interfaces on page 3 173 Command Attributes VLAN ID of configured VLAN 1 4093 no leading zeroes Name Name of the VLAN 1 to 32 characters Status Enables or disables the spe...

Page 225: ...g the VLAN via GVRP For more information see Automatic VLAN Registration on page 3 163 None Interface is not a member of the VLAN Packets associated with this VLAN will not be transmitted by the interface Trunk Member Indicates if a port is a member of a trunk To add a trunk to the selected VLAN use the last table on the VLAN Static Table page Web Click VLAN 802 1Q VLAN Static Table Select a VLAN ...

Page 226: ...LAN Static Membership Select an interface from the scroll down box Port or Trunk Click Query to display membership information for the interface Select a VLAN ID and then click Add to add the interface as a tagged member or click Remove to remove the interface After configuring VLAN membership for each interface click Apply Console config interface ethernet 1 1 4 144 Console config if switchport a...

Page 227: ...tering Command Attributes PVID VLAN ID assigned to untagged frames received on the interface Default 1 If an interface is not a member of VLAN 1 and you assign its PVID to this VLAN the interface will automatically be added to VLAN 1 as an untagged member For all other VLANs the PVID must be defined first then the status of the VLAN can be configured as a tagged or untagged member Console config i...

Page 228: ...hese frames will be discarded Ingress filtering does not affect VLAN independent BPDU frames such as GVRP or STP However they do affect VLAN dependent BPDU frames such as GMRP Mode Indicates VLAN membership mode for an interface Default Hybrid 1Q Trunk Specifies a port as an end point for a VLAN trunk A trunk is a direct link between two switches so the port transmits tagged frames that identify t...

Page 229: ... accept only tagged frames assigns PVID 3 as the native VLAN ID and then sets the switchport mode to hybrid Console config interface ethernet 1 3 4 144 Console config if switchport acceptable frame types tagged 4 200 Console config if switchport ingress filtering 4 202 Console config if switchport native vlan 3 4 203 Console config if switchport gvrp 4 216 Console config if switchport mode hybrid ...

Page 230: ...al users Multiple primary VLANs can be configured on this switch and multiple community VLANs can be associated with each primary VLAN Note that private VLANs and normal VLANs can exist simultaneously within the same switch To configure primary secondary associated groups follow these steps 1 Use the Private VLAN Configuration menu to designate one or more community VLANs and the primary VLAN that...

Page 231: ... primary and community VLANs and their assigned interfaces Command Attributes VLAN ID ID of configured VLAN 1 4093 and VLAN type Primary VLAN The VLAN with which the selected VLAN ID is associated A primary VLAN displays its own ID and a community VLAN displays the associated primary VLAN Ports List The list of ports and assigned port type in the selected private VLAN ...

Page 232: ... configured with primary VLAN 5 and secondary VLAN 6 Port 3 has been configured as a promiscuous port and mapped to VLAN 5 while ports 4 and 5 have been configured as a host ports and are associated with VLAN 6 This means that traffic for port 4 and 5 can only pass through port 3 Console show vlan private vlan 4 153 Primary Secondary Type Interfaces 5 primary Eth1 3 5 6 community Eth1 4 Eth1 5 ...

Page 233: ...associated primary VLAN Current Displays a list of the currently configured VLANs Web Click VLAN Private VLAN Configuration Enter the VLAN ID number select Primary or Community type then click Add To remove a private VLAN from the switch highlight an entry in the Current list box and then click Remove Note that all member ports must be removed from the VLAN before it can be deleted Figure 3 76 Pri...

Page 234: ...ociation Select the required primary VLAN from the scroll down box highlight one or more community VLANs in the Non Association list box and click Add to associate these entries with the selected primary VLAN A community VLAN can only be associated with one primary VLAN Figure 3 77 Private VLAN Association CLI This example associates community VLANs 6 and 7 with primary VLAN 5 Console config vlan ...

Page 235: ...t The port is a community port and can only communicate with other ports in its own community VLAN and with the designated promiscuous port s Promiscuous A promiscuous port can communicate with all the interfaces within a private VLAN Primary VLAN Conveys traffic between promiscuous ports and between promiscuous ports and community ports within the associated secondary VLANs Community VLAN A commu...

Page 236: ...iated with VLAN 6 This means that traffic for port 4 and 5 can only pass through port 3 Configuring Private VLAN Interfaces Use the Private VLAN Port Configuration and Private VLAN Trunk Configuration menus to set the private VLAN interface type and assign the interfaces to a private VLAN Command Attributes Port Trunk The switch interface PVLAN Port Type Sets private VLAN port types Normal The por...

Page 237: ... Promiscuous then specify the associated primary VLAN Community VLAN A community VLAN conveys traffic between community ports and from community ports to their designated promiscuous ports Set PVLAN Port Type to Host and then specify the associated Community VLAN Trunk The trunk identifier Port Information only Web Click VLAN Private VLAN Port Configuration or Trunk Configuration Set the PVLAN Por...

Page 238: ...e the Protocol VLAN Configuration menu to create or remove protocol VLANs Command Attributes Protocol Group IP Protocol Group ID assigned to the Protocol VLAN Group Range 1 2147483647 Frame Type Ethernet frame type Protocol Type The options for Ethernet frame type includes IP ARP or RARP Console config interface ethernet 1 3 Console config if switchport mode private vlan promiscuous 4 200 Console ...

Page 239: ... VLAN System Configuration menu to set the protocol VLAN settings for the switch Command Attributes Protocol Group ID Protocol Group ID assigned to the Protocol VLAN Group Range 1 2147483647 VLAN ID VLAN to which matching protocol traffic is forwarded Range 1 4094 Web Click VLAN Protocol VLAN System Configuration Figure 3 81 Protocol VLAN Port Configuration ...

Page 240: ...en sorted into the appropriate priority queue at the output port Command Usage This switch provides eight priority queues for each port It uses Weighted Round Robin to prevent head of queue blockage The default priority applies for an untagged frame received on a port set to accept all frame types i e receives both untagged and tagged frames This priority does not apply to IEEE 802 1Q VLAN tagged ...

Page 241: ...strict or Weighted Round Robin WRR Up to eight separate traffic Console config interface ethernet 1 3 4 144 Console config if switchport priority default 5 4 220 Console config if end Console show interfaces switchport ethernet 1 3 4 154 Information of Eth 1 3 Broadcast threshold Enabled 500 packets second LACP status Disabled Ingress rate limit enable K bits per second 25 VLAN membership mode Hyb...

Page 242: ...its application traffic for your own network Command Attributes Interface Select port or trunk identifier Priority CoS value Range 0 7 where 7 is the highest priority Traffic Class Output queue buffer Range 0 3 where 3 is the highest CoS priority queue CLI shows Queue ID Table 3 12 Egress Queue Priority Mapping Queue 0 1 2 3 Priority 1 2 0 3 4 5 6 7 Table 3 13 CoS Priority Levels Priority Level Tr...

Page 243: ...Mapping specific values for CoS priorities is implemented as an interface configuration command but any changes will apply to the all interfaces on the switch Console config interface ethernet 1 1 4 144 Console config if queue cos map 0 0 4 223 Console config if queue cos map 1 1 Console config if queue cos map 2 2 Console config if exit Console config exit Console show queue cos map ethernet 1 1 ...

Page 244: ... Weighted Round Robin WRR queuing that specifies a relative weight of each queue WRR uses a predefined relative weight for each queue that determines the percentage of service time the switch services each queue before moving on to the next queue This prevents the head of line blocking that can occur with strict priority queuing Command Attributes WRR Weighted Round Robin shares bandwidth at the e...

Page 245: ...ess Queues on page 3 187 the traffic classes are mapped to one of the four egress queues provided for each port You can assign a weight to each of these queues and thereby to the corresponding traffic priorities This weight sets the frequency at which each queue will be polled for service and subsequently affects the response time for software applications assigned a specific priority value Comman...

Page 246: ... Traffic priorities can be specified in the IP header of a frame using the number of the TCP port When these service is enabled the priorities are mapped to a Class of Service value by the switch and the traffic then sent to the corresponding output queue Because different priority information may be contained in the traffic this switch maps priority values to the output queues in the following ma...

Page 247: ...lick Priority IP DSCP Priority Status Select IP DSCP then click Apply Figure 3 87 IP DSCP Priority Status Mapping DSCP Priority The DSCP is six bits wide allowing coding for up to 64 different forwarding behaviors The DSCP retains backward compatibility with the three precedence bits so that non DSCP compliant will not conflict with the DSCP mapping Based on network policies different kinds of tra...

Page 248: ... and 7 represent high priority Note IP DSCP settings apply to all interfaces Web Click Priority IP DSCP Priority Select an entry from the DSCP table enter a value in the Class of Service Value field then click Apply Figure 3 88 Mapping IP DSCP Priority to Class of Service Values Table 3 14 Mapping DSCP Priority IP DSCP Value CoS Value 0 0 8 1 10 12 14 16 2 18 20 22 24 3 26 28 30 32 34 36 4 38 40 4...

Page 249: ...ed for prioritizing network resources to meet the requirements of specific traffic types on a per hop basis Each packet is classified upon entry into the network based on access lists IP Precedence DSCP values or VLAN lists Using access lists allows you select traffic based on Layer 2 Layer 3 or Layer 4 information contained in each packet Based on configured network policies different kinds of tr...

Page 250: ...a consistent end to end QoS solution Notes 1 You can configure up to 16 rules per Class Map You can also include multiple classes in a Policy Map 2 You should create a Class Map before creating a Policy Map Otherwise you will not be able to select a Class Map from the Policy Rule Settings screen Configuring Quality of Service Parameters To create a service policy for a specific category or ingress...

Page 251: ...iteria You can specify up to 16 items to match when assigning ingress traffic to a class map The class map is used with a policy map to create a service policy for a specific interface that defines packet classification service tagging and bandwidth policing Note that one or more class maps can be assigned to a policy map Command Attributes Class Map Modify Name and Description Configures the name...

Page 252: ...revious page without making any changes Match Class Settings Class Name List of the class maps ACL List Name of an access control list Any type of ACL can be specified including standard or extended IP ACLs and MAC ACLs Range 1 16 characters IP DSCP A DSCP value Range 0 63 IP Precedence An IP Precedence value Range 0 7 VLAN A VLAN Range 1 4094 Add Adds specified criteria to the class Up to 16 item...

Page 253: ...9 Configuring Class Maps CLI This example creates a class map call rd class and sets it to match packets marked for DSCP service value 3 Console config class map rd_class match any Console config cmap match ip dscp 3 Console config cmap ...

Page 254: ... finally click Add to register the new policy A policy map can contain multiple class statements that can be applied to the same interface with the Service Policy Settings page 3 153 You can configure up to 64 policers i e meters or class maps for each of the following access list types MAC ACL IP ACL including Standard ACL and Extended ACL IPv6 Standard ACL and IPv6 Extended ACL This limitation a...

Page 255: ...n this page Remove Policy Deletes a specified policy Policy Configuration Policy Name Name of the policy map Range 1 16 characters Description A brief description of a policy map Range 1 64 characters Add Adds the specified policy Back Returns to previous page without making any changes Policy Rule Settings Class Settings Class Name Name of class map Action Shows the service provided to ingress tr...

Page 256: ...rom a policy violation Rate kbps Rate in kilobits per second Range 1 100000 kbps or maximum port speed whichever is lower Burst byte Burst in bytes Range 64 1522 Exceed Specifies whether the traffic that exceeds the specified rate or burst will be dropped or the DSCP service level will be reduced Set Decreases DSCP priority for out of conformance traffic Range 0 63 Drop Drops out of conformance tr...

Page 257: ...QUALITY OF SERVICE 3 203 Figure 3 90 Configuring Policy Maps ...

Page 258: ...u can only bind one policy map to an interface The current firmware does not allow you to bind a policy map to an egress queue Command Attributes Ports Specifies a port Ingress Applies the rule to ingress traffic Enabled Check this to enable a policy map on the specified port Policy Map Select the appropriate policy map from the scroll down box Web Click QoS DiffServ Service Policy Check Enabled a...

Page 259: ...CE 3 205 Figure 3 91 Service Policy Settings CLI This example applies a service policy to an ingress interface Console config interface ethernet 1 5 Console config if service policy input rd_policy 3 Console config if ...

Page 260: ...assed on to the hosts which subscribed to this service This switch uses IGMP Internet Group Management Protocol to query for any attached hosts that want to receive a specific multicast service It identifies the ports containing hosts requesting to join the service and sends data out to those ports only It then propagates the service request up to any neighboring multicast switch router to ensure ...

Page 261: ...appropriate interfaces within the switch Static IGMP Host Interface For multicast applications that you need to control more carefully you can manually assign a multicast service to specific interfaces on the switch page 3 215 Configuring IGMP Snooping and Query Parameters You can configure the switch to forward multicast traffic intelligently Based on the IGMP query and report messages the switch...

Page 262: ...is is also referred to as IGMP Snooping Default Enabled Act as IGMP Querier When enabled the switch can serve as the Querier which is responsible for asking hosts if they want to receive multicast traffic Default Enabled IGMP Query Count Sets the maximum number of queries issued for which there has been no response before the switch takes action to drop a client from the multicast group Range 2 10...

Page 263: ...his example modifies the settings for multicast filtering and then displays the current status Console config ip igmp snooping 4 230 Console config ip igmp snooping querier 4 235 Console config ip igmp snooping query count 10 4 236 Console config ip igmp snooping query interval 100 4 237 Console config ip igmp snooping query max response time 20 4 238 Console config ip igmp snooping query time out...

Page 264: ...67295 Web Click IGMP Snooping IGMP Filter Configuration Figure 3 93 Enabling IGMP Filter Enabling IGMP Immediate Leave The IGMP snooping immediate leave feature enables a Layer 2 LAN interface to be removed from the multicast forwarding table without first sending an IGMP group specific query to the interface Upon receiving a group specific IGMPv2 leave message the switch immediately removes the i...

Page 265: ...Leave CLI This example enables IGMP immediate leave for VLAN 1 and then displays the current IGMP snooping status Console config interface vlan 1 Console config if ip igmp snooping immediate leave 4 233 Console config if end Console show ip igmp snooping 4 233 Service Status Enabled Querier Status Disabled Leave proxy status Enabled Query Count 2 Query Interval 125 sec Query Max Response Time 10 s...

Page 266: ...on the switch You can use the Multicast Router Port Information page to display the ports on this switch attached to a neighboring multicast router switch for each VLAN ID Command Attributes VLAN ID ID of configured VLAN 1 4093 Multicast Router List Multicast routers dynamically discovered by this switch or those that are statically assigned to an interface on this switch Web Click IGMP Snooping M...

Page 267: ...ensure that multicast traffic is passed to all the appropriate interfaces within the switch Command Attributes Interface Activates the Port or Trunk scroll down list VLAN ID Selects the VLAN to propagate all multicast traffic coming from the attached multicast router Port or Trunk Specifies the interface attached to a multicast router Web Click IGMP Snooping Static Multicast Router Port Configurat...

Page 268: ...up Port List Shows the interfaces that have already been assigned to the selected VLAN to propagate a specific multicast service Web Click IGMP Snooping IP Multicast Registration Table Select a VLAN ID and the IP address for a multicast service from the scroll down lists The switch will display all the interfaces that are propagating this multicast service Figure 3 97 Displaying Port Members of Mu...

Page 269: ...t add all the ports attached to participating hosts to a common VLAN and then assign the multicast service to that VLAN group Command Usage Static multicast addresses are never aged out When a multicast address is assigned to an interface in a specific VLAN the corresponding traffic can only be forwarded to ports within that VLAN Command Attribute Interface Activates the Port or Trunk scroll down ...

Page 270: ...ices supported on VLAN 1 IGMP Filtering and Throttling In certain switch applications the administrator may want to control the multicast services that are available to end users For example an IP TV service based on a specific subscription plan The IGMP filtering feature fulfills this requirement by restricting access to specified multicast services on a switch port and IGMP throttling limits the...

Page 271: ...n is set to deny any new IGMP join reports will be dropped If the action is set to replace the switch randomly removes an existing group and replaces it with the new multicast group Note IGMP filtering and throttling only applies to dynamically learned multicast groups it does not apply to statically configured groups Configuring IGMP Profile Group When you have created an IGMP profile number you ...

