Basic Configuration

The default strings are:

• public - with read-only access. Authorized management stations are only able to retrieve MIB objects.

• private - with read-write access. Authorized management stations are able to both retrieve and modify MIB objects.

To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is 
recommended that you change the default community strings.

To configure a community string, complete the following steps:

1. From the Privileged Exec level global configuration mode prompt, type “snmp-server community string mode,” where “string” is the community access string and “mode” is rw (read/write) or ro (read only). Press <Enter>. (Note that the default mode is read only.)

2. To remove an existing string, simply type “no snmp-server community string,” where “string” is the community access string to remove. Press <Enter>.

Note: If you do not intend to support access to SNMP version 1 and 2c clients, we recommend that you delete both of the default community strings. If there are no community strings, then SNMP management access from SNMP v1 and v2c clients is disabled.

Trap Receivers

You can also specify SNMP stations that are to receive traps from the switch. To 
configure a trap receiver, use the “snmp-server host” command. From the Privileged 
Exec level global configuration mode prompt, type:

“snmp-server host host-address community-string [version {1 | 2c | 3 {auth | noauth | priv}}]”

where “host-address” is the IP address for the trap receiver, “community-string” 
specifies access rights for a version 1/2c host, or is the user name of a version 3 
host, “version” indicates the SNMP client version, and “auth | noauth | priv” means 
that authentication, no authentication, or authentication and privacy is used for v3 
clients. Then press <Enter>. For a more detailed description of these parameters, 
see “snmp-server host” on page 4-153. The following example creates a trap host 
for each type of SNMP client.

Console(config)#snmp-server community admin rw                        4-152
Console(config)#snmp-server community private
Console(config)#

Console(config)#snmp-server host 10.1.19.23 batman                    4-153
Console(config)#snmp-server host 10.1.19.98 robin version 2c
Console(config)#snmp-server host 10.1.19.34 barbie version 3 auth
Console(config)#
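As an added example (not part of the SMC guide or its firmware), the Python sketch below replays "snmp-server community" and "snmp-server host" commands in the syntax described above, starting from the factory default strings, and reports what remains exposed to SNMP v1/2c clients and which trap receivers run without privacy. The function names and finding labels are hypothetical. It assumes that re-entering an existing community string replaces its mode and that a trap host entered without "version" is a version 1 receiver.

```python
import ipaddress
import re

# Factory defaults stated in the guide: "public" is read-only, "private" is read-write.
FACTORY_COMMUNITIES = {"public": "ro", "private": "rw"}
PROMPT = re.compile(r"^\s*Console\(config\)#\s*")

# The guide's own example commands.
PAGE_EXAMPLE = [
    "Console(config)#snmp-server community admin rw",
    "Console(config)#snmp-server community private",
    "Console(config)#",
    "Console(config)#snmp-server host 10.1.19.23 batman",
    "Console(config)#snmp-server host 10.1.19.98 robin version 2c",
    "Console(config)#snmp-server host 10.1.19.34 barbie version 3 auth",
]
# Constructed sample: defaults removed, one v3 receiver with privacy.
HARDENED = [
    "Console(config)#no snmp-server community public",
    "Console(config)#no snmp-server community private",
    "Console(config)#snmp-server host 10.1.19.34 barbie version 3 priv",
]


def parse_host(args):
    """Parse: host-address community-string [version {1 | 2c | 3 {auth | noauth | priv}}]."""
    if len(args) < 2:
        return None
    try:
        ipaddress.ip_address(args[0])
    except ValueError:
        return None
    # Assumption: with no "version" keyword the receiver is a version 1 host.
    host = {"address": args[0], "name": args[1], "version": "1", "level": None}
    rest = args[2:]
    if not rest:
        return host
    if rest[0] != "version":
        return None
    if rest[1:] in (["1"], ["2c"]):
        host["version"] = rest[1]
        return host
    if len(rest) == 3 and rest[1] == "3" and rest[2] in ("auth", "noauth", "priv"):
        host["version"], host["level"] = "3", rest[2]
        return host
    return None


def replay(lines):
    """Apply commands in order; return (communities, trap_hosts, rejected_lines)."""
    communities = dict(FACTORY_COMMUNITIES)
    hosts, rejected = [], []
    for raw in lines:
        tokens = PROMPT.sub("", raw).split()
        if not tokens:
            continue  # bare prompt or blank line
        negate = tokens[0] == "no"
        words = tokens[1:] if negate else tokens
        kind, args = words[:2], words[2:]
        if kind == ["snmp-server", "community"] and negate and len(args) == 1:
            communities.pop(args[0], None)
        elif kind == ["snmp-server", "community"] and not negate and (
            len(args) == 1 or (len(args) == 2 and args[1] in ("ro", "rw"))
        ):
            # Assumption: re-entering an existing string replaces its mode;
            # the mode defaults to read-only when omitted (stated in the guide).
            communities[args[0]] = args[1] if len(args) == 2 else "ro"
        elif kind == ["snmp-server", "host"] and not negate and parse_host(args):
            hosts.append(parse_host(args))
        else:
            rejected.append(raw)
    return communities, hosts, rejected


def v1v2c_access_enabled(communities):
    """Per the guide, v1/v2c management access is disabled when no strings remain."""
    return bool(communities)


def audit(communities, hosts):
    """Return (label, subject) findings for the resulting SNMP state."""
    findings = []
    for name, mode in communities.items():
        if name in FACTORY_COMMUNITIES:
            findings.append(("default-community", name))
        if mode == "rw":
            findings.append(("rw-community", name))
    for h in hosts:
        if h["version"] in ("1", "2c"):
            findings.append(("cleartext-trap", h["address"]))  # community sent unencrypted
        elif h["level"] == "noauth":
            findings.append(("v3-noauth-trap", h["address"]))
        elif h["level"] == "auth":
            findings.append(("v3-no-privacy", h["address"]))  # authenticated, not encrypted
    return findings


if __name__ == "__main__":
    for label, sample in (("page example", PAGE_EXAMPLE), ("hardened", HARDENED)):
        comms, traps, bad = replay(sample)
        print(label, "v1/v2c enabled:", v1v2c_access_enabled(comms), audit(comms, traps), bad)
```

Replaying the guide's example leaves both default strings in place alongside the new read-write string, which is why the note above recommends deleting them explicitly.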

Summary of Contents for 6128PL2

Page 1: ...MANAGEMENT GUIDE TigerSwitchTM 10 100 24 Port 10 100 Managed Switch with PoE IP Clustering and 4 Gigabit Ports SMC6128PL2 ...

Page 3: ...20 Mason Irvine CA 92618 Phone 949 679 8000 TigerSwitch 10 100 Management Guide From SMC s Tiger line of feature rich workgroup LAN solutions March 2008 Pub 149100032800A E032008 EK R04 ...

Page 4: ... implication or otherwise under any patent or patent rights of SMC SMC reserves the right to change specifications at any time without notice Copyright 2008 by SMC Networks Inc 20 Mason Irvine CA 92618 All rights reserved Printed in Taiwan Trademarks SMC is a registered trademark and EZ Switch TigerStack TigerSwitch and TigerAccess are trademarks of SMC Networks Inc Other product and company names...

Page 5: ...become the property of SMC Replacement products may be either new or reconditioned Any replaced or repaired product carries either a 30 day limited warranty or the remainder of the initial warranty whichever is longer SMC is not responsible for any custom software or firmware configuration information or memory data of Customer contained in stored on or integrated with any products returned to SMC...

Page 6: ...ON WITH THE SALE INSTALLATION MAINTENANCE USE PERFORMANCE FAILURE OR INTERRUPTION OF ITS PRODUCTS EVEN IF SMC OR ITS AUTHORIZED RESELLER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES OR THE LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES FOR CONSUMER PRODUCTS SO THE ABOVE LIMITATIONS AND EXCLUSIONS MAY NOT APPLY TO YOU THIS WARRA...

Page 7: ...our attention to related features or instructions Caution Alerts you to a potential hazard that could cause loss of data or damage the system or equipment Warning Alerts you to a potential hazard that could cause personal injury Related Publications The following publication details the hardware features of the switch including the physical and performance related characteristics and how to instal...

Page 8: ...viii ...

Page 9: ...n 1 and 2c clients 2 6 Trap Receivers 2 7 Configuring Access for SNMP Version 3 Clients 2 8 Saving Configuration Settings 2 8 Managing System Files 2 9 Chapter 3 Configuring the Switch 3 1 Using the Web Interface 3 1 Navigating the Web Browser Interface 3 2 Home Page 3 2 Configuration Options 3 3 Panel Display 3 3 Main Menu 3 4 Basic Configuration 3 12 Displaying System Information 3 12 Displaying...

Page 10: ...ss 3 43 Setting the Local Engine ID 3 43 Specifying a Remote Engine ID 3 44 Configuring SNMPv3 Users 3 44 Configuring Remote SNMPv3 Users 3 46 Configuring SNMPv3 Groups 3 47 Setting SNMPv3 Views 3 50 User Authentication 3 52 Configuring User Accounts 3 52 Configuring Local Remote Logon Authentication 3 54 Configuring Encryption Keys 3 58 AAA Authorization and Accounting 3 60 Configuring AAA RADIUS...

Page 11: ... 99 MAC Authentication 3 101 Configuring MAC authentication parameters for ports 3 101 Access Control Lists 3 102 Configuring Access Control Lists 3 102 Setting the ACL Name and Type 3 102 Configuring a Standard IP ACL 3 103 Configuring an Extended IP ACL 3 104 Configuring a MAC ACL 3 107 Binding a Port to an Access Control List 3 109 Filtering IP Addresses for Management Access 3 110 Port Configu...

Page 12: ... VLAN Information 3 167 Displaying Current VLANs 3 168 Creating VLANs 3 169 Adding Static Members to VLANs VLAN Index 3 170 Adding Static Members to VLANs Port Index 3 172 Configuring VLAN Behavior for Interfaces 3 173 Configuring IEEE 802 1Q Tunneling 3 175 Enabling QinQ Tunneling on the Switch 3 178 Adding an Interface to a QinQ Tunnel 3 180 Private VLANs 3 181 Displaying Current Private VLANs 3...

Page 13: ...yer 2 IGMP Snooping and Query 3 220 Configuring IGMP Snooping and Query Parameters 3 221 Enabling IGMP Immediate Leave 3 223 Displaying Interfaces Attached to a Multicast Router 3 225 Specifying Static Interfaces for a Multicast Router 3 226 Displaying Port Members of Multicast Services 3 227 Assigning Ports to Multicast Services 3 228 IGMP Filtering and Throttling 3 229 Enabling IGMP Filtering an...

Page 14: ...e 4 1 Accessing the CLI 4 1 Console Connection 4 1 Telnet Connection 4 2 Entering Commands 4 3 Keywords and Arguments 4 3 Minimum Abbreviation 4 3 Command Completion 4 3 Getting Help on Commands 4 3 Showing Commands 4 4 Partial Keyword Lookup 4 5 Negating the Effect of Commands 4 5 Using Command History 4 5 Understanding Command Modes 4 5 Exec Commands 4 6 Configuration Commands 4 7 Command Line P...

Page 15: ...t 4 31 banner configure equipment info 4 31 banner configure equipment location 4 32 banner configure ip lan 4 33 banner configure lp number 4 33 banner configure manager info 4 34 banner configure mux 4 35 banner configure note 4 35 show banner 4 36 User Access Commands 4 37 username 4 37 enable password 4 38 IP Filter Commands 4 39 management 4 39 show management 4 40 Web Server Commands 4 41 ip...

Page 16: ... show log 4 59 SMTP Alert Commands 4 60 logging sendmail host 4 60 logging sendmail level 4 61 logging sendmail source email 4 62 logging sendmail destination email 4 62 logging sendmail 4 63 show logging sendmail 4 63 Time Commands 4 64 sntp client 4 64 sntp server 4 65 sntp poll 4 66 show sntp 4 66 ntp client 4 67 ntp server 4 68 ntp poll 4 69 ntp authenticate 4 69 ntp authentication key 4 70 sh...

Page 17: ...4 94 radius server auth port 4 95 radius server key 4 95 radius server retransmit 4 96 radius server timeout 4 96 show radius server 4 96 TACACS Client 4 97 tacacs server host 4 98 tacacs server port 4 98 tacacs server key 4 99 tacacs server retransmit 4 99 tacacs server timeout 4 100 show tacacs server 4 100 AAA Commands 4 101 aaa group server 4 101 server 4 102 aaa accounting dot1x 4 102 aaa acc...

Page 18: ...k access dynamic qos 4 124 network access dynamic vlan 4 125 network access guest vlan 4 125 network access link detection 4 126 network access link detection link down 4 126 network access link detection link up 4 127 network access link detection link up down 4 127 mac authentication reauth time 4 128 clear network access 4 129 show network access 4 129 show network access mac address table 4 13...

Page 19: ...MP Commands 4 150 snmp server 4 150 show snmp 4 151 snmp server community 4 152 snmp server contact 4 152 snmp server location 4 153 snmp server host 4 153 snmp server enable traps 4 155 snmp server engine id 4 156 show snmp engine id 4 157 snmp server view 4 158 show snmp view 4 159 snmp server group 4 159 show snmp group 4 161 snmp server user 4 162 show snmp user 4 163 Interface Commands 4 166 ...

Page 20: ...wer inline priority 4 193 show power inline status 4 194 show power mainpower 4 195 Address Table Commands 4 195 mac address table static 4 196 clear mac address table dynamic 4 197 show mac address table 4 197 mac address table aging time 4 198 show mac address table aging time 4 198 Spanning Tree Commands 4 199 spanning tree 4 200 spanning tree mode 4 200 spanning tree forward time 4 202 spannin...

Page 21: ...garp timer 4 222 show garp timer 4 223 Editing VLAN Groups 4 224 vlan database 4 224 vlan 4 225 Configuring VLAN Interfaces 4 226 interface vlan 4 226 switchport mode 4 227 switchport acceptable frame types 4 227 switchport ingress filtering 4 228 switchport native vlan 4 229 switchport allowed vlan 4 230 switchport forbidden vlan 4 231 Displaying VLAN Information 4 232 show vlan 4 232 Configuring...

Page 22: ...dp basic tlv port description 4 255 lldp basic tlv system capabilities 4 255 lldp basic tlv system description 4 256 lldp basic tlv system name 4 256 lldp dot1 tlv proto ident 4 257 lldp dot1 tlv proto vid 4 257 lldp dot1 tlv pvid 4 258 lldp dot1 tlv vlan name 4 258 lldp dot3 tlv link agg 4 259 lldp dot3 tlv mac phy 4 259 lldp dot3 tlv max frame 4 260 lldp dot3 tlv poe 4 260 lldp medtlv extpoe 4 2...

Page 23: ...itchport voice vlan rule 4 288 switchport voice vlan security 4 288 switchport voice vlan priority 4 289 show voice vlan 4 290 Multicast Filtering Commands 4 291 IGMP Snooping Commands 4 291 ip igmp snooping 4 292 ip igmp snooping vlan static 4 292 ip igmp snooping version 4 293 ip igmp snooping leave proxy 4 293 ip igmp snooping immediate leave 4 294 show ip igmp snooping 4 295 show mac address t...

Page 24: ...15 ip dhcp restart 4 315 show ip interface 4 316 show ip redirects 4 316 ping 4 317 IP Source Guard Commands 4 318 ip source guard 4 318 ip source guard binding 4 320 show ip source guard 4 321 show ip source guard binding 4 321 DHCP Snooping Commands 4 322 ip dhcp snooping 4 322 ip dhcp snooping vlan 4 324 ip dhcp snooping trust 4 325 ip dhcp snooping verify mac address 4 325 ip dhcp snooping inf...

Page 25: ...34 upnp device advertise duration 4 334 show upnp 4 335 Appendix A Software Specifications A 1 Software Features A 1 Management Features A 2 Standards A 2 Management Information Bases A 3 Appendix B Troubleshooting B 1 Problems Accessing the Management Interface B 1 Using System Logs B 2 Glossary Index ...

Page 26: ...Contents xviii ...

Page 27: ...Command Groups 4 9 Table 4 5 Line Commands 4 10 Table 4 6 General Commands 4 19 Table 4 7 System Management Commands 4 25 Table 4 8 Device Designation Commands 4 26 Table 4 9 Banner Commands 4 27 Table 4 10 User Access Commands 4 37 Table 4 11 Default Login Settings 4 37 Table 4 12 IP Filter Commands 4 39 Table 4 13 Web Server Commands 4 41 Table 4 14 HTTPS System Support 4 42 Table 4 15 Telnet Se...

Page 28: ...ds 4 177 Table 4 50 Rate Limit Commands 4 179 Table 4 51 Link Aggregation Commands 4 180 Table 4 52 show lacp counters display description 4 187 Table 4 53 show lacp internal display description 4 187 Table 4 54 show lacp neighbors display description 4 189 Table 4 55 show lacp sysid display description 4 189 Table 4 59 Address Table Commands 4 195 Table 4 60 Spanning Tree Commands 4 199 Table 4 6...

Page 29: ...ttling Commands 4 301 Table 4 82 Multicast VLAN Registration Commands 4 308 Table 4 83 show mvr display description 4 312 Table 4 84 show mvr interface display description 4 312 Table 4 85 show mvr members display description 4 313 Table 4 86 IP Interface Commands 4 313 Table 4 87 IP Source Guard Commands 4 318 Table 4 88 DHCP Snooping Commands 4 322 Table 4 89 Switch Cluster Commands 4 328 Table ...

Page 30: ...Tables xxii ...

Page 31: ...tion 3 36 Figure 3 21 NTP Client Configuration 3 37 Figure 3 22 Setting the System Clock 3 38 Figure 3 23 Configuring SNMP Community Strings 3 41 Figure 3 24 Configuring IP Trap Managers 3 42 Figure 3 25 Enabling SNMP Agent Status 3 42 Figure 3 26 Setting an Engine ID 3 43 Figure 3 27 Setting a Remote Engine ID 3 44 Figure 3 28 Configuring SNMPv3 Users 3 45 Figure 3 29 Configuring Remote SNMPv3 Us...

Page 32: ... Network Access MAC Address Information 3 100 Figure 3 64 MAC Authentication Port Configuration 3 101 Figure 3 65 Selecting ACL Type 3 103 Figure 3 66 Configuring Standard IP ACLs 3 104 Figure 3 67 Configuring Extended IP ACLs 3 106 Figure 3 68 Configuring MAC ACLs 3 108 Figure 3 69 Configuring ACL Port Binding 3 109 Figure 3 70 Creating an IP Filter List 3 111 Figure 3 71 Displaying Port Trunk In...

Page 33: ...80 Figure 3 107 Private VLAN Information 3 182 Figure 3 108 Private VLAN Configuration 3 183 Figure 3 109 Private VLAN Association 3 184 Figure 3 110 Private VLAN Port Information 3 185 Figure 3 111 Private VLAN Port Configuration 3 186 Figure 3 112 Protocol VLAN Configuration 3 188 Figure 3 113 Protocol VLAN System Configuration 3 188 Figure 3 114 LLDP Configuration 3 191 Figure 3 115 LLDP Port C...

Page 34: ...IP Information 3 237 Figure 3 146 MVR Port Configuration 3 239 Figure 3 147 MVR Group Member Configuration 3 240 Figure 3 148 DHCP Snooping Configuration 3 242 Figure 3 149 DHCP Snooping VLAN Configuration 3 242 Figure 3 150 DHCP Snooping Information Option Configuration 3 243 Figure 3 151 DHCP Snooping Port Configuration 3 244 Figure 3 152 DHCP Snooping Binding Information 3 245 Figure 3 153 IP S...

Page 35: ...ole Telnet web User name password RADIUS TACACS Web HTTPS Telnet SSH SNMP v1 2c Community strings SNMP version 3 MD5 or SHA password Port IEEE 802 1X MAC address filtering Web Authentication Access Control Lists Supports IP and MAC ACLs 100 rules per system DHCP Client Supported DHCP Snooping Supported with Option 82 relay information Port Configuration Speed duplex mode and flow control Rate Limi...

Page 36: ...hentication Protocol over LANs EAPOL to request user credentials from the 802 1X client and then verifies the client s right to access the network via an authentication server Other authentication options include HTTPS for secure management access via the web SSH for secure management access over a Telnet equivalent connection IP address filtering for SNMP web Telnet management access and MAC addr...

Page 37: ...he level falls back beneath the threshold Static Addresses A static address can be assigned to a specific interface on this switch Static addresses are bound to the assigned interface and will not be moved When a static address is seen on another interface the address will be ignored and will not be written to the address table Static addresses can be used to provide network security by restrictin...

Page 38: ...h to restrict traffic to the VLAN groups to which a user has been assigned By segmenting your network into VLANs you can Eliminate broadcast storms which severely degrade performance in a flat network Simplify network management for node changes moves by remotely configuring VLAN membership for any port rather than having to manually change the network connection Provide data security by restricti...

Page 39: ...es different kinds of traffic can be marked for different kinds of forwarding Multicast Filtering Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfere with normal network traffic and to guarantee real time delivery by setting the required priority level for the designated VLAN The switch uses IGMP Snooping and Query to manage multicast group registration ...

Page 40: ...isabled Authentication Privileged Exec Level Username admin Password admin Normal Exec Level Username guest Password guest Enable Privileged Exec from Normal Exec Level Password super RADIUS Authentication Disabled TACACS Authentication Disabled 802 1X Port Authentication Disabled Web Authentication Disabled MAC Authentication Disabled HTTPS Enabled SSH Disabled Port Security Disabled IP Filtering...

Page 41: ... 300 seconds Virtual LANs Default VLAN 1 PVID 1 Acceptable Frame Type All Ingress Filtering Enabled Switchport Mode Egress Mode Hybrid tagged untagged frames GVRP global Disabled GVRP port interface Disabled Traffic Prioritization Ingress Port Priority 0 Weighted Round Robin Queue 0 1 2 3 Weight 1 2 4 8 IP DSCP Priority Disabled IP Settings IP Address DHCP assigned otherwise 192 168 1 1 Subnet Mas...

Page 42: ...P Email Alerts Event Handler Enabled but no server defined SNTP Clock Synchronization Disabled NTP Clock Synchronization Disabled DHCP Snooping Status Disabled IP Source Guard Status Disabled all ports Switch Clustering Status Enabled Commander Disabled Table 1 2 System Defaults Continued Function Parameter Default ...

Page 43: ...e RS 232 serial console port on the switch or remotely by a Telnet connection over the network The switch s management agent also supports SNMP Simple Network Management Protocol This SNMP agent permits the switch to be managed from any system in the network using network management software such as HP OpenView The switch s web interface CLI configuration program and SNMP agent allow you to perfor...

Page 44: ...serial port on a terminal or a PC running terminal emulation software and tighten the captive retaining screws on the DB 9 connector 2 Connect the other end of the cable to the RS 232 serial port on the switch 3 Make sure the terminal emulation software is set as follows Select the appropriate serial port COM port 1 or COM port 2 Set the baud rate to 9600 bps Set the data format to 8 data bits 1 s...

Page 45: ... basic configuration functions To access the full range of SNMP management functions you must use SNMP based network management software Basic Configuration Console Connection The CLI program provides two different command levels normal access level Normal Exec and privileged access level Privileged Exec The commands available at the Normal Exec level are a limited subset of those available at the...

Page 46: ...rmation for the stack to obtain management access through the network This can be done in either of the following ways Manual You have to input the information including IP address and subnet mask If your management station is not in the same IP subnet as the stack s master unit you will also need to specify the default gateway router Dynamic The switch sends IP configuration requests to BOOTP or ...

Page 47: ... therefore need to use the ip dhcp restart command to start broadcasting service requests Requests will be sent periodically in an effort to obtain IP configuration information BOOTP and DHCP values can include the IP address subnet mask and default gateway If the bootp or dhcp option is saved to the startup config file step 6 then the switch will start broadcasting service requests as soon as it ...

Page 48: ... clients To provide management access for version 1 or 2c clients you must specify a community string The switch provides a default MIB View i e an SNMPv3 construct for the default public community string that provides read access to the entire MIB tree and a default view for the private community string that provides read write access to the entire MIB tree However you may assign new views to ver...

Page 49: ...are no community strings then SNMP management access from SNMP v1 and v2c clients is disabled Trap Receivers You can also specify SNMP stations that are to receive traps from the switch To configure a trap receiver use the snmp server host command From the Privileged Exec level global configuration mode prompt type snmp server host host address community string version 1 2c 3 auth noauth priv wher...

Page 50: ...ork Management Protocol on page 3 39 or refer to the specific CLI commands for SNMP starting on page 4 150 Saving Configuration Settings Configuration commands only modify the running configuration file and are not saved when the switch is rebooted To save all your configuration changes in nonvolatile storage you must copy the running configuration file to the start up configuration file using the...

Page 51: ...aces See Managing Firmware on page 3 19 for more information Diagnostic Code Software that is run during system boot up also known as POST Power On Self Test Due to the size limit of the flash memory the switch supports only one operation code file However you can have as many diagnostic code files and configuration files as available flash memory space allows Transferring a new operation code fil...

Page 52: ...Initial Configuration 2 10 2 ...

Page 53: ... user names and passwords using an out of band serial connection Access to the web agent is controlled by the same user names and passwords as the onboard configuration program See Setting Passwords on page 2 4 3 After you enter a user name and password you will have access to the system configuration program Notes 1 You are allowed three attempts to enter the correct password on the third failed ...

Page 54: ...statistics The default user name and password for the administrator is admin Home Page When your web browser connects with the switch s web agent the home page is displayed as shown below The home page displays the Main Menu on the left side of the screen and System Information on the right side The Main Menu links are used to navigate to other menus and display configuration parameters and statis...

Page 55: ...plorer 7 x This option is available under Tools Internet Options General Browsing History Settings Temporary Internet Files 2 You may have to manually refresh the screen after making configuration changes by pressing the browser s refresh button Panel Display The web agent displays an image of the switch s ports The Mode can be set to display different information for the ports including Active i ...

Page 56: ... copying of files 3 19 Delete Allows deletion of files from the flash memory 3 20 Set Start Up Sets the startup file 3 20 Line 3 23 Console Sets console port connection parameters 3 23 Telnet Sets Telnet connection parameters 3 25 Log 3 28 Logs Stores and displays error messages 3 28 System Logs Sends error messages to a logging process 3 28 Remote Logs Configures the logging of messages to a remo...

Page 57: ...t which accounting updates are sent to RADIUS AAA servers 3 64 802 1X Port Settings Applies the specified accounting method to an interface 3 65 Command Privileges Specifies a method name to apply to commands entered at specific CLI privilege levels 3 66 Exec Settings Specifies console or Telnet authentication method 3 67 Summary Displays accounting information and statistics 3 67 Authorization 3 ...

Page 58: ...ion parameters 3 98 MAC Address Information Displays Network Access statistics sorted by various attributes 3 99 MAC Authentication 3 101 Port Configuration Configures MAC Authentication parameters for ports 3 101 ACL 3 102 Configuration Configures packet filtering based on IP or MAC addresses 3 102 Port Binding Binds a port to the specified ACL 3 109 IP Filter Sets IP addresses of clients allowed...

Page 59: ...get for the switch 3 137 Power Port Status Displays the status of port power parameters 3 137 Power Port Config Configures port power parameters 3 138 Address Table 3 140 Static Addresses Displays entries for interface address or VLAN 3 140 Dynamic Addresses Displays or edits static entries in the Address Table 3 141 Address Aging Sets timeout for dynamically learned entries 3 142 Spanning Tree 3 ...

Page 60: ...3 172 Port Configuration Specifies default PVID and VLAN attributes 3 173 Trunk Configuration Specifies default trunk VID and VLAN attributes 3 173 Tunnel Port Configuration Adds an interface to a QinQ Tunnel 3 180 Tunnel Trunk Configuration Adds an interface to a QinQ Tunnel 3 180 Private VLAN 3 181 Information Displays Private VLAN feature information 3 182 Configuration This page is used to cre...

Page 61: ...Default Port Priority Sets the default priority for each port 3 199 Default Trunk Priority Sets the default priority for each trunk 3 199 Traffic Classes Maps IEEE 802 1p priority tags to output queues 3 201 Traffic Classes Status Enables disables traffic class priorities not implemented 3 202 Queue Mode Sets queue mode to strict priority or Weighted Round Robin 3 203 Queue Scheduling Configures W...

Page 62: ...es IGMP Filtering and Throttling for trunks 3 196 MVR 3 234 Configuration Globally enables MVR sets the MVR VLAN adds multicast stream addresses 3 235 Port Information Displays MVR interface type MVR operational and activity status and immediate leave status 3 236 Trunk Information Displays MVR interface type MVR operational and activity status and immediate leave status 3 236 Group IP Information...

Page 63: ...rd binding table for a selected interface 3 249 Cluster 3 250 Configuration Globally enables clustering for the switch 3 250 Member Configuration Adds switch Members to the cluster 3 251 Member Information Displays cluster Member switch information 3 252 Candidate Information Displays network Candidate switch information 3 253 UPNP 3 254 Configuration Enables UPNP and defines timeout values 3 254 ...

Page 64: ...his switch Web server Shows if management access via HTTP is enabled Web server port Shows the TCP port number used by the web interface Web secure server Shows if management access via HTTPS is enabled Web secure server port Shows the TCP port used by the HTTPS interface Telnet server Shows if management access via Telnet is enabled Telnet port Shows the TCP port used by the Telnet interface Jumb...

Page 65: ...elf Test POST and boot code Operation Code Version Version number of runtime code Role Shows that this switch is operating as Master or Slave Console config hostname R D 5 4 26 Console config snmp server location WC 9 4 153 Console config snmp server contact Ted 4 152 Console config exit Console show system 4 81 System description 24 10 100 ports and 4 gigabit ports with PoE System OID string 1 3 ...

Page 66: ...lowing command to display version information Console show version 4 82 Unit 1 Serial number Hardware version EPLD Version 0 02 Number of ports 28 Main power status Up Redundant power status Not present Agent master Unit ID 1 Loader version 1 0 0 1 Boot ROM version 1 0 0 2 Operation code version 1 1 0 3 Console ...

Page 67: ...ic filtering for unicast and multicast addresses Refer to Setting Static Addresses on page 3 140 VLAN Learning This switch uses Shared VLAN Learning SVL where all VLANs share the same address table Configurable PVID Tagging This switch allows you to override the default Port VLAN ID PVID used in frame tags and egress status VLAN Tagged or Untagged on each port Refer to VLAN Configuration on page 3...

Page 68: ... has been assigned an IP address IP Address Mode Specifies whether IP functionality is enabled via manual configuration Static Dynamic Host Configuration Protocol DHCP or Boot Protocol BOOTP If DHCP BOOTP is enabled IP will not function until a reply has been received from the server Requests will be broadcast periodically by the switch for an IP address DHCP BOOTP values can include the IP addres...

Page 69: ...o Static enter the IP address subnet mask and gateway then click Apply Figure 3 6 Manual IP Configuration CLI Specify the management interface IP address and default gateway Console config Console config interface vlan 1 4 166 Console config if ip address 192 168 1 1 255 255 255 0 4 314 Console config if exit Console config ip default gateway 0 0 0 0 4 315 Console config ...

Page 70: ...connection and enter show ip interface to determine the new switch address CLI Specify the management interface and set the IP address mode to DHCP or BOOTP and then enter the ip dhcp restart command Renewing DCHP DHCP may lease addresses to clients indefinitely or for a specific period of time If the address expires or the switch is moved to another network segment you will lose management access...

Page 71: ...d firmware to or from a TFTP server or copy files to and from switch units in a stack By saving runtime code to a file on a TFTP server that file can later be downloaded to the switch to restore operation When downloading runtime code the new firmware file will overwrite the existing file You must specify the method of file transfer along with the file type and file names as required Command Attri...

Page 72: ...fer to succeed Downloading System Software from a Server When downloading runtime code the new operation code file will overwrite the existing file Versions of the code prior to 1 1 0 3 require the operation code file being transferred to have the same destination file name as the existing code file for the transfer to succeed Web Click System File Management Copy Operation Select tftp to file as ...

Page 73: ...he switch directory assigning it a new name file to running config Copies a file in the switch to the running configuration file to startup config Copies a file in the switch to the startup configuration file to tftp Copies a file from the switch to a TFTP server running config to file Copies the running configuration to a file running config to startup config Copies the running config to the star...

Page 74: ...figuration Settings from a Server You can download the configuration file under a new file name and then set it as the startup file or you can specify the current startup configuration file as the destination file to directly replace it Note that the file Factory_Default_Config cfg can be copied to the TFTP server but cannot be used as the destination on the switch Web Click System File Copy Opera...

Page 75: ...onfigured via the web or CLI interface Command Attributes Login Timeout Sets the interval that the system waits for a user to log into the CLI If a login attempt is not detected within the timeout interval the connection is terminated for the session Range 0 300 seconds Default 0 seconds Exec Timeout Sets the interval that the system waits until user input is detected If user input is not detected...

Page 76: ...Specify Even Odd or None Default None Speed Sets the terminal line s baud rate for transmit to terminal and receive from terminal Set the speed to match the baud rate of the device connected to the serial port Range 9600 19200 38400 baud or Auto Default Auto Stop Bits Sets the number of the stop bits transmitted per byte Range 1 2 Default 1 stop bit Password1 Specifies a password for the line conn...

Page 77: ...eout interval the connection is terminated for the session Range 0 300 seconds Default 300 seconds Exec Timeout Sets the interval that the system waits until user input is detected If user input is not detected within the timeout interval the current session is terminated Range 0 65535 seconds Default 600 seconds Console config line console 4 11 Console config line login local 4 11 Console config ...

Page 78: ...fies a password for the line connection When a connection is started on a line with password protection the system prompts for the password If you enter the correct password the system shows a prompt Default No password Login2 Enables password checking at login You can select authentication by a single global password as configured for the Password parameter or by passwords set up for specific use...

Page 79: ...11 Console config line password 0 secret 4 12 Console config line timeout login response 300 4 13 Console config line exec timeout 600 4 14 Console config line password thresh 3 4 14 Console config line end Console show line 4 18 Console configuration Password threshold 3 times Interactive timeout Disabled Login timeout Disabled Silent time Disabled Baudrate 9600 Databits 8 Parity none Stopbits 1 ...

Page 80: ... Log Logs Figure 3 15 Displaying Logs CLI This example shows the event messages stored in RAM System Log Configuration The system allows you to enable or disable event logging and specify which levels are logged to RAM or flash memory Severe error messages that are logged to flash memory are permanently stored in the switch to assist in troubleshooting network problems Up to 4096 log entries can b...

Page 81: ...pecified level For example if level 7 is specified all messages from level 0 to level 7 will be logged to RAM Range 0 7 Default 6 Note The Flash Level must be equal to or less than the RAM Level Web Click System Log System Logs Specify System Log Status set the level of event messages to be logged to RAM and flash memory then click Apply Figure 3 16 System Logs Table 3 3 Logging Levels Level Sever...

Page 82: ...n appropriate service The attribute specifies the facility type tag sent in syslog messages See RFC 3164 This type has no effect on the kind of messages reported by the switch However it may be used by the syslog server to process messages such as sorting or storing messages in the corresponding database Range 16 23 Default 23 Logging Trap Limits log messages that are sent to the remote syslog ser...

Page 83: ...the facility type and set the logging trap Console config logging host 192.168.1.15 4-56 Console config logging facility 23 4-56 Console config logging trap 4 4-57 Console config end Console show logging trap 4-57 Syslog logging Enabled REMOTELOG status Enabled REMOTELOG facility type local use 7 REMOTELOG level type Warning conditions REMOTELOG server ip address 192.168.1.15 REMOTELOG server ip a...

Page 84: ...art Level 5 Warning Sends notification of a warning condition such as return false or unexpected return Level 4 Error Sends notification that an error condition has occurred such as invalid input or default used Level 3 Critical Sends notification that a critical condition has occurred such as memory allocation or free memory error resource exhausted Level 2 Alert Sends urgent notification that i...

Page 85: ... SMTP CLI Enter the host ip address followed by the mail severity level source and destination email addresses and enter the sendmail command to complete the action Use the show logging command to display SMTP information Console config logging sendmail host 192 168 1 19 Console config logging sendmail level 3 Console config logging sendmail source email bill this company com Console config loggin...

Page 86: ...r of a pending delayed reset Cancel Cancels a pending delayed reset Web Click System Reset Enter the amount of time the switch should wait before rebooting Click the Reset button to reboot the switch or click the Cancel button to cancel a configured reset If prompted confirm that you want to reset the switch or cancel a configured reset Figure 3 19 Resetting the System CLI Use the reload command to r...

Page 87: ...ime on the switch manually without using SNTP CLI This example sets the system clock time and then displays the current time and date Configuring SNTP You can configure the switch to send time synchronization requests to time servers Command Attributes SNTP Client Configures the switch to operate as an SNTP client This requires at least one time server to be specified in the SNTP Server field Defa...

Page 88: ...ers Default Disabled NTP Server Sets the IP address for an NTP server to be polled The switch requests an update from all configured servers then determines the most accurate time update from the responses received Version Specifies the NTP version supported by the server Range 1 3 Default 3 Authenticate Key Specifies the number of the key in the NTP Authentication Key List to use for authenticati...

Page 89: ...8 4 22 version 2 Console config ntp server 192.168.5.23 version 3 key 19 Console config ntp poll 60 4-69 Console config ntp client 4-67 Console config ntp authenticate 4-69 Console config exit Console show ntp 4-71 Current time Jan 1 02:58:58 2001 Poll interval 60 Current mode unicast NTP status Enabled NTP Authenticate status Enabled Last Update NTP Server 0.0.0.0 Port 0 Last Update time Dec 31 0...

Page 90: ...es its offset from UTC and lists at least one major city or location covered by the time zone. User defined Configuration Allows the user to define all parameters of the local time zone. Direction Configures the time zone to be before (east) or after (west) UTC. Name Assigns a name to the time zone. (Range: 1-29 characters) Hours (0-13) The number of hours before/after UTC. The maximum value before UTC is 12 T...

Page 91: ...uously monitors the status of the switch hardware as well as the traffic passing through its ports A network management station can access this information using software such as HP OpenView Access to the onboard agent from clients using SNMP v1 and v2c is controlled by community strings To communicate with the switch the management station must first submit a valid community string for authentica...

Page 92: ...fies read write access Authorized management stations are able to both retrieve and modify MIB objects Table 3 4 SNMPv3 Security Models and Levels Model Level Group Read View Write View Notify View Security v1 noAuthNoPriv public read only defaultview none none Community string only v1 noAuthNoPriv private read write defaultview defaultview none Community string only v1 noAuthNoPriv user defined u...

Page 93: ...om the switch Command Attributes Trap Manager Capability This switch supports up to five trap managers Current Displays a list of the trap managers currently configured Trap Manager IP Address IP address of the host the targeted recipient Trap Manager Community String Community string sent with the notification operation Range 1 32 characters case sensitive Trap UDP Port Sets the UDP port number D...

Page 94: ...e 3 24 Configuring IP Trap Managers CLI This example adds a trap manager and enables both authentication and link up link down traps Enabling SNMP Agent Status Enables SNMPv3 service for all management clients i e versions 1 2c 3 Command Attributes SNMP Agent Status Check the box to enable or disable the SNMP Agent Web Click SNMP Agent Status Figure 3 25 Enabling SNMP Agent Status Console config s...

Page 95: ...hat resides on the switch This engine protects against message replay delay and redirection The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets A local engine ID is automatically generated that is unique to the switch This is referred to as the default engine ID If the local engine ID is deleted or changed all...

Page 96: ...value 123456789 is equivalent to 1234567890 Web Click SNMP SNMPv3 Remote Engine ID Figure 3 27 Setting a Remote Engine ID Configuring SNMPv3 Users Each SNMPv3 user is defined by a unique name Users must be configured with a specific security level and assigned to a group The SNMPv3 group restricts users to a specific read write and notify view Command Attributes User Name The name of user connecti...

Page 97: ... to another SNMPv3 group Web Click SNMP SNMPv3 Users Click New to configure a user name In the New User page define a name and assign it to a group then click Add to save the configuration and return to the User Name list To delete a user check the box next to the user name then click Delete To change the assigned group of a user click Change Group in the Actions column of the users table and sele...

Page 98: ...t the remote engine identifier must be specified before you configure a remote user See Specifying a Remote Engine ID on page 44 Model The user security model SNMP v1 v2c or v3 Level The security level used for the user noAuthNoPriv There is no authentication or encryption used in SNMP communications This is the default for SNMPv3 AuthNoPriv SNMP communications use authentication but the data is n...

Page 99: ...view for write access (Range: 1-64 characters) Notify View The configured view for notifications (Range: 1-64 characters) Table 3-5 Supported Notification Messages Object Label Object ID Description RFC 1493 Traps newRoot 1.3.6.1.2.1.17.0.1 The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root e...

Page 100: ...nableAuthenTraps object indicates whether this trap will be generated. RMON Events (V2) risingAlarm 1.3.6.1.2.1.16.0.1 The SNMP trap that is generated when an alarm entry crosses its rising threshold and generates an event that is configured for sending SNMP traps. fallingAlarm 1.3.6.1.2.1.16.0.2 The SNMP trap that is generated when an alarm entry crosses its falling threshold and generates an event t...

Page 101: ...ps pethMainPowerUsageOnNotification 1.3.6.1.4.1.202.20.65.173.2.1.0.45 This notification indicates PSE Threshold usage indication is on; the power usage is above the threshold. pethMainPowerUsageOffNotification 1.3.6.1.4.1.202.20.65.173.2.1.0.46 This notification indicates that the PSE Threshold usage indication is off; the usage power is below the threshold. a These are legacy notifications and the...

Page 102: ... of the SNMP view Range 1 64 characters View OID Subtrees Shows the currently configured object identifiers of branches within the MIB tree that define the SNMP view Edit OID Subtrees Allows you to configure the object identifiers of branches within the MIB tree Wild cards can be used to mask a specific portion of the OID string Type Indicates if the object identifier of a branch within the MIB tr...

Page 103: ...itch MIB to be included or excluded in the view Click Back to save the new view and return to the SNMPv3 Views list For a specific view click on View OID Subtrees to display the current configuration or click on Edit OID Subtrees to make changes to the view settings To delete a view check the box next to the view name then click Delete Figure 3 31 Configuring SNMPv3 Views ...

Page 104: ...nt access to the web SNMP or Telnet interface Port Security Configures notification and automatic shutdown options for ports Configuring User Accounts The guest only has read access for most configuration parameters However the administrator has write access for all parameters governing the onboard agent You should therefore assign a new administrator password as soon as possible and store it in a...

Page 105: ...w user account and add it to the Account List To change the password for a specific user enter the user name and new password confirm the password by entering it again then click Apply Figure 3 32 Access Levels CLI Assign a user name to access level 15 i e administrator then specify the password Console config username bob access level 15 4 37 Console config username bob password 0 smith Console c...

Page 106: ...ed you must specify the authentication sequence and the corresponding parameters for the remote authentication protocol Local and remote logon authentication control management access via the console port web browser or Telnet RADIUS and TACACS logon authentication assign a specific privilege level for each user name password pair The user name password and privilege level must be configured on th...

Page 107: ...umber of Server Transmits Number of times the switch tries to authenticate logon access via the authentication server Range 1 30 Default 2 Timeout for a reply The number of seconds the switch waits for a reply from the RADIUS server before it resends the request Range 1 65535 Default 5 TACACS Settings Global Provides globally applicable TACACS settings ServerIndex Specifies the index number of the...

Page 108: ...tication Settings To configure local or remote authentication preferences specify the authentication sequence i e one to three methods fill in the parameters for RADIUS or TACACS authentication if selected and click Apply Figure 3 33 Authentication Settings ...

Page 109: ...DIUS Server Auth Port 181 Acct port 1813 Retransmit Times 5 Request Timeout 10 Radius server group Group Name Member Index radius 1 Console Console configure Console config authentication login tacacs 4-91 Console config tacacs server 1 host 10.20.30.40 4-98 Console config tacacs server port 200 4-98 Console config tacacs server retransmit 5 4-99 Console config tacacs server timeout 10 4-100 Conso...

Page 110: ...match Change Clicking this button adds or modifies the selected encryption key TACACS Settings Global Provides globally applicable TACACS encryption key settings ServerIndex Specifies the index number of the TACACS server for which an encryption key may be configured The switch currently supports only one TACACS server Secret Text String Encryption key used to authenticate logon access for client ...

Page 111: ...Communication key with RADIUS server Auth Port 181 Acct port 1813 Retransmit times 5 Request timeout 10 Radius server group Group Name Member Index radius 1 Console config tacacs server key green 4 99 Console config end Console show tacacs server 4 100 Remote TACACS server configuration Global Settings Communication Key with TACACS Server Server Port Number 200 Retransmit Times 5 Request Times 10 ...

Page 112: ...he switch supports the following AAA features Accounting for IEEE 802 1X authenticated users that access the network through the switch Accounting for users that access management interfaces on the switch through the console and Telnet Accounting for commands that users enter at specific CLI privilege levels Authorization of users that access management interfaces on the switch through the console...

Page 113: ...f the server then click Add Figure 3 35 AAA Radius Group Settings CLI Specify the group name for a list of RADIUS servers and then specify the index number of a RADIUS server to add it to the group Configuring AAA TACACS Group Settings The AAA TACACS Group Settings screen defines the configured TACACS servers to use for accounting and authorization Command Attributes Group Name Defines a name for ...

Page 114: ...cters The method name is only used to describe the accounting method(s) configured on the specified accounting servers, and does not actually send any information to the servers about the methods to use. Service Request Specifies the service as either 802.1X (user accounting) or Exec (administrative accounting for local console, Telnet, or SSH connections). Accounting Notice Records user activity from log in ...

Page 115: ... configure a new accounting method specify a method name and a group name then click Add Figure 3 37 AAA Accounting Settings CLI Specify the accounting method required followed by the chosen parameters Console config aaa accounting dot1x tps start stop group radius 4 102 Console config ...

Page 116: ...which the local accounting service updates information to the accounting server Range 1 2147483647 minutes Default Disabled Web Click Security AAA Accounting Periodic Update Enter the required update interval and click Apply Figure 3 38 AAA Accounting Update CLI This example sets the periodic accounting update interval at 10 minutes Console config aaa accounting update periodic 10 4 105 Console co...

Page 117: ...e to apply to the interface This method must be defined in the AAA Accounting Settings menu page 3 61 Range 1 255 characters Web Click Security AAA Accounting 802 1X Port Settings Enter the required accounting method and click Apply Figure 3 39 AAA Accounting 802 1X Port Settings CLI Specify the accounting method to apply to the selected interface Console config interface ethernet 1 2 Console conf...

Page 118: ...red at the specified CLI privilege level Web Click Security AAA Accounting Command Privileges Enter a defined method name for console and Telnet privilege levels Click Apply Figure 3 40 AAA Accounting Exec Command Privileges CLI Specify the accounting method to use for console and Telnet privilege levels Console config line console 4 11 Console config line accounting commands 15 tps method 4 107 C...

Page 119: ...ting information recorded for user sessions Command Attributes AAA Accounting Summary Accounting Type Displays the accounting service Method List Displays the user defined or default accounting method Group List Displays the accounting server group Interface Displays the port or trunk to which these rules apply This field is null if the accounting method and associated server group has not been as...

Page 120: ...ly applied accounting methods and registered users Console show accounting 4 109 Accounting Type dot1x Method List default Group List radius Interface Method List tps method Group List tps radius Interface Accounting Type Exec Method List default Group List tacacs Interface Accounting Type Commands 0 Method List default Group List tacacs Interface ...

Page 121: ...onfiguring Local Remote Logon Authentication on page 3 54 Any other group name refers to a server group configured on the TACACS Group Settings page Authorization is only supported for TACACS servers Web Click Security AAA Authorization Settings To configure a new authorization method specify a method name and a group name select the service then click Add Figure 3 43 AAA Authorization Settings CL...

Page 122: ...orization Summary The Authorization Summary displays the configured authorization methods and the interfaces to which they are applied Command Attributes Authorization Type Displays the authorization service Method List Displays the user defined or default authorization method Group List Displays the authorization server group Interface Displays the console or Telnet interface to which the authori...

Page 123: ...s way The client authenticates the server using the server s digital certificate The client and server negotiate a set of security protocols to use for the connection The client and server generate session keys for encrypting and decrypting data The client and server establish a secure encrypted connection A padlock icon should appear in the status bar for Internet Explorer 5 x or above and Netsca...

Page 124: ...face using HTTPS for secure access a Secure Sockets Layer SSL certificate appears for the switch By default the certificate that Netscape and Internet Explorer display will be associated with a warning that the site is not recognized as a secure site This is because the certificate has not been signed by an approved certification authority If you want this warning to be replaced by a message confi...

Page 125: ...e as stored on the TFTP server Private Password The password for the private key file Web Click Security HTTPS Settings Fill in the TFTP server certificate and private file name details then click Copy Certificate Figure 3 47 HTTPS Settings CLI This example copies the certificate file from the designated TFTP server Note The switch must be reset for the new certificate to be activated To reset the...

Page 126: ...ord authentication is specified by the SSH client then the password can be authenticated either locally or via a RADIUS or TACACS remote authentication server as specified on the Authentication Settings page page 3 54 If public key authentication is specified by the client then you must configure authentication keys on both the client and the switch as described in the following section Note that ...

Page 127: ...thentication for SSH v1.5 or V2 Clients a. The client sends its password to the server. b. The switch compares the client's password to those stored in memory. c. If a match is found, the connection is allowed. Note: To use SSH with only password authentication, the host public key must still be given to the client, either during initial connection or manually entered into the known host file. However you do...

Page 128: ...sions Configuring the SSH Server The SSH server includes basic settings for authentication Field Attributes SSH Server Status Allows you to enable disable the SSH server on the switch Default Disabled Version The Secure Shell version number Version 2 0 is displayed but the switch supports management access via either SSH Version 1 5 or 2 0 clients SSH Authentication Timeout Specifies the time inte...

Page 129: ... the host public key to SSH clients and import the client s public key to the switch as described in the section Importing User Public Keys on page 3 79 Field Attributes Public Key of Host Key The public key for the host RSA Version 1 The first field indicates the size of the host key e g 1024 the second field is the encoded public exponent e g 65537 and the last string is the encoded modulus Cons...

Page 130: ...ve Host Key from Memory to Flash Saves the host key from RAM i e volatile memory to flash memory Otherwise the host key pair is stored to RAM by default Note that you must select this item prior to generating the host key pair Generate This button is used to generate the host key pair Note that you must first generate the host key pair before you can enable the SSH server on the SSH Server Setting...

Page 131: ...own box selects the type of public key you wish to upload. RSA: The switch will accept an SSH version 1 formatted RSA encrypted public key. DSA: The switch will accept an SSH version 2 formatted DSA encrypted public key. TFTP Server IP Address The IP address of the TFTP server that contains the public key file you wish to import. (Default: 0.0.0.0) Console ip ssh crypto host key generate 4-47 Console ip ss...

Page 132: ...essary to first delete the original key from the switch The import process will overwrite the existing key Delete This button deletes a selected RSA or DSA public key that has already been imported to the switch Web Click Security SSH SSH User Public Key Settings Select the user name and the public key type from the respective drop down boxes input the TFTP server IP address and the public key sou...

Page 134: ...ort will stop learning The MAC addresses already in the address table will be retained and will not age out Any other device that attempts to use the port will be prevented from accessing the switch Command Usage A secure port has the following restrictions It cannot use port monitoring It cannot be a multi VLAN port It cannot be used as a member of a static or dynamic trunk It should not be conne...

Page 135: ...work resources by simply attaching a client PC Although this automatic configuration and access is a desirable feature it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data The IEEE 802 1X dot1X standard defines a port based access control procedure that prevents unauthorized access to a network by requiring users to first submit credentials for...

Page 136: ...e non EAP traffic on the port is blocked or assigned to a guest VLAN based on the intrusion action setting In multi host mode only one host connected to a port needs to pass authentication for all other hosts to be granted network access Similarly a port can become unauthorized for all hosts if one attached host fails re authentication or sends an EAPOL logoff message The operation of 802 1X on th...

Page 137: ... Information Figure 3 52 802 1X Global Information CLI This example shows the default global setting for 802 1X Console show dot1x 4 117 Global 802 1X Parameters system auth control enable 802 1X Port Summary Port Name Status Operation Mode Mode Authorized 1 1 disabled Single Host ForceAuthorized n a 1 2 disabled Single Host ForceAuthorized n a 802 1X Port Details 802 1X is disabled on port 1 1 80...

Page 138: ...e switch and authentication server These parameters are described in this section Command Attributes Port Port number Status Indicates if authentication is enabled or disabled on the port Default Disabled Operation Mode Allows single or multiple hosts clients to connect to an 802 1X authorized port Options Single Host Multi Host Default Single Host Max Count The maximum number of hosts that can co...

Page 139: ...eriod Sets the time period during an authentication session that the switch waits before re transmitting an EAP packet Range 1 65535 Default 30 seconds Intrusion Action Sets the port s response to a failed authentication Block Traffic Blocks all non EAP traffic on the port This is the default setting Guest VLAN All traffic for the port is assigned to a guest VLAN The guest VLAN must be separately ...

Page 140: ...ot1x 4 117 Global 802 1X Parameters system auth control enable 802 1X Port Summary Port Name Status Operation Mode Mode Authorized 1 1 disabled Single Host ForceAuthorized n a 1 2 enabled Single Host auto yes 1 28 disabled Single Host ForceAuthorized n a 802 1X Port Details 802 1X is disabled on port 1 1 802 1X is enabled on port 1 2 reauth enabled Enable reauth period 1800 quiet period 30 tx peri...

Page 141: ...number of EAP Resp Id frames that have been received by this Authenticator Rx EAP Resp Oth The number of valid EAP Response frames other than Resp Id frames that have been received by this Authenticator Rx EAP LenError The number of EAPOL frames that have been received by this Authenticator in which the Packet Body Length field is invalid Rx Last EAPOLVer The protocol version number carried in the...

Page 142: ... DHCP assigned IP address and perform DNS queries All other traffic except for HTTP protocol traffic is blocked The switch intercepts HTTP protocol traffic and redirects it to a switch generated web page that facilitates username and password authentication via RADIUS Once authentication is successful the web browser is forwarded on to the originally requested web page Successful authentication is...

Page 143: ...at apply globally to all ports on the switch Command Attributes System Authentication Control Enables Web Authentication for the switch Default Disabled Session Timeout Configures how long an authenticated session stays active before it must re authenticate itself Default 3600 seconds Range 300 3600 seconds Quiet Period Configures how long a host must wait to attempt authentication again after it ...

Page 144: ...t Authenticated Host Counts Indicates how many authenticated hosts are connected to the port Web Click Security Web Authentication Port Configuration Figure 3 57 Web Authentication Port Configuration Console config mac authentication reauth time 3000 4 128 Console config web auth system auth control 4 135 Console config web auth session timeout 1800 4 134 Console config web auth quiet period 20 4 ...

Page 145: ...ing time until the current authorization session for the host expires Console config interface ethernet 1 5 4 166 Console config if web auth 4 135 Console config if end Console show web auth summary 4 138 Global Web Auth Parameters System Auth Control Enabled Port Status Authenticated Host Count 1 1 Disabled 0 1 2 Enabled 0 1 3 Disabled 0 1 4 Disabled 0 1 5 Enabled 0 1 6 Disabled 0 1 7 Disabled 0 ...

Page 146: ... manually force re authentication of any web authenticated host connected to any port Command Attributes Interface Indicates the ethernet port to query Host IP Indicates the IP address of the host selected for re authentication Web Click Security Web Authentication Re authentication Figure 3 59 Web Authentication Port Re authentication Console show web auth interface ethernet 1 5 4 136 Web Auth St...

Page 147: ...n successful authentication, the RADIUS server may optionally assign VLAN settings for the switch port. When enabled on a port interface, the authentication process sends a Password Authentication Protocol (PAP) request to a configured RADIUS server. The username and password are both equal to the MAC address being authenticated. On the RADIUS server, PAP username and passwords must be configured in the M...

Page 148: ...authenticated When the reauthentication time expires for a secure MAC address it is reauthenticated with the RADIUS server During the reauthentication process traffic through the port remains unaffected Default 1800 seconds Range 120 1000000 seconds Web Click Security Network Access Configuration Figure 3 60 Network Access Configuration CLI This example sets and displays the reauthentication time ...

Page 149: ...thentication fails The VLAN must already be created and active Default Disabled Range 1 to 4092 Dynamic VLAN Enables dynamic VLAN assignment for an authenticated port When enabled any VLAN identifiers returned by the RADIUS server are applied to the port providing the VLANs have already been created on the switch GVRP is not used to create the VLANs The VLAN settings specified by the first authent...

Page 150: ... port is shut down Trunk Indicates if the port is a trunk member Console config interface ethernet 1 1 Console config if network access mode mac authentication 4 122 Console config if network access max mac count 10 4 123 Console config if mac authentication max mac count 24 4 123 Console config if network access dynamic vlan 4 125 Console config if network access dynamic qos 4 124 Console config ...

Page 151: ...ss MAC Address Count The number of MAC addresses currently in the secure MAC address table Query By Specifies parameters to use in the MAC address query Port Specifies a port interface MAC Address Specifies a single MAC address information Attribute Displays static or dynamic addresses Address Table Sort Key Sorts the information displayed based on MAC address or port interface Unit Port The port ...

Page 152: ...ethod of sorting the displayed addresses Click Query Figure 3 63 Network Access MAC Address Information CLI This example displays all entries currently in the secure MAC address table Console show network access mac address table 4 130 Port MAC Address RADIUS Server Attribute Time 1 1 00 00 01 02 03 04 172 155 120 17 Static 00d06h32m50s 1 1 00 00 01 02 03 05 172 155 120 17 Dynamic 00d06h33m20s 1 1...

Page 153: ...ort Max MAC Count The maximum allowed amount of MAC authenticated MAC addresses on the port Default 1024 Range 1 1024 Intrusion Action The switch can respond in two ways to an intrusion Block Traffic All traffic for the unauthenticated host is blocked Pass Traffic All traffic for the unauthenticated host is allowed Trunk Indicates if the port is a trunk member Web Click Security MAC Authentication...

Page 154: ... of rules bound to the ports should not exceed 20. When an ACL is bound to an interface as an egress filter, all entries in the ACL must be deny rules. Otherwise, the bind operation will fail. The switch does not support the explicit deny any any rule for the egress IP ACL. If these rules are included in ACL and you attempt to bind the ACL to an interface for egress checking, the bind operation will fail...

Page 155: ...Type Specifies the source IP address Use Any to include all possible addresses Host to specify a specific host address in the Address field or IP to specify a range of addresses with the Address and SubMask fields Options Any Host IP Default Any IP Address Source IP address Subnet Mask A subnet mask containing four integers from 0 to 255 each separated by a period The mask uses 1 bits to indicate ...

Page 156: ...s Host to specify a specific host address in the Address field or IP to specify a range of addresses with the Address and SubMask fields Options Any Host IP Default Any Source Destination IP Address Source or destination IP address Source Destination Subnet Mask Subnet mask for source or destination address Service Type Packet priority settings based on the following criteria Precedence IP precede...

Page 157: ...ivalent binary bit mask that is applied to the control code Enter a decimal number where the equivalent binary bit 1 means to match a bit and 0 means to ignore a bit The following bits may be specified 1 fin Finish 2 syn Synchronize 4 rst Reset 8 psh Push 16 ack Acknowledgement 32 urg Urgent pointer For example use the code value and mask below to catch packets with the following flags set SYN fla...

Page 158: ...re 3 67 Configuring Extended IP ACLs CLI This example adds two rules 1 Accept any incoming packets if the source address is in subnet 10 7 1 x For example if the rule is matched i e the rule 10 7 1 0 255 255 255 0 equals the masked address 10 7 1 2 255 255 255 0 the packet passes through 2 Allow TCP packets from class C addresses 192 168 1 0 to any destination address when set for destination TCP ...

Page 159: ...k for source or destination MAC address VID VLAN ID Range 1 4094 VID Mask VLAN bitmask Range 1 4095 Ethernet Type This option can only be used to filter Ethernet II formatted packets Range 600 fff hex A detailed listing of Ethernet protocol types can be found in RFC 1060 A few of the more common types include 0800 IP 0806 ARP 8137 IPX Ethernet Type Bitmask Protocol bitmask Range 600 fff hex Packet...

Page 160: ...ddress range Set any other required criteria such as VID Ethernet type or packet format Then click Add Figure 3 68 Configuring MAC ACLs CLI This example configures one permit rule for all source mac addresses to communicate with all destination mac addresses on VLAN 12 and another permit rule for source mac address to communicate with all destination mac addresses Console config mac acl permit any...

Page 161: ... to any port for ingress filtering In other words only one ACL can be bound to an interface Ingress IP ACL Command Attributes Port Fixed port or SFP module Range 1 28 IP Specifies the IP ACL to bind to a port MAC Specifies the MAC ACL to bind to a port IN ACL for ingress packets Web Click Security ACL Port Binding Click Edit to open the configuration page for the ACL type Mark the Enable field for...

Page 162: ...ddresses for the same group i e SNMP web or Telnet the switch will not accept overlapping address ranges When entering addresses for different groups the switch will accept overlapping address ranges You cannot delete an individual address from a specified range You must delete the entire range and reenter the addresses You can delete an address range just by specifying the start address or by spe...

Page 163: ... the filter list Figure 3 70 Creating an IP Filter List CLI This example allows SNMP access for a specific client Console config management snmp client 10 1 2 3 4 39 Console config end Console show management all client Management IP Filter HTTP Client Start IP address End IP address SNMP Client Start IP address End IP address 1 10 1 2 3 10 1 2 3 TELNET Client Start IP address End IP address Conso...

Page 164: ...plex Status Shows the current speed and duplex mode Auto or fixed choice Flow Control Status Indicates the type of flow control currently in use IEEE 802 3x Back Pressure or None Autonegotiation Shows if auto negotiation is enabled or disabled Media Type5 Media type used for the combo ports Options Copper Forced SFP Forced or SFP Preferred Auto Default SFP Preferred Auto Trunk Member6 Shows if po...

Page 165: ...l duplex operation 1000full Supports 1000 Mbps full duplex operation Sym Transmits and receives pause frames for flow control FC Supports flow control Broadcast storm Shows if broadcast storm control is enabled or disabled Broadcast storm limit Shows the broadcast storm threshold 240 1488100 packets per second Flow control Shows if flow control is enabled or disabled LACP Shows if LACP is enabled ...

Page 166: ...tion is enabled you need to specify the capabilities to be advertised When auto negotiation is disabled you can force the settings for speed mode and flow control The following capabilities are supported 10half Supports 10 Mbps half duplex operation 10full Supports 10 Mbps full duplex operation 100half Supports 100 Mbps half duplex operation 100full Supports 100 Mbps full duplex operation 1000full...

Page 167: ...only operate at 1000full when auto negotiation is enabled Web Click Port Port Configuration or Trunk Configuration Modify the required interface settings and click Apply Figure 3 72 Port Trunk Configuration CLI Select the interface and then enter the required settings Console config interface ethernet 1 13 4 166 Console config if description RD SW 13 4 167 Console config if shutdown 4 171 Console ...

Page 168: ...placed in a standby mode Should one link in the trunk fail one of the standby ports will automatically be activated to replace it Command Usage Besides balancing the load across each port in the trunk the other ports provide redundancy by taking over the load if a port in the trunk fails However before making any physical connections between devices use the web interface or CLI to specify the trun...

Page 169: ...fore connecting the ports and also disconnect the ports before removing a static trunk via the configuration interface Command Attributes Member List Current Shows configured trunks Trunk ID Unit Port New Includes entry fields for creating new trunks Trunk Trunk identifier Range 1 8 Port Port identifier Web Click Port Trunk Membership Enter a trunk ID of 1 8 in the Trunk field select any of the sw...

Page 170: ...f an LACP trunk must be configured for full duplex and auto negotiation Trunks dynamically established through LACP will also be shown in the Member List on the Trunk Membership menu see page 3 117 Console config interface port channel 2 4 166 Console config if exit Console config interface ethernet 1 1 4 166 Console config if channel group 2 4 181 Console config if exit Console config interface e...

Page 171: ...New Includes entry fields for creating new trunks Port Port identifier Range 1 28 Web Click Port LACP Configuration Select any of the switch ports from the scroll down port list and click Add After you have completed adding ports to the member list click Apply Figure 3 74 LACP Trunk Configuration ...

Page 172: ...mand Attributes Set Port Actor This menu sets the local side of an aggregate link i e the ports on this switch Port Port number Range 1 28 System Priority LACP system priority is used to determine link aggregation group LAG membership and to identify this device to other switches during LAG negotiations Range 0 65535 Default 32768 Ports must be configured with the same system priority to join the ...

Page 173: ...ched device The command attributes have the same meaning as those used for the port actor However configuring LACP settings for the partner only applies to its administrative state not its operational state and will only take effect the next time an aggregate link is established with the partner Web Click Port LACP Aggregation Port Set the System Priority Admin Key and Port Priority for the Port A...

Page 174: ...Console show lacp sysid 4 186 Port Channel System Priority System MAC Address 1 3 00 12 CF 31 31 31 2 32768 00 12 CF 31 31 31 3 32768 00 12 CF 31 31 31 4 32768 00 12 CF 31 31 31 Console show lacp 1 internal 4 186 Port channel 1 Oper Key 120 Admin Key 0 Eth 1 1 LACPDUs Internal 30 sec LACP System Priority 3 LACP Port Priority 128 Admin Key 120 Oper Key 120 Admin State defaulted aggregation long tim...

Page 175: ...e value but contain an unknown PDU or 2 are addressed to the Slow Protocols group MAC Address but do not carry the Slow Protocols Ethernet Type Marker Illegal Pkts Number of frames that carry the Slow Protocols Ethernet Type value but contain a badly formed PDU or an illegal value of Protocol Subtype Console show lacp counters 4 186 Port channel 1 Eth 1 1 LACPDUs Sent 91 LACPDUs Receive 43 Marker ...

Page 176: ...information administratively configured for the partner Distributing If false distribution of outgoing frames on this link is disabled i e distribution is currently disabled and is not expected to be enabled in the absence of administrative changes or changes in received protocol information Collecting Collection of incoming frames on this link is enabled i e collection is currently enabled and is...

Page 177: ... LACP configuration settings and operational state for the local side of port channel 1 Console show lacp 1 internal 4 186 Port channel 1 Oper Key 120 Admin Key 0 Eth 1 1 LACPDUs Internal 30 sec LACP System Priority 3 LACP Port Priority 128 Admin Key 120 Oper Key 120 Admin State defaulted aggregation long timeout LACP activity Oper State distributing collecting synchronization aggregation long tim...

Page 178: ...ssigned by the LACP protocol Partner Admin Port Number Current administrative value of the port number for the protocol Partner Partner Oper Port Number Operational port number assigned to this aggregation port by the port s protocol partner Port Admin Priority Current administrative value of the port priority for the protocol partner Port Oper Priority Priority value assigned to this aggregation ...

Page 179: ...lt Broadcast control does not affect IP multicast traffic Command Attributes Port Port number Type Indicates the port type 100BASE TX 1000BASE T or SFP Protect Status Shows whether or not broadcast storm control has been enabled Default Enabled Threshold Threshold as percentage of port bandwidth Range 64 100000 kilobits per second for Fast Ethernet ports 64 1000000 kilobits per second for Gigabit ...

Page 180: ...4 172 Console config if exit Console config interface ethernet 1 2 Console config if switchport broadcast packet rate 500 4 172 Console config if end Console show interfaces switchport ethernet 1 2 4 175 Information of Eth 1 2 Broadcast threshold Enabled 500 Kbits second LACP status Disabled Ingress Rate Limit Disabled 100000 Kbits per second Egress Rate Limit Disabled 100000 Kbits per second VLAN...

Page 181: ...and Attributes Mirror Sessions Displays a list of current mirror sessions Source Port The port whose traffic will be monitored Range 1 28 Type Allows you to select which traffic to mirror to the target port Rx receive or Tx transmit Default Rx Target Port The port that will mirror the traffic on the source port Range 1 28 Web Click Port Mirror Port Configuration Specify the source port the traffic...

Page 182: ...arded without any changes Rate Limit Configuration Use the rate limit configuration pages to apply rate limiting Command Usage Input and output rate limits can be enabled or disabled for individual interfaces Command Attributes Port Trunk Displays the port trunk number Input Output Rate Limit Status Enables or disables the rate limit Default Enabled Input Output Rate Limit Sets the rate limit leve...

Page 183: ...at this sub layer Received Broadcast Packets The number of packets delivered by this sub layer to a higher sub layer which were addressed to a broadcast address at this sub layer Received Discarded Packets The number of inbound packets which were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher layer protocol One possible reason for disc...

Page 184: ...articular interface fails due to an internal MAC sublayer transmit error Multiple Collision Frames A count of successfully transmitted frames for which transmission is inhibited by more than one collision Carrier Sense Errors The number of times that the carrier sense condition was lost or never asserted when attempting to transmit a frame SQE Test Errors A count of times that the SQE TEST ERROR m...

Page 185: ...er of frames received that were longer than 1518 octets excluding framing bits but including FCS octets and were otherwise well formed Fragments The total number of frames received that were less than 64 octets in length excluding framing bits but including FCS octets and had either an FCS or alignment error 64 Bytes Frames The total number of frames including bad packets received and transmitted ...

Page 186: ...ing the Switch 3 134 3 Web Click Port Port Statistics Select the required interface and click Query You can also use the Refresh button at the bottom of the page to update the screen Figure 3 82 Port Statistics ...

Page 187: ...n the switch s budget ports set at critical or high priority have power enabled in preference to those ports set at low priority For example when a device is connected to a port set to critical priority the switch supplies the required power if necessary by dropping power to ports set for a lower priority If power is Console show interfaces counters ethernet 1 13 4 174 Ethernet 1 13 Iftable stats ...

Page 188: ...sumption The amount of power being consumed by PoE devices connected to the switch Thermal Temperature8 The internal temperature of the switch Software Version The version of software running on the PoE controller subsystem in the switch Web Click PoE Power Status Figure 3 83 Displaying the Global PoE Status CLI This example displays the current power status for the switch 8 This parameter is not ...

Page 189: ...l the supplied power Range 37 180 watts Default 180 Watts Web Click PoE Power Config Specify the desired power budget for the switch Click Apply Figure 3 84 Setting the Switch Power Budget CLI Use the power mainpower maximum allocation command to set the PoE power budget for the switch Displaying Port Power Status Use the Power Port Status page to display the current PoE power status for all ports...

Page 190: ...ice is connected to a low priority port and causes the switch to exceed its budget port power is not turned on If a device is connected to a critical or high priority port and causes the switch to exceed its budget port power is turned on but the switch drops power to one or more lower priority ports Note Power is dropped from low priority ports in sequence starting from port number 1 Console show...

Page 191: ...l Default low Power Allocation Sets the power budget for the port Range 3000 15400 milliwatts Default 15400 milliwatts Web Click PoE Power Port Configuration Enable PoE power on selected ports set the priority and the power budget and then click Apply Figure 3 86 Configuring Port PoE Power CLI This example sets the PoE power budget for port 1 to 8 watts the priority to high 2 and then enables the ...

Page 192: ...are bound to the assigned interface and will not be moved When a static address is seen on another interface the address will be ignored and will not be written to the address table Command Attributes Static Address Counts9 The number of manually configured addresses Current Static Address Table Lists all the static addresses Interface Port or trunk associated with the device assigned a static add...

Page 193: ...e Indicates a port or trunk MAC Address Physical address associated with this interface VLAN ID of configured VLAN 1 4093 Address Table Sort Key You can sort the information displayed based on MAC address VLAN or interface port or trunk Dynamic Address Counts The number of addresses dynamically learned Current Dynamic Address Table Lists all the dynamic addresses Web Click Address Table Dynamic Ad...

Page 194: ...learned entry is discarded Range 10 630 seconds Default 300 seconds Web Click Address Table Address Aging Specify the new aging time click Apply Figure 3 89 Setting the Address Aging Time CLI This example sets the aging time to 300 seconds Console show mac address table interface ethernet 1 1 4 197 Interface Mac Address Vlan Type Eth 1 1 00 12 CF 48 82 93 1 Delete on reset Eth 1 1 00 12 CF 94 34 D...

Page 195: ...orwarding a packet from that LAN to the root device All ports connected to designated bridging devices are assigned as designated ports After determining the lowest cost spanning tree it enables all root ports and designated ports and disables all other ports Network packets are therefore only forwarded between root ports and designated ports eliminating any possible network loops Once a stable ne...

Page 196: ...ds an Internal Spanning Tree IST for the Region containing all commonly configured MSTP bridges An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers including the Region Name Revision Level and Configuration Digest see Configuring Multiple Spanning Trees on page 11 18 An MST Region may contain multiple MSTP Instances An Internal Spanning Tree ...

Page 197: ...BPDU then the port will drop the loopback BPDU according to IEEE Standard 802 1W 2001 9 3 4 Note 1 2 Port Loopback Detection will not be active if Spanning Tree is disabled on the switch 3 When configured for manual release mode then a link down up event will not release the port from the discarding state Field Attributes Port Indicates the interface to be configured Status Enables Loopback Detect...

Page 198: ...llo Time Interval in seconds at which the root device transmits a configuration message Forward Delay The maximum time in seconds the root device will wait before changing states i e discarding to learning to forwarding This delay is required because every device must receive information about topology changes before it starts to forward frames In addition each port needs time to listen for confli...

Page 199: ...n messages at regular intervals If the root port ages out STA information provided in the last configuration message a new root port is selected from among the device ports attached to the network References to ports in this section mean interfaces which include both ports and trunks Root Forward Delay The maximum time in seconds this device will wait before changing states i e discarding to lea...

Page 200: ...adjusting the type of protocol messages the RSTP node transmits as described below STP Mode If the switch receives an 802 1D BPDU i e STP BPDU after a port s migration delay timer expires the switch assumes it is connected to an 802 1D bridge and starts using only 802 1D BPDUs RSTP Mode If RSTP is using 802 1D BPDUs on a port and receives an RSTP BPDU after the migration delay expires RSTP restart...

Page 201: ... root port and designated port The device with the highest priority becomes the STA root device However if all devices have the same priority the device with the lowest MAC address will then become the root device Note that lower numeric values indicate higher priority Default 32768 Range 0 61440 in steps of 4096 Options 0 4096 8192 12288 16384 20480 24576 28672 32768 36864 40960 45056 49152 53248...

Page 202: ...ath cost method is used to determine the range of values that can be assigned to each interface Long Specifies 32 bit based values that range from 1 200 000 000 This is the default Short Specifies 16 bit based values that range from 1 65535 Transmission Limit The maximum transmission rate for BPDUs is specified by setting the minimum interval between the transmission of consecutive protocol messag...

Page 203: ...d then configures the STA and RSTP parameters Console config spanning tree 4 200 Console config spanning tree mode rstp 4 200 Console config spanning tree priority 45056 4 204 Console config spanning tree hello time 5 4 202 Console config spanning tree max age 38 4 203 Console config spanning tree forward time 20 4 202 Console config spanning tree pathcost method long 4 204 Console config spanning...

Page 204: ...ate to the Forwarding state Designated Cost The cost for a packet to travel from this port to the root in the current Spanning Tree configuration The slower the media the higher the cost Designated Bridge The bridge priority and MAC address of the device through which this port must communicate to reach the root of the Spanning Tree Designated Port The port priority and number of the port on the d...

Page 205: ...port is assigned the highest priority the port with the lowest numeric identifier will be enabled Designated root The priority and MAC address of the device in the Spanning Tree that this switch has accepted as the root device Fast forwarding This field provides the same information as Admin Edge port and is only included for backward compatibility with earlier products Admin Edge Port You can ena...

Page 206: ...switch automatically determines if the interface is attached to a point to point link or to shared media Web Click Spanning Tree STA Port Information or STA Trunk Information Figure 3 93 Displaying Spanning Tree Port Information CLI This example shows the STA attributes for port 5 Console show spanning tree ethernet 1 5 4 217 Eth 1 5 information Admin status enabled Role disable State discarding P...

Page 207: ...unk Indicates if a port is a member of a trunk STA Port Configuration only The following interface attributes can be configured Spanning Tree Enables disables STA on this interface Default Enabled Priority Defines the priority used for this port in the Spanning Tree Protocol If the path cost for all ports on a switch is the same the port with the highest priority i e lowest value will be configur...

Page 208: ...initiate reconfiguration when the interface changes state and also overcomes other STA related timeout problems However remember that Edge Port should only be enabled for ports connected to an end node device Default Disabled Migration If at any time the switch detects STP BPDUs including Configuration or Topology Change Notification BPDUs it will automatically set the selected interface to forced...

Page 209: ...s Also note that RSTP treats each MSTI region as a single node connecting all regions to the Common Spanning Tree To use multiple spanning trees 1 Set the spanning tree type to MSTP STA Configuration page 3 130 2 Enter the spanning tree priority for the selected MST instance MSTP VLAN Configuration 3 Add the VLANs that will share this MSTI MSTP VLAN Configuration Note All VLANs are automatically a...

Page 210: ...LAN members to an MSTI instance enter the instance identifier the VLAN identifier and click Add Figure 3 95 Configuring Multiple Spanning Trees CLI This example sets the priority for MSTI 1 and adds VLANs 1 5 to this MSTI Console config spanning tree mst configuration 4 205 Console config mst mst 1 priority 4096 4 207 Console config mstp mst 1 vlan 1 5 4 206 Console config mst ...

Page 211: ...c 15 Max hops 20 Remaining hops 20 Designated Root 4096 2 0000E9313131 Current root port 0 Current root cost 0 Number of topology changes 0 Last topology changes time sec 646 Transmission limit 3 Path Cost Method long Eth 1 7 information Admin status enable Role disable State discarding External path cost 10000 Internal path cost 10000 Priority 128 Designated cost 0 Designated port 128 7 Designate...

Page 212: ... in the selected MST instance Command Attributes MST Instance ID Instance identifier to configure Default 0 Note The other attributes are described under Displaying Interface Settings on page 3 152 Web Click Spanning Tree MSTP Port or Trunk Information Select the required MST instance to display the current spanning tree values Figure 3 96 Displaying MSTP Interface Settings ...

Page 213: ... sec 15 Root Hello Time sec 2 Root Max Age sec 20 Root Forward Delay sec 15 Max hops 20 Remaining hops 20 Designated Root 32768 0 0000ABCD0000 Current root port 1 Current root cost 200000 Number of topology changes 1 Last topology changes time sec 645 Transmission limit 3 Path Cost Method long Eth 1 1 information Admin status enable Role root State forwarding External path cost 100000 Internal pat...

Page 214: ...for all ports on a switch are the same the port with the highest priority i e lowest value will be configured as an active link in the Spanning Tree This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops Where more than one port is assigned the highest priority the port with lowest numeric identifier will be enabled Default 128 Ran...

Page 215: ...2 1Q VLAN is a group of ports that can be located anywhere in the network but communicate as though they belong to the same physical segment VLANs help to simplify network management by allowing you to move devices to a new VLAN without having to change any physical connections VLANs can be easily organized to reflect departmental groups such as Marketing or R D usage groups such as e mail or mult...

Page 216: ...ame VLAN s either manually or dynamically using GVRP However if you want a port on this switch to participate in one or more VLANs but none of the intermediate network devices nor the host at the other end of the connection supports VLANs then you should add this port to the VLAN as an untagged port Note VLAN tagged frames can pass through VLAN aware or VLAN unaware network interconnection devices...

Page 217: ...e message arrives at another switch that supports GVRP it will also place the receiving port in the specified VLANs and pass the message on to all other ports VLAN requirements are propagated in this way throughout the network This allows GVRP compliant devices to be automatically configured for VLAN groups based solely on endstation requests To implement GVRP in a network first add the host devic...

Page 218: ... the VLAN tag before forwarding the frame When the switch receives a tagged frame it will pass this frame onto the VLAN s indicated by the frame tag However when this switch receives an untagged frame from a VLAN unaware device it first decides where to forward the frame and then inserts a VLAN tag reflecting the ingress port s default VID Enabling or Disabling GVRP Global Setting GARP VLAN Regist...

Page 219: ...ch Maximum Number of Supported VLANs Maximum number of VLANs that can be configured on this switch Web Click VLAN 802 1Q VLAN Basic Information Figure 3 99 Displaying Basic VLAN Information CLI Enter the following command 11 Web Only Console show bridge ext 4 221 Max support vlan numbers 256 Max support vlan ID 4092 Extended multicast filtering services No Static entry individual port Yes VLAN lea...

Page 220: ...d VLAN 1 4093 Up Time at Creation Time this VLAN was created i e System Up Time Status Shows how this VLAN was added to the switch Dynamic GVRP Automatically learned via GVRP Permanent Added as a static entry Egress Ports Shows all the VLAN port members Untagged Ports Shows the untagged VLAN port members Web Click VLAN 802 1Q VLAN Current Table Select any ID from the scroll down list Figure 3 100 ...

Page 221: ...ew VLAN group The VLAN name is only used for management on this system it is not added to the VLAN tag VLAN ID ID of configured VLAN 1 4092 no leading zeroes VLAN Name Name of the VLAN 1 to 32 characters no spaces Status Web Enables or disables the specified VLAN Enabled VLAN is operational Disabled VLAN is suspended i e does not pass packets State CLI Enables or disables the specified VLAN Active...

Page 222: ...e VLAN groups based on the port index page 3 172 However note that this configuration page can only add ports to a VLAN as tagged members 2 VLAN 1 is the default untagged VLAN containing all ports on the switch and can only be modified by first reassigning the default port VLAN ID as described under Configuring VLAN Behavior for Interfaces on page 3 173 Console config vlan database 4 224 Console c...

Page 223: ...and therefore not carry VLAN or CoS information Note that an interface can only have one untagged VLAN which must be the same as the Port VID See Configuring VLAN Behavior for Interfaces on page 3 173 for configuring PVID Forbidden Interface is forbidden from automatically joining the VLAN via GVRP For more information see Automatic VLAN Registration on page 3 165 None Interface is not a member of...

Page 224: ...nformation for the interface Select a VLAN ID and then click Add to add the interface as a tagged member or click Remove to remove the interface After configuring VLAN membership for each interface click Apply Figure 3 103 VLAN Static Membership by Port CLI This example adds Port 3 to VLAN 1 as a tagged port and removes Port 3 from VLAN 2 Console config interface ethernet 1 1 4 166 Console config ...

Page 225: ...ccept all frame types including tagged or untagged frames or only tagged frames When set to receive all frame types any received frames that are untagged are assigned to the default VLAN Options All Tagged Default All Ingress Filtering Determines how to process frames tagged for VLANs for which the ingress port is not a member Ingress Filtering is always enabled Default Enabled Ingress filtering o...

Page 226: ...ed as tagged frames Hybrid Specifies a hybrid VLAN interface The port may transmit tagged or untagged frames Trunk Member Indicates if a port is a member of a trunk To add a trunk to the selected VLAN use the last table on the VLAN Static Table page Web Click VLAN 802 1Q VLAN Port Configuration or Trunk Configuration Fill in the required settings for each interface click Apply Figure 3 104 Configu...

Page 227: ...Ds QinQ tunneling expands VLAN space by using a VLAN in VLAN hierarchy preserving the customer s original tagged packets and adding SPVLAN tags to each frame also called double tagging A port configured to support QinQ tunneling must be set to tunnel port mode The Service Provider VLAN SPVLAN ID for the specific customer must be assigned to the QinQ tunnel access port on the edge switch where the ...

Page 228: ...iority tagged packet 2 After successful source and destination lookup the ingress process sends the packet to the switching process with two tags If the incoming packet is untagged the outer tag is an SPVLAN tag and the inner tag is a dummy tag 8100 0000 If the incoming packet is tagged the outer tag is an SPVLAN tag and the inner tag is a CVLAN tag 3 After packet classification through the switch...

Page 229: ...bled If ingress filtering is not enabled the packet will still be forwarded If the VLAN is not listed in the VLAN table the packet will be dropped 4 After successful source and destination lookups the packet is double tagged The switch uses the TPID of 0x8100 to indicate that an incoming packet is double tagged If the outer tag of an incoming double tagged packet is equal to the port TPID and the ...

Page 230: ... to as an SPVLAN see Creating VLANs on page 3 169 4 Configure the QinQ tunnel access port to 802 1Q Tunnel mode see Adding an Interface to a QinQ Tunnel on page 3 180 5 Configure the QinQ tunnel access port to join the SPVLAN as an untagged member see Adding Static Members to VLANs VLAN Index on page 3 170 6 Configure the SPVLAN ID as the native VID on the QinQ tunnel access port see Configuring V...

Page 231: ...t 8100 Web Click VLAN 802 1Q VLAN 802 1Q Tunnel Status Check the Enabled box set the TPID of the ports if the client is using a non standard ethertype to identify 802 1Q tagged frames and click Apply Figure 3 105 802 1Q Tunnel Status and Ethernet Type CLI This example sets the switch to operate in QinQ mode Console config dot1q tunnel system tunnel control 4 234 Console config exit Console show do...

Page 232: ...d Attributes Mode Set the VLAN membership mode of the port Default None None The port operates in its normal VLAN mode 802 1Q Tunnel Configures IEEE 802 1Q tunneling QinQ for a client access port to segregate and preserve customer VLAN IDs for traffic crossing the service provider network 802 1Q Tunnel Uplink Configures IEEE 802 1Q tunneling QinQ for an uplink port to another device within the ser...

Page 233: ... Note that private VLANs and normal VLANs can exist simultaneously within the same switch To configure primary secondary associated groups follow these steps 1 Use the Private VLAN Configuration menu page 3 183 to designate one or more community VLANs and the primary VLAN that will channel traffic outside of the VLAN groups 2 Use the Private VLAN Association menu page 3 184 to map the secondary i ...

Page 234: ...ngle channel to the external network or isolated i e having access only to the promiscuous port in its own VLAN Then assign the promiscuous port and all host ports to an isolated VLAN Displaying Current Private VLANs The Private VLAN Information page displays information on the private VLANs configured on the switch including primary community and isolated VLANs and their assigned interfaces Comma...

Page 235: ...s Community VLANs Conveys traffic between community ports and to their promiscuous ports in the associated primary VLAN Current Displays a list of the currently configured VLANs Web Click VLAN Private VLAN Configuration Enter the VLAN ID number select Primary Isolated or Community type then click Add To remove a private VLAN from the switch highlight an entry in the Current list box and then click...

Page 236: ...ty VLANs 6 and 7 with primary VLAN 5 Displaying Private VLAN Interface Information Use the Private VLAN Port Information and Private VLAN Trunk Information menus to display the interfaces associated with private VLANs Command Attributes Port Trunk The switch interface PVLAN Port Type Displays private VLAN port types Normal The port is not configured in a private VLAN Host The port is a community p...

Page 237: ...nd 5 have been configured as host ports and associated with VLAN 6 This means that traffic for port 4 and 5 can only pass through port 3 Configuring Private VLAN Interfaces Use the Private VLAN Port Configuration and Private VLAN Trunk Configuration menus to set the private VLAN interface type and assign the interfaces to a private VLAN Command Attributes Port Trunk The switch interface PVLAN Port...

Page 238: ...the associated primary VLAN Community VLAN A community VLAN conveys traffic between community ports and from community ports to their designated promiscuous ports Set PVLAN Port Type to Host and then specify the associated Community VLAN Trunk The trunk identifier Port Information only Web Click VLAN Private VLAN Port Configuration or Trunk Configuration Set the PVLAN Port Type for each port that ...

Page 239: ...C Other is chosen for the Frame Type the only available Protocol Type is IPX Raw Note Traffic which matches IP Protocol Ethernet Frames is mapped to the VLAN VLAN 1 that has been configured with the switch s administrative IP IP Protocol Ethernet traffic must not be mapped to another VLAN or you will lose administrative network connectivity to the switch If lost in this manner network access can b...

Page 240: ...ocol VLAN System Configuration menu to map a Protocol VLAN Group to a VLAN Command Attributes Protocol Group ID Protocol Group ID assigned to the Protocol VLAN Group Range 1 2147483647 VLAN ID VLAN to which matching protocol traffic is forwarded Range 1 4092 Web Click VLAN Protocol VLAN System Configuration Figure 3 113 Protocol VLAN System Configuration Console config protocol vlan protocol group...

Page 241: ...n can be used by SNMP applications to simplify troubleshooting enhance network management and maintain an accurate network topology Setting LLDP Timing Attributes Use the LLDP Configuration screen to set attributes for general functions such as globally enabling LLDP on the switch setting the message ageout time and setting the frequency for broadcasting general advertisements or reports about cha...

Page 242: ... interval for sending SNMP notifications about LLDP MIB changes Range 5 3600 seconds Default 5 seconds This parameter only applies to SNMP applications which use data stored in the LLDP MIB for network monitoring or management Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted Only state changes that exist at the time of a notification are included...

Page 243: ... Admin Status Enables LLDP message transmit and receive modes for LLDP Protocol Data Units Options Tx only Rx only TxRx Disabled Default TxRx SNMP Notification Enables the transmission of SNMP trap notifications about LLDP and LLDP MED changes Default Enabled Console config lldp 4 248 Console config lldp refresh interval 60 4 250 Console config lldp holdtime multiplier 10 4 248 Console config lldp...

Page 244: ... networking software Management Address The management address protocol packet includes the IPv4 address of the switch If no management address is available the address should be the MAC address for the CPU or for the port sending this advertisement The management address TLV may also include information about the specific interface associated with this address and an object identifier indicating ...

Page 245: ...tails such as power availability from the switch and power state of the switch including whether the switch is operating from primary or backup power the Endpoint Device could use this information to decide to enter power conservation mode Note that this device does not support PoE capabilities Inventory This option advertises device details useful for inventory management such as manufacturer mod...

Page 246: ...nsole config if lldp basic tlv port description 4 255 Console config if lldp basic tlv system description 4 256 Console config if lldp basic tlv management ip address 4 254 Console config if lldp basic tlv system name 4 256 Console config if lldp basic tlv system capabilities 4 255 Console config if lldp medtlv extPoe 4 261 Console config if lldp medtlv inventory 4 261 Console config if lldp medtl...

Page 247: ... 02 03 04 05 System Name System Description 24 10 100 ports and 4 gigabit ports with PoE switch System Capabilities Support Bridge System Capabilities Enable Bridge Management Address 192 168 0 101 IPv4 LLDP Port Information Interface PortID Type PortID PortDesc Eth 1 1 MAC Address 00 01 02 03 04 06 Ethernet Port on unit 1 port 1 Eth 1 2 MAC Address 00 01 02 03 04 07 Ethernet Port on unit 1 port 2...

Page 248: ...on Details screen to display detailed information about an LLDP enabled device connected to a specific port on the local switch Web Click LLDP Remote Information Details Select an interface from the drop down lists and click Query Figure 3 118 LLDP Remote Information Details Console show lldp info remote device 4 266 LLDP Remote Devices Information Interface ChassisId PortId SysName Eth 1 1 00 01 ...

Page 249: ... Click LLDP Device Statistics Figure 3 119 LLDP Device Statistics Console show lldp info remote device detail ethernet 1 1 4 266 LLDP Remote Devices Information Detail Local PortName Eth 1 1 Chassis Type MAC Address Chassis Id 00 01 02 03 04 05 PortID Type MAC Address PortID 00 01 02 03 04 06 SysName SysDescr 24 10 100 ports and 4 gigabit ports with PoE switch PortDescr Ethernet Port on unit 1 por...

Page 250: ...h all attached LLDP enabled interfaces Web Click LLDP Device Statistics Details Figure 3 120 LLDP Device Statistics Details switch show lldp info statistics 4 267 LLDP Device Statistics Neighbor Entries List Last Updated 2450279 seconds New Neighbor Entries Count 1 Neighbor Entries Deleted Count 0 Neighbor Entries Dropped Count 0 Neighbor Entries Ageout Count 0 Interface NumFramesRecvd NumFramesSe...

Page 251: ...switch All untagged packets entering the switch are tagged with the specified default port priority and then sorted into the appropriate priority queue at the output port Command Usage This switch provides four priority queues for each port It uses Weighted Round Robin to prevent head of queue blockage The default priority applies for an untagged frame received on a port set to accept all frame ty...

Page 252: ...rity of 5 to port 3 13 CLI displays this information as Priority for untagged traffic Console config interface ethernet 1 3 4 166 Console config if switchport priority default 5 4 269 Console config if end Console show interfaces switchport ethernet 1 3 4 175 Information of Eth 1 3 Broadcast threshold Enabled 500 packets second LACP status Disabled Ingress rate limit enable K bits per second 25 VL...

Page 253: ...work applications are shown in the following table However you can map the priority levels to the switch s output queues in any way that benefits application traffic for your own network Command Attributes Priority CoS value Range 0 7 where 7 is the highest priority Traffic Class Output queue buffer Range 0 3 where 3 is the highest CoS priority queue Table 3 12 Mapping CoS Values to Egress Queue...

Page 254: ...nted as an interface configuration command but any changes will apply to all interfaces on the switch Enabling CoS Enable or disable Class of Service CoS Command Attributes Traffic Classes Click to enable Class of Service Default Enabled Console config interface ethernet 1 1 4 166 Console config if queue cos map 0 0 4 271 Console config if queue cos map 1 1 Console config if queue cos map 2 2 ...

Page 255: ... with strict priority queuing Command Attributes WRR Weighted Round Robin shares bandwidth at the egress ports by using scheduling weights 1 2 4 8 for queues 0 through 3 respectively This is the default selection Strict Services the egress queues in sequential order transmitting all traffic in the higher priority queues before servicing lower priority queues Web Click Priority Queue Mode Select St...

Page 256: ...ing Table Displays a list of weights for each traffic class i e queue Weight Value Set a new weight for the selected traffic class Range 1 15 Web Click Priority Queue Scheduling Select the required interface highlight a traffic class i e output queue enter a weight then click Apply Figure 3 125 Configuring Queue Scheduling CLI The following example shows how to display the WRR weights assigned t...

Page 257: ...riority mapping is IP DSCP Priority and then Default Port Priority Enabling IP DSCP Priority The switch allows you to enable or disable the IP DSCP priority Command Attributes IP DSCP Priority Status The following options are Disabled Disables the priority service Default Setting Disabled IP DSCP Maps layer 3 4 priorities using Differentiated Services Code Point Mapping Web Click Priority IP DSCP ...

Page 258: ...he DSCP values that are not specified are mapped to CoS value 0 Command Attributes DSCP Priority Table Shows the DSCP Priority to CoS map Class of Service Value Maps a CoS value to the selected DSCP Priority value Note that 0 represents low priority and 7 represents high priority Note IP DSCP settings apply to all interfaces Web Click Priority IP DSCP Priority Select an entry from the DSCP table en...

Page 259: ...ters that access the Internet rely on class information to provide the same forwarding treatment to packets in the same class Class information can be assigned by end hosts or switches or routers along the path Priority can then be assigned based on a general policy or a detailed examination of the packet However note that detailed examination of packets should take place close to the network edge...

Page 260: ...ervice Policy to assign a policy map to a specific interface Configuring a Class Map A class map is used for matching packets to a specified class Command Usage To configure a Class Map follow these steps Open the Class Map page and click Add Class When the Class Configuration page opens fill in the Class Name field and click Add When the Match Class Settings page opens specify type of traffic for...

Page 261: ... to the criteria specified by the lone match command Description A brief description of a class map Range 1 64 characters Add Adds the specified class Back Returns to previous page without making any changes Match Class Settings Class Name List of class maps ACL List Name of an access control list Any type of ACL can be specified including standard or extended IP ACLs and MAC ACLs Range 1 16 characte...

Page 262: ...Rules to change the rules of an existing class Figure 3 128 Configuring Class Maps CLI This example creates a class map called rd_class and sets it to match packets marked for DSCP service value 3 Console config class map rd_class match any 4 198 Console config cmap match ip dscp 3 4 199 Console config cmap ...

Page 263: ...o note that the maximum number of classes that can be applied to a policy map is 16 Policing is based on a token bucket where bucket depth i e the maximum burst before the bucket overflows is specified by the Burst field and the average rate at which tokens are removed from the bucket is specified by the Rate option After using the policy map to define packet classification service tagging and ban...

Page 264: ...ap Action Configures the service provided to ingress traffic by setting a CoS DSCP or IP Precedence value in a matching packet as specified in Match Class Settings on page 3 208 Range CoS 0 7 DSCP 0 63 IP Precedence 0 7 IPv6 DSCP 0 63 Meter Check this to define the maximum throughput burst rate and the action that results from a policy violation Rate kbps Rate in kilobits per second Range 1 100000...

Page 265: ...3 213 3 Web Click QoS DiffServ Policy Map to display the list of existing policy maps To add a new policy map click Add Policy To configure the policy rule settings click Edit Classes Figure 3 129 Configuring Policy Maps ...

Page 266: ... Command Attributes Ports Specifies a port Ingress Applies the rule to ingress traffic Enabled Check this to enable a policy map on the specified port Policy Map Select the appropriate policy map from the scroll down box Web Click QoS DiffServ Service Policy Settings Check Enabled and choose a Policy Map for a port from the scroll down box then click Apply Figure 3 130 Service Policy Settings CLI ...

Page 267: ...by using the source MAC address of packets or by using LLDP IEEE 802 1AB to discover connected VoIP devices When VoIP traffic is detected on a configured port the switch automatically assigns the port as a tagged member of the Voice VLAN Alternatively switch ports can be manually configured Configuring VoIP Traffic To configure the switch for VoIP traffic first enable the automatic detection of VoIP ...

Page 268: ...d member to the Voice VLAN when VoIP traffic is detected on the port You must select a method for detecting VoIP traffic either OUI or 802 1ab LLDP When OUI is selected be sure to configure the MAC address ranges in the Telephony OUI list Manual The Voice VLAN feature is enabled on the port but the port must be manually added to the Voice VLAN Security Enables security filtering that discards any ...

Page 269: ...ed on See Link Layer Discovery Protocol on page 3 189 for more information on LLDP Priority Defines a CoS priority for the port traffic on the Voice VLAN The priority of any received VoIP packet is overwritten with the new priority when the Voice VLAN feature is active for the port Web Click QoS VoIP Traffic Setting Port Configuration Set the mode for a VoIP traffic port select the detection mecha...

Page 270: ...ed OUI 5 Eth 1 3 Manual Enabled OUI 5 Eth 1 4 Auto Enabled OUI 6 Eth 1 5 Disabled Disabled OUI 6 Eth 1 6 Disabled Disabled OUI 6 Eth 1 7 Disabled Disabled OUI 6 Eth 1 8 Disabled Disabled OUI 6 Eth 1 9 Disabled Disabled OUI 6 Eth 1 10 Disabled Disabled OUI 6 Eth 1 11 Disabled Disabled OUI 6 Eth 1 12 Disabled Disabled OUI 6 Eth 1 13 Disabled Disabled OUI 6 Eth 1 14 Disabled Disabled OUI 6 Eth 1 15 D...

Page 271: ...rst three octets Other masks restrict the MAC address range Selecting FF FF FF FF FF FF specifies a single MAC address Default FF FF FF 00 00 00 Description User defined text that identifies the VoIP devices Web Click QoS VoIP Traffic Setting OUI Configuration Enter a MAC address that specifies the OUI for VoIP devices in the network Select a mask from the pull down list to define a MAC address ra...

Page 272: ...rmance so multicast packets will only be forwarded to those ports containing multicast group hosts or multicast routers switches instead of flooding traffic to all ports in the subnet VLAN Layer 2 IGMP Snooping and Query IGMP Snooping and Query If multicast routing is not supported on other switches in your network you can use IGMP Snooping and Query page 3 221 to monitor IGMP service requests pas...

Page 273: ...ces to the requesting hosts Static IGMP Router Interface If IGMP snooping cannot locate the IGMP querier you can manually designate a known IGMP querier i e a multicast router switch connected over the network to an interface on your switch page 3 226 This interface will then join all the current multicast groups supported by the attached router switch to ensure that multicast traffic is passed to...

Page 274: ...r which is responsible for asking hosts if they want to receive multicast traffic This feature is not supported for IGMPv3 snooping Default Disabled IGMP Query Count Sets the maximum number of queries issued for which there has been no response before the switch takes action to drop a client from the multicast group Range 2 10 Default 2 IGMP Query Interval Sets the frequency at which the switch se...

Page 275: ...message is received The router querier stops forwarding traffic for that group only if no host replies to the query within the specified timeout period Note that the timeout period Console config ip igmp snooping 4 292 Console config ip igmp snooping querier 4 296 Console config ip igmp snooping query count 10 4 297 Console config ip igmp snooping query interval 100 4 297 Console config ip igmp sno...

Page 276: ...mmediate Leave Sets the status for immediate leave on the specified VLAN Default Disabled Web Click IGMP Snooping IGMP Immediate Leave Select the VLAN interface to configure set the status for immediate leave and click Apply Figure 3 135 IGMP Immediate Leave CLI This example enables IGMP immediate leave for VLAN 1 and then displays the current IGMP snooping status Console config interface vlan 1 C...

Page 277: ...hed to a neighboring multicast router switch for each VLAN ID Command Attributes VLAN ID ID of configured VLAN 1 4093 Multicast Router List Multicast routers dynamically discovered by this switch or those that are statically assigned to an interface on this switch Web Click IGMP Snooping Multicast Router Port Information Select the required VLAN ID from the scroll down list to display the associat...

Page 278: ...ort or Trunk scroll down list VLAN ID Selects the VLAN to propagate all multicast traffic coming from the attached multicast router Port or Trunk Specifies the interface attached to a multicast router Web Click IGMP Snooping Static Multicast Router Port Configuration Specify the interfaces attached to a multicast router indicate the VLAN which will forward all the corresponding multicast traffic a...

Page 279: ...ast service Web Click IGMP Snooping IP Multicast Registration Table Select a VLAN ID and the IP address for a multicast service from the scroll down lists The switch will display all the interfaces that are propagating this multicast service Figure 3 138 IP Multicast Registration Table CLI This example displays all the known multicast services supported on VLAN 1 along with the ports propagating t...

Page 280: ...n interface in a specific VLAN the corresponding traffic can only be forwarded to ports within that VLAN Command Attributes Interface Activates the Port or Trunk scroll down list VLAN ID Selects the VLAN to propagate all multicast traffic coming from the attached multicast router switch Range 1 4093 Multicast IP The IP address for a specific multicast service Port or Trunk Specifies the interface ...

Page 281: ...d as normal If a requested multicast group is denied the IGMP join report is dropped IGMP throttling sets a maximum number of multicast groups that a port can join at the same time When the maximum number of groups is reached on a port the switch can take one of two actions either deny or replace If the action is set to deny any new IGMP join reports will be dropped If the action is set to replace...

Page 282: ...e Command Usage Each profile has only one access mode either permit or deny When the access mode is set to permit IGMP join reports are processed when a multicast group falls within the controlled range When the access mode is set to deny IGMP join reports are only processed when the multicast group is not in the controlled range Command Attributes Profile ID Selects an existing profile number to ...

Page 283: ...re then click Query to display the current settings Specify the access mode for the profile and then add multicast groups to the profile list Click Apply Figure 3 141 IGMP Profile Configuration CLI This example configures profile number 19 by setting the access mode to permit and then specifying a range of multicast groups that a user can join The current profile configuration is then displayed Co...

Page 284: ...o actions either deny or replace If the action is set to deny any new IGMP join reports will be dropped If the action is set to replace the switch randomly removes an existing group and replaces it with the new multicast group Command Attributes Profile Selects an existing profile number to assign to an interface Max Multicast Groups Sets the maximum number of multicast groups an interface can joi...

Page 285: ...ent IGMP filtering and throttling settings for the interface are then displayed Console config interface ethernet 1 1 4 166 Console config if ip igmp filter 19 4 304 Console config if ip igmp max groups 64 4 305 Console config if ip igmp max groups action deny 4 305 Console config if end Console show ip igmp filter interface ethernet 1 1 4 306 Information of Eth 1 1 IGMP Profile 19 permit range 23...

Page 286: ...to other VLANs to which the subscribers belong Even though common multicast streams are passed onto different VLAN groups from the MVR VLAN users in different IEEE 802 1Q or private VLANs cannot exchange any information except through upper level routing services General Configuration Guidelines for MVR 1 Enable MVR globally on the switch select the MVR VLAN and add the multicast groups that will ...

Page 287: ...designated source ports and to all receiver ports that have registered to receive data from that multicast group Default Disabled MVR Running Status Indicates whether or not all necessary conditions in the MVR environment are satisfied MVR VLAN Identifier of the VLAN that serves as the channel for streaming multicast services using MVR Range 1 4093 Default 1 MVR Group IP IP address for an MVR mult...

Page 288: ... there are subscribers receiving multicast traffic from one of the MVR groups or a multicast group has been statically assigned to an interface Immediate Leave Shows if immediate leave is enabled or disabled Trunk Member Shows if port is a trunk member Web Click MVR Port or Trunk Information Figure 3 144 MVR Port Information CLI This example shows information about interfaces attached to the MVR...

Page 289: ...vided through the MVR VLAN Web Click MVR Group IP Information Figure 3 145 MVR Group IP Information CLI This example shows information about the interfaces associated with multicast groups assigned to the MVR VLAN Console show mvr interface 4 311 MVR Group IP Status Members 225 0 0 1 ACTIVE eth1 1 d eth1 2 s 225 0 0 2 INACTIVE None 225 0 0 3 INACTIVE None 225 0 0 4 INACTIVE None 225 0 0 ...

Page 290: ...ntified in the leave message When immediate leave is disabled the switch follows the standard rules by sending a group specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list Using immediate leave can speed up leave latency but should only be enabled on a port attached t...

Page 291: ...on menu see Configuring Global MVR Settings on page 3 235 The IP address range from 224 0 0 0 to 239 255 255 255 is used for multicast streams MVR group addresses cannot fall within the reserved IP multicast address range of 224 0 0 x Command Attributes Interface Indicates a port or trunk Member Shows the IP addresses for MVR multicast groups which have been statically assigned to the selected int...

Page 292: ...om an outside source DHCP snooping is used to filter DHCP messages received on a non secure interface from outside the network or firewall When DHCP snooping is enabled globally and enabled on a VLAN interface DHCP messages received on an untrusted interface from a device not listed in the DHCP snooping table will be dropped When enabled DHCP messages entering an untrusted interface are filtered b...

Page 293: ...will only be forwarded to trusted ports in the same VLAN If a DHCP packet from a server is received on a trusted port it will be forwarded to both trusted and untrusted ports in the same VLAN If the DHCP snooping is globally disabled all dynamic bindings are removed from the binding table Additional considerations when the switch itself is a DHCP client The port s through which the switch submits...

Page 294: ...CP Snooping Status Enables or disables DHCP snooping for the selected VLAN When DHCP snooping is enabled globally on the switch and enabled on the specified VLAN DHCP packet filtering will be performed on any untrusted ports within the VLAN Web Click DHCP Snooping VLAN Configuration Figure 3 149 DHCP Snooping VLAN Configuration CLI This example first enables DHCP Snooping for VLAN 1 Console config...

Page 295: ...HCP Option 82 information The switch can be configured to set the action policy for these packets Either the switch can drop the DHCP packets keep the existing information or replace it with the switch s relay information Note DHCP snooping must be enabled on the switch for the DHCP Option 82 information to be inserted into packets Command Attributes DHCP Snooping Information Option Status Enables...

Page 296: ...hat is configured to receive only messages from within the network Command Attributes Trust Status Enables or disables port as trusted Web Click DHCP Snooping Information Option Configuration Figure 3 151 DHCP Snooping Port Configuration CLI This example shows how to enable the DHCP Snooping Trust Status for ports Console config ip dhcp snooping information option 4 326 Console config ip dhcp snoo...

Page 297: ...ddress A valid unicast IP address IP Address Type Indicates an IPv4 or IPv6 address type Lease Time Seconds The time after which an entry is removed from the table Web Click DHCP Snooping DHCP Snooping Binding Information Figure 3 152 DHCP Snooping Binding Information CLI This example shows how to display the DHCP Snooping binding table entries Console show ip dhcp snooping binding 4 328 MacAddres...

Page 298: ...ed by a host trying to use the IP address of a neighbor When enabled traffic is filtered based upon dynamic entries learned via DHCP snooping or static addresses configured in the source guard binding table An inbound packet s IP address sip option or both its IP address and corresponding MAC address sip mac option are checked against the binding table If no matching entry is found the packet is d...

Page 299: ...icated with a value of zero in the table Command Attributes Static Binding Table Counts The total number of static entries in the table Port Switch port number Range 1 28 VLAN ID ID of a configured VLAN Range 1 4093 MAC Address A valid unicast MAC address IP Address A valid unicast IP address including classful types A B or C Console config interface ethernet 1 5 Console config if ip source guard ...

Page 300: ...figuration Figure 3 154 Static IP Source Guard Binding Configuration CLI This example shows how to configure a static source guard binding on port 5 Console config ip source guard binding 11 22 33 44 55 66 vlan 1 192 168 0 99 interface ethernet 1 5 4 320 Console config ...

Page 301: ...isplays the number of IP addresses in the source guard binding table Current Dynamic Binding Table Displays the IP addresses in the source guard binding table Web Click IP Source Guard Dynamic Information Figure 3 155 Dynamic IP Source Guard Binding Information CLI This example shows how to configure a static source guard binding on port 5 Console show ip source guard binding 4 321 MacAddress IpAd...

Page 302: ...en configured any switch in the cluster can be managed from the web agent by choosing the desired Member ID from the Cluster drop down menu From the Commander CLI prompt use the rcommand command see page 4 331 to connect to the Member switch Figure 3 156 Cluster Member Choice Cluster Configuration To create a switch cluster first be sure that clustering is enabled on the switch the default is enab...

Page 303: ...er Configuration CLI This example first enables clustering on the switch sets the switch as the cluster Commander and then configures the cluster IP pool Cluster Member Configuration Adds Candidate switches to the cluster as Members Command Attributes Member ID Specify a Member ID number for the selected Candidate switch Range 1 36 MAC Address Select a discovered switch MAC address from the Candida...

Page 304: ...information Command Attributes Member ID The ID number of the Member switch Range 1 36 Role Indicates the current status of the switch in the cluster IP Address The internal cluster IP address assigned to the Member switch MAC Address The MAC address of the Member switch Description The system description string of the Member switch Web Click Cluster Member Information Figure 3 159 Cluster Member ...

Page 305: ...h Description The system description string of the Candidate switch Web Click Cluster Candidate Information Figure 3 160 Cluster Candidate Information CLI This example shows information about cluster Candidate switches Vty 0 show cluster members 4 332 Cluster Members ID 1 Role Active member IP Address 10 254 254 2 MAC Address 00 12 cf 23 49 c0 Description 24 48 L2 L4 IPV4 IPV6 GE Switch Vty 0 Vty ...

Page 306: ...ed a description of the device it can send actions to the device s service To do this a control point sends a suitable control message to the control URL for the service provided in the device description When a device is known to the control point periodic event notification messages are sent A UPnP description for a service includes a list of actions the service responds to and a list of variables...

Page 307: ... advertise duration to 200 seconds the device TTL to 6 and displays information about basic UPnP configuration Console config upnp device 4 333 Console config upnp device advertise duration 200 4 334 Console config upnp device ttl 6 4 334 Console config end Console sh upnp 4 335 UPnP global settings Status Enabled Advertise duration 200 TTL 6 Console ...

Page 308: ...Configuring the Switch 3 256 3 ...

Page 309: ...the console prompt enter the user name and password The default user names are admin and guest with corresponding passwords of admin and guest When the administrator user name and password is entered the CLI displays the Console prompt and enters privileged access mode i e Privileged Exec But when the guest user name and password is entered the CLI displays the Console prompt and enters normal acc...

Page 310: ... isolated network then you can use any IP address that matches the network segment to which you are attached After you configure the switch with an IP address you can open a Telnet session by performing these steps 1 From the remote host enter the Telnet command and the IP address of the device you want to access 2 At the prompt enter the user name and system password The CLI will display the Vty ...

Page 311: ...how startup config To enter commands that require parameters enter the required parameters after the command keyword For example to set a password for the administrator enter Console config username admin password 0 smith Minimum Abbreviation The CLI will accept a minimum number of characters that uniquely identify a command For example the command configure can be entered as con If an entry is am...

Page 312: ...ldp LLDP log Login records logging Logging setting mac MAC access list mac address table Shows the MAC address table management Show management information map Maps priority memory Memory utilization mvr Shows MVR global parameters network access Shows the entries of the secure port ntp Network Time Protocol configuration policy map Displays policy maps port Port characteristics privilege Shows cu...

Page 313: ...mands by pressing the up arrow key Any command displayed in the history list can be executed again or first modified and then executed Using the show history command displays a longer list of recently executed commands Understanding Command Modes The command set is divided into Exec and Configuration classes Exec commands generally display information on system status or clear statistical counters...

Page 314: ... Exec mode from within Normal Exec mode by entering the enable command followed by the privileged level password super page 4 38 To enter Privileged Exec mode enter the following user names and passwords Table 4 1 Command Modes Class Mode Exec Normal Privileged Configuration Global Access Control List Class Map Interface Line Multiple Spanning Tree Policy Map Server Group VLAN Database You must be...

Page 315: ...the command to create VLAN groups To enter the Global Configuration mode enter the command configure in Privileged Exec mode The system prompt will change to Console config which gives you access privilege to all Global Configuration commands To enter the other modes at the configuration prompt type one of the following commands Use the exit or end command to return to the Privileged Exec mode Con...

Page 316: ... config Table 4 3 Command Line Processing Keystroke Function Ctrl A Shifts cursor to start of command line Ctrl B Shifts cursor to the left one character Ctrl C Terminates the current task and displays the command prompt Ctrl E Shifts cursor to end of command line Ctrl F Shifts cursor to the right one character Ctrl K Deletes all characters from the cursor to the end of the line Ctrl L Repeats cur...

Page 317: ...e performance of the monitored port 4 177 Rate Limiting Controls the maximum rate for traffic transmitted or received on a port 4 179 Link Aggregation Statically groups multiple ports into a single logical trunk configures Link Aggregation Control Protocol for port trunks 4 180 PoE Configures power output for connected devices 4 184 Address Table Configures the address table for filtering specified...

Page 318: ...word checking at login LC 4 11 password Specifies a password on a line LC 4 12 timeout login response Sets the interval that the system waits for a user to log into the CLI LC 4 13 exec timeout Sets the interval that the command interpreter waits until user input is detected LC 4 14 password thresh Sets the password intrusion threshold which limits the number of failed logon attempts LC 4 14 silen...

Page 319: ...een displays such as show users However the serial communication parameters e g databits do not affect Telnet connections Example To enter console line mode enter the following command Related Commands show line 4 18 show users 4 81 login This command enables password checking at login Use the no form to disable password checking and allow connections without a password Syntax login local no login...

Page 320: ...and controls login authentication via the switch itself To configure user names and passwords for remote authentication servers you must use the RADIUS or TACACS software installed on those servers Example Related Commands username 4 37 password 4 12 password This command specifies the password for a line Use the no form to remove the password Syntax password 0 7 password no password 0 7 0 means p...

Page 321: ...CLI Use the no form to restore the default Syntax timeout login response seconds no timeout login response seconds Integer that specifies the timeout interval Range 0 300 seconds 0 disabled Default Setting CLI Disabled 0 seconds Telnet 600 seconds Command Mode Line Configuration Command Usage If a login attempt is not detected within the timeout interval the connection is terminated for the sessio...

Page 322: ...his command applies to both the local console and Telnet connections The timeout for Telnet cannot be disabled Using the command without specifying a timeout restores the default setting Example To set the timeout to two minutes enter this command Related Commands silent time 4 15 timeout login response 4 13 password thresh This command sets the password intrusion threshold which limits the number...

Page 323: ...ent time 4 15 timeout login response 4 13 silent time This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password thresh command Use the no form to remove the silent time value Syntax silent time seconds no silent time seconds The number of seconds to disable console response Range 0 65535 0 n...

Page 324: ...and can be used to mask the high bit on input from devices that generate 7 data bits with parity If parity is being generated specify 7 data bits per character If no parity is required specify 8 data bits per character Example To specify 7 data bits enter this command Related Commands parity 4 16 parity This command defines the generation of a parity bit Use the no form to restore the default sett...

Page 325: ...00 38400 bps Default Setting 9600 Command Mode Line Configuration Command Usage Set the speed to match the baud rate of the device connected to the serial port Some baud rates available on devices connected to the port might not be supported The system indicates if the speed you selected is not supported Example To specify 38400 bps enter this command stopbits This command sets the number of the s...

Page 326: ...ng session identifier 0 will disconnect the console connection Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection Example Related Commands show ssh 4 52 show users 4 81 show line This command displays the terminal line s parameters Syntax show line console vty console Console terminal line vty Virtual terminal for remote console access i e Telnet Def...

Page 327: ...vates privileged mode NE 4 20 disable Returns to normal mode from privileged mode PE 4 20 configure Activates global configuration mode PE 4 21 show history Shows the command history buffer NE PE 4 21 reload Restarts the system PE 4 22 reload cancel Cancels a delayed reset of the system PE 4 23 show reload Displays the time remaining until a delayed reset will take place PE 4 23 end Returns to Pri...

Page 328: ...to Privileged Exec To set this password see the enable password command on page 4 38 The character is appended to the end of the prompt to indicate that the system is in privileged access mode Example Related Commands disable 4 20 enable password 4 38 disable This command returns to Normal Exec mode from privileged mode In normal access mode you can only display basic information on the switch s c...

Page 329: ...nterface Configuration Line Configuration and VLAN Database Configuration See Understanding Command Modes on page 4 5 Default Setting None Command Mode Privileged Exec Example Related Commands end 4 24 show history This command shows the contents of the command history buffer Default Setting None Command Mode Normal Exec Privileged Exec Command Usage The history buffer size is fixed at 10 Executio...

Page 330: ...pecified amount of time Syntax reload in hour hours minute minutes hours Specifies the amount of hours to wait combined with the minutes before the switch resets Range 0 576 Default 0 minutes Specifies the amount of minutes to wait combined with the hours before the switch resets Range 1 34560 Default 0 Note When the system is restarted it will always run the Power On Self Test It will also retain...

Page 331: ...fied then the switch will reboot immediately Example This example shows how to reset the switch reload cancel This command cancels a pending delayed reset Syntax reload cancel Default Setting None Command Mode Privileged Exec Example This example shows how to cancel a configured delayed reset of the switch show reload This command displays the remaining time until a pending delayed reset will take...

Page 332: ...Privileged Exec mode from the Interface Configuration mode exit This command returns to the previous configuration mode or exits the configuration program Default Setting None Command Mode Any Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode and then quit the CLI session Console show reload The switch will be rebooted at Nov 23 22 52 14 2007 Re...

Page 333: ...n Page Device Designation Configures information that uniquely identifies this switch 4 26 Banner Configures administrative contact and device identification and location information 4 27 User Access Configures the basic user names and passwords for management access 4 37 IP Filter Configures IP addresses that are allowed management access 4 39 Web Server Enables management access via a web brows...

Page 334: ...odifies the host name for this device Use the no form to restore the default host name Syntax hostname name no hostname name The name of this host Maximum length 255 characters Default Setting None Command Mode Global Configuration Table 4 8 Device Designation Commands Command Function Mode Page prompt Customizes the prompt used in PE and NE mode GC 4 26 hostname Specifies the host name for the sw...

Page 335: ... info Configures the DC Power information that is displayed by banner GC 4 30 banner configure department Configures the Department information that is displayed by banner GC 4 31 banner configure equipment info Configures the Equipment information that is displayed by banner GC 4 31 banner configure equipment location Configures the Equipment Location information that is displayed by banner GC 4 ...

Page 336: ...me and presses the enter key the script prompts for the next piece of information and so on until all information has been entered Pressing enter without inputting information at any prompt during the script s operation will leave the field empty Spaces can be used during script mode because pressing the enter key signifies the end of data input The delete and left arrow keys terminate the script ...

Page 337: ... telephone to Contact the management people Manager1 name Sr Network Admin phone number 123 555 1212 Manager2 name Wile E Coyote phone number 123 555 1213 Manager3 name Night shift Net Admin Janitor phone number 123 555 1214 The physical location of the equipment City and street address 12 Straight St Motown Zimbabwe Information about this equipment Manufacturer SMC Networks ID 123_unique_id_numbe...

Page 338: ...id rack rack id electrical circuit ec id no banner configure dc power info floor row rack electrical circuit floor id The floor number row id The row number rack id The rack number ec id The electrical circuit ID Maximum length of each parameter 32 characters Default Setting None Command Mode Global Configuration Command Usage The user entered data cannot contain spaces The banner configure dc pow...

Page 339: ...r characters is suggested for situations where whitespace is necessary for clarity Example banner configure equipment info This command allows the administrator to configure the equipment information displayed in the banner Use the no form to remove the equipment information from the banner display Syntax banner configure equipment info manufacturer id mfr id floor floor id row row id rack rack id...

Page 340: ... the banner display Syntax banner configure equipment location location no banner configure equipment location location The address location of the device Maximum length 32 characters Default Setting None Command Mode Global Configuration Command Usage The user entered data cannot contain spaces The banner configure equipment location command interprets spaces as data input boundaries The use of u...

Page 341: ...annot contain spaces The banner configure ip lan command interprets spaces as data input boundaries The use of underscores _ or other unobtrusive non letter characters is suggested for situations where whitespace is necessary for clarity Example banner configure lp number This command allows the administrator to configure the LP number information displayed in the banner Use the no form to remove ...

Page 342: ...onfigure manager info name1 name2 name3 mgr1 name The name of the first manager mgr1 number The phone number of the first manager mgr2 name The name of the second manager mgr2 number The phone number of the second manager mgr3 name The name of the third manager mgr3 number The phone number of the third manager Maximum length of each parameter 32 characters Default Setting None Command Mode Global ...

Page 343: ...s as data input boundaries The use of underscores _ or other unobtrusive non letter characters is suggested for situations where whitespace is necessary for clarity Example banner configure note This command allows the administrator to configure the note information displayed in the banner Use the no form to remove the note information from the banner display Syntax banner configure note note info...

Page 344: ...igure note ROUTINE_MAINTENANCE_firmware upgrade_0100 0500_GMT 0500_20071022 _20min_network_impact_expected Console config Console show banner Acme_Corporation WARNING MONITORED ACTIONS AND ACCESSES R D_Dept Albert_Einstein 123 555 1212 Wile_E _Coyote 123 555 9876 Lamar 123 555 3322 Station s information 710_Network_Path Indianapolis Acme_Corporation 2852ACME PoE Floor Row Rack Sub Rack 7 10 15 6 D...

Page 345: ...name of the user Maximum length 8 characters case sensitive Maximum users 16 access level level Specifies the user level The device has two predefined privilege levels 0 Normal Exec 15 Privileged Exec nopassword No password is required for this user to log in 0 7 0 means plain password 7 means encrypted password password password The authentication password for the user Maximum length 8 characters...

Page 346: ...level Level 15 for Privileged Exec Levels 0 14 are not used 0 7 0 means plain password 7 means encrypted password password password for this privilege level Maximum length 8 characters plain text 32 encrypted case sensitive Default Setting The default is level 15 The default password is super Command Mode Global Configuration Command Usage You cannot set a null password You will have to enter a pa...

Page 347: ...ommand Usage If anyone tries to access a management interface on the switch from an invalid address the switch will reject the connection enter an event message in the system log and send a trap message to the trap manager IP address can be configured for SNMP web and Telnet access respectively Each of these groups can include up to five different sets of addresses either individual addresses or a...

Page 348: ...elnet groups http client Adds IP address es to the web group snmp client Adds IP address es to the SNMP group telnet client Adds IP address es to the Telnet group Command Mode Privileged Exec Example Console config management all client 192 168 1 19 Console config management all client 192 168 1 25 192 168 1 30 Console config Console show management all client Management IP Filter HTTP Client Star...

Page 349: ...rver This command allows this device to be monitored or configured from a browser Use the no form to disable this function Syntax no ip http server Default Setting Enabled Command Mode Global Configuration Table 4 13 Web Server Commands Command Function Mode Page ip http port Specifies the port to be used by the web browser interface GC 4 41 ip http server Allows the switch to be monitored or conf...

Page 350: ...he client authenticates the server using the server s digital certificate The client and server negotiate a set of security protocols to use for the connection The client and server generate session keys for encrypting and decrypting data The client and server establish a secure encrypted connection A padlock icon should appear in the status bar for Internet Explorer 5 x and Netscape Navigator 6 2...

Page 351: ...p secure port port_number The UDP port used for HTTPS Range 1 65535 Default Setting 443 Command Mode Global Configuration Command Usage You cannot configure the HTTP and HTTPS servers to use the same port If you change the HTTPS port number clients attempting to connect to the HTTPS server must specify the port number in the URL in this format https device port_number Example Related Commands ip h...

Page 352: ...d Commands ip telnet server 4 44 ip telnet server This command allows this device to be monitored or configured from Telnet Use the no form to disable this function Syntax no ip telnet server Default Setting Enabled Command Mode Global Configuration Example Table 4 15 Telnet Server Commands Command Function Mode Page ip telnet port Specifies the port to be used by the Telnet interface GC 4 41 ip t...

Page 353: ...te that you also need to install a SSH client on the management station when using this protocol to configure the switch Note The switch supports both SSH Version 1 5 and 2 0 Table 4 16 SSH Commands Command Function Mode Page ip ssh server Enables the SSH server on the switch GC 4 47 ip ssh timeout Specifies the authentication timeout for the SSH server GC 4 48 ip ssh authentication retries Specif...

Page 354: ...329781766065830956 10825913212890233 76546801726272571413428762941301196195566782 59566410486957427888146206 51941746772984865468615717739390164779355942303577413098022737087794545 24083971752646358058176716709574804776117 3 Import Client s Public Key to the Switch Use the copy tftp public key command to copy a file containing the public key for all the SSH client s granted management access to th...

Page 355: ...key must still be given to the client either during initial connection or manually entered into the known host file However you do not need to configure the client s keys ip ssh server This command enables the Secure Shell SSH server on this switch Use the no form to disable this service Syntax no ip ssh server Default Setting Disabled Command Mode Global Configuration Command Usage The SSH server...

Page 356: ...negotiation phase Once an SSH session has been established the timeout for user input is controlled by the exec timeout command for vty sessions Example Related Commands exec timeout 4 14 show ip ssh 4 51 ip ssh authentication retries This command configures the number of times the SSH server attempts to reauthenticate a user Use the no form to restore the default setting Syntax ip ssh authenticat...

Page 357: ...mand Usage The server key is a private key that is never shared outside the switch The host key is shared with the SSH client and is fixed at 1024 bits Example delete public key This command deletes the specified user s public key Syntax delete public key username dsa rsa username Name of an SSH user Range 1 8 characters dsa DSA public key type rsa RSA public key type Default Setting Deletes both ...

Page 358: ...t programs automatically add the public key to the known hosts file as part of the configuration process Otherwise you must manually create a known hosts file and place the host public key in it The SSH server uses this host key to negotiate a session key and encryption method with the client trying to connect to it Example Related Commands ip ssh crypto zeroize 4 50 ip ssh save host key 4 51 ip s...

Page 359: ...h save host key 4 51 no ip ssh server 4 47 ip ssh save host key This command saves host key from RAM to flash memory Syntax ip ssh save host key dsa rsa dsa DSA key type rsa RSA key type Default Setting Saves both the DSA and RSA key Command Mode Privileged Exec Example Related Commands ip ssh crypto host key generate 4 50 show ip ssh This command displays the connection settings used when authent...

Page 360: ...hentication Started Session Started Username The user name of the client Encryption The encryption method is automatically negotiated between the client and server Options for SSHv1 5 include DES 3DES Options for SSHv2 0 can include different algorithms for the client to server ctos and server to client stoc aes128 cbc hmac sha1 aes192 cbc hmac sha1 aes256 cbc hmac sha1 3des cbc hmac sha1 blowfish...

Page 361: ...ring is the encoded modulus Example Console show public key host Host RSA 1024 35 1568499540186766925933394677505461732531367489083654725415020245593199868 5443583616519999233297817660658309586108259132128902337654680172627257141 3428762941301196195566782595664104869574278881462065194174677298486546861 5717739390164779355942303577413098022737087794545240839717526463580581767 16709574804776117 DSA ...

Page 362: ...tory 4 55 clear logging 4 57 Table 4 18 Event Logging Commands Command Function Mode Page logging on Controls logging of error messages GC 4 54 logging history Limits syslog messages saved to switch memory based on severity GC 4 55 logging host Adds a syslog server host IP address that will receive logging messages GC 4 56 logging facility Sets the facility type for remote logging of syslog messag...

Page 363: ...d Mode Global Configuration Command Usage The message level specified for flash memory must be a higher priority i e numerically lower than that specified for RAM Example Table 4 19 Logging Levels Level Severity Name Description 7 debugging Debugging messages 6 informational Informational messages only 5 notifications Normal but significant condition such as cold start 4 warnings Warning condition...

Page 364: ...ts the facility type for remote logging of syslog messages Use the no form to return the type to the default Syntax no logging facility type type A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service Range 16 23 Default Setting 23 Command Mode Global Configuration Command Usage The command specifies the facility type tag sent in syslog me...

Page 365: ...ing Enabled Level 6 0 Command Mode Global Configuration Command Usage Using this command with a specified level enables remote logging and sets the minimum severity level to be saved Using this command without a specified level also enables remote logging but restores the minimum severity level to the default Example clear logging This command clears messages from the log buffer Syntax clear loggi...

Page 366: ...efault Setting None Command Mode Privileged Exec Example The following example shows that system logging is enabled the message level for flash memory is errors i e default level 3 0 the message level for RAM is informational i e default level 6 0 Console show logging flash Syslog logging Enabled History logging in FLASH level errors Console show logging ram Syslog logging Enabled History logging ...

Page 367: ... show logging trap Syslog logging Enable REMOTELOG status disable REMOTELOG facility type local use 7 REMOTELOG level type Debugging messages REMOTELOG server IP address 1 2 3 4 REMOTELOG server IP address 0 0 0 0 REMOTELOG server IP address 0 0 0 0 REMOTELOG server IP address 0 0 0 0 REMOTELOG server IP address 0 0 0 0 Console Table 4 21 show logging trap display description Field Description Sys...

Page 368: ... 01 STA root change notification level 6 module 6 function 1 and event no 1 3 00 00 54 2001 01 01 STA root change notification level 6 module 6 function 1 and event no 1 2 00 00 50 2001 01 01 STA topology change notification level 6 module 6 function 1 and event no 1 1 00 00 48 2001 01 01 VLAN 1 link up notification level 6 module 6 function 1 and event no 1 Console Table 4 22 SMTP Alert Commands ...

Page 369: ...the process at a periodic interval A trap will be triggered if the switch cannot successfully open a connection Example logging sendmail level This command sets the severity threshold used to trigger alert messages Syntax logging sendmail level level level One of the system message levels page 4 55 Messages sent include the selected level down to level 0 Range 0 7 Default 7 Default Setting Level 7...

Page 370: ... the switch Example This example will set the source email john acme com logging sendmail destination email This command specifies the email recipients of alert messages Use the no form to remove a recipient Syntax no logging sendmail destination email email address email address The source email address used in alert messages Range 1 41 characters Default Setting None Command Mode Global Configur...

Page 371: ...onfiguration Example show logging sendmail This command displays the settings for the SMTP event handler Command Mode Normal Exec Privileged Exec Example Console config logging sendmail Console config Console show logging sendmail SMTP servers 1 192 168 1 200 SMTP minimum severity level 4 SMTP destination email addresses 1 geoff acme com SMTP source email address john acme com SMTP status Enabled ...

Page 372: ...t SNTP configuration settings NE PE 4 66 ntp client Enables the NTP client for time updates from specified servers GC 4 67 ntp server Specifies NTP servers to poll for time updates GC 4 68 ntp poll Sets the interval at which the NTP client polls for time GC 4 69 ntp authenticate Enables authentication for NTP traffic GC 4 69 ntp authentication key Configures authentication keys GC 4 70 show ntp Sh...

Page 373: ... this command with no arguments to clear all time servers from the current list Syntax sntp server ip1 ip2 ip3 ip IP address of a time server NTP or SNTP Range 1 3 addresses Default Setting None Command Mode Global Configuration Command Usage This command specifies time servers from which the switch will poll for time updates when set to SNTP client mode The client will poll the time servers i...

Page 374: ...econds Default Setting 16 seconds Command Mode Global Configuration Example Related Commands sntp client 4 64 show sntp This command displays the current time and configuration settings for the SNTP client and indicates whether or not the local time has been properly updated Command Mode Normal Exec Privileged Exec Command Usage This command displays the current time the poll interval used for sen...

Page 375: ... is used to record accurate dates and times for log events Without NTP the switch only records the time starting from the factory default set at the last bootup i e 00 00 00 Jan 1 2001 This command enables client time requests to time servers specified via the ntp servers command It issues time synchronization requests based on the interval set via the ntp poll command Example Related Commands snt...

Page 376: ...ode It issues time synchronization requests based on the interval set with the ntp poll command The client will poll all the time servers configured the responses received are filtered and compared to determine the most reliable and accurate time update for the switch You can configure up to 50 NTP servers on the switch Re enter this command for each server you want to configure NTP authentication...

Page 377: ...tp authenticate This command enables authentication for NTP client server communications Use the no form to disable authentication Syntax no ntp authenticate Default Setting Disabled Command Mode Global Configuration Command Usage You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers The authentication keys and their associated key number m...

Page 378: ...2 case sensitive printable ASCII characters no spaces Default Setting None Command Mode Global Configuration Command Usage The key number specifies a key value in the NTP authentication key list Up to 255 keys can be configured on the switch Re enter this command for each server you want to configure Note that NTP authentication key numbers and values must match on both the server and client NTP a...

Page 379: ...elect the city associated with the chosen GMT offset After the offset has been entered use the tab complete function to display the available city options Default Setting GMT Greenwich Mean Time Dublin Edinburgh Lisbon London Command Mode Global Configuration Console show ntp Current time Jan 1 02 58 58 2001 Poll interval 16 Current mode unicast NTP status Enabled NTP Authenticate status Enabled L...

Page 380: ...racters hours Number of hours before after UTC Range 0 12 hours minutes Number of minutes before after UTC Range 0 59 minutes before utc Sets the local time zone before east of UTC after utc Sets the local time zone after west of UTC Default Setting None Command Mode Global Configuration Command Usage This command sets the local time zone relative to the Coordinated Universal Time UTC formerly Gre...

Page 381: ...ime will begin b hour The hour summer time will begin Range 0 23 hours b minute The minute summer time will begin Range 0 59 minutes e month The month when summer time will end Options january february march april may june july august september october november december e day The day summer time will end Options sunday monday tuesday wednesday thursday friday saturday e year The year summer time w...

Page 382: ...hen summer time is in effect select the predefined summer time time zone appropriate for your location or manually configure summer time if these predefined configurations do not apply to your location see clock summer time date on page 4 73 or clock summer time recurring on page 4 75 Example Console config clock summer time DEST date april 1 2007 23 23 april 23 2007 23 23 60 Console config Table ...

Page 383: ...er october november december b hour The hour when summer time will begin Range 0 23 hours b minute The minute when summer time will begin Range 0 59 minutes e week The week of the month when summer time will end Range 1 5 e day The day of the week summer time will end Options sunday monday tuesday wednesday thursday friday saturday e month The month when summer time will end Options january februa...

Page 384: ...0 59 sec Second Range 0 59 day Day of month Range 1 31 month january february march april may june july august september october november december year Year 4 digit Range 2001 2100 Default Setting None Command Mode Privileged Exec Example show calendar This command displays the system clock Default Setting None Command Mode Normal Exec Privileged Exec Example Console config clock summer time MESZ ...

Page 385: ... the following information SNMP community strings Users names and access levels VLAN database VLAN ID name and state VLAN configuration settings for each interface IP address configured for the switch Spanning tree settings Any configured settings for the console port and Telnet Table 4 25 System Status Commands Command Function Mode Page show startup config Displays the contents of the configurat...

Page 386: ... private rw username admin access level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca vlan database vlan 1 name DefaultVlan media ethernet state active vlan 4093 media ethernet state active spanning tree mst configuration interface vla...

Page 387: ...lays settings for key command modes Each mode group is separated by symbols and includes the configuration mode command and corresponding commands This command displays the following information MAC address for each switch in the stack SNTP server settings Local time zone SNMP community strings Users names access levels and encrypted passwords Event log settings VLAN database VLAN ID name and stat...

Page 388: ...mmunity private rw username admin access level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca vlan database vlan 1 name DefaultVlan media ethernet state active vlan 4093 media ethernet state active spanning tree mst configuration access...

Page 389: ...P address of Telnet client Default Setting None Command Mode Normal Exec Privileged Exec Console show system System Description 24 10 100 ports and 4 gigabit ports with PoE switch System OID String 1 3 6 1 4 1 202 20 65 System Information System Up Time 0 days 0 hours 1 minutes and 32 18 seconds System Name NONE System Location NONE System Contact NONE MAC Address Unit1 00 00 35 28 10 03 Web Serve...

Page 390: ...d Exec Command Usage See Displaying Switch Hardware Software Versions on page 3 13 for detailed information on the items displayed by this command Console show users Username accounts Username Privilege Public Key admin 15 None guest 0 None steve 15 RSA Online users Line Username Idle time h m s Remote IP addr 0 console admin 0 14 14 1 VTY 0 admin 0 00 00 192 168 1 19 2 SSH 1 steve 0 00 06 192 168...

Page 391: ...the source and destination end nodes such as a computer or server must support this feature Also when the connection is operating at full duplex all switches in the network between the two end nodes must be able to accept the extended frame size And for half duplex connections all devices in the collision domain would need to support jumbo frames Console show version Unit1 Serial number S416000937...

Page 392: ...e quality of the network connection Syntax copy file file running config startup config tftp unit copy running config file startup config tftp copy startup config file running config tftp copy tftp file running config startup config https certificate public key copy unit file file Keyword that allows you to copy to from a file running config Keyword that allows you to copy to from the current runn...

Page 393: ...only two operation code files The maximum number of user defined configuration files depends on available memory You can use Factory_Default_Config cfg as the source to copy from the factory default configuration file but you cannot use it as the destination To replace the startup configuration you must use startup config as the destination Use the copy file unit command to copy a local file to an...

Page 394: ...ce file name startup TFTP server ip address 10 1 0 99 Destination file name startup 01 TFTP completed Success Console Console copy running config file destination file name startup Write to FLASH Programming Write to FLASH finish Success Console Console copy tftp startup config TFTP server ip address 10 1 0 99 Source configuration file name startup 01 Startup configuration file name startup Write ...

Page 395: ...leged Exec Command Usage If the file type is used for system startup then this file cannot be deleted Factory_Default_Config cfg cannot be deleted A colon is required after the specified unit number Example This example shows how to delete the test2 cfg configuration file from flash memory for unit 1 Related Commands dir 4 88 delete public key 4 49 Console copy tftp public key TFTP server IP addre...

Page 396: ...and dir without any parameters the system displays all files A colon is required after the specified unit number File information is shown below Example The following example shows how to display all file information Table 4 28 File Directory Information Column Heading Description file name The name of the file file type File types Boot Rom Operation Code and Config file startup Shows if this file...

Page 397: ...oot system unit boot rom config opcode filename The type of file or image to set as a default includes boot rom Boot ROM config Configuration file opcode Run time operation code filename Name of the configuration file or code image unit Specifies the unit number Range 1 The colon is required Default Setting None Command Mode Global Configuration Command Usage A colon is required after the specifie...

Page 398: ...DIUS Client Configures settings for authentication via a RADIUS server 4 93 TACACS Client Configures settings for authentication via a TACACS server 4 97 AAA Configures authentication authorization and accounting for network access 4 101 Port Security Configures secure addresses for a port 4 110 Port Authentication Configures host authentication on specific ports using 802 1X 4 112 Network Access ...

Page 399: ...he server while TACACS encrypts the entire body of the packet RADIUS and TACACS logon authentication assigns a specific privilege level for each user name and password pair The user name password and privilege level must be configured on the authentication server You can specify three authentication methods in a single command to indicate the authentication sequence For example if you enter authen...

Page 400: ...ssword in the access request packet from the client to the server while TACACS encrypts the entire body of the packet RADIUS and TACACS logon authentication assigns a specific privilege level for each user name and password pair The user name password and privilege level must be configured on the authentication server You can specify three authentication methods in a single command to indicate the...

Page 401: ... group that require management access to a switch Table 4 31 RADIUS Client Commands Command Function Mode Page radius server host Specifies the RADIUS server GC 4 94 radius server acct port Sets the RADIUS server network port GC 4 94 radius server auth port Sets the RADIUS server network port GC 4 95 radius server key Sets the RADIUS encryption key GC 4 95 radius server retransmit Sets the number ...

Page 402: ...35 timeout Number of seconds the switch waits for a reply before resending a request Range 1 65535 retransmit Number of times the switch will try to authenticate logon access via the RADIUS server Range 1 30 key Encryption key used to authenticate logon access for client Do not use blank spaces in the string Maximum length 20 characters Default Setting auth port 1812 timeout 5 seconds retransmit 2...

Page 403: ...tting 1812 Command Mode Global Configuration Example radius server key This command sets the RADIUS encryption key Use the no form to restore the default Syntax radius server key key_string no radius server key key_string Encryption key used to authenticate logon access for client Do not use blank spaces in the string Maximum length 20 characters Default Setting None Command Mode Global Configurat...

Page 404: ... command sets the interval between transmitting authentication requests to the RADIUS server Use the no form to restore the default Syntax radius server timeout number_of_seconds no radius server timeout number_of_seconds Number of seconds the switch waits for a reply before resending a request Range 1 65535 Default Setting 5 Command Mode Global Configuration Example show radius server This comman...

Page 405: ...mote RADIUS Server Configuration Global Settings Communication Key with RADIUS Server Auth Port 1812 Acct port 1813 Retransmit Times 2 Request Timeout 5 Radius server group Group Name Member Index radius Console Table 4 32 TACACS Commands Command Function Mode Page tacacs server host Specifies the TACACS server GC 4 98 tacacs server port Specifies the TACACS server network port GC 4 98 tacacs serv...

Page 406: ...40 seconds retransmit Number of times the switch will resend an authentication request to the TACACS server Range 1 30 key Encryption key used to authenticate logon access for client Do not use blank spaces in the string Maximum length 20 characters Default Setting port 49 timeout 5 seconds retransmit 2 Command Mode Global Configuration Example tacacs server port This command specifies the TACACS ...

Page 407: ...ommand Mode Global Configuration Example tacacs server retransmit This command sets the number of retries Use the no form to restore the default Syntax tacacs server retransmit number_of_retries no tacacs server retransmit number_of_retries Number of times the switch will try to authenticate logon access via the TACACS server Range 1 30 Default Setting 2 Command Mode Global Configuration Example C...

Page 408: ...ore resending a request Range 1 540 Default Setting 5 seconds Command Mode Global Configuration Example show tacacs server This command displays the current settings for the TACACS server Default Setting None Command Mode Privileged Exec Example Console config tacacs server timeout 10 Console config Console show tacacs server Remote TACACS server configuration Global Settings Communication Key wit...

Page 409: ...rver Groups security servers into defined lists GC 4 101 server Configures the IP address of a server in a group list SG 4 102 aaa accounting dot1x Enables accounting of 802 1X services GC 4 102 aaa accounting exec Enables accounting of Exec services GC 4 103 aaa accounting commands Enables accounting of Exec mode commands GC 4 104 aaa accounting update Enables periodic updates to be sent to the ...

Page 410: ...ge 4 98 Example aaa accounting dot1x This command enables the accounting of requested 802 1X services for network access Use the no form to disable the accounting service Syntax aaa accounting dot1x default method name start stop group radius tacacs server group no aaa accounting dot1x default method name default Specifies the default accounting method for service requests method name Specifies an...

Page 411: ...ervices for network access Use the no form to disable the accounting service Syntax aaa accounting exec default method name start stop group radius tacacs server group no aaa accounting exec default method name default Specifies the default accounting method for service requests method name Specifies an accounting method for service requests Range 1 255 characters start stop Records accounting fro...

Page 412: ...fault method name start stop group tacacs server group no aaa accounting commands level default method name level The privilege level for executing commands Range 0 15 default Specifies the default accounting method for service requests method name Specifies an accounting method for service requests Range 1 255 characters start stop Records accounting from starting point and stopping point group S...

Page 413: ...le accounting updates Syntax aaa accounting update periodic interval no aaa accounting update interval Sends an interim accounting record to the server at this interval Range 1 2147483647 minutes Default Setting 1 minute Command Mode Global Configuration Command Usage When accounting updates are enabled the switch issues periodic interim accounting records for all users on the system Using the com...

Page 414: ...exec This command applies an accounting method to local console or Telnet connections Use the no form to disable accounting on the line Syntax accounting exec default list name no accounting exec default Specifies the default method list created with the aaa accounting exec command page 4 103 list name Specifies a method list created with the aaa accounting exec command Default Setting None Comman...

Page 415: ...the authorization for Exec access Use the no form to disable the authorization service Syntax aaa authorization exec default method name group tacacs server group no aaa authorization exec default method name default Specifies the default authorization method for Exec access method name Specifies an authorization method for Exec access Range 1 255 characters group Specifies the server group to use...

Page 416: ...applies an authorization method to local console or Telnet connections Use the no form to disable authorization on the line Syntax authorization exec default list name no authorization exec default Specifies the default method list created with the aaa authorization exec command page 4 107 list name Specifies a method list created with the aaa authorization exec command Default Setting None Comman...

Page 417: ...a specifiable command level dot1x Displays dot1x accounting information exec Displays Exec accounting records statistics Displays accounting records user name Displays accounting records for a specifiable username interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 Default Setting None Command Mode Privileged Exec Example Console show accounting Accounting type dot1x M...

Page 418: ...e the no form without any keywords to disable port security Use the no form with the appropriate keyword to restore the default settings for a response to security violation or for the maximum number of allowed addresses Syntax port security action shutdown trap trap and shutdown max mac count address count no port security action max mac count action Response to take when port security is violate...

Page 419: ...eset the maximum number of addresses to the default You can also manually add secure addresses with the mac address table static command A secure port has the following restrictions Cannot use port monitoring Cannot be a multi VLAN port Cannot be connected to a network interconnection device Cannot be a trunk port If a port is disabled due to a security violation it must be manually re enabled usi...

Page 420: ...hat the switch retransmits an EAP request identity packet to the client before it times out the authentication session IC 4 113 dot1x port control Sets dot1x mode for a port interface IC 4 113 dot1x operation mode Allows single or multiple hosts on a dot1x port IC 4 114 dot1x re authenticate Forces re authentication on specific ports PE 4 115 dot1x re authentication Enables re authentication for ...

Page 421: ...and Mode Interface Configuration Example dot1x port control This command sets the dot1x mode on a port interface Use the no form to restore the default Syntax dot1x port control auto force authorized force unauthorized no dot1x port control auto Requires a dot1x aware connected client to be authorized by the RADIUS server Clients that are not dot1x aware will be denied access force authorized Conf...

Page 422: ...Keyword for the maximum number of hosts count The maximum number of hosts that can connect to a port Range 1 1024 Default 5 Default Single host Command Mode Interface Configuration Command Usage The max count parameter specified by this command is only effective if the dot1x mode is set to auto by the dot1x port control command page 4 113 In multi host mode only one host connected to a port needs ...

Page 423: ...he no form to disable re authentication Syntax no dot1x re authentication Command Mode Interface Configuration Example dot1x timeout quiet period This command sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client Use the no form to reset the default Syntax dot1x timeout quiet period seconds no dot1x timeout quiet period secon...

Page 424: ...ple dot1x timeout tx period This command sets the time that an interface on the switch waits during an authentication session before re transmitting an EAP packet Use the no form to reset to the default value Syntax dot1x timeout tx period seconds no dot1x timeout tx period seconds The number of seconds Range 1 65535 Default 30 seconds Command Mode Interface Configuration Console config interface ...

Page 425: ...nfigured and set as active vlan database on page 4 224 and assigned as the guest VLAN for the port network access guest vlan on page 4 125 Example show dot1x This command shows general port authentication related settings on the switch or a specific interface Syntax show dot1x statistics interface interface statistics Displays dot1x status for each port interface ethernet unit port unit Stack unit...

Page 426: ...entication session before re transmitting EAP packet page 4 116 supplicant timeout Supplicant timeout server timeout Server timeout reauth max Maximum number of reauthentication attempts max req Maximum number of times a port will retransmit an EAP request identity packet to the client before it times out the authentication session page 4 113 Status Authorization status authorized or not Operation...

Page 427: ...onse success fail timeout idle initialize Request Count Number of EAP Request packets sent to the Supplicant without receiving a response Identifier Server Identifier carried in the most recent EAP Success Failure or Request packet received from the Authentication Server Reauthentication State Machine State Current state including initialize reauthenticate ...

Page 428: ... port 1 1 802 1X is enabled on port 1 2 reauth enabled Enable reauth period 1800 quiet period 30 tx period 40 supplicant timeout 30 server timeout 10 reauth max 2 max req 5 Status Authorized Operation mode Single Host Max count 5 Port control Auto Supplicant 00 12 cf 49 5e dc Current Identifier 3 Intrusion action Guest VLAN Authenticator State Machine State Authenticated Reauth Count 0 Backend Sta...

Page 429: ...authentication authenticated MAC addresses on an interface IC 4 124 network access dynamic qos Enables dynamic quality of service feature IC 4 124 network access dynamic vlan Enables dynamic VLAN assignment from a RADIUS server IC 4 125 network access guest vlan Specifies the guest VLAN IC 4 125 network access link detection Enables the link detection feature IC 4 125 network access link detection ...

Page 430: ...contain multiple VLAN identifiers in the format 1u 2t where u indicates untagged VLAN and t tagged VLAN The Tunnel Type attribute should be set to VLAN and the Tunnel Medium Type attribute set to 802 Authenticated MAC addresses are stored as dynamic entries in the switch secure MAC address table and are removed when the aging time expires The maximum number of secure MAC addresses supported for th...

Page 431: ...f MAC addresses per port is 2048 and the maximum number of secure MAC addresses supported for the switch system is 1024 When the limit is reached all new MAC addresses are treated as authentication failed Example mac authentication intrusion action Use this command to configure the port response to a host MAC authentication failure Use the no form of this command to restore the default Syntax mac ...

Page 432: ...thenticated MAC addresses allowed Range 1 1024 Default Setting 1024 Command Mode Interface Config Example network access dynamic qos Use this command to enable the dynamic QoS feature for an authenticated port Use the no form to restore the default Syntax no network access dynamic qos Default Setting Disabled Command Mode Interface Configuration Example The following example enables the dynamic Qo...

Page 433: ...ated as authentication failure If dynamic VLAN assignment is enabled on a port and the RADIUS server returns no VLAN configuration the authentication is still treated as a success When the dynamic VLAN assignment status is changed on a port all authenticated addresses are cleared from the secure MAC address table Example The following example enables dynamic VLAN assignment on port 1 network acces...

Page 434: ...ommand Mode Interface Configuration Example network access link detection link down Use this command to configure the link detection feature to detect link down events When a link down event is detected the feature can shut down the port send an SNMP trap or both Use the no form of this command to disable this feature Syntax network access link detection link down action shutdown trap trap and...

Page 435: ...tection link up down Use this command to configure the link detection feature to detect link up and link down events When either a link up or link down event is detected the feature can shut down the port send an SNMP trap or both Use the no form of this command to disable this feature Syntax network access link detection link up down action shutdown trap trap and shutdown no network access link d...

Page 436: ...ange 120 1000000 seconds Default Setting 1800 Command Mode Global Configuration Command Usage The reauthentication time is a global setting and applies to all ports When the reauthentication time expires for a secure MAC address it is reauthenticated with the RADIUS server During the reauthentication process traffic through the port remains unaffected Example Console config interface ethernet 1 1 ...

Page 437: ...nterface Specifies a port interface ethernet unit port unit This is unit 1 port Port number Range 1 28 Default Setting None Command Mode Privileged Exec Example show network access Use this command to display the MAC authentication settings for port interfaces Syntax show network access interface interface interface Specifies a port interface ethernet unit port unit This is unit 1 port Port number...

Page 438: ...umber Range 1 28 sort Sorts displayed entries by either MAC address or interface Default Setting Displays all filters Command Mode Privileged Exec Command Usage When using a bit mask to filter displayed MAC addresses a 1 means care and a 0 means don t care For example a MAC of 00 00 01 02 03 04 and mask FF FF FF 00 00 00 would result in all MACs in the range 00 00 01 00 00 00 to 00 00 01 FF FF FF ...

Page 439: ...mote Logon Authentication on page 3 48 3 Web authentication cannot be configured on trunk ports Console show network access mac address table Port MAC Address RADIUS Server Attribute Time 1 1 00 00 01 02 03 04 172 155 120 17 Static 00d06h32m50s 1 1 00 00 01 02 03 05 172 155 120 17 Dynamic 00d06h33m20s 1 1 00 00 01 02 03 06 172 155 120 17 Static 00d06h35m10s 1 3 00 00 01 02 03 07 172 155 120 17 Dyn...

Page 440: ...l url no web auth login fail page url fail url The URL to which a host is directed after a failed web authentication attempt Default Setting None web auth Enables web authentication for an interface IC 4 135 show web auth Displays global web authentication parameters PE 4 136 show web auth interface Displays interface specific web authentication parameters and statistics PE 4 136 web auth re authe...

Page 441: ...Switch generated login page Command Mode Global Configuration Command Usage This command is not supported in the current release of the firmware Example web auth login success page url This command defines the external URL to which a host is directed after a successful web authentication attempt Use the no form to restore the default Syntax web auth login success page url success url no web auth l...

Page 442: ...e 1 180 seconds Default Setting 60 seconds Command Mode Global Configuration Example web auth session timeout This command defines the amount of time a web authentication session remains valid When the session timeout time has been reached the host is logged off and must re authenticate itself the next time data transmission takes place Use the no form to restore the default Syntax web auth sessio...

Page 443: ...rface must be enabled for the web authentication feature to be active Example web auth This command enables web authentication for an interface Use the no form to restore the default Syntax no web auth Default Setting Disabled Command Mode Interface Configuration Command Usage Both web auth system auth control for the switch and web auth for an interface must be enabled for the web authentication ...

Page 444: ...cific web authentication parameters and statistics Syntax show web auth interface interface interface Specifies a port interface ethernet unit port unit This is unit 1 port Port number Range 1 28 Default Setting None Command Mode Privileged Exec Console sh web auth Global Web Auth Parameters System Auth Control Enabled Login Page URL Login Fail Page URL Login Success Page URL Session Timeout 3600 ...

Page 445: ...Example web auth re authenticate IP This command ends the web authentication session associated with the designated IP address and forces the user to re authenticate Syntax web auth re authenticate interface interface ip interface Specifies a port interface ethernet unit port unit This is unit 1 port Port number Range 1 28 ip IPv4 formatted IP address Default Setting None Console show web auth int...

Page 446: ... None Command Mode Privileged Exec Example Console web auth re authenticate interface ethernet 1 2 192 168 1 5 Failed to reauth port Console Console show web auth summary Global Web Auth Parameters System Auth Control Enabled Port Status Authenticated Host Count 1 1 Disabled 0 1 2 Enabled 0 1 3 Disabled 0 1 4 Disabled 0 1 5 Disabled 0 1 6 Disabled 0 1 7 Disabled 0 1 8 Disabled 0 1 9 Disabled 0 1 1...

Page 447: ...d on the source IP address Extended IP ACL mode EXT ACL filters packets based on source or destination IP address as well as protocol type and protocol port number The following restrictions apply to ACLs Each ACL can have up to 100 rules However due to resource restrictions the average number of rules bound to the ports should not exceed 20 This switch supports ACLs for ingress filtering only You ca...

Page 448: ...deny command to add new rules to the bottom of the list To create an ACL you must add at least one rule to the list To remove a rule use the no permit or no deny command followed by the exact text of a previously configured rule An ACL can contain up to 100 rules Example Table 4 39 IP ACLs Command Function Mode Page access list ip Creates an IP ACL and enters configuration mode GC 4 140 permit den...

Page 449: ...nd Mode Standard ACL Command Usage New rules are appended to the end of the list Address bitmasks are similar to a subnet mask containing four integers from 0 to 255 each separated by a period The binary mask uses 1 bits to indicate match and 0 bits to indicate ignore The bitmask is bitwise ANDed with the specified source IP address and then compared with the address for each IP packet entering th...

Page 450: ...nge 0 255 source Source IP address destination Destination IP address address bitmask Decimal number representing the address bits to match host Keyword followed by a specific IP address sport Protocol source port number Range 0 65535 dport Protocol destination port number Range 0 65535 end Upper bound of the protocol port range Range 0 65535 Default Setting None Command Mode Extended ACL Comm...

Page 451: ...cess list This command displays the rules for configured IP ACLs Syntax show ip access list standard extended acl_name standard Specifies a standard IP ACL extended Specifies an extended IP ACL acl_name Name of the ACL Maximum length 16 characters no spaces Command Mode Privileged Exec Example Related Commands permit deny 4 141 ip access group 4 144 Console config ext acl permit 10 7 1 1 255 255 2...

Page 452: ...to one ACL If a port is already bound to an ACL and you bind it to a different ACL the switch will replace the old binding with the new one You must configure a mask for an ACL rule before you can bind it to a port Example Related Commands show ip access list 4 143 show ip access group This command shows the ports assigned to IP ACLs Command Mode Privileged Exec Example Related Commands ip access ...

Page 453: ... permit or deny command to add new rules to the bottom of the list To create an ACL you must add at least one rule to the list To remove a rule use the no permit or no deny command followed by the exact text of a previously configured rule An ACL can contain up to 32 rules Example Related Commands permit deny 4 146 mac access group 4 148 show mac access list 4 147 Table 4 40 MAC ACL Commands Comma...

Page 454: ...ination address bitmask ethertype protocol protocol bitmask no permit deny tagged 802 3 any host source source address bitmask any host destination destination address bitmask vid vid vid bitmask no permit deny untagged 802 3 any host source source address bitmask any host destination destination address bitmask tagged eth2 Tagged Ethernet II packets untagged eth2 Untagged Ethernet II packets tagg...

Page 455: ...om any source MAC address to the destination address 00 e0 29 94 34 de where the Ethernet type is 0800 Related Commands access list mac 4 145 show mac access list This command displays the rules for configured MAC ACLs Syntax show mac access list acl_name acl_name Name of the ACL Maximum length 16 characters Command Mode Privileged Exec Example Related Commands permit deny 4 146 mac access group 4...

Page 456: ... A port can only be bound to one ACL If a port is already bound to an ACL and you bind it to a different ACL the switch will replace the old binding with the new one Example Related Commands show mac access list 4 147 show mac access group This command shows the ports assigned to MAC ACLs Command Mode Privileged Exec Example Related Commands mac access group 4 148 Console config interface ethernet...

Page 457: ...ble 4 41 ACL Information Command Function Mode Page show access list Show all ACLs and associated rules PE 4 149 show access group Shows the ACLs assigned to each port PE 4 149 Console show access list IP standard access list david permit host 10 1 1 21 permit 168 92 16 0 255 255 240 0 IP extended access list bob permit 10 7 1 1 255 255 255 0 any permit 192 168 1 0 255 255 255 0 any destination po...

Page 458: ... the server Syntax no snmp server Default Setting Enabled Command Mode Global Configuration Table 4 42 SNMP Commands Command Function Mode Page snmp server Enables the SNMP agent GC 4 150 show snmp Displays the status of SNMP communications NE PE 4 151 snmp server community Sets up the community access string to permit access to SNMP commands GC 4 152 snmp server contact Sets the system contact st...

Page 459: ...ig snmp server Console config Console show snmp SNMP Agent enabled SNMP traps Authentication enable Link up down enable SNMP communities 1 private and the privilege is read write 2 public and the privilege is read only 0 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors 0 Number of requested variables 0 Number of...

Page 460: ...t stations are able to both retrieve and modify MIB objects Default Setting public Read only access Authorized management stations are only able to retrieve MIB objects private Read write access Authorized management stations are able to both retrieve and modify MIB objects Command Mode Global Configuration Example snmp server contact This command sets the system contact string Use the no form to ...

Page 461: ...1 2c 3 auth noauth priv udp port port no snmp server host host addr host addr Internet address of the host the targeted recipient Maximum host addresses 5 trap destination IP address entries inform Notifications are sent as inform messages Note that this option is only available for version 2c and 3 hosts Default traps are used retries The maximum number of times to resend an inform message if the...

Page 462: ...o enable the sending of traps or informs and to specify which SNMP notifications are sent globally For a host to receive notifications at least one snmp server enable traps command and the snmp server host command for that host must be enabled Some notification types cannot be controlled with the snmp server enable traps command For example some notification types are always enabled Notifications ...

Page 463: ...cify an SNMP Version 3 host then the community string is interpreted as an SNMP user name If you use the V3 auth or priv options the user name must first be defined with the snmp server user command Otherwise the authentication password and or privacy password will not exist and the switch will not authorize SNMP access for the host However if you specify a V3 host with the noauth option an SNMP u...

Page 464: ...njunction with the corresponding entries in the Notify View assigned by the snmp server group command page 4 159 Example Related Commands snmp server host 4 153 snmp server engine id This command configures an identification string for the SNMPv3 engine Use the no form to restore the default Syntax snmp server engine id local remote ip address engineid string no snmp server engine id local remote ...

Page 465: ...l characters is specified A local engine ID is automatically generated that is unique to the switch This is referred to as the default engine ID If the local engine ID is deleted or changed all SNMP users will be cleared You will need to reconfigure all existing users page 4 162 Example Related Commands snmp server host 4 153 show snmp engine id This command shows the SNMP engine ID Command Mode P...

Page 466: ...rver group command to restrict user access to specified portions of the MIB tree The predefined view defaultview includes access to the entire MIB tree Examples This view includes MIB 2 This view includes the MIB 2 interfaces table ifDescr The wild card is used to select all the index values in this table This view includes the MIB 2 interfaces table and the mask selects all index entries Remote S...

Page 467: ...ple Network Management Protocol on page 3 39 for further information about these authentication and encryption options readview Defines the view for read access 1 64 characters writeview Defines the view for write access 1 64 characters notifyview Defines the view for notifications 1 64 characters Console show snmp view View Name mib 2 Subtree OID 1 2 2 3 6 2 1 View Type included Storage Type perm...

Page 468: ... the assigned users. When authentication is selected, the MD5 or SHA algorithm is used, as specified in the snmp-server user command. When privacy is selected, the DES 56-bit algorithm is used for data encryption. Note that the authentication, link-up and link-down messages are legacy traps and must therefore be enabled in conjunction with the snmp-server enable traps command (page 4-155). Example 20 No vie...

Page 469: ...ctive Group Name public Security Model v1 Read View defaultview Write View none Notify View none Storage Type volatile Row Status active Group Name public Security Model v2c Read View defaultview Write View none Notify View none Storage Type volatile Row Status active Group Name private Security Model v1 Read View defaultview Write View defaultview Notify View none Storage Type volatile Row Status...

Page 470: ...ion 1 2c or 3 encrypted Accepts the password as encrypted input auth Uses SNMPv3 with authentication md5 sha Uses MD5 or SHA authentication auth password Authentication password Enter as plain text if the encrypted option is not used Otherwise enter an encrypted password A minimum of eight characters is required priv des56 Uses SNMPv3 with privacy with DES56 encryption priv password Privacy passwo...

Page 471: ...te user will fail. SNMP passwords are localized using the engine ID of the authoritative agent. For informs, the authoritative SNMP agent is the remote agent. You therefore need to configure the remote agent's SNMP engine ID before you can send proxy requests or informs to it. Example show snmp user This command shows information on SNMP users. Command Mode: Privileged Exec. Example Console config snmp se...

Page 472: ...D User Name Name of user connecting to the SNMP agent Authentication Protocol The authentication protocol used with SNMPv3 Privacy Protocol The privacy protocol used with SNMPv3 Storage Type The storage type for this entry Row Status The row status of this entry SNMP remote user A user associated with an SNMP engine on a remote device ...

Page 474: ... mode GC 4 166 description Adds a description to an interface configuration IC 4 167 speed duplex Configures the speed and duplex operation of a given interface when autonegotiation is disabled IC 4 167 negotiation Enables autonegotiation of a given interface IC 4 168 capabilities Advertises the capabilities of a given interface for use in autonegotiation IC 4 169 flowcontrol Enables flow control ...

Page 475: ...igures the speed and duplex mode of a given interface when autonegotiation is disabled Use the no form to restore the default Syntax speed duplex 1000full 100full 100half 10full 10half no speed duplex 1000full Forces 1000 Mbps full duplex operation 100full Forces 100 Mbps full duplex operation 100half Forces 100 Mbps half duplex operation 10full Forces 10 Mbps full duplex operation 10half Forces 1...

Page 476: ...he optimal settings will be determined by the capabilities command To set the speed duplex mode under auto negotiation the required mode must be specified in the capabilities list for an interface Example The following example configures port 5 to 100 Mbps half duplex operation Related Commands negotiation 4 168 capabilities 4 169 negotiation This command enables autonegotiation for a given interf...

Page 477: ...ll 100half 10full 10half flowcontrol symmetric 1000full Supports 1000 Mbps full duplex operation 100full Supports 100 Mbps full duplex operation 100half Supports 100 Mbps half duplex operation 10full Supports 10 Mbps full duplex operation 10half Supports 10 Mbps half duplex operation flowcontrol Supports flow control symmetric Gigabit only When specified the port transmits and receives pause frame...

Page 478: ...on Ethernet Port Channel Command Usage Flow control can eliminate frame loss by blocking traffic from end stations or segments connected directly to the switch when its buffers fill When enabled back pressure is used for half duplex operation and IEEE 802 3x for full duplex operation To force flow control on or off with the flowcontrol or no flowcontrol command use the no negotiation command to di...

Page 479: ...art a disabled interface, use the no form. Syntax: [no] shutdown. Default Setting: All interfaces are enabled. Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then reenable it after the problem has been resolved. You may also want to disable a port for security reasons. Example: The follow...

Page 480: ...Control Enabled packet rate limit 64 kbps Multicast Storm Control Enabled packet rate limit 64 kbps Unknown Unicast Storm Control Enabled packet rate limit 64 kbps Command Mode Interface Configuration Ethernet Command Usage When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic packets exceeding the threshold are dropped until the rate falls back down b...

Page 481: ...g example clears statistics on port 5 show interfaces status This command displays the status for an interface Syntax show interfaces status interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 port channel channel id Range 1 8 vlan vlan id Range 1 4092 Default Setting Shows the status for all interfaces Command Mode Normal Exec Privileged Exec Command Usage I...

Page 482: ...e items displayed by this command see Showing Port Statistics on page 3 131 Console show interfaces status ethernet 1 5 Information of Eth 1 5 Basic information Port type 100TX Mac address 00 12 CF 12 34 61 Configuration Name Port admin Up Speed duplex Auto Capabilities 10half 10full 100half 100full Broadcast storm Enabled Broadcast storm limit 64 Kbits second Flow control Disabled Lacp Disabled P...

Page 483: ...0 Error input 0 Error output 0 Unknown protos input 0 QLen output 0 Extended iftable stats Multi cast input 0 Multi cast output 3064 Broadcast input 262 Broadcast output 1 Ether like stats Alignment errors 0 FCS errors 0 Single Collision frames 0 Multiple collision frames 0 SQE Test errors 0 Deferred transmissions 0 Late collisions 0 Excessive collisions 0 Internal mac transmit errors 0 Internal m...

Page 484: ...d the current rate limit page 4 179 Egress rate limit Shows if egress rate limiting is enabled and the current rate limit page 4 179 VLAN membership mode Indicates membership mode as Trunk or Hybrid page 4 227 Ingress rule Shows if ingress filtering is enabled or disabled page 4 228 Note Ingress filtering is always enabled Acceptable frame type Shows if acceptable VLAN frames include all types or ...

Page 485: ... Usage: You can mirror traffic from any source port to a destination port for real-time analysis. You can then attach a logic analyzer or RMON probe to the destination port and study the traffic crossing the source port in a completely unobtrusive manner. The destination port is set by specifying an Ethernet interface. The mirror port and monitor port speeds should match, otherwise traffic may be dropp...

Page 486: ...mmand Mode Privileged Exec Command Usage This command displays the currently configured source port destination port and mirror mode i e RX TX Example The following shows mirroring configured from port 6 to port 11 Console config interface ethernet 1 11 Console config if port monitor ethernet 1 6 rx Console config if Console config interface ethernet 1 11 Console config if port monitor ethernet 1 ...

Page 487: ...his command without specifying a rate to restore the default rate limit level Use the no form to restore the default status of disabled Syntax rate limit input output rate no rate limit input output input Input rate limit output Input rate limit rate The traffic rate limit level Range 64 100000 kilobits per second for 100 Mbps ports 64 1000000 kilobits per second for 1 Gbps ports Default Setting I...

Page 488: ...nfigured in an identical manner including communication mode i e speed duplex mode and flow control VLAN assignments and CoS settings All the ports in a trunk have to be treated as a whole when moved from to added or deleted from a VLAN via the specified port channel STP VLAN and IGMP settings can only be made for the entire trunk via the specified port channel Table 4 51 Link Aggregation Commands...

Page 489: ...ed to select the backup link channel group This command adds a port to a trunk Use the no form to remove a port from a trunk Syntax channel group channel id no channel group channel id Trunk index Range 1 8 Default Setting The current port will be added to this trunk Command Mode Interface Configuration Ethernet Command Usage When configuring static trunks the switches must comply with the Cisco E...

Page 490: ...cause LACP has also been enabled on the ports at the other end of the links the show interfaces status port channel 1 command shows that Trunk 1 has been established Console config interface ethernet 1 11 Console config if lacp Console config if exit Console config interface ethernet 1 12 Console config if lacp Console config if exit Console config interface ethernet 1 13 Console config if lacp Co...

Page 491: ... This identifier is used to indicate a specific LAG during LACP negotiations with other systems Once the remote side of a link has been established LACP operational settings are already in use on that side Configuring LACP settings for the partner only applies to its administrative state not its operational state and will only take effect the next time an aggregate link is established with the par...

Page 492: ...he partner only applies to its administrative state not its operational state and will only take effect the next time an aggregate link is established with the partner Example lacp admin key Port Channel This command configures a port channel s LACP administration key string Use the no form to restore the default setting Syntax lacp actor partner admin key key no lacp actor partner admin key key T...

Page 493: ...up link Range 0 65535 Default Setting 32768 Command Mode Interface Configuration Ethernet Command Usage Setting a lower value indicates a higher effective priority If an active port link goes down the backup port with the highest priority is selected to replace the downed link However if two or more ports have the same LACP port priority the port with the lowest physical port number will be select...

Page 494: ...ntifier for a link aggregation group Range 1 8 counters Statistics for LACP protocol messages internal Configuration settings and operational state for local side neighbors Configuration settings and operational state for remote side sysid Summary of system priority and MAC address for all channel groups Default Setting Port Channel all Command Mode Privileged Exec ...

Page 495: ...low Protocols group MAC Address but do not carry the Slow Protocols Ethernet Type LACPDUs Illegal Pkts Number of frames that carry the Slow Protocols Ethernet Type value but contain a badly formed PDU or an illegal value of Protocol Subtype Console show lacp 1 internal Port channel 1 Oper Key 4 Admin Key 0 Eth 1 1 LACPDUs Internal 30 sec LACP System Priority 32768 LACP Port Priority 32768 Admin Ke...

Page 496: ...The System considers this link to be IN_SYNC i e it has been allocated to the correct Link Aggregation Group the group has been associated with a compatible Aggregator and the identity of the Link Aggregation Group is consistent with the System ID and operational Key information transmitted Aggregation The system considers this link to be aggregatable i e a potential candidate for aggregation Long...

Page 497: ...he partner Admin Key Current administrative value of the Key for the protocol partner Oper Key Current operational value of the Key for the protocol partner Admin State Administrative values of the partner s state parameters See preceding table Oper State Operational values of the partner s state parameters See preceding table Console show lacp sysid Port Channel System Priority System MAC Address...

Page 498: ... watts The power budget for the switch Range 37 180 watts unit Specifies the stack unit Range 1 8 Default Setting 180 watts Command Mode Global Configuration Command Usage Setting a maximum power budget for the switch enables power to be centrally managed preventing overload conditions at the power source If the power demand from devices connected to the switch exceeds the power budget setting the...

Page 499: ...y then turn on the power to this device When the power inline compatible command is used this switch can detect 802 3af compliant devices and the more recent 802 3af non compliant devices that also reflect the test voltages back to the switch It cannot detect other legacy devices that do not reflect back the test voltages For legacy devices to be supported by this switch they must be able to accep...

Page 500: ...et Example power inline maximum allocation This command limits the power allocated to specific ports Use the no form to restore the default setting Syntax power inline maximum allocation milliwatts no power inline maximum allocation milliwatts The maximum power budget for the port Range 3000 15400 milliwatts Default Setting 15400 milliwatts Command Mode Interface Configuration Command Usage If a d...

Page 501: ...riority settings to control the supplied power For example A device connected to a low priority port that causes the switch to exceed its budget is not supplied power A device connected to a critical or high priority port that causes the switch to exceed its budget is supplied power but the switch drops power to one or more lower priority ports Power is dropped from low priority ports in sequence ...

Page 502: ...n 15400 7505 low Eth 1 4 enable off 15400 0 low Eth 1 5 enable off 15400 0 low Eth 1 6 enable off 15400 0 low Eth 1 7 enable on 15400 8597 low Eth 1 23 enable off 15400 0 low Eth 1 24 enable off 15400 0 low Console Table 4 57 show power inline status parameters Parameter Description Admin The power mode set on the port see power inline on page 192 Oper The current operating power status displays o...

Page 503: ...ch see power mainpower maximum allocation on page 190 System Operation Status The current operating power status displays on or off Mainpower Consumption The current power consumption on the switch in watts Software Version The version of software running on the PoE controller subsystem in the switch This software can be updated using the copy file controller command see page 4 82 Table 4 59 Addre...

Page 504: ...efault mode is permanent Command Mode Global Configuration Command Usage The static address for a host device can be assigned to a specific port within a specific VLAN Use this command to add static addresses to the MAC Address Table Static addresses have the following characteristics Static addresses will not be removed from the address table when a given interface link is down Static addresses a...

Page 505: ...face ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 port channel channel id Range 1 8 vlan id VLAN ID Range 1 4092 sort Sort by address vlan or interface Default Setting None Command Mode Privileged Exec Command Usage The MAC Address Table contains the MAC addresses associated with each interface Note that the Type field may include the following types Learned Dynamic addre...

Page 506: ...conds Aging time Range 10 30000 seconds 0 to disable aging Default Setting 300 seconds Command Mode Global Configuration Command Usage The aging time is used to age out dynamically learned forwarding information Example show mac address table aging time This command shows the aging time for entries in the address table Default Setting None Command Mode Privileged Exec Example Console show mac addr...

Page 507: ...igures the priority of a spanning tree instance MST 4 207 name Configures the name for the multiple spanning tree MST 4 207 revision Configures the revision number for the multiple spanning tree MST 4 208 max hops Configures the maximum number of hops allowed in the region before a BPDU is discarded MST 4 208 spanning tree spanning disabled Disables spanning tree for an interface IC 4 209 spanning...

Page 508: ...le This example shows how to enable the Spanning Tree Algorithm for the switch spanning tree mode This command selects the spanning tree mode for this switch Use the no form to restore the default Note MSTP is not supported in the current software Syntax spanning tree mode stp rstp mstp no spanning tree mode stp Spanning Tree Protocol IEEE 802 1D rstp Rapid Spanning Tree Protocol IEEE 802 1w mstp ...

Page 509: ...igration delay timer expires the switch assumes it is connected to an 802 1D bridge and starts using only 802 1D BPDUs RSTP Mode If RSTP is using 802 1D BPDUs on a port and receives an RSTP BPDU after the migration delay expires RSTP restarts the migration delay timer and begins using RSTP BPDUs on that port Multiple Spanning Tree Protocol To allow multiple spanning trees to operate over the netwo...

Page 510: ...ce must receive information about topology changes before it starts to forward frames In addition each port needs time to listen for conflicting information that would make it return to the discarding state otherwise temporary data loops might result Example spanning tree hello time This command configures the spanning tree bridge hello time globally for this switch Use the no form to restore the ...

Page 511: ...nd Mode Global Configuration Command Usage This command sets the maximum time in seconds a device can wait without receiving a configuration message before attempting to reconfigure All device ports except for designated ports should receive configuration messages at regular intervals Any port that ages out STA information provided in the last configuration message becomes the designated port for ...

Page 512: ...e lower numeric value becomes the STA root device However if all devices have the same priority the device with the lowest MAC address will then become the root device Example spanning tree pathcost method This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree Use the no form to restore the default Syntax spanning tree pathcost method long short no spa...

Page 513: ...ntax spanning tree transmission limit count no spanning tree transmission limit count The transmission limit in seconds Range 1 10 Default Setting 3 Command Mode Global Configuration Command Usage This command limits the maximum transmission rate for BPDUs Example spanning tree mst configuration This command changes to Multiple Spanning Tree MST configuration mode Default Setting No VLANs are mapp...

Page 514: ...s multiple pathways across the network thereby balancing the traffic load preventing wide scale disruption when a bridge node in a single instance fails and allowing for faster convergence of a new topology for the failed instance By default all VLANs are assigned to the Internal Spanning Tree MSTI 0 that connects all bridges and LANs within the MST region This switch supports up to 58 instances Y...

Page 515: ...ecting the root bridge and alternate bridge of the specified instance The device with the highest priority i e lowest numerical value becomes the MSTI root device However if all devices have the same priority the device with the lowest MAC address will then become the root device You can set this switch to act as the MSTI root device by specifying a priority of 0 or as the MSTI alternate device by...

Page 516: ...n number of the spanning tree Range 0 65535 Default Setting 0 Command Mode MST Configuration Command Usage The MST region name page 4 207 and revision number are used to designate a unique MST region A bridge i e spanning tree compliant device such as this switch can only belong to one MST region And all bridges in the same region must be configured with the same MST instances Example Related Comm...

Page 517: ...ning disabled This command disables the spanning tree algorithm for the specified interface Use the no form to reenable the spanning tree algorithm for the specified interface Syntax no spanning tree spanning disabled Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Example This example disables the spanning tree algorithm for port 5 spanning tree cost This comman...

Page 518: ...on Ethernet Port Channel Command Usage This command is used by the Spanning Tree Algorithm to determine the best path between devices Therefore lower values should be assigned to ports attached to faster media and higher values assigned to ports with slower media Path cost takes precedence over port priority When the spanning tree pathcost method page 4 204 is set to short the maximum value for pa...

Page 519: ...to a LAN segment that is at the end of a bridged LAN or to an end node. Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state. Specifying Edge Ports provides quicker convergence for devices such as workstations or servers, retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables durin...

Page 520: ...ervers and also overcome other STA related timeout problems Remember that fast forwarding should only be enabled for ports connected to a LAN segment that is at the end of a bridged LAN or for an end node device This command is the same as spanning tree edge port and is only included for backward compatibility with earlier products Note that this command may be removed for future software versions...

Page 521: ...sion of RSTP this same restriction applies Example spanning tree loopback detection This command enables the detection and response to Spanning Tree loopback BPDU packets on the port Use the no form to disable this feature Syntax spanning tree loopback detection no spanning tree loopback detection Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage If P...

Page 522: ...ons is satisfied: The port receives any other BPDU except for its own, or the port's link status changes to link down and then link up again, or the port ceases to receive its own BPDUs in a forward delay interval. If Port Loopback Detection is not enabled and a port receives its own BPDU, then the port will drop the loopback BPDU according to IEEE Standard 802.1W-2001 9.3.4 (Note 1). Port Loopback Det...

Page 523: ... cost according to the values shown below Path cost 0 is used to indicate auto configuration mode Ethernet half duplex 2 000 000 full duplex 1 000 000 trunk 500 000 Fast Ethernet half duplex 200 000 full duplex 100 000 trunk 50 000 Gigabit Ethernet full duplex 10 000 trunk 5 000 10 Gigabit Ethernet full duplex 1000 trunk 500 Command Mode Interface Configuration Ethernet Port Channel Command Usage ...

Page 524: ...d Mode Interface Configuration Ethernet Port Channel Command Usage This command defines the priority for the use of an interface in the multiple spanning tree If the path cost for all interfaces on a switch are the same the interface with the highest priority that is lowest value will be configured as an active link in the spanning tree Where more than one interface is assigned the highest priorit...

Page 525: ...ompatible mode However you can also use the spanning tree protocol migration command at any time to manually re check the appropriate BPDU format to send on the selected interfaces i e RSTP or STP compatible Example show spanning tree This command shows the configuration for the common spanning tree CST or for an instance within the multiple spanning tree MST Syntax show spanning tree interface ms...

Page 526: ...on page 3 152 Example Console show spanning tree Spanning tree information Spanning tree mode MSTP Spanning tree enable disable enable Instance 0 Vlans configuration 1 4092 Priority 32768 Bridge Hello Time sec 2 Bridge Max Age sec 20 Bridge Forward Delay sec 15 Root Hello Time sec 2 Root Max Age sec 20 Root Forward Delay sec 15 Max hops 20 Remaining hops 20 Designated Root 32768 0 0000ABCD0000 Cur...

Page 527: ...tion Information Configuration name R D Revision level 0 Instance Vlans 1 2 Console Table 4 61 VLANs Command Groups Function Page GVRP and Bridge Extension Configures GVRP settings that permit automatic VLAN learning shows the configuration for bridge extension MIB 4 220 Editing VLAN Groups Sets up VLAN groups including name VID and state 4 224 Configuring VLAN Interfaces Configures VLAN interface...

Page 528: ...to exchange VLAN information in order to register VLAN members on ports across the network This function should be enabled to permit automatic VLAN registration and to support VLANs which extend beyond the local switch Example Table 4 62 GVRP and Bridge Extension Commands Command Function Mode Page bridge ext gvrp Enables GVRP globally for the switch GC 4 220 show bridge ext Shows the global bridg...

Page 529: ... enables GVRP for a port Use the no form to disable it Syntax no switchport gvrp Default Setting Disabled Command Mode Interface Configuration Ethernet Port Channel Example Console show bridge ext Max support vlan numbers 256 Max support vlan ID 4092 Extended multicast filtering services No Static entry individual port Yes VLAN learning IVL Configurable PVID tagging Yes Local VLAN capable No Traff...

Page 530: ...mmand sets the values for the join leave and leaveall timers Use the no form to restore the timers default values Syntax garp timer join leave leaveall timer_value no garp timer join leave leaveall join leave leaveall Which timer to set timer_value Value of timer Ranges join 20 1000 centiseconds leave 60 3000 centiseconds leaveall 500 18000 centiseconds Default Setting join 20 centiseconds leave 6...

Page 531: ...e Set GVRP timers on all Layer 2 devices connected in the same network to the same values Otherwise GVRP may not operate successfully Example Related Commands show garp timer 4 223 show garp timer This command shows the GARP timers for the selected interface Syntax show garp timer interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 port channel channel id Ran...

Page 532: ...N settings by entering the show vlan command Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN The results of these commands are written to the running configuration file and you can display this file by entering the show running config command Example Related Commands show vlan 4 232 Table 4 63 Editing VLAN Groups Command Function Mode Page...

Page 533: ...uspended VLANs do not pass packets Default Setting By default only VLAN 1 exists and is active Command Mode VLAN Database Configuration Command Usage no vlan vlan id deletes the VLAN no vlan vlan id name removes the VLAN name no vlan vlan id state returns the VLAN to the default state i e active You can configure up to 255 VLANs on the switch Note The switch allows 255 user manageable VLANs One ex...

Page 534: ...s interface configuration mode for a specified VLAN GC 4 226 switchport mode Configures VLAN membership mode for an interface IC 4 227 switchport acceptable frame types Configures frame types to be accepted by an interface IC 4 227 switchport ingress filtering Enables ingress filtering on an interface IC 4 228 switchport native vlan Configures the PVID native VLAN of an interface IC 4 229 switchpo...

Page 535: ... of this command see switchport mode private vlan on page 4 239 Default Setting All ports are in hybrid mode with the PVID set to VLAN 1 Command Mode Interface Configuration Ethernet Port Channel Example The following shows how to set the configuration mode to port 1 and then set the switchport mode to hybrid Related Commands switchport acceptable frame types 4 227 switchport acceptable frame type...

Page 536: ...ore trying to disable the filtering with the no switchport ingress filtering command will produce this error message Note Failed to ingress filtering on ethernet interface Syntax switchport ingress filtering no switchport ingress filtering Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage Ingress filtering only affects tagged frames With ingress filte...

Page 537: ...mand Usage Setting the native VLAN for a port can only be performed when the port is a member of the VLAN and the VLAN is untagged The no switchport native vlan command will set the native VLAN of the port to untagged VLAN 1 If acceptable frame types is set to all or switchport mode is set to hybrid the PVID will be inserted into all untagged frames entering the ingress port Example The following ...

Page 538: ... untagged Command Mode Interface Configuration Ethernet Port Channel Command Usage A port or a trunk with switchport mode set to hybrid must be assigned to a VLAN as untagged If a trunk has switchport mode set to trunk i e 1Q Trunk then you can only assign an interface to VLAN groups as a tagged member Frames are always tagged within the switch The tagged untagged parameter used when adding a VLAN...

Page 539: ...gnate a range of IDs. Do not enter leading zeros. (Range: 1-4092) Default Setting: No VLANs are included in the forbidden list. Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: This command prevents a VLAN from being automatically added to the specified interface via GVRP. If a VLAN has been added to the set of allowed VLANs for an interface, then you cannot add it to the set of for...

Page 540: ...de Normal Exec Privileged Exec Example The following example shows how to display information for VLAN 1 Table 4 65 Show VLAN Commands Command Function Mode Page show vlan Shows VLAN information NE PE 4 232 show interfaces status vlan Displays status for the specified VLAN interface NE PE 4 173 show interfaces switchport Displays the administrative and operational status of an interface NE PE 4 17...

Page 541: ...p is required if the attached client is using a nonstandard 2 byte ethertype to identify 802 1Q tagged frames The standard ethertype value is 0x8100 See switchport dot1q tunnel tpid page 4 235 5 Configure the QinQ tunnel access port to join the SPVLAN as an untagged member switchport allowed vlan page 4 230 6 Configure the SPVLAN ID as the native VID on the QinQ tunnel access port switchport nativ...

Page 542: ...ow interfaces switchport 4 175 switchport dot1q tunnel mode This command configures an interface as a QinQ tunnel port Use the no form to disable QinQ on the interface Syntax switchport dot1q tunnel mode access uplink no switchport dot1q tunnel mode access Sets the port as an 802 1Q tunnel access port uplink Sets the port as an 802 1Q tunnel uplink port Default Setting Disabled Command Mode Interf...

Page 543: ...2 1Q ethertype value on the selected interface This feature allows the switch to interoperate with third party switches that do not use the standard 0x8100 ethertype to identify 802 1Q tagged frames For example 0x1234 is set as the custom 802 1Q ethertype on a trunk port incoming frames containing that ethertype are assigned to the VLAN contained in the tag following the ethertype field as they wo...

Page 544: ...ed access to local users Multiple primary VLANs can be configured on this switch and multiple community VLANs can be associated with each primary VLAN One or more isolated VLANs can also be configured Note that private VLANs and normal VLANs can exist simultaneously within the same switch Console config dot1q tunnel system tunnel control Console config interface ethernet 1 1 Console config if swit...

Page 545: ...contain a single promiscuous port and one or more isolated ports 2 Use the switchport mode private vlan command to configure one port as promiscuous i e having access to all ports in the isolated VLAN one or more ports as host i e isolated port 3 Use the switchport private vlan isolated command to assign a port to an isolated VLAN 4 Use the show vlan private vlan command to verify your configurati...

Page 546: ...municate with the promiscuous port within their own VLAN Default Setting None Command Mode VLAN Configuration Command Usage Private VLANs are used to restrict traffic to ports within the same community or isolated VLAN and channel traffic passing outside the community through promiscuous ports When using community VLANs they must be mapped to an associated primary VLAN that contains promiscuous po...

Page 547: ...group members The associated primary VLAN provides a common interface for access to other network resources within the primary VLAN e g servers configured with promiscuous ports and to resources outside of the primary VLAN via promiscuous ports Example switchport mode private vlan Use this command to set the private VLAN mode for an interface Use the no form to restore the default setting Syntax s...

Page 548: ...tion secondary vlan id no switchport private vlan host association secondary vlan id ID of secondary i e community VLAN Range 1 4092 no leading zeroes Default Setting None Command Mode Interface Configuration Ethernet Port Channel Command Usage All ports assigned to a secondary i e community VLAN can pass traffic between group members but must communicate with resources outside of the group via pr...

Page 549: ...outside of the group via a promiscuous port Example switchport private vlan mapping Use this command to map an interface to a primary VLAN Use the no form to remove this mapping Syntax switchport private vlan mapping primary vlan id no switchport private vlan mapping primary vlan id ID of primary VLAN Range 1 4092 no leading zeroes Default Setting None Command Mode Interface Configuration Ethernet...

Page 550: ...isolated VLAN along with the assigned promiscuous interface and host interfaces The Primary and Secondary fields both display the isolated VLAN ID primary Displays all primary VLANs along with any assigned promiscuous interfaces Default Setting None Command Mode Privileged Executive Example Console config interface ethernet 1 2 Console config if switchport private vlan mapping 2 Console config if ...

Page 551: ...t add port members at this time 2 Create a protocol group for each of the protocols you want to assign to a VLAN using the protocol vlan protocol group add command 3 Then map the protocol group to the appropriate VLAN using the protocol vlan protocol group vlan command Note Traffic which matches IP Protocol Ethernet Frames is mapped to the VLAN VLAN 1 that has been configured with the switch s adm...

Page 552: ...etting No protocol groups are configured Command Mode Global Configuration Example The following creates protocol group 2 and specifies Ethernet frames transmitting ARP protocol type traffic protocol vlan protocol group Configuring VLANs This command globally maps a protocol group to a VLAN Use the no form to remove the protocol mapping Syntax protocol vlan protocol group group id vlan vlan id no ...

Page 553: ...o the appropriate VLAN If the frame is untagged but the protocol type does not match the frame is forwarded to the default VLAN for the interface Example The following example maps traffic matching the protocol type specified in protocol group 2 to VLAN 2 show protocol vlan protocol group This command shows the frame and protocol type associated with protocol groups Syntax show protocol vlan proto...

Page 554: ...efines how to store and maintain information gathered about the neighboring network nodes it discovers Link Layer Discovery Protocol Media Endpoint Discovery LLDP MED is an extension of LLDP intended for managing endpoint devices such as Voice over IP phones and network switches The LLDP MED TLVs advertise information such as network policy power inventory and device location details The LLDP and ...

Page 555: ...enabled port to advertise the system description IC 4 256 lldp basic tlv system name Configures an LLDP enabled port to advertise its system name IC 4 256 lldp dot1 tlv proto ident Configures an LLDP enabled port to advertise the supported protocols IC 4 257 lldp dot1 tlv proto vid Configures an LLDP enabled port to advertise port related VLAN information IC 4 257 lldp dot1 tlv pvid Configures an ...

Page 556: ... MED enabled port to advertise its location identification details IC 4 262 lldp medtlv med cap Configures an LLDP MED enabled port to advertise its Media Endpoint Device capabilities IC 4 262 lldp medtlv network policy Configures an LLDP MED enabled port to advertise its network policy configuration IC 4 263 show lldp config Shows LLDP configuration settings for all ports PE 4 263 show lldp info ...

Page 557: ... Configuration Command Usage The MEDFastStartCount parameter is part of the timer which ensures that the LLDP MED Fast Start mechanism is active for the port LLDP MED Fast Start is critical to the timely startup of LLDP and therefore integral to the rapid availability of Emergency Call Service Example lldp notification interval This command configures the allowed interval for sending SNMP notifica...

Page 558: ...geTime to detect any lldpRemTablesChange notification events missed due to throttling or transmission loss Example lldp refresh interval This command configures the periodic transmit interval for LLDP advertisements Use the no form to restore the default setting Syntax lldp refresh interval seconds no lldp refresh delay seconds Specifies the periodic interval at which LLDP advertisements are sent ...

Page 559: ...ated with this port is deleted Example lldp tx delay This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables Use the no form to restore the default setting Syntax lldp tx delay seconds no lldp tx delay seconds Specifies the transmit delay Range 1 8192 seconds Default Setting 2 seconds Command Mode Global Configuration ...

Page 560: ...Mode Interface Configuration Ethernet Port Channel Example lldp notification This command enables the transmission of SNMP trap notifications about LLDP changes Use the no form to disable LLDP notifications Syntax no lldp notification Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This option sends out SNMP trap notifications to designated target s...

Page 561: ... Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This option sends out SNMP trap notifications to designated target stations at the interval specified by the lldp notification interval command page 4 249 Trap notifications include information about state changes in the LLDP MIB IEEE 802 1AB the LLDP MED MIB ANSI TIA 1057 or organization specific LLDP EXT DOT...

Page 562: ...ardware component or protocol entity associated with this address The interface number and OID are included to assist SNMP applications to perform network discovery by indicating enterprise specific or other starting points for the search such as the Interface or Entity MIB Since there are typically a number of different addresses associated with a Layer 3 device an individual LLDP PDU may contain...

Page 563: ...basic tlv system capabilities This command configures an LLDP enabled port to advertise its system capabilities Use the no form to disable this feature Syntax no lldp basic tlv system capabilities Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage The system capabilities identifies the primary function s of the system and whether or not these primary f...

Page 564: ...ystem and networking software Example lldp basic tlv system name This command configures an LLDP enabled port to advertise the system name Use the no form to disable this feature Syntax no lldp basic tlv system name Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage The system name is taken from the sysName object in RFC 3418 which contains the system ...

Page 565: ...es an LLDP enabled port to advertise port related VLAN information Use the no form to disable this feature Syntax no lldp dot1 tlv proto vid Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This option advertises the port based and protocol based VLANs configured on this interface see Configuring VLAN Interfaces on page 4 226 and Configuring Protocol...

Page 566: ...lldp dot1 tlv vlan name This command configures an LLDP enabled port to advertise its VLAN name Use the no form to disable this feature Syntax no lldp dot1 tlv vlan name Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This option advertises the name of all VLANs to which this interface has been assigned See switchport allowed vlan on page 4 230 and ...

Page 567: ...mber Example lldp dot3 tlv mac phy This command configures an LLDP enabled port to advertise its MAC and physical layer capabilities Use the no form to disable this feature Syntax no lldp dot3 tlv mac phy Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This option advertises MAC PHY configuration status which includes information about auto negotiat...

Page 568: ...DP enabled port to advertise its Power over Ethernet PoE capabilities Use the no form to disable this feature Syntax no lldp dot3 tlv poe Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This option advertises Power over Ethernet capabilities including whether or not PoE is supported currently enabled if the port pins through which power is delivered...

Page 569: ...backup power the Endpoint Device could use this information to decide to enter power conservation mode Example lldp medtlv inventory This command configures an LLDP MED enabled port to advertise its inventory identification details Use the no form to disable this feature Syntax no lldp medtlv inventory Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage...

Page 570: ...res an LLDP MED enabled port to advertise its Media Endpoint Device capabilities Use the no form to disable this feature Syntax no lldp medtlv med cap Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This option advertises LLDP MED TLV capabilities allowing Media Endpoint and Connectivity Devices to efficiently discover which LLDP MED related TLVs ar...

Page 571: ...the discovery and diagnosis of VLAN configuration mismatches on a port Improper network policy configurations frequently result in voice quality degradation or complete service disruption Example show lldp config This command shows LLDP configuration settings for all ports Syntax show lldp config detail interface detail Shows configuration summary interface ethernet unit port unit Stack unit Range...

Page 572: ... 1 3 Tx Rx True Eth 1 4 Tx Rx True Eth 1 5 Tx Rx True Console show lldp config detail ethernet 1 1 LLDP Port Configuration Detail Port Eth 1 1 Admin Status Tx Rx Notification Enabled True Basic TLVs Advertised port description system name system description system capabilities management ip address 802 1 specific TLVs Advertised port vid vlan name proto vlan proto ident 802 3 specific TLVs Adverti...

Page 573: ...me System Description 24 10 100 ports and 4 gigabit ports with PoE switch System Capabilities Support Bridge System Capabilities Enable Bridge Management Address 192 168 0 101 IPv4 LLDP Port Information Interface PortID Type PortID PortDesc Eth 1 1 MAC Address 00 01 02 03 04 06 Ethernet Port on unit 1 port 1 Eth 1 2 MAC Address 00 01 02 03 04 07 Ethernet Port on unit 1 port 2 Eth 1 3 MAC Address 0...

Page 574: ...eged Exec Example Console show lldp info remote device LLDP Remote Devices Information Interface ChassisId PortId SysName Eth 1 1 00 01 02 03 04 05 00 01 02 03 04 06 Console show lldp info remote device detail ethernet 1 1 LLDP Remote Devices Information Detail Local PortName Eth 1 1 Chassis Type MAC Address Chassis Id 00 01 02 03 04 05 PortID Type MAC Address PortID 00 01 02 03 04 06 SysName SysD...

Page 575: ...ch show lldp info statistics LLDP Device Statistics Neighbor Entries List Last Updated 2450279 seconds New Neighbor Entries Count 1 Neighbor Entries Deleted Count 0 Neighbor Entries Dropped Count 0 Neighbor Entries Ageout Count 0 Interface NumFramesRecvd NumFramesSent NumFramesDiscarded Eth 1 1 10 11 0 Eth 1 2 0 0 0 Eth 1 3 0 0 0 Eth 1 4 0 0 0 Eth 1 5 0 0 0 switch show lldp info statistics detail ...

Page 576: ... lower priority queues wrr Weighted Round Robin shares bandwidth at the egress ports by using scheduling weights 1 2 4 8 for queues 0 3 respectively Table 4 70 Priority Commands Command Groups Function Page Priority Layer 2 Configures default priority for untagged frames sets queue weights and maps class of service tags to hardware queues 4 268 Priority Layer 3 and 4 Maps IP DSCP tags to class of ...

Page 577: ...mand sets a priority for incoming untagged frames Use the no form to restore the default value Syntax switchport priority default default priority id no switchport priority default default priority id The priority number for untagged ingress traffic The priority is a number from 0 to 7 Seven is the highest priority Default Setting The priority is not set and the default value for untagged frames r...

Page 578: ...to 5 queue bandwidth This command assigns weighted round robin WRR weights to the four class of service CoS priority queues Use the no form to restore the default weights Note This switch does not allow the queue service weights to be set The weights are fixed as 1 2 4 8 for queues 0 through 3 respectively Syntax queue bandwidth weight1 weight4 no queue bandwidth weight1 weight4 The ratio of weigh...

Page 579: ...rate traffic classes are defined in IEEE 802 1p The default priority levels are assigned according to recommendations in the IEEE 802 1p standard as shown below Command Mode Interface Configuration Ethernet Port Channel Command Usage CoS values assigned at the ingress port are also used at the egress port This command sets the CoS priority for all interfaces Example The following example shows how...

Page 580: ...ocation for the four priority queues Default Setting None Command Mode Privileged Exec Example show queue cos map This command shows the class of service priority map Syntax show queue cos map interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 port channel channel id Range 1 8 Console show queue mode Queue mode wrr Console Console show queue bandwidth Queue ...

Page 581: ...e The precedence for priority mapping is IP DSCP and default switchport priority Example The following example shows how to enable IP DSCP mapping globally Console show queue cos map ethernet 1 1 Information of Eth 1 1 Traffic Class 0 1 2 3 4 5 6 7 Priority Queue 1 0 0 1 2 2 3 3 Console Table 4 73 Priority Commands Layer 3 and 4 Command Function Mode Page map ip dscp Enables IP DSCP class of servi...

Page 582: ...Mode Interface Configuration Ethernet Port Channel Command Usage The precedence for priority mapping is IP DSCP and default switchport priority DSCP priority values are mapped to default Class of Service values according to recommendations in the IEEE 802 1p standard and then subsequently mapped to the four hardware priority queues This command sets the IP DSCP priority for all interfaces Example ...

Page 583: ... number Range 1 28 port channel channel id Range 1 8 Default Setting None Command Mode Privileged Exec Example Related Commands map ip dscp Global Configuration 4 273 map ip dscp Interface Configuration 4 274 Console show map ip dscp ethernet 1 1 DSCP mapping status disabled Port DSCP COS Eth 1 1 0 0 Eth 1 1 1 0 Eth 1 1 2 0 Eth 1 1 3 0 Eth 1 1 61 0 Eth 1 1 62 0 Eth 1 1 63 0 Console ...

Page 584: ... command to modify the QoS value for matching traffic class and use the policer command to monitor the average flow and burst rate and drop any traffic that exceeds the specified rate or just reduce the DSCP service level for traffic exceeding the specified rate 7 Use the service policy command to assign a policy map to a specific interface Table 4 75 Quality of Service Commands Command Function M...

Page 585: ... a class map class map name Name of the class map Range 1 16 characters Default Setting None Command Mode Global Configuration Command Usage First enter this command to designate a class map and enter the Class Map configuration mode Then use the match command page 4 278 to specify the criteria for ingress traffic that will be classified under this class map Up to 16 match commands are permitted p...

Page 586: ...p configuration mode Then use the match command to specify the fields within ingress packets that must match to qualify for this class map Only one match command can be entered per class map Example This example creates a class map called rd_class 1 and sets it to match packets marked for DSCP service value 3 This example creates a class map called rd_class 2 and sets it to match packets marked for ...

Page 587: ...te a Class Map page 4 279 before assigning it to a Policy Map Example This example creates a policy called rd_policy uses the class command to specify the previously defined rd_class uses the set command to classify the service that incoming packets will receive and then uses the police command to limit the average bandwidth to 100 000 Kbps the burst rate to 1522 bytes and configure the response t...

Page 588: ...mand to classify the service that incoming packets will receive and then uses the police command to limit the average bandwidth to 100 000 Kbps the burst rate to 1522 bytes and configure the response to drop any violating packets set This command services IP traffic by setting a CoS DSCP or IP Precedence value in a matching packet as specified by the match command on page 4 278 Use the no form to ...

Page 589: ...ower burst byte Burst in bytes Range 64 1522 bytes drop Drop packet when specified rate or burst are exceeded set Set DSCP service to the specified value Range 0 63 Default Setting Drop out of profile packets Command Mode Policy Map Class Configuration Command Usage You can configure up to 64 policers i e meters or class maps for each of the following access list types MAC ACL IP ACL including Sta...

Page 590: ...licy map name input Apply to the input traffic policy map name Name of the policy map for this interface Range 1 16 characters Default Setting No policy map is attached to an interface Command Mode Interface Configuration Ethernet Port Channel Command Usage You can only assign one policy map to an interface You must first define a class map then define a policy map and finally use the service poli...

Page 591: ...e QoS policy maps which define classification criteria for incoming traffic and may include policers for bandwidth limitations Syntax show policy map policy map name class class map name policy map name Name of the policy map Range 1 16 characters class map name Name of the class map Range 1 16 characters Default Setting Displays all policy maps and all classes Command Mode Privileged Exec Console...

Page 592: ... VoIP traffic is detected on a configured port the switch automatically assigns the port to the Voice VLAN Alternatively switch ports can be manually configured Console show policy map Policy Map rd_policy class rd_class set ip dscp 3 Console show policy map rd_policy class rd_class Policy Map rd_policy class rd_class set ip dscp 3 Console Console show policy map interface ethernet 1 5 Service pol...

Page 593: ...tected on switch ports by using the source MAC address of packets or by using LLDP IEEE 802 1AB to discover connected VoIP devices When VoIP traffic is detected on a configured port the switch automatically assigns the port as a tagged member of the Voice VLAN Only one Voice VLAN is supported and it must already be created on the switch before it can be specified as the Voice VLAN The Voice VLAN I...

Page 594: ...igures the Voice VLAN aging time as 3000 minutes voice vlan mac address This command specifies MAC address ranges to add to the OUI Telephony list Use the no form to remove an entry from the list Syntax voice vlan mac address mac address mask mask address description description no voice vlan mac address mac address mask mask address mac address Defines a MAC address OUI that identifies VoIP devic...

Page 595: ...ecifies the Voice VLAN mode for ports Use the no form to disable the Voice VLAN feature on the port Syntax switchport voice vlan manual auto no switchport voice vlan manual The Voice VLAN feature is enabled on the port but the port must be manually added to the Voice VLAN auto The port will be added as a tagged member to the Voice VLAN when VoIP traffic is detected on the port Default Setting Disa...

Page 596: ...anges in the Telephony OUI list MAC address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device LLDP checks that the telephone bit in the system capability TLV is turned on See Spanning Tree Commands on page 4 199 for more information on LLDP Example The following example enables the OUI method on port 1 for detecting VoIP ...

Page 597: ... priority for VoIP traffic on a port Use the no form to restore the default priority on a port Syntax switchport voice vlan priority priority value no switchport voice vlan priority priority value The CoS priority value Range 0 6 Default Setting 6 Command Mode Interface Configuration Command Usage Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN The priority of any rece...

Page 598: ...ID 1234 Voice VLAN aging time 1440 minutes Voice VLAN Port Summary Port Mode Security Rule Priority Eth 1 1 Auto Enabled OUI 6 Eth 1 2 Disabled Disabled OUI 6 Eth 1 3 Manual Enabled OUI 5 Eth 1 4 Auto Enabled OUI 6 Eth 1 5 Disabled Disabled OUI 6 Eth 1 6 Disabled Disabled OUI 6 Eth 1 7 Disabled Disabled OUI 6 Eth 1 8 Disabled Disabled OUI 6 Eth 1 9 Disabled Disabled OUI 6 Eth 1 10 Disabled Disable...

Page 599: ...Query Configures IGMP query parameters for multicast filtering at Layer 2 4 296 Static Multicast Routing Configures static multicast router ports 4 299 IGMP Filtering and Throttling Configures IGMP filtering and throttling 4 301 Multicast VLAN Registration Configures a single network wide multicast VLAN shared by hosts residing in other standard or private VLAN groups preserving security and data ...

Page 600: ...o form to remove the port Syntax no ip igmp snooping vlan vlan id static ip address interface vlan id VLAN ID Range 1 4092 ip address IP address for multicast group interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 port channel channel id Range 1 8 Default Setting None Command Mode Global Configuration Example The following shows how to statically configure a multica...

Page 601: ...ur network that only support Version 1 you will also have to configure this switch to use Version 1 Some commands are only enabled for IGMPv2 and or v3 including ip igmp snooping querier ip igmp snooping query max response time ip igmp snooping query interval and ip igmp snooping immediate leave Example The following configures the switch to use IGMP Version 1 ip igmp snooping leave proxy This com...

Page 602: ... is not used a multicast router or querier will send a group specific query message when an IGMPv2 or IGMPv3 group leave message is received The router querier stops forwarding traffic for that group only if no host replies to the query within the specified timeout period Note that the timeout period is determined by ip igmp snooping query max response time see 4 298 If immediate leave is enabled ...

Page 603: ... mac address table multicast vlan vlan id user igmp snooping vlan id VLAN ID 1 to 4092 user Display only the user configured multicast entries igmp snooping Display only entries learned through IGMP snooping Default Setting None Command Mode Privileged Exec Command Usage Member types displayed include IGMP or USER depending on selected options Console show ip igmp snooping Service status Enabled Q...

Page 604: ...page 4 293 If enabled the switch will serve as querier if elected The querier is responsible for asking hosts if they want to receive multicast traffic Console show mac address table multicast vlan 1 igmp snooping VLAN M cast IP addr Member ports Type 1 224 1 2 3 Eth1 11 IGMP Console Table 4 79 IGMP Query Commands Layer 2 Command Function Mode Page ip igmp snooping querier Allows this device to ac...

Page 605: ...ies defined by this command but a client has not responded a countdown timer is started using the time defined by ip igmp snooping query max response time If the countdown finishes and the client still has not responded then that client is considered to have left the multicast group Example The following shows how to configure the query count to 10 Related Commands ip igmp snooping query max respo...

Page 606: ...e using IGMPv2 or v3 snooping for this command to take effect This command defines the time after a query during which a response is expected from a multicast client If a querier has sent a number of queries defined by the ip igmp snooping query count but a client has not responded a countdown timer is started using an initial value set by this command If the countdown finishes and the client stil...

Page 607: ...300 seconds Command Mode Global Configuration Command Usage The switch must use IGMPv2 or v3 snooping for this command to take effect Example The following shows how to configure the default timeout to 300 seconds Related Commands ip igmp snooping version 4 293 Static Multicast Routing Commands This section describes commands used to configure static multicast routing on the switch Console config ...

Page 608: ...ys be able to locate the IGMP querier Therefore if the IGMP querier is a known multicast router switch connected over the network to an interface port or trunk on your router you can manually configure that interface to join all the current multicast groups Example The following shows how to configure port 11 as a multicast router port within VLAN 1 show ip igmp snooping mrouter This command displ...

Page 609: ...Type 1 Eth 1 11 Static 2 Eth 1 12 Static Console Table 4 81 IGMP Filtering and Throttling Commands Command Function Mode Page ip igmp filter Enables IGMP filtering and throttling on the switch GC 4 302 ip igmp profile Sets a profile number and enters IGMP filter profile configuration mode GC 4 302 permit deny Sets a profile access mode to permit or deny IPC 4 303 range Specifies one or a range of ...

Page 610: ... checked against the filter profile If a requested multicast group is permitted the IGMP join report is forwarded as normal If a requested multicast group is denied the IGMP join report is dropped IGMP filtering and throttling only applies to dynamically learned multicast groups it does not apply to statically configured groups The IGMP filtering feature operates in the same manner when MVR is use...

Page 611: ...t or deny When the access mode is set to permit IGMP join reports are processed when a multicast group falls within the controlled range When the access mode is set to deny IGMP join reports are only processed when a multicast group is not in the controlled range Example range This command specifies multicast group addresses for a profile Use the no form to delete addresses from a profile Syntax n...

Page 612: ... Setting None Command Mode Interface Configuration Command Usage The IGMP filtering profile must first be created with the ip igmp profile command before being able to assign it to an interface Only one profile can be assigned to an interface A profile can also be assigned to a trunk interface When ports are configured as trunk members the trunk uses the filtering profile assigned to the first por...

Page 613: ...ny or replace If the action is set to deny any new IGMP join reports will be dropped If the action is set to replace the switch randomly removes an existing group and replaces it with the new multicast group IGMP throttling can also be set on a trunk interface When ports are configured as trunk members the trunk uses the throttling settings of the first port member in the trunk Example ip igmp max...

Page 614: ... displays the global and interface settings for IGMP filtering Syntax show ip igmp filter interface interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 port channel channel id Range 1 8 Default Setting None Command Mode Privileged Exec Example Console config interface ethernet 1 1 Console config if ip igmp max groups action replace Console config if Console s...

Page 615: ...command displays the interface settings for IGMP throttling Syntax show ip igmp throttle interface interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 port channel channel id Range 1 8 Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays all interfaces Console show ip igmp profile IGMP Pro...

Page 616: ... no form of this command without any keywords to globally disable MVR Use the no form with the group keyword to remove a specific address or range of addresses Or use the no form with the vlan keyword to restore the default MVR VLAN Syntax no mvr group ip address count vlan vlan id ip address IP address for an MVR multicast group Range 224 0 1 0 239 255 255 255 count The number of contiguous MVR grou...

Page 617: ...ssages Example The following example enables MVR globally and configures a range of MVR group addresses mvr Interface Configuration This command configures an interface as an MVR receiver or source port using the type keyword enables immediate leave capability using the immediate keyword or configures an interface as a static member of the MVR VLAN using the group keyword Use the no form to restor...

Page 618: ...atically assigned using the group keyword The IP address range from 224 0 0 0 to 239 255 255 255 is used for multicast streams MVR group addresses cannot fall within the reserved IP multicast address range of 224 0 0 x Immediate leave applies only to receiver ports When enabled the receiver port is immediately removed from the multicast group identified in the leave message When immediate leave is...

Page 619: ...nnel channel id Range 1 8 ip address IP address for an MVR multicast group Range 224 0 1 0 239 255 255 255 Default Setting Displays global configuration settings for MVR when no keywords are used Command Mode Privileged Exec Command Usage Enter this command without any keywords to display the global settings for MVR Use the interface keyword to display information about interfaces attached to the ...

Page 620: ...assigned to the MVR VLAN MVR Current multicast groups Shows the number of multicast groups currently assigned to the MVR VLAN Console show mvr interface Port Type Status Immediate Leave eth1 1 SOURCE ACTIVE UP Disable eth1 2 RECEIVER ACTIVE UP Disable eth1 5 RECEIVER INACTIVE DOWN Disable eth1 6 RECEIVER INACTIVE DOWN Disable eth1 7 RECEIVER INACTIVE DOWN Disable Console Table 4 84 show mvr interf...

Page 621: ...5 0 0 10 INACTIVE None Console Table 4 85 show mvr members display description Field Description MVR Group IP Multicast groups assigned to the MVR VLAN Status Shows whether or not there are active subscribers for this multicast group Note that this field will also display INACTIVE if MVR is globally disabled Members Shows the interfaces with subscribers for multicast services provided through ...

Page 622: ...ide this format will not be accepted by the configuration program If you select the bootp or dhcp option IP is enabled but will not function until a BOOTP or DHCP reply has been received Requests will be broadcast periodically by this device in an effort to learn its IP address BOOTP and DHCP values can include the IP address default gateway and subnet mask You can start broadcasting BOOTP or DHCP...

Page 623: ...ment Example The following example defines a default gateway for this device Related Commands show ip redirects 4 316 ip dhcp restart This command submits a BOOTP or DHCP client request Default Setting None Command Mode Privileged Exec Command Usage This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address command DHCP requir...

Page 624: ...e default gateway configured for this device Default Setting None Command Mode Privileged Exec Example Related Commands ip default gateway 4 315 Console config interface vlan 1 Console config if ip address dhcp Console config if end Console ip dhcp restart Console show ip interface IP address and netmask 192 168 1 54 255 255 255 0 on VLAN 1 and address mode DHCP Console Console show ip interface I...

Page 625: ... ping command Normal response The normal response occurs in one to ten seconds depending on network traffic Destination does not respond If the host does not respond a timeout appears in ten seconds Destination unreachable The gateway for this destination indicates that the destination is unreachable Network or host unreachable The gateway found no corresponding entry in the route table Press Esc ...

Page 626: ...addresses and corresponding MAC addresses stored in the binding table. Default Setting: Disabled. Command Mode: Interface Configuration (Ethernet). Command Usage: Source guard is used to filter traffic on an unsecure port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor. Setting source gu...

Page 627: ...binding table. If no matching entry is found, the packet will be dropped. Filtering rules are implemented as follows: If the DHCP snooping is disabled (see page 4-322), IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be f...

Page 628: ...ith a value of zero by the show ip source guard command page 4 321 When source guard is enabled traffic is filtered based upon dynamic entries learned via DHCP snooping static entries configured in the DHCP snooping table or static addresses configured in the source guard binding table with this command Static bindings are processed as follows If there is no entry with same VLAN ID and MAC address...

Page 629: ...de Privileged Exec Example show ip source guard binding This command shows the source guard binding table Command Mode Privileged Exec Example Console show ip source guard Interface Filter type Eth 1 1 DISABLED Eth 1 2 DISABLED Eth 1 3 DISABLED Eth 1 4 DISABLED Eth 1 5 SIP Eth 1 6 DISABLED Console show ip source guard binding MacAddress IpAddress Lease sec Type VLAN Interface 11 22 33 44 55 66 192...

Page 630: ...ages received on an untrusted interface as specified by the no ip dhcp snooping trust command page 4 325 from a device not listed in the DHCP snooping table will be dropped Table 4 88 DHCP Snooping Commands Command Function Mode Page ip dhcp snooping Enables DHCP snooping globally GC 4 322 ip dhcp snooping vlan Enables DHCP snooping on the specified VLAN GC 4 324 ip dhcp snooping trust Configures ...

Page 631: ...s the packet only if the corresponding entry is found in the binding table. If the DHCP packet is from a client, such as a DISCOVER, REQUEST, INFORM, DECLINE or RELEASE message, the packet is forwarded if MAC address verification is disabled (as specified by the ip dhcp snooping verify mac address command, page 4-325). However, if MAC address verification is enabled, then the packet will only be forwarded if th...

Page 632: ...mand DHCP packet filtering will be performed on any untrusted ports within the VLAN as specified by the ip dhcp snooping trust command page 4 325 When the DHCP snooping is globally disabled DHCP snooping can still be configured for specific VLANs but the changes will not take effect until DHCP snooping is globally re enabled When DHCP snooping is globally enabled configuration changes for specific...

Page 633: ...n the VLAN according to the default status or as specifically configured for an interface with the no ip dhcp snooping trust command When an untrusted port is changed to a trusted port all the dynamic DHCP snooping bindings associated with this port are removed Additional considerations when the switch itself is a DHCP client The port s through which it submits a client request to the DHCP server ...

Page 634: ...sage DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server Known as DHCP Option 82 it allows compatible DHCP servers to use the information when assigning IP addresses or to set other services or policies for clients When the DHCP Snooping Information Option is enabled clients can be identified by the switch port to which they are connecte...

Page 635: ...2 information the switch can be configured to set the action policy for these packets Either the switch can discard the Option 82 information keep the existing information or replace it with the switch s relay information Example ip dhcp snooping database flash This command writes all dynamically learned snooping entries to flash memory Command Mode Global Configuration Command Usage This command ...

Page 636: ... and the Commander manages Member switches using cluster internal IP addresses There can be up to 36 Member switches in one cluster Cluster switches are limited to within a single IP subnet Console show ip dhcp snooping Global DHCP Snooping status disable DHCP Snooping is configured on the following VLANs 1 Verify Source Mac Address enable Interface Trusted Eth 1 1 No Eth 1 2 No Eth 1 3 No Eth 1 4...

Page 637: ...are limited to a single IP subnet Layer 2 domain A switch can only be a Member of one cluster Configured switch clusters are maintained across power resets and network changes Example cluster commander This command enables the switch as a cluster Commander Use the no form to disable the switch as cluster Commander Syntax no cluster commander Default Setting Disabled cluster member Sets Candidate s...

Page 638: ...ress The base IP address for IP addresses assigned to cluster Members The IP address must start 10 x x x Default Setting 10 254 254 1 Command Mode Global Configuration Command Usage An internal IP address pool is used to assign IP addresses to Member switches in the cluster Internal cluster IP addresses are in the form 10 x x member ID Only the base IP address of the pool needs to be set since Mem...

Page 639: ...m number of switch Candidates is 100 Example rcommand This command provides access to a cluster Member CLI for configuration Syntax rcommand id member id member id The ID number of the Member switch Range 1 36 Command Mode Privileged Exec Command Usage This command only operates through a Telnet connection to the Commander switch Managing cluster Members using the local console CLI on the Commande...

Page 640: ...mand Mode Privileged Exec Example Console show cluster Role commander Interval heartbeat 30 Heartbeat loss count 3 Number of Members 1 Number of Candidates 2 Console Console show cluster members Cluster Members ID 1 Role Active member IP Address 10 254 254 2 MAC Address 00 12 cf 23 49 c0 Description 24 48 L2 L4 IPV4 IPV6 GE Switch Console Console show cluster candidates Cluster Candidates Role Mac...

Page 641: ...led Command Mode Global Configuration Command Usage You must enable UPnP before you can configure time out settings for sending of UPnP messages Example In the following example UPnP is enabled on the device Related Commands upnp device ttl 4 334 upnp device advertise duration 4 334 Table 4 1 UPnP Commands Command Function Mode Page upnp device Enables disables UPnP on the network GC 4 333 upnp de...

Page 642: ... within the TTL value for multicast messages Example In the following example the TTL is set to 6 upnp device advertise duration This command sets the duration for which a device will advertise its presence on the local network Syntax upnp device advertise duration value value A time out value expressed in seconds Range 6 86400 seconds Default Setting 100 seconds Command Mode Global Configuration ...

Page 643: ...ands upnp device ttl 4 334 show upnp This command displays the UPnP management status and time out settings Command Mode Privileged Exec Example Console show upnp UPnP global settings Status Enabled Advertise duration 200 TTL 20 Console ...

Page 645: ...essure Broadcast Storm Control Traffic throttled above a critical threshold Port Mirroring Multiple source ports one destination port Rate Limits Input limit Output limit Port Trunking Static trunks Cisco EtherChannel compliant Dynamic trunks Link Aggregation Control Protocol Spanning Tree Algorithm Spanning Tree Protocol STP IEEE 802 1D Rapid Spanning Tree Protocol RSTP IEEE 802 1w Multiple Spanni...

Page 646: ...anager or Secure Shell Out of Band Management RS 232 DB 9 console port Software Loading TFTP in band or XModem out of band SNMP Management access via MIB database Trap management to specified hosts RMON Groups 1 2 3 9 Statistics History Alarm Event Standards IEEE 802 1D Spanning Tree Protocol and traffic priorities IEEE 802 1p Priority tags IEEE 802 1Q VLAN IEEE 802 1v Protocol based VLANs IEEE 80...

Page 647: ...P MIB RFC 2933 Interface Group MIB RFC 2233 Interfaces Evolution MIB RFC 2863 IP Multicasting related MIBs MAU MIB RFC 2668 MIB II RFC 1213 Port Access Entity MIB IEEE 802 1X Port Access Entity Equipment MIB Private MIB Quality of Service MIB RADIUS Authentication Client MIB RFC 2621 RMON MIB RFC 2819 RMON II Probe Configuration Group RFC 2021 partial implementation SNMPv2 IP MIB RFC 2011 SNMP Com...

Page 649: ...d the maximum number of concurrent Telnet SSH sessions permitted Try connecting again at a later time Cannot connect using Secure Shell If you cannot connect using SSH you may have exceeded the maximum number of concurrent Telnet SSH sessions permitted Try connecting again at a later time Be sure the control parameters for the SSH server are properly configured on the switch and that the SSH clien...

Page 650: ...r messages reported to include all categories 3 Designate the SNMP host that is to receive the error messages 4 Repeat the sequence of commands or other actions that lead up to the error 5 Make a list of the commands or circumstances that led to the fault Also make a list of any error messages displayed 6 Contact your distributor s service engineer For example Console config logging on Console con...

Page 651: ... Point Service DSCP DSCP uses a six bit tag to provide for up to 64 different forwarding behaviors Based on network policies different kinds of traffic can be marked for different kinds of forwarding The DSCP bits are mapped to the Class of Service categories and then into the output queues Domain Name Service DNS A system used for translating host names for network nodes into IP addresses Dynamic...

Page 652: ...s comply with the IEEE 802 1p standard Group Attribute Registration Protocol GARP See Generic Attribute Registration Protocol IEEE 802 1D Specifies a general method for the operation of MAC bridges including the Spanning Tree Protocol IEEE 802 1Q VLAN Tagging Defines Ethernet frame tags which carry VLAN information It allows switches to assign endstations to different virtual LANs and defines a st...

Page 653: ...nt of the network from a station attached directly to the network IP Multicast Filtering A process whereby this switch can pass multicast traffic along to participating hosts Layer 2 Data Link layer in the ISO 7 Layer Data Communications Protocol This is related directly to the hardware interface for network devices and passes on traffic based on MAC addresses Link Aggregation See Port Trunk Link ...

Page 654: ...n the target port to be studied unobtrusively Port Trunk Defines a network link aggregation and trunking method which specifies how to create a single high speed logical link that combines several lower speed physical links Private VLANs Private VLANs provide port based security and isolation between ports within the assigned VLAN Data traffic on downlink ports can only be forwarded to and from ...

Page 655: ...the shortest available path maximizing the performance and efficiency of the network Telnet Defines a remote communication facility for interfacing to a terminal device over TCP IP Terminal Access Controller Access Control System Plus TACACS TACACS is a logon authentication protocol that uses software running on a central server to control access to TACACS compliant devices on the network Transmis...

Page 656: ...dless of their physical location or connection point in the network A VLAN serves as a logical workgroup with no physical barriers and allows users to share information and resources as though located on the same LAN XModem A protocol used to transfer files between devices Data is grouped in 128 byte blocks and error corrected ...

Page 657: ...9 4 140 4 142 MAC 4 145 4 145 4 147 Standard IP 4 139 4 140 4 141 address table 3 140 4 195 4 246 aging time 3 142 4 198 authentication MAC 3 101 MAC address auth 3 95 MAC configuring ports 3 101 network access 3 95 public key 3 75 web 3 90 web auth for ports configuring 3 92 web auth port info displaying 3 93 web auth re authenticating ports 3 94 web configuring 3 91 B BOOTP 3 18 4 314 4 333 4 33...

Page 658: ... 3 79 event logging 4 54 exec command privileges accounting 3 66 exec settings accounting 3 67 exec settings authorization 3 70 F filtering packets 3 102 firmware displaying version 3 13 4 82 upgrading 3 20 4 84 G GARP VLAN Registration Protocol See GVRP gateway default 3 16 4 315 GVRP enabling 3 166 global setting 3 166 4 220 interface configuration 3 173 4 221 H hardware version displaying 3 13 ...

Page 659: ...ink Layer Discovery Protocol See LLDP link type STA 3 154 3 156 3 158 3 160 3 163 4 212 4 213 4 214 LLDP 3 189 device statistics detail displaying 3 198 device statistics displaying 3 197 interface attributes configuring 3 191 local device information displaying 3 194 remote information displaying 3 196 remote port information displaying 3 195 timing attributes configuring 3 189 TLV 3 189 3 192 TL...

Page 660: ...ng multicast groups 4 308 specifying a VLAN 4 308 using immediate leave 4 309 N network access authentication 3 95 4 121 dynamic VLAN assignment 4 125 port configuration 3 97 reauthentication 3 96 4 128 secure MAC information 3 99 4 130 P packet filtering 3 102 password line 4 12 4 13 passwords 2 4 administrator setting 3 52 3 61 3 62 3 64 3 65 3 67 4 37 path cost 3 146 3 153 method 3 150 4 204 ST...

Page 661: ...ings configuring 3 148 global settings displaying 3 146 interface settings configuring 3 155 interface settings displaying 3 152 S secure shell 3 74 4 45 configuration 3 74 4 48 serial port configuring 4 10 show dot1q tunnel 4 236 Simple Network Management Protocol See SNMP SNMP 3 39 community string 3 40 3 44 3 46 3 47 3 50 4 152 enabling traps 3 41 4 155 filtering IP addresses 3 110 trap manager...

Page 662: ...7 4 181 Type Length Value See LLDP TLV Type Length Value See also LLDP MED TLV U upgrading software 3 20 UPnP 3 254 configuration 3 254 user password 3 52 3 61 3 62 3 64 3 65 3 67 4 37 4 38 V VLANs 3 163 3 199 4 219 4 220 802 1Q tunnel mode 3 180 adding static members 3 170 3 172 4 230 creating 3 169 4 225 description 3 163 3 199 displaying basic information 3 167 4 221 displaying port members 3 1...

Page 664: ...Support und weitere Information unter www smc com SPANISH En www smc com Ud podrá encontrar la información relativa a servicios de soporte técnico DUTCH Technische ondersteuningsinformatie beschikbaar op www smc com PORTUGUES Informações sobre Suporte Técnico em www smc com SWEDISH Information om Teknisk Support finns tillgängligt på www smc com INTERNET E mail address techsupport smc com Driver u...