Page 272: ...the profile Specify a multicast group range by entering a start and end IP address Specify a single multicast group by entering the same IP address for the start and end of the range Click the Add button to add a range to the current list Web Click IGMP Snooping IGMP Filter Profile Configuration Select the profile number you want to configure then click Query to display the current settings Specif...

Page 273: ...P throttling sets a maximum number of multicast groups that a port can join at the same time When the maximum number of groups is reached on a port the switch can take one of two actions either deny or replace If the action is set to deny any new IGMP join reports will be dropped If the action is set to replace the switch randomly removes an existing group and replaces it with the new multicast gr...

Page 274: ... The new multicast group replaces an existing group Throttling Status Indicates if the throttling action has been implemented on the interface Trunk Indicates if a port is a trunk member only for IGMP Filter Throttling Port Configuration Web Click IGMP Snooping IGMP Filter Throttling Port Trunk Configuration Select a profile to assign to an interface then set the throttling number and action Click...

Page 275: ...r a wide part of the network without having to use any multicast routing protocol MVR maintains the user isolation and data security provided by VLAN segregation by passing only multicast traffic into other VLANs to which the subscribers belong Even though common multicast streams are passed onto different VLAN groups from the MVR VLAN users in different IEEE 802 1Q or private VLANs cannot exchang...

Page 276: ... to a allow a subscriber to dynamically join or leave an MVR group see Configuring IGMP Snooping and Query Parameters on page 3 207 Note that only IGMP version 2 or 3 hosts can issue multicast join or leave messages 4 For multicast streams that will run for a long term and be associated with a stable set of hosts you can statically bind the multicast group to the participating interfaces see Assig...

Page 277: ... ports and to all receiver ports that have registered to receive data from that multicast group Default Disabled MVR Running Status Indicates whether or not all necessary conditions in the MVR environment are satisfied MVR VLAN Identifier of the VLAN that serves as the channel for streaming multicast services using MVR Range 1 4093 Default 1 MVR Group IP IP address for an MVR multicast group The I...

Page 278: ...range of MVR group addresses Displaying MVR Interface Status You can display information about the interfaces attached to the MVR VLAN Field Attributes Type Shows the MVR port type Oper Status Shows the link status MVR Status Shows the MVR status MVR status for source ports is ACTIVE if MVR is globally enabled on the switch MVR status for receiver ports is ACTIVE only if there are subscribers rece...

Page 279: ...r Trunk Information Figure 3 102 MVR Port Information CLI This example shows information about interfaces attached to the MVR VLAN Displaying Port Members of Multicast Groups You can display the multicast groups assigned to the MVR VLAN either through IGMP snooping or static configuration Field Attributes Group IP Multicast groups assigned to the MVR VLAN Console show mvr interface 4 255 Port Type...

Page 280: ...following shows information about the interfaces associated with multicast groups assigned to the MVR VLAN Console show mvr interface 4 255 MVR Group IP Status Members 225 0 0 1 ACTIVE eth1 1 d eth1 2 s 225 0 0 2 INACTIVE None 225 0 0 3 INACTIVE None 225 0 0 4 INACTIVE None 225 0 0 5 INACTIVE None 225 0 0 6 INACTIVE None 225 0 0 7 INACTIVE None 225 0 0 8 INACTIVE None 225 0 0 9 INACTIVE None 225 0...

Page 281: ... see Assigning Static Multicast Groups to Interfaces on page 3 229 Immediate leave applies only to receiver ports When enabled the receiver port is immediately removed from the multicast group identified in the leave message When immediate leave is disabled the switch follows the standard rules by sending a group specific query to the receiver port and waiting for a response to determine if there ...

Page 282: ...not participate in the MVR VLAN This is the default type Immediate Leave Configures the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group Trunk Shows if port is a trunk member Port Configuration only Web Click MVR Port or Trunk Configuration Figure 3 104 MVR Port Configuration ...

Page 283: ...ngs on page 3 223 The IP address range from 224 0 0 0 to 239 255 255 255 is used for multicast streams MVR group addresses cannot fall within the reserved IP multicast address range of 224 0 0 x Command Attributes Interface Indicates a port or trunk Member Shows the IP addresses for MVR multicast groups which have been statically assigned to the selected interface Non Member Shows the IP addresses...

Page 284: ... rogue DHCP servers or other devices which send port related information to a DHCP server This information can be useful in tracking an IP address back to a physical port Network traffic may be disrupted when malicious DHCP messages are received from an outside source DHCP snooping is used to filter DHCP messages received on a non secure interface from outside the network or firewall When DHCP sno...

Page 285: ...packet is dropped If the DHCP packet is from a client such as a DECLINE or RELEASE message the switch forwards the packet only if the corresponding entry is found in the binding table If the DHCP packet is from a client such as a DISCOVER REQUEST INFORM DECLINE or RELEASE message the packet is forwarded if MAC address verification is disabled However if MAC address verification is enabled then the...

Page 286: ...ny packets received from untrusted ports are dropped DHCP Snooping Configuration Command Attributes DHCP Snooping Status Enables or disables DHCP snooping globally DHCP Snooping MAC Address Verification Enables or disables MAC address verification DHCP packets will be dropped if the source MAC address in the Ethernet header of the packet is not same as the client s hardware address in the DHCP pac...

Page 287: ...ed on any untrusted ports within the VLAN Web Click DHCP Snooping VLAN Configuration Figure 3 107 DHCP Snooping VLAN Configuration CLI This example first enables DHCP Snooping for VLAN 1 DHCP Snooping Information Option Configuration DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server Known as DHCP Option 82 it allows compatible DHCP ser...

Page 288: ...r the switch can discard the Option 82 information keep the existing information or replace it with the switch s relay information Note DHCP snooping must be enabled on the switch for the DHCP Option 82 information to be inserted into packets Command Attributes DHCP Snooping Information Option Status Enables or disables DHCP Option 82 information relay DHCP Snooping Information Option Policy Sets ...

Page 289: ...gures switch ports as trusted or untrusted An untrusted interface is an interface that is configured to receive messages from outside the network or firewall A trusted interface is an interface that is configured to receive only messages from within the network Command Attributes Trust Status Enables or disables port as trusted Console config ip dhcp snooping information option 4 275 Console confi...

Page 290: ...ing information Command Attributes No Entry number for DHCP snooping binding information Unit Stack unit Port Port number VLAN ID ID of a configured VLAN Range 1 4093 MAC Address A valid unicast MAC address IP Address A valid unicast IP address IP Address Type Indicates an IPv4 or IPv6 address type Lease Time Seconds The time after which an entry is removed from the table Console config interface ...

Page 291: ...CP Snooping on page 3 230 IP source guard can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighbor to access the network This section describes commands used to configure IP Source Guard IP Source Guard Port Configuration IP Source Guard is used to filter traffic on an unsecure port which receives messages from outside the network or firewall and therefor...

Page 292: ...entry is found the packet is dropped Command Attributes Filter Type Configures the switch to filter inbound traffic based source IP address or source IP address and corresponding MAC address Default None None Disables IP source guard filtering on the port SIP Enables traffic filtering based on IP addresses stored in the binding table SIP MAC Enables traffic filtering based on IP addresses and corr...

Page 293: ...e Command Attributes Static Binding Table Counts The total number of static entries in the table Current Static Binding Table The list of current static entries in the table Port Switch port number Range 1 28 VLAN ID ID of a configured VLAN Range 1 4093 MAC Address A valid unicast MAC address IP Address A valid unicast IP address including classful types A B or C Console config interface ethernet ...

Page 294: ...uard binding table for a selected interface Command Attributes Query by Select an interface to display the source guard binding Options Port VLAN MAC Address or IP Address Dynamic Binding Table Counts Displays the number of IP addresses in the source guard binding table Current Dynamic Binding Table Displays the IP addresses in the source guard binding table Console config ip source guard binding ...

Page 295: ...113 Dynamic IP Source Guard Binding Information CLI This example shows how to configure a static source guard binding on port 5 Console show ip source guard binding 4 269 MacAddress IpAddress Lease sec Type VLAN Interface 11 22 33 44 55 66 192 168 0 99 0 Static 1 Eth 1 5 Console ...

Page 296: ...a switch has been configured to be a cluster Commander it automatically discovers other cluster enabled switches in the network These Candidate switches only become cluster Members when manually selected by the administrator through the management station Note Cluster Member switches can be managed through only using a Telnet connection to the Commander From the Commander CLI prompt use the rcomma...

Page 297: ...d 36 Note that you cannot change the cluster IP pool when the switch is currently in Commander mode Commandoer mode must first be disabled Number of Members The current number of Member switches in the cluster Number of Candidates The current number of Candidate switches discovered in the network that are available to become Members Web Click Cluster Configuration Figure 3 114 Cluster Configuratio...

Page 298: ... MAC Address Select a discoverd switch MAC address from the Candidate Table or enter a specific MAC address of a known switch Web Click Cluster Member Configuration Figure 3 115 Cluster Member Configuration CLI This example creates a new cluster Member by specifying the Candidate switch MAC address and setting a Member ID Console config cluster member mac address 00 12 34 56 78 9a id 5 4 282 Conso...

Page 299: ... IP address assigned to the Member switch MAC Address The MAC address of the Member switch Description The system description string of the Member switch Web Click Cluster Member Information Figure 3 116 Cluster Member Information CLI This example shows information about cluster Member switches Vty 0 show cluster members 4 283 Cluster Members ID 1 Role Active member IP Address 10 254 254 2 MAC Add...

Page 300: ...us of Candidate switches in the network MAC Address The MAC address of the Candidate switch Description The system description string of the Candidate switch Web Click Cluster Candidate Information Figure 3 117 Cluster Candidate Information CLI This example shows information about cluster Candidate switches Vty 0 show cluster candidates 4 284 Cluster Candidates Role Mac Description ACTIVE MEMBER 0...

Page 301: ... on a UNIX system Console Connection To access the switch through the console port perform these steps 1 At the console prompt enter the user name and password The default user names are admin and guest with corresponding passwords of admin and guest When the administrator user name and password is entered the CLI displays the Console prompt and enters privileged access mode i e Privileged Exec Bu...

Page 302: ... address for the switch and set the default gateway if you are managing the switch from a different IP subnet For example If your corporate network is connected to another network outside your office or to the Internet you need to apply for a registered IP address However if you are attached to an isolated network then you can use any IP address that matches the network segment to which you are at...

Page 303: ...et command the login screen displays Note You can open up to four sessions to the device via Telnet Entering Commands This section describes how to enter CLI commands Keywords and Arguments A CLI command is a series of keywords and arguments Keywords identify a command and arguments specify configuration parameters For example in the command show interfaces status ethernet 1 5 show interfaces and ...

Page 304: ... CLI will accept a minimum number of characters that uniquely identify a command For example the command configure can be entered as con If an entry is ambiguous the system will prompt for further input Command Completion If you terminate input with a Tab key the CLI will print the remaining characters of a partial keyword up to the point of ambiguity In the logging history example typing log foll...

Page 305: ... interfaces Interface information ip IP information lacp LACP statistics line TTY line information log Login records logging Login setting mac address table Configuration of the address table management Management IP filter map Maps priority port Port characteristics public key Public key information queue Priority queue information radius server RADIUS server information running config Informatio...

Page 306: ...mmand will log system messages to a host server To disable logging specify the no logging command This guide describes the negation effect for all applicable commands Using Command History The CLI maintains a history of commands that have been entered You can scroll back through the history of commands by pressing the up arrow key Any command displayed in the history list can be executed again or ...

Page 307: ...Commands When you open a new console session on the switch with the user name and password guest the system enters the Normal Exec command mode or guest mode displaying the Console command prompt Only a limited number of the commands are available in this mode You can access all commands only from the Privileged Exec command mode or administrator mode To access Privilege Exec mode open a new conso...

Page 308: ...ing config startup config command The configuration commands are organized into different modes Global Configuration These commands modify the system level configuration and include commands such as hostname and snmp server community Access Control List Configuration These commands are used for packet filtering Interface Configuration These commands modify the port configuration such as speed dupl...

Page 309: ... one of the following commands Use the exit or end command to return to the Privileged Exec mode For example you can use the following commands to enter interface configuration mode and then return to Privileged Exec mode Console configure Console config Table 4 2 Configuration Commands Mode Command Prompt Page Line line console vty Console config line 4 14 Access Control List access list ip stand...

Page 310: ...ne Ctrl B Shifts cursor to the left one character Ctrl C Terminates the current task and displays the command prompt Ctrl E Shifts cursor to end of command line Ctrl F Shifts cursor to the right one character Ctrl K Deletes all characters from the cursor to the end of the line Ctrl L Repeats current command line on a new line Ctrl N Enters the next command line in the history buffer Ctrl P Enters ...

Page 311: ...on access using local or remote authentication also configures port security and IEEE 802 1X port access control 4 91 Access Control List Provides filtering for IP frames based on address protocol TCP UDP port number or TCP control code or non IP frames based on MAC address or Ethernet type 4 113 SNMP Activates authentication failure traps configures community access strings and trap managers also...

Page 312: ... settings and defines port membership for VLAN groups also enables or configures private VLANs 4 196 GVRP and Bridge Extension Configures GVRP settings that permit automatic VLAN learning shows the configuration for the bridge extension MIB 4 214 Priority Sets port priority for untagged frames selects strict priority or weighted round robin relative weight for each priority queue also sets priorit...

Page 313: ...COMMAND GROUPS 4 13 PE Privileged Exec VC VLAN Database Configuration ...

Page 314: ...eout Sets the interval that the command interpreter waits until user input is detected LC 4 19 password thresh Sets the password intrusion threshold which limits the number of failed logon attempts LC 4 20 silent time These commands only apply to the serial port Sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set ...

Page 315: ...efault Setting There is no default line Command Mode Global Configuration Command Usage Telnet is considered a virtual terminal connection and will be shown as Vty in screen displays such as show users However the serial communication parameters e g databits do not affect Telnet connections Example To enter console line mode enter the following command Related Commands show line 4 25 show users 4 ...

Page 316: ...ified by the password line configuration command When using this method the management interface starts in Normal Exec NE mode login local selects authentication via the user name and password specified by the username command i e default setting When using this method the management interface starts in Normal Exec NE or Privileged Exec PE mode depending on the user s privilege level 0 or 15 respe...

Page 317: ...on is started on a line with password protection the system prompts for the password If you enter the correct password the system shows a prompt You can use the password thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state The encrypted password is required for compatibility with...

Page 318: ... Default Setting CLI Disabled 0 seconds Telnet 600 seconds Command Mode Line Configuration Command Usage If a login attempt is not detected within the timeout interval the connection is terminated for the session This command applies to both the local console and Telnet connections The timeout for Telnet cannot be disabled Using the command without specifying a timeout restores the default setting...

Page 319: ...g CLI No timeout Telnet 10 minutes Command Mode Line Configuration Command Usage If user input is detected within the timeout interval the session is kept open otherwise the session is terminated This command applies to both the local console and Telnet connections The timeout for Telnet cannot be disabled Using the command without specifying a timeout restores the default setting Example To set t...

Page 320: ...empts Command Mode Line Configuration Command Usage When the logon attempt threshold is reached the system interface becomes silent for a specified amount of time before allowing the next logon attempt Use the silent time command to set this interval When this threshold is reached for Telnet the Telnet logon interface shuts down This command applies to both the local console and Telnet connections...

Page 321: ...nsole response Range 0 65535 0 no silent time Default Setting The default value is no silent time Command Mode Line Configuration Example To set the silent time to 60 seconds enter this command Related Commands password thresh 4 20 databits This command sets the number of data bits per character that are interpreted and generated by the console port Use the no form to restore the default value Syn...

Page 322: ...fy 7 data bits per character If no parity is required specify 8 data bits per character Example To specify 7 data bits enter this command Related Commands parity 4 22 parity This command defines the generation of a parity bit Use the no form to restore the default setting Syntax parity none even odd no parity none No parity even Even parity odd Odd parity Default Setting No parity Command Mode Lin...

Page 323: ...d bps no speed bps Baud rate in bits per second Options 9600 19200 38400 57600 115200 bps or auto Default Setting auto Command Mode Line Configuration Command Usage Set the speed to match the baud rate of the device connected to the serial port Some baud rates available on devices connected to the port might not be supported The system indicates if the speed you selected is not supported If you se...

Page 324: ... stop bits Default Setting 1 stop bit Command Mode Line Configuration Example To specify 2 stop bits enter this command disconnect Use this command to terminate an SSH Telnet or console connection Syntax disconnect session id session id The session identifier for an SSH Telnet or console connection Range 0 4 Command Mode Privileged Exec Console config line speed 57600 Console config line Console c...

Page 325: ...nnect an SSH or Telnet connection Example Related Commands show ssh 4 54 show users 4 81 show line This command displays the terminal line s parameters Syntax show line console vty console Console terminal line vty Virtual terminal for remote console access i e Telnet Default Setting Shows all lines Command Mode Normal Exec Privileged Exec Console disconnect 1 Console ...

Page 326: ...c Console Table 4 6 General Commands Command Function Mode Page enable Activates privileged mode NE 4 27 disable Returns to normal mode from privileged mode PE 4 28 configure Activates global configuration mode PE 4 28 show history Shows the command history buffer NE PE 4 29 reload Restarts the system PE 4 30 end Returns to Privileged Exec mode any config mode 4 30 exit Returns to the previous con...

Page 327: ...0 Normal Exec 15 Privileged Exec Enter level 15 to access Privileged Exec mode Default Setting Level 15 Command Mode Normal Exec Command Usage super is the default password required to change the command mode from Normal Exec to Privileged Exec To set this password see the enable password command on page 4 36 The character is appended to the end of the prompt to indicate that the system is in priv...

Page 328: ...and Usage The character is appended to the end of the prompt to indicate that the system is in normal access mode Example Related Commands enable 4 27 configure This command activates Global Configuration mode You must enter this mode to modify any settings on the switch You must also enter Global Configuration mode prior to enabling some of the other configuration modes including Interface Config...

Page 329: ... Command Usage The history buffer size is fixed at 10 Execution commands and 10 Configuration commands Example In this example the show history command lists the contents of the command history buffer Console configure Console config Console show history Execution command history 2 config 1 show history Configuration command history 4 interface vlan 1 3 exit 2 interface vlan 1 1 end Console ...

Page 330: ...ad This command restarts the system Note When the system is restarted it will always run the Power On Self Test It will also retain all configuration information stored in non volatile memory by the copy running config startup config command Default Setting None Command Mode Privileged Exec Command Usage This command resets the entire system Example This example shows how to reset the switch end T...

Page 331: ...mmand returns to the previous configuration mode or exit the configuration program Default Setting None Command Mode Any Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode and then quit the CLI session quit This command exits the configuration program Default Setting None Console config if end Console Console config exit Console exit Press ENTER...

Page 332: ...able 4 7 System Management Commands Command Group Function Page Device Designation Configures information that uniquely identifies this switch 4 33 User Access Configures the basic user names and passwords for management access 4 34 IP Filter Configures IP addresses that are allowed management access 4 37 Web Server Enables management access via a web browser 4 40 Telnet Server Enables management ...

Page 333: ...ration System Status Displays system configuration active managers and version information 4 76 Frame Size Enables support for jumbo frames 4 82 Table 4 8 Device Designation Commands Command Function Mode Page prompt Customizes the prompt used in PE and NE mode GC 4 33 hostname Specifies the host name for the switch GC 4 34 snmp server contact Sets the system contact string GC 4 127 snmp server lo...

Page 334: ...t access are listed in this section This switch also includes other options for password checking via the console or a Telnet connection page 4 14 user authentication via a remote authentication server page 4 91 and host access authentication for specific ports page 4 104 Console config prompt RD2 RD2 config Console config hostname RD 1 Console config Table 4 9 User Access Commands Command Functio...

Page 335: ...imum users 16 access level level Specifies the user level The device has two predefined privilege levels 0 Normal Exec 15 Privileged Exec nopassword No password is required for this user to log in 0 7 0 means plain password 7 means encrypted password password password The authentication password for the user Maximum length 8 characters plain text 32 encrypted case sensitive Default Setting The def...

Page 336: ...vileged Exec level from the Normal Exec level Use the no form to reset the default password Syntax enable password level level 0 7 password no enable password level level level level Level 15 for Privileged Exec Levels 0 14 are not used 0 7 0 means plain password 7 means encrypted password password password for this privilege level Maximum length 8 characters plain text 32 encrypted case sensitive...

Page 337: ...arious protocols Use the no form to restore the default setting Syntax no management all client http client snmp client telnet client start address end address all client Adds IP address es to the SNMP web and Telnet groups http client Adds IP address es to the web group snmp client Adds IP address es to the SNMP group telnet client Adds IP address es to the Telnet group start address A single IP ...

Page 338: ...ither individual addresses or address ranges When entering addresses for the same group i e SNMP web or Telnet the switch will not accept overlapping address ranges When entering addresses for different groups the switch will accept overlapping address ranges You cannot delete an individual address from a specified range You must delete the entire range and reenter the addresses You can delete an ...

Page 339: ...ress es to the web group snmp client Adds IP address es to the SNMP group telnet client Adds IP address es to the Telnet group Command Mode Privileged Exec Example Console show management all client Management Ip Filter Http Client Start ip address End ip address 1 192 168 1 19 192 168 1 19 2 192 168 1 25 192 168 1 30 Snmp Client Start ip address End ip address 1 192 168 1 19 192 168 1 19 2 192 16...

Page 340: ... Setting 80 Command Mode Global Configuration Example Related Commands ip http server 4 41 Table 4 12 Web Server Command Command Function Mode Page ip http port Specifies the port to be used by the web browser interface GC 4 40 ip http server Allows the switch to be monitored or configured from a browser GC 4 41 ip http secure server Enables HTTPS SSL for encrypted communications GC 4 41 ip http s...

Page 341: ...Configuration Example Related Commands ip http port 4 40 ip http secure server This command enables the secure hypertext transfer protocol HTTPS over the Secure Socket Layer SSL providing secure access i e an encrypted connection to the switch s web interface Use the no form to disable this function Syntax no ip http secure server Default Setting Enabled Command Mode Global Configuration Console c...

Page 342: ...ata The client and server establish a secure encrypted connection A padlock icon should appear in the status bar for Internet Explorer 5 x and Netscape Navigator 4 x or later versions The following web browsers and operating systems currently support HTTPS To specify a secure site certificate see Replacing the Default Secure site Certificate on page 3 76 Also refer to the copy command on page 4 84...

Page 343: ...rt_number The UDP port used for HTTPS SSL Range 1 65535 Default Setting 443 Command Mode Global Configuration Command Usage You cannot configure the HTTP and HTTPS servers to use the same port If you change the HTTPS port number clients attempting to connect to the HTTPS server must specify the port number in the URL in this format https device port_number Example Related Commands ip http secure s...

Page 344: ...rt This command specifies the TCP port number used by the Telnet interface Use the no form to use the default port Syntax no ip telnet port port number port number The TCP port to be used by the browser interface Range 1 65535 Table 4 14 Telnet Server Commands Command Function Mode Page ip telnet server Allows the switch to be monitored or configured from Telnet GC 4 44 ip telnet port Specifies th...

Page 345: ...er Berkley remote access tools SSH can also provide remote management access to this switch as a secure replacement for Telnet When a client contacts the switch via the SSH protocol the switch uses a public key that the client must match along with a local user name and password for access authentication SSH also encrypts all data transfers passing between the switch and SSH enabled management sta...

Page 346: ...he SSH server GC 4 49 ip ssh authentication retries Specifies the number of retries allowed by a client GC 4 50 ip ssh server key size Sets the SSH server key size GC 4 51 copy tftp public key Copies the user s public key from a TFTP server to the switch PE 4 84 delete public key Deletes the public key for the specified user PE 4 51 ip ssh crypto host key generate Generates the host key PE 4 52 ip...

Page 347: ...6782 59566410486957427888146206 519417467729848654686157177393901647793559423035774130980227370877945452408397 1752646358058176716709574804776117 3 Import Client s Public Key to the Switch Use the copy tftp public key command to copy a file containing the public key for all the SSH client s granted management access to the switch Note that these clients must be configured locally on the switch wit...

Page 348: ...itch uses the public key to encrypt a random sequence of bytes and sends this string to the client d The client uses its private key to decrypt the bytes and sends the decrypted bytes back to the switch e The switch compares the decrypted bytes to the original bytes it sent If the two sets match this means that the client s private key corresponds to an authorized public key and the client is auth...

Page 349: ...ES 56 bit or 3DES 168 bit for data encryption You must generate the host key before enabling the SSH server Example Related Commands ip ssh crypto host key generate 4 52 show ssh 4 54 ip ssh timeout This command configures the timeout for the SSH server Use the no form to restore the default setting Syntax ip ssh timeout seconds no ip ssh timeout seconds The timeout for client response during SSH ...

Page 350: ... ip ssh authentication retries This command configures the number of times the SSH server attempts to reauthenticate a user Use the no form to restore the default setting Syntax ip ssh authentication retries count no ip ssh authentication retries count The number of authentication attempts permitted after which the interface is reset Range 1 5 Default Setting 3 Command Mode Global Configuration Ex...

Page 351: ...ation Command Usage The server key is a private key that is never shared outside the switch The host key is shared with the SSH client and is fixed at 1024 bits Example delete public key This command deletes the specified user s public key Syntax delete public key username dsa rsa username Name of an SSH user Range 1 8 characters dsa DSA public key type rsa RSA public key type Default Setting Dele...

Page 352: ...AM Use the ip ssh save host key command to save the host key pair to flash memory Some SSH client programs automatically add the public key to the known hosts file as part of the configuration process Otherwise you must manually create a known hosts file and place the host public key in it The SSH server uses this host key to negotiate a session key and encryption method with the client trying to ...

Page 353: ...rs the host key from volatile memory RAM Use the no ip ssh save host key command to clear the host key from flash memory The SSH server must be disabled before you can execute this command Example Related Commands ip ssh crypto host key generate 4 52 ip ssh save host key 4 53 no ip ssh server 4 48 ip ssh save host key This command saves the host key from RAM to flash memory Syntax ip ssh save host...

Page 354: ...SSH server Command Mode Privileged Exec Example show ssh This command displays the current SSH server connections Command Mode Privileged Exec Example Console ip ssh save host key dsa Console Console show ip ssh SSH Enabled version 1 99 Negotiation timeout 120 secs Authentication retries 3 Server key size 768 bits Console Console show ssh Connection Version State Username Encryption 0 2 0 Session ...

Page 355: ... 3DES Options for SSHv2 0 can include different algorithms for the client to server ctos and server to client stoc aes128 cbc hmac sha1 aes192 cbc hmac sha1 aes256 cbc hmac sha1 3des cbc hmac sha1 blowfish cbc hmac sha1 aes128 cbc hmac md5 aes192 cbc hmac md5 aes256 cbc hmac md5 3des cbc hmac md5 blowfish cbc hmac md5 Terminology DES Data Encryption Standard 56 bit key 3DES Triple DES Uses three i...

Page 356: ... is the encoded modulus Example Console show public key host Host RSA 1024 65537 1568499540186766925933394677505461732531367489083654725415020245593 199868544358361651999923329781766065830958610825913212890233765468017262725714 134287629413011961955667825956641048695742788814620651941746772984865468615717 739390164779355942303577413098022737087794545240839717526463580581767167095748 04776117 DSA s...

Page 357: ...s that are stored Table 4 17 Event Logging Commands Command Function Mode Page logging on Controls logging of error messages GC 4 57 logging history Limits syslog messages saved to switch memory based on severity GC 4 58 logging host Adds a syslog server host IP address that will receive logging messages GC 4 59 logging facility Sets the facility type for remote logging of syslog messages GC 4 60 ...

Page 358: ...n power reset level One of the levels listed below Messages sent include the selected level down to level 0 Range 0 7 Console config logging on Console config Table 4 18 Logging Levels Level Severity Name Description 7 debugging Debugging messages 6 informational Informational messages only 5 notifications Normal but significant condition such as cold start 4 warnings Warning conditions e g return...

Page 359: ... server host IP address that will receive logging messages Use the no form to remove a syslog server host Syntax no logging host host_ip_address host_ip_address The IP address of a syslog server Default Setting None Command Mode Global Configuration 1 alerts Immediate action needed 0 emergencies System unusable Console config logging history ram 0 Console config Table 4 18 Logging Levels Continued...

Page 360: ... A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service Range 16 23 Default Setting 23 Command Mode Global Configuration Command Usage The command specifies the facility type tag sent in syslog messages See RFC 3164 This type has no effect on the kind of messages reported by the switch However it may be used by the syslog server to sort me...

Page 361: ... logging trap level One of the level arguments listed below Messages sent include the selected level up through level 0 Refer to the table on page 4 58 Default Setting Disabled Level 7 0 Command Mode Global Configuration Command Usage Using this command with a specified level enables remote logging and sets the minimum severity level to be saved Using this command without a specified level also en...

Page 362: ...s show log 4 64 show logging This command displays the configuration settings for logging messages to local switch memory to an SMTP event handler or to a remote syslog server Syntax show logging flash ram sendmail trap flash Displays settings for storing event messages in flash memory i e permanent memory ram Displays settings for storing event messages in temporary RAM i e memory flushed on powe...

Page 363: ...RAM level debugging Console Table 4 19 show logging flash ram display description Field Description Syslog logging Shows if system logging has been enabled via the logging on command History logging in FLASH The message level s reported based on the logging history command History logging in RAM The message level s reported based on the logging history command Console show logging trap Syslog logg...

Page 364: ...w logging trap display description Field Description Syslog logging Shows if system logging has been enabled via the logging on command REMOTELOG status Shows if remote logging has been enabled via the logging trap command REMOTELOG facility type The facility type for remote logging of syslog messages as specified in the logging facility command REMOTELOG level type The severity threshold for sysl...

Page 365: ...notification level 6 module 5 function 1 and event no 1 Console Table 4 21 SMTP Alert Commands Command Function Mode Page loggingsendmailhost Specifies SMTP servers that will be sent alert messages GC 4 66 logging sendmail level Sets the severity threshold used to trigger alert messages GC 4 67 logging sendmail source email Sets the email address used for From field of alert messages GC 4 67 loggi...

Page 366: ...and to specify each server To send email alerts the switch first opens a connection sends all the email alerts waiting in the queue one by one and finally closes the connection To open a connection the switch first selects the server that successfully sent mail during the last connection or the first server configured by this command If it fails to send mail the switch selects the next server in t...

Page 367: ...icates an event threshold All events at this level or higher will be sent to the configured email recipients For example using Level 7 will report all events from level 7 to level 0 Example This example will send email alerts for system errors from level 3 through 0 logging sendmail source email This command sets the email address used for the From field in alert messages Syntax logging sendmail s...

Page 368: ...of alert messages Use the no form to remove a recipient Syntax no logging sendmail destination email email address email address The source email address used in alert messages Range 1 41 characters Default Setting None Command Mode Global Configuration Command Usage You can specify up to five recipients for alert messages However you must enter a separate command to specify each recipient Example...

Page 369: ...ration Example show logging sendmail This command displays the settings for the SMTP event handler Command Mode Normal Exec Privileged Exec Example Console config logging sendmail Console config Console show logging sendmail SMTP servers 192 168 1 19 SMTP minimum severity level 7 SMTP destination email addresses ted this company com SMTP source email address bill this company com SMTP status Enabl...

Page 370: ...ervers specified with the sntp servers command Use the no form to disable SNTP client requests Syntax no sntp client Default Setting Disabled Command Mode Global Configuration Table 4 22 Time Commands Command Function Mode Page sntp client Accepts time from specified time servers GC 4 70 sntp server Specifies one or more time servers GC 4 70 sntp poll Sets the interval at which the client polls fo...

Page 371: ...Related Commands sntp client 4 70 sntp poll 4 72 show sntp 4 73 sntp server This command sets the IP address of the servers to which SNTP time requests are issued Use the this command with no arguments to clear all time servers from the current list Syntax sntp server ip1 ip2 ip3 ip IP address of an time server NTP or SNTP Range 1 3 addresses Default Setting None Console config sntp server 10 1 0 ...

Page 372: ...on the interval set via the sntp poll command Example Related Commands Related Commands 4 71 sntp poll 4 72 show sntp 4 73 sntp poll This command sets the interval between sending time requests when the switch is set to SNTP client mode Use the no form to restore to the default Syntax sntp poll seconds no sntp poll seconds Interval between time requests Range 16 16384 seconds Default Setting 16 se...

Page 373: ...xample clock timezone This command sets the time zone for the switch s internal clock Syntax clock timezone name hour hours minute minutes before utc after utc name Name of timezone usually an acronym Range 1 29 characters hours Number of hours before after UTC Range 1 13 hours minutes Number of minutes before after UTC Range 0 59 minutes before utc Sets the local time zone before east of UTC afte...

Page 374: ... after of UTC Example Related Commands show sntp 4 73 calendar set This command sets the system clock It may be used if there is no time server on your network or if you have not configured the switch to receive signals from a time server Syntax calendar set hour min sec day month year month day year hour Hour in 24 hour format Range 0 23 min Minute Range 0 59 sec Second Range 0 59 day Day of mont...

Page 375: ...mple shows how to set the system clock to 15 12 34 February 1st 2002 show calendar This command displays the system clock Default Setting None Command Mode Normal Exec Privileged Exec Example Console calendar set 15 12 34 1 February 2002 Console Console show calendar 15 12 34 February 1 2002 Console ...

Page 376: ... group is separated by symbols and includes the configuration mode command and corresponding commands This command displays the following information SNMP community strings Users names and access levels VLAN database VLAN ID name and state VLAN configuration settings for each interface Table 4 23 System Status Commands Command Function Mode Page show running config Displays the configuration data ...

Page 377: ...se Default Setting None Command Mode Privileged Exec Command Usage Console show startup config building startup config please wait username admin access level 15 username admin password 0 admin username guest access level 0 username guest password 0 guest enable password level 15 0 super snmp server community public ro snmp server community private rw vlan database vlan 1 name DefaultVlan media et...

Page 378: ... modes Each mode group is separated by symbols and includes the configuration mode command and corresponding commands This command displays the following information SNMP community strings Users names access levels and encrypted passwords VLAN database VLAN ID name and state VLAN configuration settings for each interface IP address configured for the switch Spanning tree settings Any configured se...

Page 379: ...r community private rw username admin access level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca vlan database vlan 1 name DefaultVlan media ethernet state active interface ethernet 1 1 switchport allowed vlan add 1 untagged switchport...

Page 380: ... for assistance Example Console show system System description SMC Networks SMC6128L2 System OID string 1 3 6 1 4 1 259 6 10 94 System Information System Up Time 0 days 0 hours 7 minutes and 22 65 seconds System Name NONE System Location NONE System Contact NONE MAC Address Unit1 00 00 35 28 00 03 Web Server Enabled Web Server Port 80 Web Secure Server Enabled Web Secure Server Port 443 Telnet Ser...

Page 381: ... i e session index number Example show version This command displays hardware and software version information for the system Default Setting None Console show users Username accounts Username Privilege Public Key admin 15 None guest 0 None steve 15 RSA Online users Line Username Idle time h m s Remote IP addr 0 console admin 0 14 14 1 VTY 0 admin 0 00 00 192 168 1 19 2 SSH 1 steve 0 00 06 192 168...

Page 382: ...upport for jumbo frames Use the no form to disable it Syntax no jumbo frame Default Setting Disabled Console show version Unit 1 Serial Number Hardware Version EPLD Version 0 01 Number of Ports 28 Main Power Status Up Redundant Power Status Not present Agent Master Unit ID 1 Loader Version 1 0 0 0 Boot ROM Version 1 0 0 3 Operation Code Version 1 0 0 8 Console Table 4 24 Frame Size Commands Comman...

Page 383: ...tination end nodes such as a computer or server must support this feature Also when the connection is operating at full duplex all switches in the network between the two end nodes must be able to accept the extended frame size And for half duplex connections all devices in the collision domain would need to support jumbo frames Enabling jumbo frames will limit the maximum threshold for broadcast ...

Page 384: ... config file startup config tftp copy startup config file running config tftp copy tftp file running config startup config https certificate public key copy unit file file Keyword that allows you to copy to from a file running config Keyword that allows you to copy to from the current running configuration startup config The configuration used for system initialization tftp Keyword that allows you...

Page 385: ...ch Valid characters A Z a z 0 9 _ Due to the size limit of the flash memory the switch supports only two operation code files The maximum number of user defined configuration files depends on available memory You can use Factory_Default_Config cfg as the source to copy from the factory default configuration file but you cannot use it as the destination To replace the startup configuration you must...

Page 386: ...e file name startup TFTP server ip address 10 1 0 99 Destination file name startup 01 TFTP completed Success Console Console copy running config file destination file name startup Write to FLASH Programming Write to FLASH finish Success Console Console copy tftp startup config TFTP server ip address 10 1 0 99 Source configuration file name startup 01 Startup configuration file name startup Write t...

Page 387: ...iguration file or image name unit Stack unit Range 1 8 Default Setting None Command Mode Privileged Exec Command Usage If the file type is used for system startup then this file cannot be deleted Factory_Default_Config cfg cannot be deleted A colon is required after the specified unit number Console copy tftp public key TFTP server IP address 192 168 1 19 Choose public key type 1 RSA 2 DSA 1 2 1 S...

Page 388: ...ax dir unit boot rom config opcode filename The type of file or image to display includes boot rom Boot ROM or diagnostic image file config Switch configuration file opcode Run time operation code image file filename Name of the file or image If this file exists but contains errors information on this file cannot be shown unit Stack unit Range 1 8 Default Setting None Command Mode Privileged Exec ...

Page 389: ...hboot unit unit Stack unit Range 1 8 Default Setting None Table 4 26 File Directory Information Column Heading Description file name The name of the file file type File types Boot Rom Operation Code and Config file startup Shows if this file is used when the system is started size The length of the file in bytes Console dir file name file type startup size byte Unit1 diag_0060 Boot Rom image Y 111...

Page 390: ...pe of file or image to set as a default includes boot rom Boot ROM config Configuration file opcode Run time operation code filename Name of the configuration file or image name unit Stack unit Range 1 8 The colon is required Default Setting None Command Mode Global Configuration Command Usage A colon is required after the specified file type If the file contains an error it cannot be set as the d...

Page 391: ...ommand Group Function Page Authentication Sequence Defines logon authentication method and precedence 4 91 RADIUS Client Configures settings for authentication via a RADIUS server 4 94 TACACS Client Configures settings for authentication via a TACACS server 4 99 Port Security Configures secure addresses for a port 4 101 Port Authentication Configures host authentication on specific ports using 802...

Page 392: ...ts only the password in the access request packet from the client to the server while TACACS encrypts the entire body of the packet RADIUS and TACACS logon authentication assigns a specific privilege level for each user name and password pair The user name password and privilege level must be configured on the authentication server You can specify three authentication methods in a single command t...

Page 393: ...IUS server password only tacacs Use TACACS server password Default Setting Local Command Mode Global Configuration Command Usage RADIUS uses UDP while TACACS uses TCP UDP only offers best effort delivery while TCP offers a connection oriented transport Also note that RADIUS encrypts only the password in the access request packet from the client to the server while TACACS encrypts the entire body o...

Page 394: ...entication protocol that uses software running on a central server to control access to RADIUS aware devices on the network An authentication server contains a database of multiple user name password pairs with associated privilege levels for each user or group that require management access to a switch Console config authentication enable radius Console config Table 4 29 RADIUS Client Commands Co...

Page 395: ...nce until a server responds or the retransmit period expires host_ip_address IP address of server host_alias Symbolic name of server Maximum length 20 characters port_number RADIUS server UDP port used for authentication messages Range 1 65535 timeout Number of seconds the switch waits for a reply before resending a request Range 1 65535 retransmit Number of times the switch will try to authentica...

Page 396: ...1812 Command Mode Global Configuration Example radius server key This command sets the RADIUS encryption key Use the no form to restore the default Syntax radius server key key_string no radius server key key_string Encryption key used to authenticate logon access for client Do not use blank spaces in the string Maximum length 20 characters Console config radius server 1 host 192 168 1 20 port 181...

Page 397: ...tore the default Syntax radius server retransmit number_of_retries no radius server retransmit number_of_retries Number of times the switch will try to authenticate logon access via the RADIUS server Range 1 30 Default Setting 2 Command Mode Global Configuration Example Console config radius server key green Console config Console config radius server retransmit 5 Console config ...

Page 398: ...tch waits for a reply before resending a request Range 1 65535 Default Setting 5 Command Mode Global Configuration Example show radius server This command displays the current settings for the RADIUS server Default Setting None Command Mode Privileged Exec Example Console config radius server timeout 10 Console config Console show radius server Remote RADIUS server configuration Global settings Co...

Page 399: ...r host This command specifies the TACACS server Use the no form to restore the default Syntax tacacs server host host_ip_address no tacacs server host host_ip_address IP address of a TACACS server Default Setting 10 11 12 13 Command Mode Global Configuration Example Table 4 30 TACACS Client Commands Command Function Mode Page tacacs server host Specifies the TACACS server GC 4 99 tacacs server por...

Page 400: ...1 65535 Default Setting 49 Command Mode Global Configuration Example tacacs server key This command sets the TACACS encryption key Use the no form to restore the default Syntax tacacs server key key_string no tacacs server key key_string Encryption key used to authenticate logon access for the client Do not use blank spaces in the string Maximum length 20 characters Default Setting None Command Mo...

Page 401: ...ready stored in the dynamic or static address table for this port will be authorized to access the network The port will drop any incoming frames with a source MAC address that is unknown or has been previously learned from another port If a device with an unauthorized MAC address attempts to use the switch port the intrusion will be detected and the switch can automatically take action by disabli...

Page 402: ...ake when port security is violated shutdown Disable port only trap Issue SNMP trap message only trap and shutdown Issue SNMP trap message and disable port max mac count address count The maximum number of MAC addresses that can be learned on a port Range 0 1024 where 0 means disabled Default Setting Status Disabled Action None Maximum Addresses 0 Command Mode Interface Configuration Ethernet Table...

Page 403: ...set the maximum number of addresses to the default You can also manually add secure addresses with the mac address table static command A secure port has the following restrictions Cannot use port monitoring Cannot be a multi VLAN port Cannot be connected to a network interconnection device Cannot be a trunk port If a port is disabled due to a security violation it must be manually re enabled usin...

Page 404: ...t identity packet to the client before it times out the authentication session IC 4 106 dot1x port control Sets dot1x mode for a port interface IC 4 106 dot1x operation mode Allows single or multiple hosts on a dot1x port IC 4 107 dot1x re authenticate Forces re authentication on specific ports PE 4 108 dot1x re authentication Enables re authentication for all ports IC 4 108 dot1x timeout quiet pe...

Page 405: ...t Syntax no dot1x system auth control Default Setting Disabled Command Mode Global Configuration Example dot1x default This command sets all configurable dot1x global and port settings to their default values Syntax dot1x default Command Mode Global Configuration Example Console config dot1x system auth control Console config Console config dot1x default Console config ...

Page 406: ...control This command sets the dot1x mode on a port interface Use the no form to restore the default Syntax dot1x port control auto force authorized force unauthorized no dot1x port control auto Requires a dot1x aware connected client to be authorized by the RADIUS server Clients that are not dot1x aware will be denied access force authorized Configures the port to grant access to all clients eithe...

Page 407: ...ingle host Allows only a single host to connect to this port multi host Allows multiple host to connect to this port max count Keyword for the maximum number of hosts count The maximum number of hosts that can connect to a port Range 1 1024 Default 5 Default Single host Command Mode Interface Configuration Command Usage The max count parameter specified by this command is only effective if the dot...

Page 408: ...unit Always unit 1 port Port number Range 1 28 Command Mode Privileged Exec Example dot1x re authentication This command enables periodic re authentication globally for all ports Use the no form to disable re authentication Syntax no dot1x re authentication Command Mode Interface Configuration Example Console config interface eth 1 2 Console config if dot1x operation mode multi host max count 10 C...

Page 409: ...od seconds The number of seconds Range 1 65535 Default 60 seconds Command Mode Interface Configuration Example dot1x timeout re authperiod This command sets the time period after which a connected client must be re authenticated Syntax dot1x timeout re authperiod seconds no dot1x timeout re authperiod seconds The number of seconds Range 1 65535 Default 3600 seconds Command Mode Interface Configura...

Page 410: ... seconds Command Mode Interface Configuration Example show dot1x This command shows general port authentication related settings on the switch or a specific interface Syntax show dot1x statistics interface interface statistics Displays dot1x status for each port interface ethernet unit port unit Stack unit Always unit 1 port Port number Range 1 28 Console config interface eth 1 2 Console config if...

Page 411: ...thenticated page 4 109 quiet period Time a port waits after Max Request Count is exceeded before attempting to acquire a new client page 4 109 tx period Time a port waits during authentication session before re transmitting EAP packet page 4 110 supplicant timeout Supplicant timeout server timeout Server timeout reauth max Maximum number of reauthentication attempts max req Maximum number of times...

Page 412: ... Reauthentication State Machine State Current state including initialize reauthenticate Example Console show dot1x Global 802 1X Parameters system auth control enable 802 1X Port Summary Port Name Status Operation Mode Mode Authorized 1 1 disabled Single Host ForceAuthorized n a 1 2 disabled Single Host ForceAuthorized n a 1 25 disabled Single Host ForceAuthorized yes 1 26 enabled Single Host Auto...

Page 413: ...L one by one A packet will be accepted as soon as it matches a permit rule or dropped as soon as it matches a deny rule If no rules match for a list of all permit rules the packet is dropped and if no rules match for a list of all deny rules the packet is accepted There are three filtering modes Standard IP ACL mode STD ACL filters packets based on the source IP address Extended IP ACL mode EXT AC...

Page 414: ...atched the implicit default is permit all IP ACLs Table 4 33 Access Control List Commands Command Groups Function Page IP ACLs Configure ACLs based on IP addresses TCP UDP port number protocol type and TCP control code 4 114 ACL Information Display ACLs and associated rules shows ACLs assigned to each port 4 122 Table 4 34 IP ACL Commands Command Function Mode Page access list ip Creates an IP ACL...

Page 415: ...aracters Default Setting None Command Mode Global Configuration Command Usage An egress ACL must contain all deny rules When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to show ip access list Displays the rules for configured IP ACLs PE 4 118 ip access group Adds a port to an IP ACL IC 4 119 show ip access group Shows port as...

Page 416: ... rule sets a filter condition for packets emanating from the specified source Use the no form to remove a rule Syntax no permit deny any source bitmask host source any Any source IP address source Source IP address bitmask Decimal number representing the address bits to match host Keyword followed by a specific IP address Default Setting None Command Mode Standard ACL Command Usage New rules are a...

Page 417: ...ination IP addresses protocol types source or destination protocol ports or TCP control codes Use the no form to remove a rule Syntax no permit deny protocol number udp any source address bitmask host source any destination address bitmask host destination source port sport end destination port dport end no permit deny tcp any source address bitmask host source any destination address bitmask host...

Page 418: ... for each IP packet entering the port s to which this ACL has been assigned Example This example accepts any incoming packets if the source address is within subnet 10 7 1 x For example if the rule is matched i e the rule 10 7 1 0 255 255 255 0 equals the masked address 10 7 1 2 255 255 255 0 the packet passes through This allows TCP packets from class C addresses 192 168 1 0 to any destination ad...

Page 419: ...oup This command binds a port to an IP ACL Use the no form to remove the port Syntax no ip access group acl_name in out acl_name Name of the ACL Maximum length 16 characters in Indicates that this list applies to ingress packets out Indicates that this list applies to egress packets Default Setting None Command Mode Interface Configuration Ethernet Command Usage A port can only be bound to one ACL...

Page 420: ...mands ip access group 4 119 map access list ip This command sets the output queue for packets matching an ACL rule The specified CoS value is only used to map the matching packet to an output queue it is not written to the packet itself Use the no form to remove the CoS mapping Syntax no map access list ip acl_name cos cos value acl_name Name of the ACL Maximum length 16 characters cos value CoS v...

Page 421: ...ee queue cos map on 4 223 Example Related Commands queue cos map 4 223 show map access list ip 4 121 show map access list ip This command shows the CoS value mapped to an IP ACL for the current interface The CoS value determines the output queue for packets matching an ACL rule Syntax show map access list ip interface interface ethernet unit port unit Stack unit Always unit 1 Table 4 35 Egress Que...

Page 422: ... Command Mode Privileged Exec Command Usage Once the ACL is bound to an interface i e the ACL is active the order in which the rules are displayed is determined by the associated mask Console show map access list ip Access list to COS of Eth 1 24 Access list ALS1 cos 0 Console Table 4 36 ACL Information Command Function Mode Page show access list Shows all ACLs and associated rules PE 4 122 show a...

Page 423: ... specify read and write access views for the MIB tree configure SNMP user groups with the required security model i e SNMP Console show access list IP standard access list david permit host 10 1 1 21 permit 168 92 0 0 0 0 15 255 IP extended access list bob permit 10 7 1 1 255 255 255 0 any permit 192 168 1 0 255 255 255 0 any destination port 80 80 permit 192 168 1 0 255 255 255 0 any protocol tcp...

Page 424: ...em contact string GC 4 127 snmp server location Sets the system location string GC 4 128 snmp server host Specifies the recipient of an SNMP notification operation GC 4 129 snmp server enable traps Enables the device to send SNMP traps i e SNMP notifications GC 4 132 snmp server engine id Sets the SNMPv3 engine ID GC 4 133 show snmp engine id Shows the SNMPv3 engine ID PE 4 134 snmp server view Ad...

Page 425: ...nfiguration Example show snmp This command can be used to check the status of SNMP communications Default Setting None Command Mode Normal Exec Privileged Exec Command Usage This command provides information on the community access strings counter information for SNMP input and output protocol data units and whether or not SNMP logging has been enabled with the snmp server enable traps command Con...

Page 426: ...ead only 0 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors 0 Number of requested variables 0 Number of altered variables 0 Get request PDUs 0 Get next PDUs 0 Set request PDUs 0 SNMP packets output 0 Too big errors 0 No such name errors 0 Bad values errors 0 General errors 0 Response PDUs 0 Trap PDUs SNMP loggin...

Page 427: ...stations are only able to retrieve MIB objects rw Specifies read write access Authorized management stations are able to both retrieve and modify MIB objects Default Setting public Read only access Authorized management stations are only able to retrieve MIB objects private Read write access Authorized management stations are able to both retrieve and modify MIB objects Command Mode Global Configu...

Page 428: ...on This command sets the system location string Use the no form to remove the location string Syntax snmp server location text no snmp server location text String that describes the system location Maximum length 255 characters Default Setting None Command Mode Global Configuration Example Related Commands snmp server contact 4 127 Console config snmp server contact Paul Console config Console con...

Page 429: ...eceipt Range 0 255 Default 3 seconds The number of seconds to wait for an acknowledgment before resending an inform message Range 0 2147483647 centiseconds Default 1500 centiseconds community string Password like community string sent with the notification operation to SNMP V1 and V2c hosts Although you can set this string using the snmp server host command by itself we recommend that you define t...

Page 430: ... least one snmp server enable traps command and the snmp server host command for that host must be enabled Some notification types cannot be controlled with the snmp server enable traps command For example some notification types are always enabled Notifications are issued by the switch as trap messages by default The recipient of a trap message does not send a response to the switch Traps are the...

Page 431: ...hat includes the required notify view page 4 137 6 Specify a remote engine ID where the user resides page 4 133 7 Then configure a remote user page 4 140 The switch can send SNMP version 1 2c or 3 notifications to a host IP address depending on the SNMP version that the management station supports If the snmp server host command does not specify the SNMP version the default is to send SNMP version...

Page 432: ...tion Command Usage If you do not enter an snmp server enable traps command no notifications controlled by this command are sent In order to configure this device to send SNMP notifications you must enter at least one snmp server enable traps command If you enter the command with no keywords both authentication and link up down notifications are enabled If you enter the command with a keyword only ...

Page 433: ...orm to restore the default Syntax snmp server engine id local remote ip address engineid string no snmp server engine id local remote address local Specifies the SNMP engine on this switch remote Specifies an SNMP engine on a remote device ip address The Internet address of the remote device engineid string String identifying the engine ID Range 1 26 hexadecimal characters Default Setting A unique...

Page 434: ... You therefore need to configure the remote agent s SNMP engine ID before you can send proxy requests or informs to it Trailing zeroes need not be entered to uniquely specify a engine ID In other words the value 1234 is equivalent to 1234 followed by 22 zeroes A local engine ID is automatically generated that is unique to the switch This is referred to as the default engine ID If the local engineI...

Page 435: ... an included view excluded Defines an excluded view Default Setting defaultview includes access to the entire MIB tree Console show snmp engine id Local SNMP engineID 8000002a8000000000e8666672 Local SNMP engineBoots 1 Remote SNMP engineID IP address 80000000030004e2b316c54321 192 168 1 19 Console Table 4 38 show snmp engine id display description Field Description Local SNMP engineID String ident...

Page 436: ...B 2 interfaces table ifDescr The wild card is used to select all the index values in this table This view includes the MIB 2 interfaces table and the mask selects all index entries show snmp view This command shows information on the SNMP views Command Mode Privileged Exec Console config snmp server view mib 2 1 3 6 1 2 1 included Console config Console config snmp server view ifEntry 2 1 3 6 1 2 ...

Page 437: ... with authentication and privacy See Simple Network Management Protocol on page 3 44 for further information about these authentication and encryption options Console show snmp view View Name mib 2 Subtree OID 1 2 2 3 6 2 1 View Type included Storage Type nonvolatile Row Status active View Name defaultview Subtree OID 1 View Type included Storage Type nonvolatile Row Status active Console Table 4 ...

Page 438: ... algorithm is used as specified in the snmp server user command When privacy is selected the DES 56 bit algorithm is used for data encryption For additional information on the notification messages supported by this switch see Supported Notification Messages on page 3 61 Also note that the authentication link up and link down messages are legacy traps and must therefore be enabled in conjunction w...

Page 439: ...aultview Write View none Notify View none Storage Type volatile Row Status active Group Name private Security Model v1 Read View defaultview Write View defaultview Notify View none Storage Type volatile Row Status active Group Name private Security Model v2c Read View defaultview Write View defaultview Notify View none Storage Type volatile Row Status active Console Table 4 40 show snmp group disp...

Page 440: ... ip address The Internet address of the remote device v1 v2c v3 Use SNMP version 1 2c or 3 encrypted Accepts the password as encrypted input auth Uses SNMPv3 with authentication md5 sha Uses MD5 or SHA authentication auth password Authentication password Enter as plain text if the encrypted option is not used Otherwise enter an encrypted password A minimum of eight characters is required priv des5...

Page 441: ... device where the user resides The remote agent s SNMP engine ID is used to compute authentication privacy digests from the user s password If the remote engine ID is not first configured the snmp server user command specifying a remote user will fail SNMP passwords are localized using the engine ID of the authoritative agent For informs the authoritative SNMP agent is the remote agent You therefo...

Page 442: ... Name mark Authentication Protocol mdt Privacy Protocol des56 Storage Type nonvolatile Row Status active Console Table 4 41 show snmp user display description Field Description EngineId String identifying the engine ID User Name Name of user connecting to the SNMP agent Authentication Protocol The authentication protocol used with SNMPv3 Privacy Protocol The privacy protocol used with SNMPv3 Stora...

Page 443: ...rface when autonegotiation is disabled IC 4 145 negotiation Enables autonegotiation of a given interface IC 4 146 capabilities Advertises the capabilities of a given interface for use in autonegotiation IC 4 147 flowcontrol Enables flow control on a given interface IC 4 148 shutdown Disables an interface IC 4 149 clear counters Clears statistics on an interface PE 4 150 show interfaces status Disp...

Page 444: ...28 port channel channel id Range 1 8 vlan vlan id Range 1 4093 Default Setting None Command Mode Global Configuration Example To specify port 24 enter the following command description This command adds a description to an interface Use the no form to remove the description Syntax description string no description string Comment or a description to help you remember what is attached to this interf...

Page 445: ...ll duplex operation 100half Forces 100 Mbps half duplex operation 10full Forces 10 Mbps full duplex operation 10half Forces 10 Mbps half duplex operation Default Setting Auto negotiation is enabled by default When auto negotiation is disabled the default speed duplex setting is 1000full for Gigabit Ethernet ports Command Mode Interface Configuration Ethernet Port Channel Command Usage To force ope...

Page 446: ... for a given interface Use the no form to disable autonegotiation Syntax no negotiation Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage When auto negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command When auto negotiation is disabled you must manually specify the link attributes with the spee...

Page 447: ...n 100full Supports 100 Mbps full duplex operation 100half Supports 100 Mbps half duplex operation 10full Supports 10 Mbps full duplex operation 10half Supports 10 Mbps half duplex operation flowcontrol Supports flow control symmetric Gigabit only When specified the port transmits and receives pause frames when not specified the port will auto negotiate to determine the sender and receiver for asym...

Page 448: ...peed duplex 4 145 flowcontrol 4 148 flowcontrol This command enables flow control Use the no form to disable flow control Syntax no flowcontrol Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage Flow control can eliminate frame loss by blocking traffic from end stations or segments connected directly to the switch when its buffers fill When enabled bac...

Page 449: ...l on a port connected to a hub unless it is actually required to solve a problem Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub Example The following example enables flow control on port 5 Related Commands negotiation 4 146 capabilities flowcontrol symmetric 4 147 shutdown This command disables an interface To restart a disabled interfac...

Page 450: ...nterface interface ethernet unit port unit Stack unit Always unit 1 port Port number Range 1 28 port channel channel id Range 1 8 Default Setting None Command Mode Privileged Exec Command Usage Statistics are only initialized for a power reset This command sets the base value for displayed statistics to zero for the current management session However if you log out and back into the management int...

Page 451: ...k unit Always unit 1 port Port number Range 1 28 port channel channel id Range 1 8 vlan vlan id Range 1 4093 Default Setting Shows the status for all interfaces Command Mode Normal Exec Privileged Exec Command Usage If no interface is specified information on all interfaces is displayed For a description of the items displayed by this command see Displaying Connection Status on page 3 108 Console ...

Page 452: ...s ethernet 1 5 Information of Eth 1 5 Basic information Port type 1000T Mac address 00 30 F1 D4 73 A5 Configuration Name Port admin Up Speed duplex Auto Capabilities 10half 10full 100half 100full 1000full Broadcast storm Enabled Broadcast storm limit 500 packets second Flow control Disabled LACP Disabled Port security Disabled Max MAC count 0 Port security action None Media type None Current statu...

Page 453: ...064 Broadcast input 262 Broadcast output 1 Ether like stats Alignment errors 0 FCS errors 0 Single Collision frames 0 Multiple collision frames 0 SQE Test errors 0 Deferred transmissions 0 Late collisions 0 Excessive collisions 0 Internal mac transmit errors 0 Internal mac receive errors 0 Frame too longs 0 Carrier sense errors 0 Symbol errors 0 RMON stats Drop events 0 Octets 227208 Packets 3338 ...

Page 454: ...ged Exec Command Usage If no interface is specified information on all interfaces is displayed Example This example shows the configuration setting for port 24 Console show interfaces switchport ethernet 1 24 Broadcast threshold Enabled 500 packets second LACP status Enabled Ingress rate limit disable Level 30 VLAN membership mode Hybrid Ingress rule Enabled Acceptable frame type All frames Native...

Page 455: ...enabled Acceptable frame type Shows if acceptable VLAN frames include all types or tagged frames only page 4 200 Native VLAN Indicates the default Port VLAN ID page 4 203 Priority for untagged traffic Indicates the default priority for untagged frames page 4 219 GVRP status Shows if GARP VLAN Registration Protocol is enabled or disabled page 4 216 Allowed VLAN Shows the VLANs this interface has jo...

Page 456: ...ng 500 packets per second Command Mode Global Configuration Command Usage When broadcast traffic exceeds the specified threshold packets above that threshold are dropped The specified threshold value applies to all ports on the switch Table 4 44 Broadcast Commands Command Function Mode Page broadcast packet rate Configures the global threshold level GC 4 156 switchport broadcast Enables broadcast ...

Page 457: ...broadcast storm control on an interface Use the no form to disable broadcast storm control on an interface Syntax no switchport broadcast Default Setting Enabled Command Mode Interface Configuration Example The following shows how to disable broadcast storm control on an interface Console config broadcast packet rate 600 Console config if no switchport broadcast ...

Page 458: ...rt unit Stack unit Always unit 1 port Port number Range 1 28 rx Mirror received packets tx Mirror transmitted packets both Mirror both received and transmitted packets Default Setting No mirror session is defined When enabled the default mirroring is for both received and transmitted packets Command Mode Interface Configuration Ethernet destination port Table 4 45 Mirror Port Commands Command Func...

Page 459: ...s must share the same destination port However you should avoid sending too much traffic to the destination port from multiple source ports Example The following example configures the switch to mirror all packets from port 6 to 11 show port monitor This command displays mirror information Syntax show port monitor interface interface ethernet unit port source port unit Stack unit Always unit 1 por...

Page 460: ...y the hardware to verify conformity Non conforming traffic is dropped conforming traffic is forwarded without any changes rate limit This command defines the rate limit for a specific interface Use this command without specifying a rate to restore the default rate Use the no form to restore the default status of disabled Syntax rate limit input rate no rate limit input Console config interface eth...

Page 461: ...61 input Input rate rate Percentage Default Setting 100 percent Command Mode Interface Configuration Ethernet Port Channel Example Console config interface ethernet 1 1 Console config if rate limit input 600 Console config if ...

Page 462: ...perating at full duplex Table 4 47 Link Aggregation Commands Command Function Mode Page Manual Configuration Commands interfaceport channel Configures a trunk and enters interface configuration mode for the trunk GC 4 144 channel group Adds a port to a trunk IC Ethernet 4 164 Dynamic Configuration Commands lacp Configures LACP for the current interface IC Ethernet 4 164 lacp system priority Config...

Page 463: ...channel STP VLAN and IGMP settings can only be made for the entire trunk via the specified port channel Dynamically Creating a Port Channel Ports assigned to a common port channel must meet the following criteria Ports must have the same LACP system priority Ports must have the same port admin key Ethernet Interface If the port channel admin key lacp admin key Port Channel is not set when a channe...

Page 464: ...ic trunks the switches must comply with the Cisco EtherChannel standard Use no channel group to remove a port group from a trunk Use no interfaces port channel to remove a trunk from the switch Example The following example creates trunk 1 and then adds port 11 lacp This command enables 802 3ad Link Aggregation Control Protocol LACP for the current interface Use the no form to disable it Syntax no...

Page 465: ...ormed with another switch using LACP will automatically be assigned the next available port channel ID If the target switch has also enabled LACP on the connected ports the trunk will be activated automatically If more than eight ports attached to the same target switch have LACP enabled the additional ports will be placed in standby mode and will only be enabled if one of the active links fails ...

Page 466: ...11 Console config if lacp Console config if exit Console config interface ethernet 1 12 Console config if lacp Console config if end Console show interfaces status port channel 1 Information of Trunk 1 Basic information Port type 1000T Mac address 00 30 F1 D4 73 A4 Configuration Name Port admin Up Speed duplex Auto Capabilities 10half 10full 100half 100full 1000full Flow control Disabled Port secu...

Page 467: ...ode Interface Configuration Ethernet Command Usage Port must be configured with the same system priority to join the same LAG System priority is combined with the switch s MAC address to form the LAG identifier This identifier is used to indicate a specific LAG during LACP negotiations with other systems Once the remote side of a link has been established LACP operational settings are already in u...

Page 468: ...m priority matches 2 the LACP port admin key matches and 3 the LACP port channel admin key matches if configured If the port channel admin key lacp admin key Port Channel is not set when a channel group is formed i e it has the null value of 0 this key is set to the same value as the port admin key lacp admin key Ethernet Interface used by the interfaces that joined the group Once the remote side ...

Page 469: ... Command Usage Ports are only allowed to join the same LAG if 1 the LACP system priority matches 2 the LACP port admin key matches and 3 the LACP port channel key matches if configured If the port channel admin key lacp admin key Port Channel is not set when a channel group is formed i e it has the null value of 0 this key is set to the same value as the port admin key lacp admin key Ethernet Inte...

Page 470: ...ates a higher effective priority If an active port link goes down the backup port with the highest priority is selected to replace the downed link However if two or more ports have the same LACP port priority the port with the lowest physical port number will be selected as the backup port Once the remote side of a link has been established LACP operational settings are already in use on that side...

Page 471: ...messages internal Configuration settings and operational state for local side neighbors Configuration settings and operational state for remote side sys id Summary of system priority and MAC address for all channel groups Default Setting Port Channel all Command Mode Privileged Exec Example Console show lacp 1 counters Channel group 1 Eth 1 2 LACPDUs Sent 10 LACPDUs Receive 5 Marker Sent 0 Marker ...

Page 472: ...s group MAC Address but do not carry the Slow Protocols Ethernet Type LACPDUs Illegal Pkts Number of frames that carry the Slow Protocols Ethernet Type value but contain a badly formed PDU or an illegal value of Protocol Subtype Console show lacp internal Channel group 1 Oper Key 3 Admin Key 0 Eth 1 2 LACPDUs Internal 30 sec LACP System Priority 32768 LACP Port Priority 32768 Admin Key 3 Oper Key ...

Page 473: ...administrative changes or changes in received protocol information Collecting Collection of incoming frames on this link is enabled i e collection is currently enabled and is not expected to be disabled in the absence of administrative changes or changes in received protocol information Synchronization The System considers this link to be IN_SYNC i e it has been allocated to the correct Link Aggre...

Page 474: ...igned by the user Partner Oper System ID LAG partner s system ID assigned by the LACP protocol Partner Admin Port Number Current administrative value of the port number for the protocol Partner Partner Oper Port Number Operational port number assigned to this aggregation port by the port s protocol partner Port Admin Priority Current administrative value of the port priority for the protocol partn...

Page 475: ...A0 10 32768 00 30 F1 D4 73 A0 11 32768 00 30 F1 D4 73 A0 12 32768 00 30 F1 D4 73 A0 Table 4 51 show lacp sysid display description Field Description Channel group A link aggregation group configured on this switch System Priority LACP system priority for this channel group System MAC Address System MAC address The LACP system priority and system MAC address are concatenated to form the LAG system ...

Page 476: ...k unit Always unit 1 port Port number Range 1 28 port channel channel id Range 1 8 vlan id VLAN ID Range 1 4093 action delete on reset Assignment lasts until the switch is reset permanent Assignment is permanent Default Setting No static addresses are defined The default mode is permanent Command Mode Global Configuration mac address table aging time Sets the aging time of the address table GC 4 1...

Page 477: ...ddress is seen on another interface the address will be ignored and will not be written to the address table A static address cannot be learned on another port until the address is removed with the no form of this command Example clear mac address table dynamic This command removes any learned entries from the forwarding database and clears the transmit and receive counts for any static or system ...

Page 478: ...e Command Mode Privileged Exec Command Usage The MAC Address Table contains the MAC addresses associated with each interface Note that the Type field may include the following types Learned Dynamic address entries Permanent Static entry Delete on reset Static entry to be deleted when system is reset The mask should be hexadecimal numbers representing an equivalent bit mask in the form xx xx xx xx ...

Page 479: ...aging time seconds Aging time Range 10 1000000 seconds 0 to disable aging Default Setting 300 seconds Command Mode Global Configuration Command Usage The aging time is used to age out dynamically learned forwarding information Example Console show mac address table Interface Mac Address Vlan Type Eth 1 1 00 00 00 00 00 17 1 Learned Eth 1 1 00 E0 29 94 34 DE 1 Delete on reset Console Console config...

Page 480: ...3 Spanning Tree Commands Command Function Mode Page spanning tree Enables the spanning tree protocol GC 4 181 spanning tree mode Configures STP or RSTP mode GC 4 182 spanning tree forward time Configures the spanning tree bridge forward time GC 4 183 spanning tree hello time Configures the spanning tree bridge hello time GC 4 184 spanning tree max age Configures the spanning tree bridge maximum ag...

Page 481: ...ee spanning disabled Disables spanning tree for an interface IC 4 188 spanning tree cost Configures the spanning tree path cost of an interface IC 4 188 spanning tree port priority Configures the spanning tree priority of an interface IC 4 189 spanning tree edge port Enables fast forwarding for edge ports IC 4 190 spanning tree portfast Sets an interface to fast forwarding IC 4 191 spanning tree l...

Page 482: ... Spanning Tree Protocol IEEE 802 1D rstp Rapid Spanning Tree Protocol IEEE 802 1w Default Setting rstp Command Mode Global Configuration Command Usage Spanning Tree Protocol Uses RSTP for the internal state machine but sends only 802 1D BPDUs This creates one spanning tree instance for the entire network If multiple VLANs are implemented on a network the path between specific VLAN members may be i...

Page 483: ...expires RSTP restarts the migration delay timer and begins using RSTP BPDUs on that port Example The following example configures the switch to use Rapid Spanning Tree spanning tree forward time This command configures the spanning tree bridge forward time globally for this switch Use the no form to restore the default Syntax spanning tree forward time seconds no spanning tree forward time seconds...

Page 484: ...ry data loops might result Example spanning tree hello time This command configures the spanning tree bridge hello time globally for this switch Use the no form to restore the default Syntax spanning tree hello time time no spanning tree hello time time Time in seconds Range 1 10 seconds The maximum value is the lower of 10 or max age 2 1 Default Setting 2 seconds Command Mode Global Configuration...

Page 485: ...Setting 20 seconds Command Mode Global Configuration Command Usage This command sets the maximum time in seconds a device can wait without receiving a configuration message before attempting to reconfigure All device ports except for designated ports should receive configuration messages at regular intervals Any port that ages out STA information provided in the last configuration message becomes ...

Page 486: ...ridge priority is used in selecting the root device root port and designated port The device with the highest priority becomes the STA root device However if all devices have the same priority the device with the lowest MAC address will then become the root device Example spanning tree pathcost method This command configures the path cost method used for Rapid Spanning Tree Use the no form to rest...

Page 487: ...ned to ports with slower media Note that path cost page 4 188 takes precedence over port priority page 4 189 Example spanning tree transmission limit This command configures the minimum interval between the transmission of consecutive RSTP BPDUs Use the no form to restore the default Syntax spanning tree transmission limit count no spanning tree transmission limit count The transmission limit in s...

Page 488: ...Channel Example spanning tree cost This command configures the spanning tree path cost for the specified interface Use the no form to restore the default Syntax spanning tree cost cost no spanning tree cost cost cost The path cost for the port Range 1 200 000 000 The recommended range is Ethernet 200 000 20 000 000 Fast Ethernet 20 000 2 000 000 Gigabit Ethernet 2 000 200 000 Console config spanni...

Page 489: ...o ports attached to faster media and higher values assigned to ports with slower media Path cost takes precedence over port priority When the spanning tree pathcost method page 4 186 is set to short the maximum value for path cost is 65 535 Example spanning tree port priority This command configures the priority for the specified interface Use the no form to restore the default Syntax spanning tre...

Page 490: ...anning tree edge port This command specifies an interface as an edge port Use the no form to restore the default Syntax no spanning tree edge port Default Setting Disabled Command Mode Interface Configuration Ethernet Port Channel Command Usage You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node Since end nodes cannot cause ...

Page 491: ...to disable fast forwarding Syntax no spanning tree portfast Default Setting Disabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This command is used to enable disable the fast spanning tree mode for the selected port In this mode ports skip the Discarding and Learning states and proceed straight to Forwarding Since end nodes cannot cause forwarding loops they can be p...

Page 492: ...orm to restore the default Syntax spanning tree link type auto point to point shared no spanning tree link type auto Automatically derived from the duplex mode setting point to point Point to point link shared Shared medium Default Setting auto Command Mode Interface Configuration Ethernet Port Channel Command Usage Specify a point to point link if the interface can only be connected to exactly on...

Page 493: ...lways unit 1 port Port number Range 1 28 port channel channel id Range 1 8 Command Mode Privileged Exec Command Usage If at any time the switch detects STP BPDUs including Configuration or Topology Change Notification BPDUs it will automatically set the selected interface to forced STP compatible mode However you can also use the spanning tree protocol migration command at any time to manually re ...

Page 494: ...e show spanning tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree CST and for every interface in the tree Use the show spanning tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree CST For a description of the items displayed under Spanning tree information see Configu...

Page 495: ... Current root cost 10000 Number of topology changes 1 Last topology changes time sec 21561 Transmission limit 3 Path Cost Method long Eth 1 1 information Admin status enabled Role root State forwarding External admin path cost 10000 Internal admin path cost 10000 External oper path cost 10000 Internal oper path cost 10000 Priority 128 Designated cost 0 Designated port 128 1 Designated root 32768 0...

Page 496: ...ly Default Setting None Table 4 54 VLAN Commands Command Groups Function Page Editing VLAN Groups Sets up VLAN groups including name VID and state 4 196 Configuring VLAN Interfaces Configures VLAN interface parameters including ingress and egress tagging mode ingress filtering PVID and GVRP 4 198 Displaying VLAN Information Displays VLAN groups status port members and MAC addresses 4 206 Configuri...

Page 497: ...y entering the show running config command Example Related Commands show vlan 4 206 vlan This command configures a VLAN Use the no form to restore the default settings or delete a VLAN Syntax vlan vlan id name vlan name media ethernet state active suspend no vlan vlan id name state vlan id ID of configured VLAN Range 1 4093 no leading zeroes name Keyword to be followed by the VLAN name vlan name A...

Page 498: ... name RD5 The VLAN is activated by default Related Commands show vlan 4 206 Configuring VLAN Interfaces Console config vlan database Console config vlan vlan 105 name RD5 media ethernet Console config vlan Table 4 56 Configuring VLAN Interfaces Command Function Mode Page interface vlan Enters interface configuration mode for a specified VLAN IC 4 199 switchport mode Configures VLAN membership mode...

Page 499: ...gn an IP address to the VLAN Related Commands shutdown 4 149 switchport native vlan Configures the PVID native VLAN of an interface IC 4 203 switchport allowed vlan Configures the VLANs associated with an interface IC 4 204 switchport gvrp Enables GVRP for an interface IC 4 216 switchport forbidden vlan Configures forbidden VLANs for an interface IC 4 205 switchport priority default Sets a port pr...

Page 500: ...with the PVID set to VLAN 1 Command Mode Interface Configuration Ethernet Port Channel Example The following shows how to set the configuration mode to port 1 and then set the switchport mode to hybrid Related Commands switchport acceptable frame types 4 200 switchport acceptable frame types This command configures the acceptable frame types for a port Use the no form to restore the default Syntax...

Page 501: ...sage When set to receive all frame types any received frames that are untagged are assigned to the default VLAN Example The following example shows how to restrict the traffic received on port 1 to tagged frames Related Commands switchport mode 4 200 Console config interface ethernet 1 1 Console config if switchport acceptable frame types tagged Console config if ...

Page 502: ...ngress filtering Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage Ingress filtering only affects tagged frames With ingress filtering enabled a port will discard received frames tagged for VLANs for it which it is not a member Ingress filtering does not affect VLAN independent BPDU frames such as GVRP or STA However they do affect VLAN dependent BPDU...

Page 503: ...l Command Usage Setting the native VLAN for a port can only be performed when the port is a member of the VLAN and the VLAN is untagged The no switchport native vlan command will set the native VLAN of the port to untagged VLAN 1 If acceptable frame types is set to all or switchport mode is set to hybrid the PVID will be inserted into all untagged frames entering the ingress port Example The follo...

Page 504: ...t List of VLAN identifiers to remove vlan list Separate nonconsecutive VLAN identifiers with a comma and no spaces use a hyphen to designate a range of IDs Do not enter leading zeros Range 1 4093 Default Setting All ports are assigned to VLAN 1 by default The default frame type is untagged Command Mode Interface Configuration Ethernet Port Channel Command Usage A port or a trunk with switchport mo...

Page 505: ...e following example shows how to add VLANs 1 2 5 and 6 to the allowed list as tagged VLANs for port 1 switchport forbidden vlan This command configures forbidden VLANs Use the no form to remove the list of forbidden VLANs Syntax switchport forbidden vlan add vlan list remove vlan list no switchport forbidden vlan add vlan list List of VLAN identifiers to add remove vlan list List of VLAN identifie...

Page 506: ...tax show vlan id vlan id name vlan name id Keyword to be followed by the VLAN ID vlan id ID of the configured VLAN Range 1 4093 no leading zeroes name Keyword to be followed by the VLAN name vlan name ASCII string from 1 to 32 characters Console config interface ethernet 1 1 Console config if switchport forbidden vlan add 3 Console config if Table 4 57 Displaying VLAN Information Command Function ...

Page 507: ...th any of the promiscuous ports in the associated primary VLAN In both cases the promiscuous ports are designed to provide open access to an external network such as the Internet while the community ports provide restricted access to local users Multiple primary VLANs can be configured on this switch and multiple community VLANs can be associated with each primary VLAN Note that private VLANs and ...

Page 508: ... secondary VLAN 5 Use the switchport private vlan mapping command to assign a port to a primary VLAN 6 Use the show vlan private vlan command to verify your configuration settings Table 4 58 Private VLAN Commands Command Function Mode Page Edit Private VLAN Groups private vlan Adds or deletes primary or community VLANs VC 4 209 private vlan association Associates a community VLAN with a primary VL...

Page 509: ...community VLANs and serves to channel traffic between community VLANs and other locations Default Setting None Command Mode VLAN Configuration Command Usage Private VLANs are used to restrict traffic to ports within the same community VLAN and channel traffic passing outside the community through promiscuous ports When using community VLANs they must be mapped to an associated primary VLAN that co...

Page 510: ...s secondary vlan id ID of secondary i e community VLAN Range 1 4093 no leading zeroes Default Setting None Command Mode VLAN Configuration Command Usage Secondary VLANs provide security for group members The associated primary VLAN provides a common interface for access to other network resources within the primary VLAN e g servers configured with promiscuous ports and to resources outside of the ...

Page 511: ...s Default Setting Normal VLAN Command Mode Interface Configuration Ethernet Port Channel Command Usage To assign a promiscuous port to a primary VLAN use the switchport private vlan mapping command To assign a host port to a community VLAN use the private vlan host association command Example switchport private vlan host association Use this command to associate an interface with a secondary VLAN ...

Page 512: ...ers but must communicate with resources outside of the group via promiscuous ports in the associated primary VLAN Example switchport private vlan mapping Use this command to map an interface to a primary VLAN Use the no form to remove this mapping Syntax switchport private vlan mapping primary vlan id no switchport private vlan mapping primary vlan id ID of primary VLAN Range 1 4093 no leading zer...

Page 513: ... show vlan private vlan mapping community primary community Displays all community VLANs along with their associated primary VLAN and assigned host interfaces primary Displays all primary VLANs along with any assigned promiscuous interfaces Default Setting None Command Mode Privileged Executive Example Console config interface ethernet 1 2 Console config if switchport private vlan mapping 2 Consol...

Page 514: ...or the switch Use the no form to disable it Syntax no bridge ext gvrp Default Setting Disabled Table 4 59 GVRP and Bridge Extension Commands Command Function Mode Page bridge ext gvrp Enables GVRP globally for the switch GC 4 214 show bridge ext Shows the global bridge extension configuration PE 4 215 switchport gvrp Enables GVRP for an interface IC 4 216 switchport forbidden vlan Configures forbi...

Page 515: ...ion for bridge extension commands Default Setting None Command Mode Privileged Exec Command Usage See Displaying Basic VLAN Information on page 4 165 and Displaying Bridge Extension Capabilities on page 4 17 for a description of the displayed items Example Console config bridge ext gvrp Console config Console show bridge ext Max support VLAN numbers 256 Max support VLAN ID 4093 Extended multicast ...

Page 516: ... GVRP is enabled Syntax show gvrp configuration interface interface ethernet unit port unit Stack unit Always unit 1 port Port number Range 1 28 port channel channel id Range 1 8 Default Setting Shows both global and interface specific configuration Command Mode Normal Exec Privileged Exec Example Console config interface ethernet 1 1 Console config if switchport gvrp Console config if Console sho...

Page 517: ... Mode Interface Configuration Ethernet Port Channel Command Usage Group Address Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN The default values for the GARP timers are independent of the media access method or data rate These values should not be changed unless you are experiencing difficulties with GMRP or GVRP...

Page 518: ...nit 1 port Port number Range 1 28 port channel channel id Range 1 8 Default Setting Shows all GARP timers Command Mode Normal Exec Privileged Exec Example Related Commands garp timer 4 217 Console config interface ethernet 1 1 Console config if garp timer join 100 Console config if Console show garp timer ethernet 1 1 Eth 1 1 GARP timer status Join timer 20 centiseconds Leave timer 60 centiseconds...

Page 519: ...mands Command Groups Function Page Priority Layer 2 Configures default priority for untagged frames sets queue weights and maps class of service tags to hardware queues 4 219 Priority Layer 3 and 4 Maps IP DSCP tags to class of service values 4 226 Table 4 61 Priority Commands Layer 2 Command Function Mode Page queue mode Sets the queue mode to strict priority or Weighted Round Robin WRR GC 4 220 ...

Page 520: ...e Global Configuration Command Usage You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced or use Weighted Round Robin WRR queuing that specifies a relative weight of each queue WRR uses a predefined relative weight for each queue that determines the percentage of service ti...

Page 521: ...mmand Usage The precedence for priority mapping is IP DSCP and default switchport priority The default priority applies for an untagged frame received on a port set to accept all frame types i e receives both untagged and tagged frames This priority does not apply to IEEE 802 1Q VLAN tagged frames If the incoming frame is an IEEE 802 1Q VLAN tagged frame the IEEE 802 1p User Priority bits will be ...

Page 522: ...t weights Syntax queue bandwidth weight1 weight4 no queue bandwidth weight1 weight4 The ratio of weights for queues 0 3 determines the weights used by the WRR scheduler Range 1 15 Default Setting Weights 1 2 4 6 8 10 12 14 are assigned to queues 0 7 respectively Command Mode Interface Configuration Ethernet Port Channel Command Usage WRR controls bandwidth sharing at the egress port by defining sc...

Page 523: ...ist of numbers The CoS value is a number from 0 to 7 where 7 is the highest priority Default Setting This switch supports Class of Service by using eight priority queues with Weighted Round Robin queuing for each port Eight separate traffic classes are defined in IEEE 802 1p The default priority levels are assigned according to recommendations in the IEEE 802 1p standard as shown below Command Mod...

Page 524: ...queue bandwidth This command displays the weighted round robin WRR bandwidth allocation for the eight priority queues Default Setting None Console config interface ethernet 1 1 Console config if queue cos map 0 0 Console config if queue cos map 1 1 Console config if queue cos map 2 2 Console config if exit Console show queue cos map ethernet 1 1 Information of Eth 1 1 Traffic Class 0 1 2 3 4 5 6 7...

Page 525: ...unit port unit Stack unit Always unit 1 port Port number Range 1 28 port channel channel id Range 1 8 Default Setting None Command Mode Privileged Exec Example Console show queue bandwidth Information of Eth 1 1 Queue ID Weight 0 1 1 2 2 4 3 6 4 8 5 10 6 12 7 14 Console show queue cos map ethernet 1 1 Information of Eth 1 1 CoS Value 0 1 2 3 4 5 6 7 Priority Queue 2 0 1 3 4 5 6 7 Console ...

Page 526: ...itchport priority Example The following example shows how to enable IP DSCP mapping globally Table 4 63 Priority Commands Layer 3 and 4 Command Function Mode Page map ip dscp Enables IP DSCP class of service mapping GC 4 226 map ip dscp Maps IP DSCP value to a class of service IC 4 227 map access list ip Sets the CoS value and corresponding output queue for packets matching an ACL rule IC 4 120 sh...

Page 527: ... all the DSCP values that are not specified are mapped to CoS value 0 Command Mode Interface Configuration Ethernet Port Channel Command Usage The precedence for priority mapping is IP DSCP and default switchport priority DSCP priority values are mapped to default Class of Service values according to recommendations in the IEEE 802 1p standard and then subsequently mapped to the eight hardware pri...

Page 528: ...mand shows the IP DSCP priority map Syntax show map ip dscp interface interface ethernet unit port unit Stack unit Always unit 1 port Port number Range 1 28 port channel channel id Range 1 8 Default Setting None Command Mode Privileged Exec Console config interface ethernet 1 5 Console config if map ip dscp 1 cos 0 Console config if ...

Page 529: ...itch router to ensure that it will continue to receive the multicast service Console show map ip dscp ethernet 1 1 DSCP mapping status disabled Port DSCP COS Eth 1 1 0 0 Eth 1 1 1 0 Eth 1 1 2 0 Eth 1 1 3 0 Eth 1 1 61 0 Eth 1 1 62 0 Eth 1 1 63 0 Console Table 4 65 Multicast Filtering Commands Command Groups Function Page IGMP Snooping Configures multicast groups via IGMP snooping or static assignme...

Page 530: ...nction Mode Page ip igmp snooping Enables IGMP snooping GC 4 230 ip igmp snooping vlan static Adds an interface as a member of a multicast group GC 4 231 ip igmp snooping version Configures the IGMP version for snooping GC 4 232 ip igmp snooping immediate leave Enables IGMP immediate leave for a VLAN interface IC 4 233 show ip igmp snooping Shows the IGMP snooping and query configuration PE 4 233 ...

Page 531: ...vlan id VLAN ID Range 1 4093 ip address IP address for multicast group interface ethernet unit port unit Stack unit Always unit 1 port Port number Range 1 28 port channel channel id Range 1 8 Default Setting None Command Mode Global Configuration Example The following shows how to statically configure a multicast group on a port Console config ip igmp snooping vlan 1 static 224 0 0 12 ethernet 1 5...

Page 532: ...2 Command Mode Global Configuration Command Usage All systems on the subnet must support the same version If there are legacy devices in your network that only support Version 1 you will also have to configure this switch to use Version 1 Some commands are only enabled for IGMPv2 including ip igmp query max response time and ip igmp query timeout Example The following configures the switch to use ...

Page 533: ...terface to be removed from the multicast forwarding table without first sending an IGMP group specific query to the interface Upon receiving a group specific IGMPv2 leave message the switch immediately removes the interface from the Layer 2 forwarding table entry for that multicast group unless a multicast router was learned on the port Example show ip igmp snooping This command shows the IGMP sno...

Page 534: ...t vlan vlan id user igmp snooping vlan id VLAN ID 1 to 4093 user Display only the user configured multicast entries igmp snooping Display only entries learned through IGMP snooping Default Setting None Command Mode Privileged Exec Command Usage Member types displayed include IGMP or USER depending on selected options Console show ip igmp snooping Service status Enabled Querier status Disabled Quer...

Page 535: ...c address table multicast vlan 1 igmp snooping VLAN M cast IP addr Member ports Type 1 224 1 2 3 Eth1 11 IGMP Console Table 4 67 IGMP Query Commands Layer 2 Command Function Mode Page ip igmp snooping querier Allows this device to act as the querier for IGMP snooping GC 4 235 ip igmp snooping query count Configures the query count GC 4 236 ip igmp snooping query interval Configures the query inter...

Page 536: ...ponse before the switch takes action to drop a client from the multicast group Range 2 10 Default Setting 2 times Command Mode Global Configuration Command Usage The query count defines how long the querier waits for a response from a multicast client before taking action If a querier has sent a number of queries defined by this command but a client has not responded a countdown timer is started u...

Page 537: ...to restore the default Syntax ip igmp snooping query interval seconds no ip igmp snooping query interval seconds The frequency at which the switch sends IGMP host query messages Range 60 125 Default Setting 125 seconds Command Mode Global Configuration Example The following shows how to configure the query interval to 100 seconds Console config ip igmp snooping query count 10 Console config Consol...

Page 538: ...mand defines the time after a query during which a response is expected from a multicast client If a querier has sent a number of queries defined by the ip igmp snooping query count but a client has not responded a countdown timer is started using an initial value set by this command If the countdown finishes and the client still has not responded then that client is considered to have left the mu...

Page 539: ...after the previous querier stops before it considers the router port i e the interface which had been receiving query packets to have expired Range 300 500 Default Setting 300 seconds Command Mode Global Configuration Command Usage The switch must use IGMPv2 for this command to take effect Example The following shows how to configure the default timeout to 300 seconds Related Commands ip igmp snoo...

Page 540: ... static multicast router ports are configured Command Mode Global Configuration Command Usage Depending on your network connections IGMP snooping may not always be able to locate the IGMP querier Therefore if the IGMP querier is a known multicast router switch connected over the network to an interface port or trunk on your router you can manually configure that interface to join all the current m...

Page 541: ... vlan vlan id vlan id VLAN ID Range 1 4093 Default Setting Displays multicast router ports for all configured VLANs Command Mode Privileged Exec Command Usage Multicast router port types displayed include Static or Dynamic Example The following shows that port 11 in VLAN 1 is attached to a multicast router Console config ip igmp snooping vlan 1 mrouter ethernet 1 11 Console config Console show ip ...

Page 542: ...er Enables IGMP filtering and throttling on the switch GC 4 243 ip igmp profile Sets a profile number and enters IGMP filter profile configuration mode GC 4 244 permit deny Sets a profile access mode to permit or deny IPC 4 244 range Specifies one or a range of multicast addresses for a profile IPC 4 245 ip igmp filter Assigns an IGMP filter profile to an interface IC 4 246 ipigmpmax groups Specif...

Page 543: ...le can contain one or more or a range of multicast addresses but only one profile can be assigned to a port When enabled IGMP join reports received on the port are checked against the filter profile If a requested multicast group is permitted the IGMP join report is forwarded as normal If a requested multicast group is denied the IGMP join report is dropped IGMP filtering and throttling only appli...

Page 544: ...ubscriber is permitted or denied to join The same profile can be applied to many interfaces but only one profile can be assigned to one interface Each profile has only one access mode either permit or deny Example permit deny This command sets the access mode for an IGMP filter profile Use the no form to delete a profile number Syntax permit deny Default Setting Deny Command Mode IGMP Profile Conf...

Page 545: ...le Syntax no range low ip address high ip address low ip address A valid IP address of a multicast group or start of a group range high ip address A valid IP address for the end of a multicast group range Default Setting None Command Mode IGMP Profile Configuration Command Usage Enter this command multiple times to specify more than one multicast address or address range for a profile Example Cons...

Page 546: ...etting None Command Mode Interface Configuration Command Usage The IGMP filtering profile must first be created with the ip igmp profile command before being able to assign it to an interface Only one profile can be assigned to an interface A profile can be assigned to a trunk interface When ports are configured as trunk members the trunk uses the filtering profile assigned to the first port membe...

Page 547: ...ulticast groups that a port can join at the same time When the maximum number of groups is reached on a port the switch can take one of two actions either deny or replace If the action is set to deny any new IGMP join reports will be dropped If the action is set to replace the switch randomly removes an existing group and replaces it with the new multicast group IGMP throttling can also be set on ...

Page 548: ... the switch can take one of two actions either deny or replace If the action is set to deny any new IGMP join reports will be dropped If the action is set to replace the switch randomly removes an existing group and replaces it with the new multicast group Example show ip igmp filter This command displays the global and interface settings for IGMP filtering Syntax show ip igmp filter interface int...

Page 549: ...r profile number Range 1 4294967295 Default Setting None Command Mode Privileged Exec Example Console show ip igmp filter IGMP filter enable Console show ip igmp filter interface ethernet 1 1 Information of Eth 1 1 IGMP Profile 19 deny range 239 1 1 1 239 1 1 1 range 239 2 3 1 239 2 3 100 Console Console show ip igmp profile IGMP Profile 19 IGMP Profile 50 Console show ip igmp profile 19 IGMP Prof...

Page 550: ...s Example Multicast VLAN Registration Commands This section describes commands used to configure Multicast VLAN Registration MVR A single network wide VLAN can be used to transmit multicast traffic such as television channels across a service provider s network Any multicast traffic entering an MVR VLAN is sent to all subscribers This can significantly reduce to processing overhead required to dyn...

Page 551: ...f addresses Or use the no form with the vlan keyword restore the default MVR VLAN Syntax no mvr group ip address count vlan vlan id ip address IP address for an MVR multicast group Range 224 0 1 0 239 255 255 255 count The number of contiguous MVR group addresses Range 1 255 vlan id MVR VLAN ID Range 1 4094 Table 4 70 Multicast VLAN Registration Commands Command Function Mode Page mvr Globally ena...

Page 552: ...have registered to receive data from that multicast group The IP address range from 224 0 0 0 to 239 255 255 255 is used for multicast streams MVR group addresses cannot fall within the reserved IP multicast address range of 224 0 0 x IGMP snooping must be enabled to a allow a subscriber to dynamically join or leave an MVR group see ip igmp snooping on page 4 230 Note that only IGMP version 2 or 3...

Page 553: ... an interface from a multicast stream as soon as it receives a leave message for that group ip address Statically configures an interface to receive multicast traffic from the IP address specified for an MVR multicast group Range 224 0 1 0 239 255 255 255 Default Setting The port type is not defined Immediate leave is disabled No receiver port is a member of any configured multicast group Command ...

Page 554: ...from the multicast group identified in the leave message When immediate leave is disabled the switch follows the standard rules by sending a group specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list Using immediate leave can speed up leave latency but should only be ...

Page 555: ...ntax show mvr interface interface members ip address interface ethernet unit port unit This is unit 1 port Port number Range 1 28 port channel channel id Range 1 12 ip address IP address for an MVR multicast group Range 224 0 1 0 239 255 255 255 Default Setting Displays global configuration settings for MVR when no keywords are used Command Mode Privileged Exec Console config interface ethernet 1 ...

Page 556: ...st groups 10 Console Table 4 71 show mvr display description Field Description MVR status Shows if MVR is globally enabled on the switch MVR running status Indicates whether or not all necessary conditions in the MVR environment are satisfied MVR multicast vlan Shows the VLAN used to transport all MVR multicast traffic MVR max multicast groups Shows the maximum number of multicast groups which can...

Page 557: ...s enabled or disabled Console show mvr members MVR Group IP Status Members 225 0 0 1 ACTIVE eth1 1 d eth1 2 s 225 0 0 2 INACTIVE None 225 0 0 3 INACTIVE None 225 0 0 4 INACTIVE None 225 0 0 5 INACTIVE None 225 0 0 6 INACTIVE None 225 0 0 7 INACTIVE None 225 0 0 8 INACTIVE None 225 0 0 9 INACTIVE None 225 0 0 10 INACTIVE None Console Table 4 73 show mvr members display description Field Description...

Page 558: ...ent stations or other devices that exist on another network segment Basic IP Configuration Table 4 74 IP Interface Commands Command Function Mode Page ip address Sets the IP address for the current interface IC 4 259 ip dhcp restart Submits a BOOTP or DCHP client request PE 4 260 ip default gateway Defines the default gateway through which this switch can reach other subnetworks GC 4 260 show ip i...

Page 559: ... configure a specific IP address or direct the device to obtain an address from a BOOTP or DHCP server Valid IP addresses consist of four numbers 0 to 255 separated by periods Anything outside this format will not be accepted by the configuration program If you select the bootp or dhcp option IP is enabled but will not function until a BOOTP or DHCP reply has been received Requests will be broadca...

Page 560: ...CP client request Default Setting None Command Mode Privileged Exec Command Usage This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address command DHCP requires the server to reassign the client s last address if available If the BOOTP or DHCP server has been moved to a different domain the network portion of the address pro...

Page 561: ... address of the default gateway Default Setting No static route is established Command Mode Global Configuration Command Usage A gateway must be defined if the management station is located in a different IP segment Example The following example defines a default gateway for this device Console config interface vlan 1 Console config if ip address dhcp Console config if exit Console ip dhcp restart...

Page 562: ...d shows the default gateway configured for this device Default Setting None Command Mode Privileged Exec Example Related Commands If the BOOTP or DHCP server has been moved to a different domain the network portion of the address provided to the client will be based on this new domain 4 260 Console show ip interface IP address and netmask 192 168 1 54 255 255 255 0 on VLAN 1 and address mode User ...

Page 563: ...etting This command has no default for the host Command Mode Normal Exec Privileged Exec Command Usage Use the ping command to see if another site on the network can be reached Following are some results of the ping command Normal response The normal response occurs in one to ten seconds depending on network traffic Destination does not respond If the host does not respond a timeout appears in ten...

Page 564: ...o 10 1 0 9 by 5 32 byte payload ICMP packets timeout is 5 seconds response time 10 ms response time 10 ms response time 10 ms response time 10 ms response time 0 ms Ping statistics for 10 1 0 9 5 packets transmitted 5 packets received 100 0 packets lost 0 Approximate round trip times Minimum 0 ms Maximum 10 ms Average 8 ms Console Table 4 75 IP Source Guard Commands Command Function Mode Page ip s...

Page 565: ...l and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor Setting source guard mode to sip or sip mac enables this function on the selected port Use the sip option to check the VLAN ID source IP address and port number against all entries in the binding table Use the sip mac option to check these same parameters plus the source MAC address Use th...

Page 566: ...ip mac option If a matching entry is found in the binding table and the entry type is static IP source guard binding the packet will be forwarded If the DHCP snooping is enabled IP source guard will check the VLAN ID source IP address port number and source MAC address for the sip mac option If a matching entry is found in the binding table and the entry type is static IP source guard binding stat...

Page 567: ...nfiguration Command Usage Table entries include a MAC address IP address lease time entry type Static IP SG Binding Dynamic DHCP Binding Static DHCP Binding VLAN identifier and port identifier All static entries are configured with an infinite lease time which is indicated with a value of zero by the show ip source guard command page 4 268 When source guard is enabled traffic is filtered based upo...

Page 568: ...IP source guard binding Example This example configures a static source guard binding on port 5 Related Command ip source guard 4 265 ip dhcp snooping 4 270 ip dhcp snooping vlan 4 272 show ip source guard This command shows whether source guard is enabled or disabled on each interface Command Mode Privileged Exec Example Console config ip source guard binding 11 22 33 44 55 66 vlan 1 192 168 0 99...

Page 569: ...ase sec Type VLAN Interface 11 22 33 44 55 66 192 168 0 99 0 Static 1 Eth 1 5 Console Table 4 76 DHCP Snooping Commands Command Function Mode Page ip dhcp snooping Enables DHCP snooping globally GC 4 270 ip dhcp snooping vlan Deletes entries from the host name to address table GC 4 272 ip dhcp snooping trust Defines a default domain name for incomplete host names IC 4 273 ip dhcp snooping verify m...

Page 570: ...ng vlan command page 4 272 DHCP messages received on an untrusted interface as specified by the no ip dhcp snooping trust command page 4 273 from a device not listed in the DHCP snooping table will be dropped When enabled DHCP messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCP snooping Table entries are only learned for untrusted interfaces Each entry...

Page 571: ...DHCP packet is a reply packet from a DHCP server including OFFER ACK or NAK messages the packet is dropped If the DHCP packet is from a client such as a DECLINE or RELEASE message the switch forwards the packet only if the corresponding entry is found in the binding table If the DHCP packet is from client such as a DISCOVER REQUEST INFORM DECLINE or RELEASE message the packet is forwarded if MAC a...

Page 572: ...rver Also when the switch sends out DHCP client packets for itself no filtering takes place However when the switch receives any messages from a DHCP server any packets received from untrusted ports are dropped Example This example enables DHCP snooping globally for the switch Related Command ip dhcp snooping vlan 4 272 ip dhcp snooping trust 4 273 ip dhcp snooping vlan This command enables DHCP s...

Page 573: ... re enabled When DHCP snooping is globally enabled configuration changes for specific VLANs have the following effects If DHCP snooping is disabled on a VLAN all dynamic bindings learned for this VLAN are removed from the binding table Example This example enables DHCP snooping for VLAN 1 Related Command ip dhcp snooping 4 270 ip dhcp snooping trust 4 273 ip dhcp snooping trust This command config...

Page 574: ...hen an untrusted port is changed to a trusted port all the dynamic DHCP snooping bindings associated with this port are removed Additional considerations when the switch itself is a DHCP client The port s through which it submits a client request to the DHCP server must be configured as trusted Example This example sets port 5 to untrusted Related Commands ip dhcp snooping 4 270 ip dhcp snooping v...

Page 575: ... 4 273 ip dhcp snooping information option This command enables the DHCP Option 82 information relay for the switch Use the no form to disable this function Syntax no ip dhcp snooping information option Default Setting Disabled Command Mode Global Configuration Command Usage DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server Known as DH...

Page 576: ...g information option policy for DHCP client packets that include Option 82 information Syntax ip dhcp snooping information policy drop keep replace drop Discards all DHCP client packets with Option 82 information keep Retains the client s DHCP information replace Overwrites the DHCP client packet information with the switch s relay information Default Setting replace Command Mode Global Configurat...

Page 577: ...tries to flash memory These entries will be restored to the snooping table when the switch is reset However note that the lease time shown for a dynamic entry that has been restored from flash memory will no longer be valid Example show ip dhcp snooping This command shows the DHCP snooping configuration settings Command Mode Privileged Exec Console config ip dhcp snooping information policy drop C...

Page 578: ...elnet to communicate directly with the Commander throught its IP address and the Commander manages Member switches using cluster internal IP addresses There can be up to 36 Member switches in one cluster Cluster switches are limited to within a single IP subnet Console show ip dhcp snooping Global DHCP Snooping status disable DHCP Snooping is configured on the following VLANs 1 Verify Source Mac A...

Page 579: ...hen they become Members and are used for communication between Member switches and the Commander Table 4 77 Switch Cluster Commands Command Function Mode Page cluster Configures clustering on the switch GC 4 270 cluster commander Configures the switch as a cluster Commander GC 4 272 cluster ip pool Sets the cluster IP address pool for Members GC 4 273 cluster member Sets Candidate switches as clus...

Page 580: ...ting Disabled Command Mode Global Configuration Command Usage Once a switch has been configured to be a cluster Commander it automatically discovers other cluster enabled switches in the network These Candidate switches only become cluster Members when manually selected by the administrator through the management station Cluster Member switches can be managed through only using a Telnet connection...

Page 581: ...gn IP addresses to Member switches in the cluster Internal cluster IP addresses are in the form 10 x x member ID Only the base IP address of the pool needs to be set since Member IDs can only be between 1 and 36 Set a Cluster IP Pool that does not conflict with addresses in the network IP subnet Cluster IP addresses are assigned to switches when they become Members and are used for communication b...

Page 582: ...mber id The ID number to assign to the Member switch Range 1 36 Default Setting No Members Command Mode Global Configuration Command Usage The maximum number of cluster Members is 36 The maximum number of switch Candidates is 100 Example rcommand This command provides access to a cluster Member CLI for configuration Syntax rcommand id member id member id The ID number to assign to the Member switc...

Page 583: ...to the Member switch CLI Example show cluster This command shows the switch clustering configuration Command Mode Privileged Exec Example show cluster members This command shows the current switch cluster members Command Mode Privileged Exec Vty 0 rcommand id 1 CLI session with the SMC6128L2 is opened To end the CLI session enter Exit Vty 0 Console show cluster Role commander Interval heartbeat 30...

Page 584: ...ode Privileged Exec Example Console show cluster members Cluster Members ID 1 Role Active member IP Address 10 254 254 2 MAC Address 00 12 cf 23 49 c0 Description SMC6128L2 Console Console show cluster candidates Cluster Candidates Role Mac Description ACTIVE MEMBER 00 12 cf 23 49 c0 SMC6128L2 CANDIDATE 00 12 cf 0b 47 a0 SMC6128L2 Console ...

Page 585: ... at half full duplex 1000 Mbps at full duplex 1000BASE SX LX LH 1000 Mbps at full duplex SFP Flow Control Full Duplex IEEE 802 3x Half Duplex Back pressure Broadcast Storm Control Traffic throttled above a critical threshold Port Mirroring One source ports one destination port Rate Limits Input Limit Port Trunking Static trunks Cisco EtherChannel compliant Dynamic trunks Link Aggregation Control P...

Page 586: ...an be configured by VLAN tag or port Layer 3 4 priority mapping IP DSCP Multicast Filtering IGMP Snooping Layer 2 Additional Features BOOTP client SNTP Simple Network Time Protocol SNMP Simple Network Management Protocol RMON Remote Monitoring groups 1 2 3 9 SMTP Email Alerts Management Features In Band Management Telnet Web based HTTP or HTTPS SNMP manager or Secure Shell Out of Band Management R...

Page 587: ...thentication IEEE 802 3 2005 Ethernet Fast Ethernet Gigabit Ethernet Link Aggregation Control Protocol LACP Full duplex flow control ISO IEC 8802 3 IEEE 802 3ac VLAN tagging DHCP Client RFC 1541 HTTPS IGMP RFC 1112 IGMPv2 RFC 2236 RADIUS RFC 2618 RMON RFC 1757 groups 1 2 3 9 SNMP RFC 1157 SNMPv2c RFC 2571 SNMPv3 RFC DRAFT 3414 3410 2273 3411 3415 SNTP RFC 2030 SSH Version 2 0 TFTP RFC 1350 Managem...

Page 588: ...ty MIB IEEE 802 1X Port Access Entity Equipment MIB Private MIB RADIUS Authentication Client MIB RFC 2621 RMON MIB RFC 2819 RMON II Probe Configuration Group RFC 2021 partial implementation SNMPv2 IP MIB RFC 2011 SNMP Framework MIB RFC 3411 SNMP MPD MIB RFC 3412 SNMP Target MIB SNMP Notification MIB RFC 3413 SNMP User Based SM MIB RFC 3414 SNMP View Based ACM MIB RFC 3415 SNMP Community MIB RFC 35...

Page 589: ... the VLAN interface through which the management station is connected with a valid IP address subnet mask and default gateway Be sure the management station has an IP address in the same subnet as the switch s IP interface to which it is connected If you are trying to connect to the switch via the IP address for a tagged VLAN group your management station and the ports connecting intermediate swit...

Page 590: ...p an account on the switch for each SSH user including user name authentication level and password Be sure you have imported the client s public key to the switch if public key authentication is used Cannot access the on board configuration program via a serial port connection Be sure you have set the terminal emulator program to VT100 compatible 8 data bits 1 stop bit no parity and the baud rate ...

Page 591: ...r messages reported to include all categories 3 Designate the SNMP host that is to receive the error messages 4 Repeat the sequence of commands or other actions that lead up to the error 5 Make a list of the commands or circumstances that led to the fault Also make a list of any error messages displayed 6 Contact your distributor s service engineer For example Console config logging on Console con...

Page 592: ...TROUBLESHOOTING B 4 ...

Page 593: ...hem in the appropriate output queue Data is transmitted from the queues using weighted round robin service to enforce priority service and prevent blockage of lower level queues Priority may be set according to the port default the packet s priority bit in the VLAN tag TCP UDP port number or DSCP priority bit Differentiated Services Code Point Service DSCP DSCP uses a six bit tag to provide for up...

Page 594: ...on Protocol GVRP Defines a way for switches to exchange VLAN information in order to register necessary VLAN members on ports along the Spanning Tree so that VLANs defined in each switch can work automatically over a Spanning Tree network Generic Attribute Registration Protocol GARP GARP is a protocol that can be used by endstations and switches to register and propagate multicast group membership...

Page 595: ...vice QoS in Ethernet networks The standard uses packet tags that define up to eight traffic classes and allows switches to transmit packets based on the tagged priority value IEEE 802 1s An IEEE standard for the Multiple Spanning Tree Protocol MSTP which provides independent spanning trees for VLAN groups IEEE 802 1X Port Authentication controls access to the switch ports by requiring users to fir...

Page 596: ...t Protocol IGMP A protocol through which hosts can register with their local router for multicast services If there is more than one multicast switch router on a given subnetwork one of the devices is made the querier and assumes responsibility for keeping track of group membership In Band Management Management of the network from a station attached directly to the network IP Multicast Filtering A...

Page 597: ...ction meaning that it takes a message and converts it into a fixed string of digits also called a message digest Multicast Switching A process whereby the switch filters incoming multicast frames for services for which no attached host has registered or forwards them to all ports contained within the designated multicast VLAN group Network Time Protocol NTP NTP provides the mechanisms to synchroni...

Page 598: ...s Remote Authentication Dial in User Service RADIUS RADIUS is a logon authentication protocol that uses software running on a central server to control access to RADIUS compliant devices on the network Remote Monitoring RMON RMON provides comprehensive network monitoring capabilities It eliminates the polling required in standard SNMP and can set alarms on a variety of traffic conditions including...

Page 599: ... Tree Protocol STP A technology that checks your network for any loops A loop can often occur in complicated or backup linked network systems Spanning Tree detects and directs data along the shortest available path maximizing the performance and efficiency of the network Telnet Defines a remote communication facility for interfacing to a terminal device over TCP IP Terminal Access Controller Acces...

Page 600: ...s that may be discarded before reaching their targets UDP is useful when TCP would be too complex too slow or just unnecessary Virtual LAN VLAN A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network A VLAN serves as a logical workgroup with no physical barriers and allows users to share informatio...

Page 601: ...3 186 3 195 4 219 DSCP 3 193 4 226 layer 3 4 priorities 3 192 4 226 queue mapping 3 187 4 223 queue mode 3 190 4 220 traffic class weights 3 191 4 222 D default gateway configuration 3 20 4 261 default priority ingress port 3 186 4 221 default settings system 1 7 DHCP 3 22 4 259 client 3 20 dynamic configuration 2 7 Differentiated Code Point Service See DSCP downloading software 3 25 4 84 DSCP ena...

Page 602: ...CACS client 3 69 3 70 4 99 TACACS server 3 69 3 70 4 99 logon authentication sequence 3 71 4 92 4 93 M main menu 3 5 Management Information Bases MIBs A 3 mirror port configuring 3 131 4 158 multicast filtering 3 206 3 221 3 242 4 229 multicast groups 3 214 4 234 displaying 4 234 static 3 214 4 231 4 234 multicast services configuring 3 215 3 223 3 224 3 227 4 231 displaying 3 214 4 234 multicast ...

Page 603: ... displaying version 3 15 4 81 downloading 3 25 4 84 Spanning Tree Protocol See STA specifications software A 1 SSH configuring 3 77 4 49 4 50 STA 3 144 4 180 edge port 3 156 3 159 4 190 global settings configuring 3 149 4 181 4 187 global settings displaying 3 146 4 194 interface settings 3 153 4 193 4 194 link type 3 156 3 159 4 192 path cost 3 147 3 155 path cost method 3 152 4 186 port priority...

Page 604: ...10 adding static members 3 170 3 172 4 204 creating 3 168 4 197 description 3 161 displaying basic information 3 165 4 215 displaying port members 3 166 4 206 egress mode 3 174 4 200 interface configuration 3 173 4 200 4 205 private 3 176 3 184 4 207 W Web interface access requirements 3 1 configuration buttons 3 4 home page 3 3 menu list 3 4 3 5 panel display 3 4 ...

Page 605: ......

Page 606: ...39 02 739 12 68 Fax 39 02 739 14 17 Benelux 31 0 654 776 790 Fax 31 0 172 242 393 Central Europe 49 0 89 92861 0 Fax 49 0 89 92861 230 Nordic and Baltics 46 0 566 622 83 Fax 45 0 566 622 86 Eastern Europe 420 266 794 421 Fax 420 266 794 423 Sub Saharian Africa 27 012 661 0232 Fax 34 93 471 3374 North West Africa 34 93 477 4920 Fax 34 93 477 3774 CIS 34 93 477 4920 Fax 34 93 477 3774 PRC 86 10 6235...

Reviews:

No comments

Related manuals for 6128L2

DUB-H4 - Hub - USB

Brand: D-Link Pages: 4

Brand: D-Link Pages: 2

xStack DGS-3420 Series

Brand: D-Link Pages: 2

Brand: D-Link Pages: 29

Brand: D-Link Pages: 454

Brand: D-Link Pages: 502

Brand: D-Link Pages: 244

Brand: D-Link Pages: 20

Brand: D-Link Pages: 2

Brand: D-Link Pages: 37

Brand: D-Link Pages: 28

Brand: AAVARA Pages: 23

Brand: Qlogic Pages: 4

dominion kx III

Brand: Raritan Pages: 6

Brand: Raritan Pages: 5

DOMINION KSX II

Brand: Raritan Pages: 7

Brand: Raritan Pages: 2

Brand: Cabletron Systems Pages: 120

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands