SMC Networks 6152PL2 FICHE Management Manual Download Page 591

Page: 591 / 818

Access Control List Commands

4-213

Example

Related Commands

permit, deny (4-213)
show arp access-list (4-214)

(ARP ACL)

This command adds a rule to an ARP ACL. The rule filters packets matching a
specified source or destination address in ARP messages. Use the

form to

remove a rule.

Syntax

[

]

{

permit

deny

}

{

any

host

source-ip

source-ip ip-address-bitmask

}

mac

{

any

host

source-ip

source-ip ip-address-bitmask

} [

log

]

Note:

This form indicates either request or response packets.

[

]

{

permit

deny

}

request

{

any

host

source-ip

source-ip ip-address-bitmask

}

mac

{

any

host

source-mac

source-mac mac-address-bitmask

} [

log

]

[

]

{

permit

deny

}

response

{

any

host

source-ip

source-ip ip-address-bitmask

}

{

any

host

destination-ip | destination-ip ip-address-bitmask

}

mac

{

any

host

source-mac

source-mac mac-address-bitmask

}

[

any

host

destination-mac

destination-mac mac-address-bitmask

] [

log

]

•

source-ip

– Source IP address.

•

destination-ip

– Destination IP address with bitmask.

•

ip-address-bitmask

– IPv4 number representing the address bits to

match.

•

source-mac

– Source MAC address.

•

destination-mac

– Destination MAC address range with bitmask.

•

mac-address-bitmask

– Bitmask for MAC address (in hexidecimal

format).

•

log

- Logs a packet when it matches the access control entry.

Default Setting

None

Command Mode

ARP ACL

25. For all bitmasks, binary “1” means care and “0” means ignore.

Summary of Contents for 6152PL2 FICHE

Page 1: ...Management Guide SMC6128PL2 SMC6152PL2 TigerSwitchTM 10 100 24 Port 10 100 Switch with PoE IP Clustering and 4 Gigabit Ports ...

Page 2: ......

Page 3: ...20 Mason Irvine CA 92618 Phone 949 679 8000 TigerSwitch 10 100 Management Guide From SMC s Tiger line of feature rich workgroup LAN solutions May 2009 Pub 149100000007A E052009 MW R01 ...

Page 4: ...e is granted by implication or otherwise under any patent or patent rights of SMC SMC reserves the right to change specifications at any time without notice Copyright 2009 by SMC Networks Inc 20 Mason Irvine CA 92618 All rights reserved Trademarks SMC is a registered trademark and EZ Switch TigerStack and TigerSwitch are trademarks of SMC Networks Inc Other product and company names are trademarks...

Page 5: ...v Warranty and Product Registration To register SMC products and to review the detailed warranty statement please refer to the Support Section of the SMC Website at http www smc com ...

Page 6: ...vi ...

Page 7: ... your attention to related features or instructions Caution Alerts you to a potential hazard that could cause loss of data or damage the system or equipment Warning Alerts you to a potential hazard that could cause personal injury Related Publications The following publication details the hardware features of the switch including the physical and performance related characteristics and how to inst...

Page 8: ...viii ...

Page 9: ...ersion 1 and 2c clients 2 6 Trap Receivers 2 7 Configuring Access for SNMP Version 3 Clients 2 8 Managing System Files 2 8 Saving Configuration Settings 2 9 Chapter 3 Configuring the Switch 3 1 Using the Web Interface 3 1 Navigating the Web Browser Interface 3 2 Home Page 3 2 Configuration Options 3 3 Panel Display 3 3 Main Menu 3 4 Basic Configuration 3 13 Displaying System Information 3 13 Displ...

Page 10: ...g Community Access Strings 3 51 Specifying Trap Managers and Trap Types 3 52 Configuring SNMPv3 Management Access 3 55 Setting the Local Engine ID 3 55 Specifying a Remote Engine ID 3 56 Configuring SNMPv3 Users 3 57 Configuring Remote SNMPv3 Users 3 59 Configuring SNMPv3 Groups 3 61 Setting SNMPv3 Views 3 64 Sampling Traffic Flows 3 65 Configuring sFlow Global Parameters 3 66 Configuring sFlow Po...

Page 11: ...ion Port Information 3 113 Re authenticating Web Authenticated Ports 3 113 Network Access MAC Address Authentication 3 114 Configuring the MAC Authentication Reauthentication Time 3 116 Configuring MAC Authentication for Ports 3 117 Configuring Port Link Detection 3 119 Displaying Secure MAC Address Information 3 120 MAC Filter Configuration 3 121 Access Control Lists 3 123 Setting the ACL Name an...

Page 12: ...etting Unknown Unicast Storm Thresholds 3 175 Configuring Port Mirroring 3 177 Configuring MAC Address Mirroring 3 178 Configuring Rate Limits 3 179 Rate Limit Configuration 3 179 Showing Port Statistics 3 180 Power Over Ethernet Settings 3 184 Switch Power Status 3 185 Setting a Switch Power Budget 3 186 Displaying Port Power Status 3 186 Configuring Port PoE Power 3 187 Address Table Settings 3 ...

Page 13: ...Ns 3 243 Configuring Protocol VLAN Groups 3 244 Mapping Protocols to VLANs 3 245 Configuring VLAN Mirroring 3 246 Configuring IP Subnet VLANs 3 247 Configuring MAC based VLANs 3 248 Link Layer Discovery Protocol 3 249 Setting LLDP Timing Attributes 3 249 Configuring LLDP Interface Attributes 3 251 Displaying LLDP Local Device Information 3 254 Displaying LLDP Remote Port Information 3 257 Displayi...

Page 14: ...GMP Filtering and Throttling for Interfaces 3 297 Multicast VLAN Registration 3 299 Configuring Global MVR Settings 3 300 Displaying MVR Interface Status 3 302 Displaying Port Members of Multicast Groups 3 303 Configuring MVR Interface Status 3 304 Assigning Static Multicast Groups to Interfaces 3 306 Configuring MVR Receiver VLAN and Group Addresses 3 307 Displaying MVR Receiver Groups 3 308 Conf...

Page 15: ... history 4 13 reload Privileged Exec 4 14 reload Global Configuration 4 14 show reload 4 16 prompt 4 16 end 4 16 exit 4 17 quit 4 17 System Management Commands 4 18 Device Designation Commands 4 18 hostname 4 18 Banner Information Commands 4 19 banner configure 4 20 banner configure company 4 21 banner configure dc power info 4 22 banner configure department 4 22 banner configure equipment info 4 ...

Page 16: ...out login response 4 48 exec timeout 4 48 password thresh 4 49 silent time 4 50 databits 4 50 parity 4 51 speed 4 52 stopbits 4 52 terminal length 4 53 terminal width 4 53 terminal escape character 4 54 terminal terminal type 4 54 terminal history 4 55 disconnect 4 55 show line 4 56 Event Logging Commands 4 57 logging on 4 57 logging history 4 58 logging host 4 59 logging facility 4 59 logging tra...

Page 17: ...clock summer time predefined 4 77 clock summer time recurring 4 78 calendar set 4 80 show calendar 4 80 Switch Cluster Commands 4 81 cluster 4 81 cluster commander 4 82 cluster ip pool 4 83 cluster member 4 83 rcommand 4 84 show cluster 4 84 show cluster members 4 85 show cluster candidates 4 85 UPnP Commands 4 85 upnp device 4 86 upnp device ttl 4 86 upnp device advertise duration 4 87 show upnp ...

Page 18: ...count and Privilege Level Commands 4 110 username 4 110 enable password 4 111 privilege 4 112 privilege rerun 4 113 show privilege 4 113 Authentication Sequence 4 114 authentication login 4 114 authentication enable 4 115 RADIUS Client 4 116 radius server host 4 116 radius server acct port 4 117 radius server auth port 4 117 radius server key 4 118 radius server retransmit 4 118 radius server time...

Page 19: ...rver 4 139 ip ssh timeout 4 140 ip ssh authentication retries 4 140 ip ssh server key size 4 141 delete public key 4 141 ip ssh crypto host key generate 4 142 ip ssh crypto zeroize 4 142 ip ssh save host key 4 143 show ip ssh 4 143 show ssh 4 144 show public key 4 145 802 1X Port Authentication 4 146 dot1x system auth control 4 146 dot1x default 4 147 dot1x max req 4 147 dot1x port control 4 147 d...

Page 20: ...ccess link detection link up 4 170 network access link detection link up down 4 170 clear network access 4 171 show network access 4 171 show network access mac address table 4 172 show network access mac filter 4 173 Web Authentication 4 174 web auth login attempts 4 174 web auth quiet period 4 175 web auth session timeout 4 175 web auth system auth control 4 176 web auth 4 176 web auth re authen...

Page 21: ...7 show ip arp inspection vlan 4 198 show ip arp inspection log 4 198 show ip arp inspection statistics 4 199 Access Control List Commands 4 199 IPv4 ACLs 4 200 access list rule mode 4 200 access list ip 4 201 permit deny Standard IPv4 ACL 4 202 permit deny Extended IPv4 ACL 4 203 show ip access list 4 205 ip access group 4 205 show ip access group 4 206 IPv6 ACLs 4 206 access list ipv6 4 207 permi...

Page 22: ...ntrol alarm clear threshold 4 240 auto traffic control action 4 241 auto traffic control control release 4 242 snmp server enable port traps atc broadcast alarm fire 4 242 snmp server enable port traps atc multicast alarm fire 4 243 snmp server enable port traps atc broadcast alarm clear 4 243 snmp server enable port traps atc multicast alarm clear 4 244 snmp server enable port traps atc broadcast...

Page 23: ...address table aging time 4 272 show mac address table aging time 4 272 Spanning Tree Commands 4 274 spanning tree 4 275 spanning tree mode 4 276 spanning tree forward time 4 277 spanning tree hello time 4 277 spanning tree max age 4 278 spanning tree priority 4 279 spanning tree system bpdu flooding 4 279 spanning tree pathcost method 4 280 spanning tree transmission limit 4 280 spanning tree mst ...

Page 24: ...w garp timer 4 303 Editing VLAN Groups 4 304 vlan database 4 304 vlan 4 305 Configuring VLAN Interfaces 4 306 interface vlan 4 306 switchport mode 4 307 switchport acceptable frame types 4 308 switchport ingress filtering 4 308 switchport native vlan 4 309 switchport allowed vlan 4 310 switchport forbidden vlan 4 311 vlan trunking 4 311 Displaying VLAN Information 4 313 show vlan 4 313 Configuring...

Page 25: ... vlan 4 334 voice vlan aging 4 335 voice vlan mac address 4 336 switchport voice vlan 4 337 switchport voice vlan rule 4 337 switchport voice vlan security 4 338 switchport voice vlan priority 4 339 show voice vlan 4 339 LLDP Commands 4 341 lldp 4 343 lldp holdtime multiplier 4 343 lldp medFastStartCount 4 344 lldp notification interval 4 344 lldp refresh interval 4 345 lldp reinit delay 4 345 lld...

Page 26: ...queue cos map 4 365 show queue mode 4 366 show queue bandwidth 4 366 show queue cos map 4 367 Priority Commands Layer 3 and 4 4 368 map ip dscp Global Configuration 4 368 map ip dscp Interface Configuration 4 368 show map ip dscp 4 370 Quality of Service Commands 4 371 class map 4 372 match 4 373 rename 4 374 description 4 374 policy map 4 375 police 4 375 set 4 376 police 4 377 service policy 4 3...

Page 27: ...ermit deny 4 392 range 4 393 ip igmp filter Interface Configuration 4 393 ip igmp max groups 4 394 ip igmp max groups action 4 395 show ip igmp filter 4 395 show ip igmp profile 4 396 show ip igmp throttle interface 4 396 Multicast VLAN Registration Commands 4 397 mvr Global Configuration 4 398 mvr Interface Configuration 4 400 show mvr 4 402 Domain Name Service Commands 4 405 ip host 4 405 clear ...

Page 28: ...ware Specifications A 1 Software Features A 1 Management Features A 2 Standards A 2 Management Information Bases A 3 Appendix B Troubleshooting B 1 Problems Accessing the Management Interface B 1 Using System Logs B 2 Glossary Index ...

Page 29: ...3 17 Port ID Subtype 3 258 Table 3 18 Mapping CoS Values to Egress Queues 3 265 Table 3 19 CoS Priority Levels 3 265 Table 3 20 Mapping DSCP Priority Values 3 270 Table 4 1 Command Modes 4 6 Table 4 2 Configuration Modes 4 8 Table 4 3 Command Line Processing 4 9 Table 4 4 Command Groups 4 10 Table 4 5 General Commands 4 11 Table 4 6 System Management Commands 4 18 Table 4 7 Device Designation Comm...

Page 30: ... 4 158 Table 4 42 Port Security Commands 4 159 Table 4 43 Network Access 4 161 Table 4 44 Dynamic QoS Profiles 4 168 Table 4 45 Web Authentication 4 174 Table 4 46 DHCP Snooping Commands 4 179 Table 4 47 IP Source Guard Commands 4 187 Table 4 48 ARP Inspection Commands 4 191 Table 4 49 Access Control Lists 4 199 Table 4 50 IPv4 ACL Commands 4 200 Table 4 52 ARP ACL Commands 4 212 Table 4 53 MAC AC...

Page 31: ...ds 4 363 Table 4 88 Priority Commands Layer 2 4 363 Table 4 89 Default CoS Values to Egress Queues 4 365 Table 4 90 Priority Commands Layer 3 and 4 4 368 Table 4 91 IP DSCP to CoS Vales 4 369 Table 4 92 Quality of Service Commands 4 371 Table 4 93 Multicast Filtering Commands 4 380 Table 4 94 IGMP Snooping Commands 4 380 Table 4 95 IGMP Query Commands Layer 2 4 385 Table 4 96 Static Multicast Rout...

Page 32: ...Tables xxxii ...

Page 33: ... 19 System Logs 3 37 Figure 3 20 Remote Logs 3 38 Figure 3 21 Displaying Logs 3 39 Figure 3 22 Enabling and Configuring SMTP 3 40 Figure 3 23 Resetting the System 3 42 Figure 3 24 Current Time Configuration 3 43 Figure 3 25 SNTP Configuration 3 44 Figure 3 26 NTP Client Configuration 3 45 Figure 3 27 Setting the System Clock 3 47 Figure 3 28 Summer Time 3 49 Figure 3 29 Enabling SNMP Agent Status ...

Page 34: ...re 3 65 Web Authentication Configuration 3 111 Figure 3 66 Web Authentication Port Configuration 3 112 Figure 3 67 Web Authentication Port Information 3 113 Figure 3 68 Web Authentication Port Re authentication 3 114 Figure 3 69 Network Access Configuration 3 117 Figure 3 70 Network Access Port Configuration 3 118 Figure 3 71 Network Access Port Link Detection Configuration 3 120 Figure 3 72 Netwo...

Page 35: ...us 3 185 Figure 3 109 Setting the Switch Power Budget 3 186 Figure 3 110 Displaying Port PoE Status 3 187 Figure 3 111 Configuring Port PoE Power 3 188 Figure 3 112 Configuring a Static Address Table 3 189 Figure 3 113 Configuring a Dynamic Address Table 3 190 Figure 3 114 Setting the Address Aging Time 3 191 Figure 3 115 Configuring Port Loopback Detection 3 194 Figure 3 116 Displaying Spanning T...

Page 36: ...guration 3 264 Figure 3 153 Traffic Classes 3 266 Figure 3 154 Queue Mode 3 267 Figure 3 155 Displaying Queue Scheduling 3 268 Figure 3 156 IP DSCP Priority Status 3 269 Figure 3 157 Mapping IP DSCP Priority Values 3 271 Figure 3 158 Configuring Class Maps 3 274 Figure 3 159 Configuring Policy Maps 3 277 Figure 3 160 Service Policy Settings 3 278 Figure 3 161 Configuring VoIP Traffic 3 280 Figure ...

Page 37: ...309 Figure 3 181 DNS General Configuration 3 311 Figure 3 182 DNS Static Host Table 3 313 Figure 3 183 DNS Cache 3 314 Figure 3 184 Cluster Member Choice 3 315 Figure 3 185 Cluster Configuration 3 316 Figure 3 186 Cluster Member Configuration 3 317 Figure 3 187 Cluster Member Information 3 318 Figure 3 188 Cluster Candidate Information 3 319 Figure 3 189 UPnP Configuration 3 320 ...

Page 38: ...Figures xxxviii ...

Page 39: ...o TFTP server Authentication and Security Measures Console Telnet web User name password RADIUS TACACS AAA ARP inspection Web HTTPS Telnet SSH SNMP v1 2c Community strings SNMP version 3 MD5 or SHA password Port Authentication IEEE 802 1X Port Security MAC address filtering Private VLANs Network Access MAC Address Authentication Web Authentication Web access with RADIUS Authentication DHCP Snoopin...

Page 40: ...thentication is also supported via the IEEE 802 1X protocol This protocol uses the Extensible Authentication Protocol over LANs EAPOL to request user credentials from the 802 1X client and then verifies the client s right to access the network via an authentication server Other authentication options include HTTPS for secure management access via the web SSH for secure management access over a Tel...

Page 41: ... The switch can unobtrusively mirror traffic from any port VLAN or packets with a specified MAC address to a monitor port You can then attach a protocol analyzer or RMON probe to this port to perform traffic analysis and verify connection integrity Port Trunking Ports can be combined into an aggregate connection Trunks can be manually set up or dynamically configured using Link Aggregation Control...

Page 42: ...ol reduces the convergence time for network topology changes to 3 to 5 seconds compared to 30 seconds or more for the older IEEE 802 1D STP standard It is intended as a complete replacement for STP but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP compliant mode if they detect STP protocol messages from attached devices Multiple Spannin...

Page 43: ... to meet the requirements of specific traffic types on a per hop basis Each packet is classified upon entry into the network based on access lists IP Precedence or DSCP values or VLAN lists Using access lists allows you select traffic based on Layer 2 Layer 3 or Layer 4 information contained in each packet Based on network policies different kinds of traffic can be marked for different kinds of fo...

Page 44: ...l Console Timeout 0 disabled Authentication and Security Measures Privileged Exec Level Username admin Password admin Normal Exec Level Username guest Password guest Enable Privileged Exec from Normal Exec Level Password super RADIUS Authentication Disabled TACACS Authentication Disabled 802 1X Port Authentication Disabled Web Authentication Disabled MAC Authentication Disabled HTTPS Enabled SSH D...

Page 45: ... Unknown Unicast disabled Rate Limit Broadcast 64 kbits per second Spanning Tree Algorithm Status Enabled RSTP Defaults Based on RSTP standard Fast Forwarding Edge Port Disabled Address Table Aging Time 300 seconds Virtual LANs Default VLAN 1 PVID 1 Acceptable Frame Type All Ingress Filtering Enabled Switchport Mode Egress Mode Hybrid tagged untagged frames GVRP global Disabled GVRP port interface...

Page 46: ...Snooping Enabled Querier Enabled Multicast VLAN Registration Disabled System Log Status Enabled Messages Logged Levels 0 7 all Messages Logged to Flash Levels 0 3 SMTP Email Alerts Event Handler Enabled but no server defined SNTP Clock Synchronization Disabled NTP Clock Synchronization Disabled Switch Clustering Status Enabled Commander Disabled Table 1 2 System Defaults Continued Function Paramet...

Page 47: ... RS 232 serial console port on the switch or remotely by a Telnet connection over the network The switch s management agent also supports SNMP Simple Network Management Protocol This SNMP agent permits the switch to be managed from any system in the network using network management software such as HP OpenView The switch s web interface CLI configuration program and SNMP agent allow you to perform...

Page 48: ...the following steps 1 Connect the console cable to the serial port on a terminal or a PC running terminal emulation software and tighten the captive retaining screws on the DB 9 connector 2 Connect the other end of the cable to the RS 232 serial port on the switch 3 Make sure the terminal emulation software is set as follows Select the appropriate serial port COM port 1 or COM port 2 Set the baud ...

Page 49: ...ccess to basic configuration functions To access the full range of SNMP management functions you must use SNMP based network management software Basic Configuration Console Connection The CLI program provides two different command levels normal access level Normal Exec and privileged access level Privileged Exec The commands available at the Normal Exec level are a limited subset of those availabl...

Page 50: ...work This can be done in either of the following ways Manual You have to input the information including IP address and subnet mask If your management station is not in the same IP subnet as the switch you will also need to specify the default gateway router Dynamic The switch sends IP configuration requests to BOOTP or DHCP address allocation servers on the network Manual Configuration You can ma...

Page 51: ...TP or DHCP reply has been received Requests will be sent periodically in an effort to obtain IP configuration information BOOTP and DHCP values can include the IP address subnet mask and default gateway If the DHCP BOOTP server is slow to respond you may need to use the ip dhcp restart command to re start broadcasting service requests If the bootp or dhcp option is saved to the startup config file...

Page 52: ... agent that supports SNMP version 1 2c and 3 clients To provide management access for version 1 or 2c clients you must specify a community string The switch provides a default MIB View i e an SNMPv3 construct for the default public community string that provides read access to the entire MIB tree and a default view for the private community string that provides read write access to the entire MIB ...

Page 53: ...here are no community strings then SNMP management access from SNMP v1 and v2c clients is disabled Trap Receivers You can also specify SNMP stations that are to receive traps from the switch To configure a trap receiver use the snmp server host command From the Privileged Exec level global configuration mode prompt type snmp server host host address community string version 1 2c 3 auth noauth priv...

Page 54: ...stores system configuration information and is created when configuration settings are saved Saved configuration files can be selected as a system start up file or can be uploaded via FTP TFTP to a server for backup The file named Factory_Default_Config cfg contains all the system default settings and cannot be deleted from the system If the system is booted with the factory default settings the s...

Page 55: ...files must have a name specified File names on the switch are case sensitive can be from 1 to 31 characters must not contain slashes or and the leading letter of the file name must not be a period Valid characters A Z a z 0 9 _ There can be more than one user defined configuration file saved in the switch s flash memory but only one is designated as the startup file that is loaded when the switch ...

Page 56: ...Initial Configuration 2 10 2 ...

Page 57: ...age 2 4 2 Set user names and passwords using an out of band serial connection Access to the web agent is controlled by the same user names and passwords as the onboard configuration program See Setting Passwords on page 2 4 3 After you enter a user name and password you will have access to the system configuration program Notes 1 You are allowed three attempts to enter the correct password on the ...

Page 58: ...th the switch s web agent the home page is displayed as shown below The home page displays the Main Menu on the left side of the screen and System Information on the right side The Main Menu links are used to navigate to other menus and display configuration parameters and statistics Figure 3 1 Home Page Note The examples in this chapter are based on the SMC6128PL2 Other than the number of fixed p...

Page 59: ...This option is available under Tools Internet Options General Browsing History Settings Temporary Internet Files 2 You may have to manually refresh the screen after making configuration changes by pressing the browser s refresh button Panel Display The web agent displays an image of the switch s ports The Mode can be set to display different information for the ports including Active i e up or dow...

Page 60: ...e server 3 22 Copy Operation Allows the transfer and copying of files 3 22 HTTP Upgrade Copies operation code or configuration files from management station to the switch 3 30 HTTP Download Copies operation code or configuration files from the switch to the management station 3 30 Delete Allows deletion of files from the flash memory 3 26 Set Start Up Sets the startup file 3 26 Line 3 32 Console S...

Page 61: ...d parameters and sampling interval 3 68 Security 3 70 User Accounts Assigns a new password for the current user 3 70 Authentication Settings Configures authentication sequence RADIUS and TACACS 3 72 Encryption Key Configures RADIUS and TACACS encryption key settings 3 75 AAA Authentication Authorization and Accounting 3 76 RADIUS Group Settings Defines the configured RADIUS servers to use for acco...

Page 62: ...eters for individual ports 3 101 Statistics Displays protocol statistics for the selected port 3 104 Web Authentication 3 110 Configuration Configures Web Authentication settings 3 111 Port Configuration Enables Web Authentication for individual ports 3 112 Port Information Displays status information for individual ports 3 113 Re authentication Forces a host to re authenticate itself immediately ...

Page 63: ... Port Counters Information Displays statistics for LACP protocol messages 3 167 Port Internal Information Displays settings and operational state for the local side 3 168 Port Neighbors Information Displays settings and operational state for the remote side 3 170 Port Broadcast Control Sets the broadcast storm threshold for each port 3 172 Trunk Broadcast Control Sets the broadcast storm threshold...

Page 64: ...e 3 195 Configuration Configures global bridge settings for STA and RSTP 3 198 Port Information Displays individual port settings for STA 3 202 Trunk Information Displays individual trunk settings for STA 3 202 Port Configuration Configures individual port settings for STA 3 205 Trunk Configuration Configures individual trunk settings for STA 3 205 Port Edge Port Configuration Sets an interface to...

Page 65: ...ffic between uplink ports assigned to different client sessions 3 236 Session Configuration Creates a client session and assigns the downlink and uplink ports to service the traffic 3 237 Private VLAN 3 238 Information Displays Private VLAN feature information 3 238 Configuration This page is used to create remove primary or community VLANs 3 239 Association Each community VLAN must be associated ...

Page 66: ... statistics for remote devices on a selected port or trunk 3 261 Priority 3 263 Default Port Priority Sets the default priority for each port 3 263 Default Trunk Priority Sets the default priority for each trunk 3 263 Traffic Classes Maps IEEE 802 1p priority tags to output queues 3 265 Traffic Classes Status Enables disables traffic class priorities not implemented NA Queue Mode Sets queue mode t...

Page 67: ... 294 IGMP Filter Throttling Trunk Configuration Configures IGMP Filtering and Throttling for trunks 3 294 MVR 3 299 Configuration Globally enables MVR sets the MVR VLAN adds multicast stream addresses 3 300 Port Information Displays MVR interface type MVR operational and activity status and immediate leave status 3 302 Trunk Information Displays MVR interface type MVR operational and activity stat...

Page 68: ...he DHCP Snooping Information Option policy 3 147 Binding Information Displays the DHCP Snooping binding information 3 149 IP Source Guard 3 150 Port Configuration Enables IP source guard and selects filter type per port 3 150 Static Configuration Adds a static addresses to the source guard binding table 3 152 Dynamic Information Displays the source guard binding table for a selected interface 3 15...

Page 69: ...tem System Up Time Length of time the management agent has been up These additional parameters are displayed for the CLI MAC Address The physical layer address for this switch Web Server Shows if management access via is enabled Web Server Port Shows the TCP port number used by the web interface Web Secure Server Shows if management access via HTTPS is enabled Web Secure Server Port Shows the TCP ...

Page 70: ...n WC 9 4 92 Console config snmp server contact Ted 4 91 Console config exit Console show system 4 33 System Description 24 Fast Ethernet 2 Giga 2 ComboG L2 L4 PoE Standalone switch System OID string 1 3 6 1 4 1 202 20 65 System Information System Up Time 0 days 0 hours 38 minutes and 44 16 seconds System Name R D 5 System Location WC 9 System Contact Ted MAC Address Unit1 00 01 02 03 0A 0A Web Ser...

Page 71: ...ion Hardware version of the main board Chip Device ID Identifier for basic MAC Physical Layer switch chip Internal Power Status Displays the status of the internal power supply Management Software EPLD Version Version number of the Electronically Programmable Logic Device code Loader Version Version number of loader code Boot ROM Version Version of Power On Self Test POST and boot code Operation C...

Page 72: ...sion 4 34 Unit 1 Serial Number A749023132 Hardware Version R01 Chip Device ID Marvell 98DX106 B0 88E6095 F EPLD Version 0 02 Number of Ports 28 Main Power Status Up Redundant Power Status Not present Agent Master Unit ID 1 Loader Version 1 0 2 2 Boot ROM Version 1 0 3 5 Operation Code Version 1 3 5 2 Console ...

Page 73: ...tering for unicast and multicast addresses Refer to Setting Static Addresses on page 3 189 VLAN Learning This switch uses Independent VLAN Learning IVL where each port maintains its own filtering database Configurable PVID Tagging This switch allows you to override the default Port VLAN ID PVID used in frame tags and egress status VLAN Tagged or Untagged on each port Refer to VLAN Configuration on...

Page 74: ...N has been assigned an IP address IP Address Mode Specifies whether IP functionality is enabled via manual configuration Static Dynamic Host Configuration Protocol DHCP or Boot Protocol BOOTP If DHCP BOOTP is enabled IP will not function until a reply has been received from the server Requests will be broadcast periodically by the switch for an IP address DHCP BOOTP values can include the IP addre...

Page 75: ...o Static enter the IP address subnet mask and gateway then click Apply Figure 3 6 Manual IP Configuration CLI Specify the management interface IP address and default gateway Console config Console config interface vlan 1 4 221 Console config if ip address 192 168 1 1 255 255 255 0 4 412 Console config if exit Console config ip default gateway 0 0 0 0 4 413 Console config ...

Page 76: ...HCP IP Configuration Note If you lose your management connection use a console connection and enter show ip interface to determine the new switch address CLI Specify the management interface and set the IP address mode to DHCP or BOOTP and then enter the ip dhcp restart command Console config Console config interface vlan 1 4 221 Console config if ip address dhcp 4 412 Console config if end Consol...

Page 77: ...ng jumbo frames up to 10 KB for the Gigabit Ethernet ports Compared to standard Ethernet frames that run only up to 1 5 KB using jumbo frames significantly reduces the per packet overhead required to process protocol encapsulation fields Command Usage To use jumbo frames both the source and destination end nodes such as a computer or server must support this feature Also when the connection is ope...

Page 78: ... to an FTP server ftp to file Copies a file from an FTP server to the switch TFTP FTP Server IP Address The IP address of an FTP or TFTP server User Name The user name for FTP server access Password The password for FTP server access File Type Specify opcode operational code to copy firmware File Name The file name should not contain slashes or the leading letter of the file name should not be a p...

Page 79: ...grade file is stored as SMC6128_52PL2_op_V1 3 5 2 BIX or even SMC6128_52PL2_op_V1 3 5 2 bix on a case sensitive server then the switch requesting runtime bix will not be upgraded because the server does not recognize the requested file name and the stored file name as being equal A notable exception in the list of case sensitive Unix like operating systems is Mac OS X which by default is case inse...

Page 80: ...grade file can be found Nested directory structures are accepted The directory name must be separated from the host and in nested directory structures from the parent directory with a prepended forward slash The forward slash must be the last character of the URL ftp username password host filedir ftp Defines FTP protocol for the server connection username Defines the user name for the FTP connect...

Page 81: ...anonymous will be the user name and the password will be blank The image file is in the FTP root directory ftp switches upgrade 192 168 0 1 The user name is switches and the password is upgrade The image file is in the FTP root ftp switches upgrade 192 168 0 1 switches opcode The user name is switches and the password is upgrade The image file is in the opcode directory which is within the switche...

Page 82: ...e as the file transfer method enter the IP address of the TFTP server set the file type to opcode enter the file name of the software to download select a file on the switch to overwrite or specify a new file name then click Apply If you replaced the current firmware used for startup and want to start using the new operation code reboot the system via the System Reset menu Figure 3 10 Copy Firmwar...

Page 83: ...ew firmware form a TFTP server enter the IP address of the TFTP server select opcode as the file type then enter the source and destination file names When the file has finished downloading set the new file to start up the system and then restart the switch To start the new firmware enter the reload command or reboot the system Console copy tftp file 4 37 TFTP server ip address 192 168 1 23 Choose...

Page 84: ...es the running configuration to a TFTP server startup config to file Copies the startup configuration to a file on the switch startup config to ftp Copies the startup configuration to an FTP server startup config to running config Copies the startup config to the running config startup config to tftp Copies the startup configuration to a TFTP server ttftp to file Copies a file from a TFTP server t...

Page 85: ...the IP address of the TFTP server If you download from an FTP server enter the user name and password for an account on the server Specify the name of the file to download and select a file on the switch to overwrite or specify a new file name then click Apply Figure 3 13 Downloading Configuration Settings for Startup If you download to a new file name using ftp tftp to startup config or ftp tftp ...

Page 86: ... to copy a firmware file or config configuration to copy a switch configuration file Source File Name Use the Browse button to locate the file on the web management station The file name should not contain slashes or the leading letter of the file name should not be a period and the maximum length for file names on the FTP TFTP server is 127 characters or 31 characters for files on the switch Vali...

Page 87: ...ocal web management station Specify the name of a file on the switch to overwrite or specify a new file name then click Apply Figure 3 15 Uploading Files Using HTTP Web To download files using HTTP Click System File Management HTTP Download Select an operation code file or configuration file on the switch to download to the web management station Click Apply Figure 3 16 Downloading Files Using HTT...

Page 88: ...tempts Silent Time Sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts has been exceeded Range 0 65535 Default 0 Data Bits Sets the number of data bits per character that are interpreted and generated by the console port If parity is being generated specify 7 data bits per character If no parity is required specify 8 data bits per characte...

Page 89: ...line login local 4 46 Console config line password 0 secret 4 47 Console config line timeout login response 0 4 48 Console config line exec timeout 0 4 48 Console config line password thresh 3 4 49 Console config line silent time 60 4 50 Console config line databits 8 4 50 Console config line parity none 4 51 Console config line speed 19200 4 52 Console config line stopbits 1 4 52 Console config l...

Page 90: ...ets the interval that the system waits until user input is detected If user input is not detected within the timeout interval the current session is terminated Range 0 65535 seconds Default 600 seconds Password Threshold Sets the password intrusion threshold which limits the number of failed logon attempts When the logon attempt threshold is reached the system interface becomes silent for a specif...

Page 91: ...ent virtual terminal settings use the show line command from the Normal Exec level Console config line vty 4 45 Console config line login local 4 46 Console config line password 0 secret 4 47 Console config line timeout login response 300 4 48 Console config line exec timeout 600 4 48 Console config line password thresh 3 4 49 Console config line end Console show line vty 4 56 VTY Configuration Pa...

Page 92: ... Enables disables the logging of debug or error messages to the logging process Default Enabled Flash Level Limits log messages saved to the switch s permanent flash memory for all levels up to the specified level For example if level 3 is specified all messages from level 0 to level 3 will be logged to flash Range 0 7 Default 3 RAM Level Limits log messages saved to the switch s temporary RAM mem...

Page 93: ...f 16 to 23 The facility type is used by the syslog server to dispatch log messages to an appropriate service The attribute specifies the facility type tag sent in syslog messages see RFC 3164 This type has no effect on the kind of messages reported by the switch However it may be used by the syslog server to process messages such as sorting or storing messages in the corresponding database Range 1...

Page 94: ... the facility type and set the logging trap Console config logging host 192 168 1 15 4 59 Console config logging facility 23 4 59 Console config logging trap 4 4 60 Console config end Console show logging trap 4 60 Syslog logging Enabled REMOTELOG status Enabled REMOTELOG facility type local use 7 REMOTELOG level type Warning conditions REMOTELOG server ip address 192 168 1 15 REMOTELOG server ip ...

Page 95: ...f a specified level The messages are sent to specified SMTP servers on the network and can be retrieved using POP or IMAP clients Command Attributes Admin Status Enables disables the SMTP function Default Enabled Email Source Address Sets the email address used for the From field in alert messages You may use a symbolic email address that identifies the switch or the address of an administrator re...

Page 96: ...pecifies the email recipients of alert messages You can specify up to five recipients Use the New Email Destination Address text field and the Add Remove buttons to configure the list Email Destination Address This command specifies SMTP servers that may receive alert messages Web Click System Log SMTP Enable SMTP specify a source email address and select the minimum severity level To add an IP ad...

Page 97: ...ait combined with the hours before the switch resets Range 1 34560 Default 0 Reset Resets the switch after the specified time If the hour and minute fields are blank then the switch will reset immediately Refresh Refreshes the countdown timer of a pending delayed reset Cancel Cancels a pending delayed reset Note To rimmediately restart the switch enter 0 in both the Hours and Minutes fields and cl...

Page 98: ...nfig command See paratext on page 4 37 Setting the System Clock Simple Network Time Protocol SNTP allows the switch to set its internal clock based on periodic updates from a time server SNTP or NTP Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries You can also manually set the clock If the clock is not set manually or via SNTP...

Page 99: ...guring SNTP You can configure the switch to send time synchronization requests to time servers Command Attributes SNTP Client Configures the switch to operate as an SNTP client This requires at least one NTP or SNTP time server to be specified in the SNTP Server field Default Disabled SNTP Poll Interval Sets the interval between sending requests for a time update from a time server Range 16 16384 ...

Page 100: ...operate as an NTP client This requires at least one time server to be specified in the NTP Server list Default Disabled NTP Polling Interval Sets the interval between sending requests for a time update from NTP servers Range 16 16384 seconds Default 1024 seconds NTP Authenticate Enables authentication for time requests and updates between the switch and NTP servers Default Disabled NTP Server Sets...

Page 101: ...pecifies a key value in the NTP Authentication Key List Up to 255 keys can be configured in the NTP Authentication Key List Note that key numbers and values must match on both the server and client Range 1 65535 Key Context Specifies an MD5 authentication key string The key string can be up to 32 case sensitive printable ASCII characters no spaces Note SNTP and NTP clients cannot both be enabled a...

Page 102: ...t one major city or location covered by the time zone User defined Configuration Allows the user to define all parameters of the local time zone Direction Configures the time zone to be before east of or after west of UTC Name Assigns a name to the time zone Range 1 29 characters Hours 0 13 The number of hours before after UTC The maximum value before UTC is 12 The maximum value after UTC is 13 Mi...

Page 103: ...rd one hour at the start of spring and then adjusted backward in autumn Command Attributes General Configuration Summer Time in Effect Shows if the system time has been adjusted Status Shows if summer time is set to take effect during the specified period Name Name of the time zone while summer time is in effect usually an acronym Range 1 30 characters Mode Selects one of the following configurati...

Page 104: ...ime zone in minutes Range 0 99 minutes From Start time for summer time offset To End time for summer time offset Recurring Mode Sets the start end and offset times of summer time for the switch on a recurring basis This mode sets the summer time zone relative to the currently configured time zone To specify a time corresponding to your local time when summer time is in effect you must indicate the...

Page 105: ...NMP includes switches routers and host computers SNMP is typically used to configure these devices for proper operation in a network environment as well as to monitor them to evaluate performance or detect potential problems Managed devices supporting SNMP contain software which runs locally on the device and is referred to as an agent A defined set of variables known as managed objects is maintai...

Page 106: ...ding and writing which are known as views The switch has a default view all MIB objects and default groups defined for security models v1 and v2c The following table shows the security models and levels available and the system default settings Note The predefined default groups and view can be deleted from the system You can then define customized groups and views for the SNMP clients that requir...

Page 107: ...isted in this table For security reasons you should consider removing the default strings Command Attributes SNMP Community Capability The switch supports up to five community strings Current Displays a list of the community strings currently configured Community String A community string that acts like a password and permits access to the SNMP protocol Default strings public read only private rea...

Page 108: ...ryption options authNoPriv or authPriv the user name must first be defined in the SNMPv3 Users page page 3 57 Otherwise the authentication password and or privacy password will not exist and the switch will not authorize SNMP access for the host However if you specify a V3 host with the no authentication noAuth option an SNMP user account will be automatically generated and the switch will authori...

Page 109: ...nagers table we recommend that you define this string in the SNMP Community section at the top of the SNMP Configuration page for Version 1 or 2c clients or define a corresponding User Name in the SNMPv3 Users page for Version 3 clients Range 1 32 characters case sensitive Trap UDP Port Specifies the UDP port number used by the trap manager Default 162 Trap Version Specifies whether to send notifi...

Page 110: ...sages specify the UDP port trap version trap security level for v3 clients trap inform settings for v2c v3 clients and then click Add Select the trap types required using the check boxes for Authentication and Link up down traps and then click Apply Figure 3 31 Configuring IP Trap Managers CLI This example adds a trap manager and enables both authentication and link up link down traps 3 These are ...

Page 111: ...ds to generate the security keys for authenticating and encrypting SNMPv3 packets A local engine ID is automatically generated that is unique to the switch This is referred to as the default engine ID If the local engine ID is deleted or changed all SNMP users will be cleared You will need to reconfigure all existing users A new engine ID can be specified by entering 9 to 64 hexadecimal characters...

Page 112: ...ap Managers and Trap Types on page 3 52 and Configuring Remote SNMPv3 Users on page 3 59 The engine ID can be specified by entering 9 to 64 hexadecimal characters 5 to 32 octets in hexadecimal format If an odd number of characters are specified a trailing zero is added to the value to fill in the last octet For example the value 123456789 is equivalent to 1234567890 Web Click SNMP SNMPv3 Remote En...

Page 113: ...ser noAuthNoPriv There is no authentication or encryption used in SNMP communications This is the default for SNMPv3 AuthNoPriv SNMP communications use authentication but the data is not encrypted only available for the SNMPv3 security model AuthPriv SNMP communications use both authentication and encryption only available for the SNMPv3 security model Authentication Protocol The method used for u...

Page 114: ...up of a user click Change Group in the Actions column of the users table and select the new group Figure 3 34 Configuring SNMPv3 Users CLI Use the snmp server user command to configure a new user name and assign it to a group Console config snmp server user chris group r d v3 auth md5 greenpeace priv des56 einstien 4 101 Console config exit Console show snmp user 4 102 EngineId 80000034030001f488f...

Page 115: ...fier for the SNMP agent on the remote device where the remote user resides Note that the remote engine identifier must be specified before you configure a remote user See Specifying a Remote Engine ID on page 44 Remote IP The Internet address of the remote device where the user resides Security Model The user security model SNMP v1 v2c or v3 Default v3 Security Level The security level used for th...

Page 116: ...lick Delete Figure 3 35 Configuring Remote SNMPv3 Users CLI Use the snmp server user command to configure a new user name and assign it to a group Console config snmp server user mark group r d remote 192 168 1 19 v3 auth md5 greenpeace priv des56 einstien 4 101 Console config exit Console show snmp user 4 102 No user exist SNMP remote user EngineId 80000000030004e2b316c54321 User Name mark Authen...

Page 117: ...view for write access Range 1 64 characters Notify View The configured view for notifications Range 1 64 characters Table 3 4 Supported Notification Messages Object Label Object ID Description RFC 1493 Traps newRoot 1 3 6 1 2 1 17 0 1 The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree the trap is sent by a bridge soon after its election as the new root e...

Page 118: ...otocol message that is not properly authenticated While all implementations of the SNMPv2 must be capable of generating this trap the snmpEnableAuthenTraps object indicates whether this trap will be generated RMON Events V2 risingAlarm 1 3 6 1 2 1 16 0 1 The SNMP trap that is generated when an alarm entry crosses its rising threshold and generates an event that is configured for sending SNMP traps...

Page 119: ...click Delete Figure 3 36 Configuring SNMPv3 Groups CLI Use the snmp server group command to configure a new group specifying the security model and level and restricting MIB access to defined read write and notify views Console config snmp server group secure users v3 priv read defaultview write defaultview notify defaultview 4 99 Console config exit Console show snmp group 4 100 Group Name secure...

Page 120: ... MIB tree Wild cards can be used to mask a specific portion of the OID string Type Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view Web Click SNMP SNMPv3 Views Click New to configure a new view In the New View page define a name and specify OID subtrees in the switch MIB to be included or excluded in the view Click Back to save the new v...

Page 121: ...oes not take place The wire speed transmission characteristic of the switch is thus preserved even at high traffic levels As the Collector receives streams from the various sFlow agents other switches or routers throughout the network a timely network wide picture of utilization and traffic flows is created Analysis of the sFlow stream s can reveal trends and information that can be leveraged in t...

Page 122: ...X ports are organized into groups of 8 based on a restriction in the switch ASIC and the 4 Gigabit ports each in it s own separate group Status Enables sFlow on the ports in the indicated group Rate Configures the packet sampling rate Setting the rate to 0 disables sampling Setting the rate to 100 configures sampling to 1 packet out of every 100 received Range 0 10000000 Default 0 Table 3 5 sFlow ...

Page 123: ...es the same sFlow settings for all port members in Group 1 Console config sflow 4 104 Console config interface ethernet 1 1 4 221 Console config if sflow source 4 104 Console config if sflow sample 10 4 105 Console config if end Console show sflow 4 108 sFlow global status Enabled Console show sflow interface ethernet 1 1 4 108 Interface of Ethernet 1 1 Interface status Enabled Owner name None Own...

Page 124: ...port parameters receiver owner time out max header size max datagram size and flow interval A time out value of 0 seconds indicates no time out Range 0 10000000 seconds Default 0 seconds The check box is cleared by the system if flow sampling is currently under way To change the timeout mark the check box enter a timeout value and click Apply Max Header Size Maximum size of the sFlow datagram head...

Page 125: ...et 1 1 4 221 Console config if sflow owner Bobby 4 106 Console config if sflow destination ipv4 192 168 0 4 4 107 Console config if sflow timeout 1000 4 106 Console config if sflow max header size 128 4 107 Console config if sflow max datagram size 1400 4 108 Console config if sflow polling interval 10 4 105 Console config if end Console show flow 4 108 Console show sflow interface ethernet 1 1 In...

Page 126: ...figuration parameters However the administrator has write access for all parameters governing the onboard agent You should therefore assign a new administrator password as soon as possible and store it in a safe place The default guest name is guest with the password guest The default administrator name is admin with the password admin Command Attributes Account List Displays the current list of u...

Page 127: ...t Click Add to save the new user account and add it to the Account List To change the password for a specific user enter the user name and new password confirm the password by entering it again then click Apply Figure 3 40 Access Levels CLI Assign a user name to access level 15 i e administrator then specify the password Console config username bob access level 15 4 110 Console config username bob...

Page 128: ...ed you must specify the authentication sequence and the corresponding parameters for the remote authentication protocol Local and remote logon authentication control management access via the console port web browser or Telnet RADIUS and TACACS logon authentication assign a specific privilege level for each user name password pair The user name password and privilege level must be configured on th...

Page 129: ...g messages Range 1 65535 Default 1813 Number of Server Transmits Number of times the switch tries to authenticate logon access via the authentication server Range 1 30 Default 2 Timeout for a Reply The number of seconds the switch waits for a reply from the RADIUS server before it resends the request Range 1 65535 Default 5 TACACS Settings Global Provides globally applicable TACACS settings Server...

Page 130: ...uthentication login radius 4 114 Console config radius server auth port 181 4 117 Console config radius server key green 4 118 Console config radius server retransmit 5 4 118 Console config radius server timeout 10 4 119 Console config radius server 1 host 192 168 1 25 4 116 Console config end Console show radius server 4 120 Global Settings Authentication Port 181 Accounting Port 1813 Retransmit ...

Page 131: ...tings Global Provides globally applicable TACACS encryption key settings ServerIndex Specifies the index number of the TACACS server for which an encryption key may be configured The switch currently supports only one TACACS server Secret Text String Encryption key used to authenticate logon access for client Do not use blank spaces in the string Maximum length 48 characters Console configure Cons...

Page 132: ...as follows Authentication Identifies users that request access to the network Authorization Determines if users can access specific services Accounting Provides reports auditing and billing for services that users have accessed on the network The AAA functions require the use of configured RADIUS or TACACS servers in the network The security servers can be defined as sequential groups that are the...

Page 133: ...he method names to port or line interfaces Note This guide assumes that RADIUS and TACACS servers have already been configured to support AAA The configuration of RADIUS and TACACS server software is beyond the scope of this guide refer to the documentation provided with the RADIUS or TACACS server software Configuring AAA RADIUS Group Settings The AAA RADIUS Group Settings screen defines the conf...

Page 134: ...nter the TACACS group name followed by the number of the server then click Add Figure 3 44 AAA TACACS Group Settings CLI Specify the group name for a list of TACACS servers and then specify the index number of a TACACS server to add it to the group Configuring AAA Accounting AAA accounting is a feature that enables the accounting of requested services for billing or security purposes Command Attri...

Page 135: ...tions Accounting Notice Records user activity from log in to log off point Group Name Specifies the accounting server group Range 1 255 characters The group names radius and tacacs specifies all configured RADIUS and TACACS hosts see Configuring Local Remote Logon Authentication on page 3 72 Any other group name refers to a server group configured on the RADIUS or TACACS Group Settings pages Web C...

Page 136: ...h the local accounting service updates information to the accounting server Range 1 2147483647 minutes Default Disabled Web Click Security AAA Accounting Periodic Update Enter the required update interval and click Apply Figure 3 46 AAA Accounting Update CLI This example sets the periodic accounting update interval at 10 minutes Console config aaa accounting dot1x tps start stop group radius 4 126...

Page 137: ...ply to the interface This method must be defined in the AAA Accounting Settings menu page 3 77 Range 1 255 characters Web Click Security AAA Accounting 802 1X Port Settings Enter the required accounting method and click Apply Figure 3 47 AAA Accounting 802 1X Port Settings CLI Specify the accounting method to apply to the selected interface Console config interface ethernet 1 2 Console config if a...

Page 138: ...red at the specified CLI privilege level Web Click Security AAA Accounting Command Privileges Enter a defined method name for console and Telnet privilege levels Click Apply Figure 3 48 AAA Accounting Exec Command Privileges CLI Specify the accounting method to use for Console and Telnet privilege levels Console config line console 4 45 Console config line accounting commands 15 tps method 4 130 C...

Page 139: ...ser sessions Command Attributes AAA Accounting Summary Accounting Type Displays the accounting service Method List Displays the user defined or default accounting method Group List Displays the accounting server group Interface Displays the port or trunk to which these rules apply This field is null if the accounting method and associated server group has not been assigned to an interface AAA Acco...

Page 140: ...ng the Switch 3 84 3 Web Click Security AAA Summary Figure 3 50 AAA Accounting Summary Management Guide SMC6128PL2 SMC6152PL2 TigerSwitchTM 10 100 24 Port 10 100 Switch with PoE IP Clustering and 4 Gigabit Ports ...

Page 141: ...ers The group name tacacs specifies all configured TACACS hosts see Configuring Local Remote Logon Authentication on page 3 72 Any other group name refers to a server group configured on the TACACS Group Settings page Authorization is only supported for TACACS servers Console show accounting 4 132 Accounting Type dot1x Method List default Group List radius Interface Method List tps method Group Li...

Page 142: ...roup Authorization EXEC Settings This feature specifies an authorization method name to apply to console and Telnet connections Command Attributes Method Name Specifies a user defined method name to apply to console and Telnet connections Web Click Security AAA Authorization Exec Settings Enter a defined method name for console and Telnet connections and click Apply Figure 3 52 AAA Authorization E...

Page 143: ...ies This field is null if the authorization method and associated server group has not been assigned Web Click Security AAA Authorization Summary Figure 3 53 AAA Authorization Summary CLI This example displays the configured authorization methods and the interfaces to which they are applied Console config line console 4 45 Console config line authorization exec tps auth 4 132 Console config line e...

Page 144: ... and decrypting data The client and server establish a secure encrypted connection A padlock icon should appear in the status bar for Internet Explorer 5 x or above Netscape 6 2 or above and Mozilla Firefox 2 0 0 0 or above The following web browsers and operating systems currently support HTTPS To specify a secure site certificate see Replacing the Default Secure site Certificate on page 3 89 Com...

Page 145: ... that the connection to the switch is secure you must obtain a unique certificate and a private key and password from a recognized certification authority Caution For maximum security we recommend you obtain a unique Secure Sockets Layer certificate at the earliest opportunity This is because the default certificate for the switch is not unique to the hardware you have purchased When you have obta...

Page 146: ...Windows and other environments These tools including commands such as rlogin remote login rsh remote shell and rcp remote copy are not secure from hostile attacks The Secure Shell SSH includes server client applications intended as a secure replacement for the older Berkeley remote access tools SSH can also provide remote management access to this switch as a secure replacement for Telnet When the...

Page 147: ...ublic key in it An entry for a public key in the known hosts file would appear similar to the following example 10 1 0 54 1024 35 15684995401867669259333946775054617325313674890836547254 15020245593199868544358361651999923329781766065830956 10825913212890233 76546801726272571413428762941301196195566782 59566410486957427888146206 519417467729848654686157177393901647793559423035774130980227370877945...

Page 148: ... c If a match is found the switch uses its secret key to generate a random 256 bit string as a challenge encrypts this string with the user s public key and sends it to the client d The client uses its private key to decrypt the challenge string computes the MD5 checksum and sends the checksum back to the switch e The switch compares the checksum sent from the client against that computed for the ...

Page 149: ...d modulus Host Key Type The key type used to generate the host key pair i e public and private keys Range RSA Version 1 DSA Version 2 Both Default Both The SSH server uses RSA or DSA for key exchange when the client first establishes a connection with the switch and then negotiates with the client to select either DES 56 bit or 3DES 168 bit for data encryption Note The switch uses only RSA Version...

Page 150: ...448320102524878965977592168322225584652387791546479807396314033 86925793105105765212243052807865885485789272602937866089236841423275912127 60325919683697053439336438445223335188287173896894511729290510813919642025 190932104328579045764891 DSA ssh dss AAAAB3NzaC1kc3MAAACBAN6zwIqCqDb3869jYVXlME1sHL0EcE Re6hlasfEthIwmj hLY4O0jqJZpcEQUgCfYlum0Y2uoLka Py9ieGWQ8f2gobUZKIICuKg6vjO9XTs7XKc05xfzkBi KviDa 2...

Page 151: ...you wish to manage Note that you must first create users on the User Accounts page See paratext on page 3 70 Public Key Type The type of public key to upload RSA The switch accepts a RSA version 1 encrypted public key DSA The switch accepts a DSA version 2 encrypted public key The SSH server uses RSA or DSA for key exchange when the client first establishes a connection with the switch and then ne...

Page 152: ...H SSH User Public Key Settings Select the user name and the public key type from the respective drop down boxes input the TFTP server IP address and the public key source file name and then click Copy Public Key Figure 3 57 SSH User Public Key Settings ...

Page 153: ...h2 dsa pub key Username admin TFTP Download Success Write to FLASH Programming Success Console show public key user admin 4 145 admin RSA 1024 37 154886675541099600242673908076171863880953984597454546825066951007 29617437427136900505591624068119579408716226078634780682201498685790475062 34519480679939485042653504179153032795337422103356695026441903823445835730 8882347288969084282166542903131593765...

Page 154: ...host key pair on the SSH Host Key Settings page before you can enable the SSH server Figure 3 58 SSH Server Settings CLI This example enables SSH sets the authentication parameters and displays the current configuration It shows that the administrator has made a connection via SHH and then disables this connection Console config ip ssh server 4 139 Console config ip ssh timeout 100 4 140 Console c...

Page 155: ...t can reject the authentication method and request another depending on the configuration of the client software and the RADIUS server The encryption method used to pass authentication messages can be MD5 Message Digest 5 TLS Transport Layer Security PEAP Protected Extensible Authentication Protocol or TTLS Tunneled Transport Layer Security The client responds to the appropriate method with its cr...

Page 156: ... To support these encryption methods in Windows 95 and 98 you can use the AEGIS dot1x client or other comparable client software Displaying 802 1X Global Settings The 802 1X protocol provides client authentication Command Attributes 802 1X System Authentication Control The global setting for 802 1X Web Click Security 802 1X Information Figure 3 59 802 1X Global Information CLI This example shows t...

Page 157: ... switch and authentication server These parameters are described in this section Command Attributes Port Port number Status Indicates if authentication is enabled or disabled on the port Default Disabled Operation Mode Allows single or multiple hosts clients to connect to an 802 1X authorized port Options Single Host Multi Host Default Single Host Max Count The maximum number of hosts that can con...

Page 158: ...0 seconds Tx Period Sets the time period during an authentication session that the switch waits before re transmitting an EAP packet Range 1 65535 Default 30 seconds Intrusion Action Sets the port s response to a failed authentication Block Traffic Blocks all non EAP traffic on the port This is the default setting Guest VLAN All traffic for the port is assigned to a guest VLAN The guest VLAN must ...

Page 159: ...t1x 4 153 Global 802 1X Parameters system auth control enable 802 1X Port Summary Port Name Status Operation Mode Mode Authorized 1 1 disabled Single Host ForceAuthorized n a 1 2 enabled Single Host auto yes 1 28 disabled Single Host ForceAuthorized n a 802 1X Port Details 802 1X is disabled on port 1 1 802 1X is enabled on port 1 2 reauth enabled Enable reauth period 1800 quiet period 30 tx perio...

Page 160: ...er of EAP Resp Id frames that have been received by this Authenticator Rx EAP Resp Oth The number of valid EAP Response frames other than Resp Id frames that have been received by this Authenticator Rx EAP LenError The number of EAPOL frames that have been received by this Authenticator in which the Packet Body Length field is invalid Rx Last EAPOLVer The protocol version number carried in the mos...

Page 161: ...ying 802 1X Port Statistics CLI This example displays the 802 1X statistics for port 4 Console show dot1x statistics interface ethernet 1 4 4 153 Eth 1 4 Rx EAPOL EAPOL EAPOL EAPOL EAP EAP EAP Start Logoff Invalid Total Resp Id Resp Oth LenError 2 0 0 1007 672 0 0 Last Last EAPOLVer EAPOLSrc 1 00 12 CF 94 34 DE Tx EAPOL EAP EAP Total Req Id Req Oth 2017 1005 0 Console ...

Page 162: ...ses either individual addresses or address ranges When entering addresses for the same group i e SNMP web or Telnet the switch will not accept overlapping address ranges When entering addresses for different groups the switch will accept overlapping address ranges You cannot delete an individual address from a specified range You must delete the entire range and reenter the addresses You can delet...

Page 163: ...the filter list Figure 3 63 Creating an IP Filter List CLI This example allows SNMP access for a specific client Console config management snmp client 10 1 2 3 4 156 Console config end Console show management all client Management IP Filter HTTP Client Start IP address End IP address SNMP Client Start IP address End IP address 1 10 1 2 3 10 1 2 3 TELNET Client Start IP address End IP address Conso...

Page 164: ...2 1X Port Authentication on page 3 99 Web Authentication Allows stations to authenticate and access the network in situations where 802 1X or Network Access authentication methods are infeasible or impractical Network Access Configures MAC authentication and dynamic VLAN assignment ACL Access Control Lists provide packet filtering for IPv4 frames based on address protocol Layer 4 protocol port num...

Page 165: ...C addresses the selected port will stop learning The MAC addresses already in the address table will be retained and will not age out Any other device that attempts to use the port will be prevented from accessing the switch Command Usage A secure port has the following restrictions It cannot be used as a member of a static or dynamic trunk It should not be connected to a network interconnection d...

Page 166: ...nauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries All other traffic except for HTTP protocol traffic is blocked The switch intercepts HTTP protocol traffic and redirects it to a switch generated web page that facilitates username and password authentication via RADIUS Once authentication is successful the web browser is forwarded on to the originally re...

Page 167: ...ow long a host must wait to attempt authentication again after it has exceeded the maximum allowable failed login attempts Range 1 180 seconds Default 60 seconds Login Attempts Configures the amount of times a supplicant may attempt and fail authentication before it must wait the configured quiet period Range 1 3 attempts Default 3 attempts Web Click Security Web Authentication Configuration Figur...

Page 168: ...us for the port Authenticated Host Counts Indicates how many authenticated hosts are connected to the port Web Click Security Web Authentication Port Configuration Set the status box to enabled for any port that requires web authentication and click Apply Figure 3 66 Web Authentication Port Configuration CLI This example enables web authentication for ethernet port 1 5 and displays a summary of we...

Page 169: ...host expires Web Click Security Web Authentication Port Information Figure 3 67 Web Authentication Port Information CLI This example displays web authentication parameters for port 1 5 The switch allows an administrator to manually force re authentication of any web authenticated host connected to any port Command Attributes Interface Indicates the Ethernet port to query Host IP Indicates the IP a...

Page 170: ...t on page 4 116 2 MAC authentication cannot be configured on trunk ports Command Usage Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server Whi...

Page 171: ...port for an authenticated user The Filter ID attribute attribute 11 can be configured on the RADIUS server to pass the following QoS information Multiple profiles can be specified in the Filter ID attribute by using a semicolon to separate each profile For example the attribute service policy in pp1 rate limit input 100 specifies that the diffserv profile name is pp1 the ingress rate limit profile...

Page 172: ...r dynamic QoS are not saved to the switch configuration file MAC address authentication is configured on a per port basis however there are two configurable parameters that apply globally to all ports on the switch Command Attributes Authenticated Age The secure MAC address table aging time This parameter setting is the same as switch MAC address table aging time and is only configurable from the ...

Page 173: ...secure MAC addresses supported for the switch system is 1024 When the limit is reached all new MAC addresses are treated as authentication failed Default 2048 Range 1 to 2048 MAC Filter ID Allows a MAC Filter to be assigned to the port MAC addresses or MAC address ranges present in a selected MAC Filter are exempt from authentication on the specified port as described under MAC Filter Configuratio...

Page 174: ...ication failures If dynamic VLAN assignment is enabled on a port and the RADIUS server returns no VLAN configuration the authentication is still treated as a success and the host is assigned to the default untagged VLAN When the dynamic VLAN assignment status is changed on a port all authenticated addresses are cleared from the secure MAC address table Dynamic QoS Enables dynamic QoS assignment fo...

Page 175: ...or a port Condition The link event type which will trigger the port action Link Up Only link up events will trigger the port action Link Down Only link down events will trigger the port action Link Up and Down All link up and link down events will trigger the port action Action The switch can respond in three ways to a link up or down trigger event Trap An SNMP trap is sent Trap and Shutdown An SN...

Page 176: ... table Command Attributes Network Access MAC Address Count The number of MAC addresses currently in the secure MAC address table Query By Specifies parameters to use in the MAC address query Port Specifies a port interface MAC Address Specifies a single MAC address information Attribute Displays static or dynamic addresses Address Table Sort Key Sorts the information displayed based on MAC address...

Page 177: ... Query Figure 3 72 Network Access MAC Address Information CLI This example displays all entries currently in the secure MAC address table MAC Filter Configuration The MAC Filter allows you to designate specific MAC addresses or MAC address ranges as exempt from authentication MAC addresses present in MAC Filter tables activated on a port are treated as pre authenticated on that port Command Usage ...

Page 178: ... the mask the system will assign the default mask of an exact match Range 000000000000 FFFFFFFFFFFF Default FFFFFFFFFFFF Add Adds a filter rule There is no limitation on the number of entries that can be used in a filter table Remove Removes the filter rule selected in the filter display Multiple rules can be selected and removed simultaneously Web Click Security Network Access MAC Filter Configur...

Page 179: ...e maximum number of ACLs is 64 The maximum number of rules per system is 1024 rules for mixed mode or 500 rules for extended mode Each ACL can have up to 32 rules However due to resource restrictions the average number of rules bound to the ports should not exceed 20 The order in which active ACLs are checked is as follows 1 User defined rules in IP and MAC ACLs for ingress ports are checked in pa...

Page 180: ... IPv6 address IPv6 Extended IPv6 ACL mode filters packets based on the source or destination IP address as well as the type of the next header and the flow label i e a request for special handling by IPv6 routers MAC MAC ACL mode filters packets based on the source or destination MAC address and the Ethernet frame type RFC 1060 ARP ARP ACL specifies static IP to MAC address bindings used for ARP i...

Page 181: ...s for each IP packet entering the port s to which this ACL has been assigned Web Specify the action i e Permit or Deny Select the address type Any Host or IP If you select Host enter a specific address If you select IP enter a subnet address and the mask for an address range Then click Add Figure 3 75 ACL Configuration Standard IPv4 CLI This example configures one permit rule for the specific addr...

Page 182: ...for the specified protocol type Range 0 65535 Source Destination Port Bitmask Decimal number representing the port bits to match Range 0 65535 Control Code Decimal number representing a bit string that specifies flag bits in byte 14 of the TCP header Range 0 63 Control Code Bit Mask Decimal number representing the code bits to match The control bitmask is a decimal number for an equivalent binary ...

Page 183: ...example adds two rules 1 Accept any incoming packets if the source address is in subnet 10 7 1 x For example if the rule is matched i e the rule 10 7 1 0 255 255 255 0 equals the masked address 10 7 1 2 255 255 255 0 the packet passes through 2 Allow TCP packets from class C addresses 192 168 1 0 to any destination address when set for destination TCP port 80 i e HTTP 3 Permit all TCP packets from...

Page 184: ...ecimal values One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields Source Prefix Length A decimal value indicating how many contiguous bits from the left of the address comprise the prefix i e the network portion of the address Web Specify the action i e Permit or Deny Select the address type Any Host or IPv6 prefix If you se...

Page 185: ...defined fields Source Prefix Length A decimal value indicating how many contiguous bits from the left of the address comprise the prefix Range 0 128 Destination Address Type Specifies the destination IP address Use Any to include all possible addresses or IPv6 prefix to specify a range of addresses Options Any IPv6 prefix Default Any Destination IPv6 Address The address must be formatted according...

Page 186: ...eria such as next header DSCP or flow label Then click Add Figure 3 78 ACL Configuration Extended IPv6 CLI This example adds three rules 1 Accepts any incoming packets for the destination 2009 DB9 2229 79 48 2 Allows packets to any destination address when the DSCP value is 5 Console config ext ipv6 acl permit 2009 DB9 2229 79 48 4 209 Console config ext ipv6 acl permit any dscp 5 Console config e...

Page 187: ...ation Bitmask Hexadecimal mask for source or destination MAC address CoS Class of Service value Range 0 7 CoS Bitmask Class of Service bitmask Range 0 7 VID VLAN ID Range 1 4094 VID Mask VLAN bitmask Range 0 4095 Ethernet Type This option can only be used to filter Ethernet II formatted packets Range 0 ffff hex A detailed listing of Ethernet protocol types can be found in RFC 1060 A few of the mor...

Page 188: ...imal bitmask for an address range Set any other required criteria such as VID Ethernet type or packet format Then click Add Figure 3 79 ACL Configuration MAC CLI This example configures one permit rule for all source mac addresses to communicate with all destination mac addresses on VLAN 12 and another permit rule for source mac address to communicate with all destination mac addresses Console con...

Page 189: ... field or IP to specify a range of addresses with the Address and Mask fields Options Any Host IP Default Any Sender Target IP Address Source or destination IP address Sender Target IP Address Mask Subnet mask for source or destination address See the description for Subnet Mask on page 3 125 Sender Target MAC Address Type Use Any to include all possible addresses Host to indicate a specific MAC a...

Page 190: ...ific address If you select IP or MAC enter a base address and a hexadecimal bitmask for an address range Enable logging if required Then click Add Figure 3 80 ACL Configuration ARP CLI This rule permits packets from any source IP and MAC address to the destination subnet address 192 168 0 0 Console config arp acl permit response ip any 192 168 0 0 255 255 0 0 mac any any 4 213 Console config arp a...

Page 191: ...tributes Port Fixed port or SFP module Range 1 28 52 IP Specifies the IP ACL to bind to a port MAC Specifies the MAC ACL to bind to a port IPv6 Specifies the IPv6 ACL to bind to a port IN ACL for ingress packets Trunk Indicates if a port is a member of a trunk To create trunks and select port members see Creating Trunk Groups on page 3 160 Web Click Security ACL Port Binding Mark the Enabled check...

Page 192: ...igured addresses see Configuring an ARP ACL on page 3 133 ARP Inspection must be activated both globally for the switch and per VLAN and inspection parameters set for each VLAN These functions as well as logging and configuration of trusted ports are provided on the ARP Inspection Configuration page ARP Inspection ACLs must be configured on the ARP ACL page before they can be activated here see pa...

Page 193: ...ed against the selected ACL packets are filtered according to any matching rules packets not matching any rules are dropped and the DHCP snooping bindings database check is bypassed If static is not specified ARP packets are first validated against the selected ACL if no ACL rules match the packets then the DHCP snooping bindings database determines their validity ARP Inspection Validation By defa...

Page 194: ...g on untrusted interfaces are subject to all configured ARP inspection tests ARP Packet Rate Limiting By default all untrusted ports are subject to ARP packet rate limiting By default all trusted ports are exempt from ARP packet rate limiting The switch will drop all ARP packets received on a port which exceeds the configured ARP packets per second rate limit Unless the default ARP rate limit has ...

Page 195: ...ses Src MAC Validates the source MAC address in the Ethernet header against the sender MAC address in the ARP body This check is performed on both ARP requests and responses ARP Inspection Log Configures ARP Inspection logging parameters Message Number The maximum number of entries saved in a log message Range 0 256 Default 5 Interval The interval at which log messages are sent Range 0 86400 secon...

Page 196: ...inspection vlan 1 2 4 192 Console config ip arp inspection filter sales vlan 1 static 4 193 Console config ip arp inspection validate dst mac 4 194 Console config ip arp inspection log buffer logs 10 interval 100 4 195 Console config interface ethernet 1 1 4 221 Console config if no ip arp inspection trust 4 196 Console config if ip arp inspection limit 50 4 196 Console config if exit Console show...

Page 197: ... and dropped by ARP rate limiting Total ARP packets processed by ARP inspection Count of all ARP packets processed by the ARP Inspection engine ARP packets dropped by additional validation Src MAC Count of packets that failed the source MAC address test ARP packets dropped by additional validation Dst MAC Count of packets that failed the destination MAC address test ARP packets dropped by addition...

Page 198: ...Address Src MAC Address Dst MAC Address Console show ip arp inspection statistics ARP packets received before rate limit 150 ARP packets dropped due to rate limt 5 Total ARP packets processed by ARP Inspection 150 ARP packets dropped by additional validation source MAC address 0 ARP packets dropped by additional validation destination MAC address 0 ARP packets dropped by additional validation IP a...

Page 199: ...00 packets per second Any DHCP packets in excess of this limit are dropped When DHCP snooping is enabled DHCP messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCP snooping Filtering rules are implemented as follows If the global DHCP snooping is disabled all DHCP packets are forwarded If DHCP snooping is enabled globally and also enabled on the VLAN whe...

Page 200: ...packets for itself no filtering takes place However when the switch receives any messages from a DHCP server any packets received from untrusted ports are dropped Use the DHCP Snooping Configuration page to enable DHCP Snooping globally on the switch or to configure MAC Address Verification Command Attributes DHCP Snooping Status Enables DHCP snooping globally Default Disabled DHCP Snooping MAC Ad...

Page 201: ... re enabled When DHCP snooping is globally enabled and DHCP snooping is then disabled on a VLAN all dynamic bindings learned for this VLAN are removed from the binding table Command Attributes VLAN ID ID of a configured VLAN Range 1 4094 DHCP Snooping Status Enables or disables DHCP snooping for the selected VLAN When DHCP snooping is enabled globally on the switch and enabled on the specified VLA...

Page 202: ...P client server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN If Option 82 is enabled on the switch information about the switch itself may be included in any relayed request packet In some cases the switch may receive DHCP packets from a client that already includes DHCP Option 82 information The switch can be configure...

Page 203: ...VLAN DHCP packet filtering will be performed on any untrusted ports within the VLAN When an untrusted port is changed to a trusted port all the dynamic DHCP snooping bindings associated with this port are removed Set all ports connected to DHCP servers within the local network or fire wall to trusted state Set all other ports outside the local network or fire wall to untrusted state Console config...

Page 204: ...shows how to enable the DHCP Snooping Trust Status for ports Console config interface ethernet 1 5 Console config if ip dhcp snooping trust 4 182 Console config if end Console show ip dhcp snooping 4 186 Global DHCP Snooping status disable DHCP Snooping Information Option Status disable DHCP Snooping Information Policy replace DHCP Snooping is configured on the following VLANs Verify Source Mac Ad...

Page 205: ...nding entries from flash Removes all dynamically learned snooping entries from flash memory No Entry number for DHCP snooping binding information Unit Stack unit Port Port number VLAN ID VLAN for which DHCP snooping has been enabled MAC Address Physical address associated with the entry IP Address IP address corresponding to the client IP Address Type Indicates an IPv4 or IPv6 address type Lease T...

Page 206: ...y is found the packet is dropped When enabled traffic is filtered based upon dynamic entries learned via DHCP snooping see DHCP Snooping Configuration on page 3 144 or static addresses configured in the source guard binding table If IP source guard is enabled an inbound packet s IP address SIP option or both its IP address and corresponding MAC address SIP MAC option will be checked against the bi...

Page 207: ...ponding MAC addresses stored in the binding table Web Click IP Source Guard Port Configuration Set the required filtering type for each port and click Apply Figure 3 89 IP Source Guard Port Configuration CLI This example shows how to enable IP source guard on port 5 to check the source IP address for ingress packets against the binding table Console config interface ethernet 1 5 Console config if ...

Page 208: ... new entry is added to the binding table using the type static IP source guard binding If there is an entry with the same VLAN ID and MAC address and the type of entry is static IP source guard binding then the new entry will replace the old one If there is an entry with the same VLAN ID and MAC address and the type of the entry is dynamic DHCP snooping binding then the new entry will replace the ...

Page 209: ... be bound enter the MAC address and associated IP address then click Add Figure 3 90 Static IP Source Guard Binding Configuration CLI This example shows how to configure a static source guard binding on port 5 Console config ip source guard binding 11 22 33 44 55 66 vlan 1 192 168 0 99 interface ethernet 1 5 4 189 Console config ...

Page 210: ...splays the number of IP addresses in the source guard binding table Current Dynamic Binding Table Displays the IP addresses in the source guard binding table Web Click IP Source Guard Dynamic Information Figure 3 91 Dynamic IP Source Guard Binding Information CLI This example shows how to configure a static source guard binding on port 5 Console show ip source guard binding 4 190 MacAddress IpAddr...

Page 211: ...n Speed Duplex Status Shows the current speed and duplex mode Auto or fixed choice Flow Control Status Indicates the type of flow control currently in use IEEE 802 3x Back Pressure or None Autonegotiation Shows if auto negotiation is enabled or disabled Media Type7 Media type used for the combo ports Options Copper Forced SFP Forced or SFP Preferred Auto Default SFP Preferred Auto Trunk Member8 Sh...

Page 212: ...st Storm Shows if broadcast storm control is enabled or disabled Broadcast Storm Limit Shows the broadcast storm threshold 240 1488100 packets per second Multicast Storm Shows if multicast storm control is enabled or disabled Multicast Storm Limit Shows the multicast storm threshold 64 1 000 000 kilobits per second Unknown Unicast Storm Shows if unknown unicast storm control is enabled or disabled...

Page 213: ...settings will be negotiated between the link partners based on their advertised capabilities To set the speed duplex mode or flow control under auto negotiation the required operation modes must be specified in the capabilities list for an interface The 1000BASE T standard does not support forced mode Auto negotiation should always be used to establish a connection over any 1000BASE T port or Cons...

Page 214: ...1000full operation requires the ports at both ends of a link to establish their role in the connection process as a master or slave Before using this feature auto negotiation must first be disabled and the Speed Duplex attribute set to 1000full Then select compatible Giga PHY modes at both ends of the link Note that using one of the preferred modes ensures that the ports at both ends of a link wil...

Page 215: ...port if both combination types are functioning and the SFP port has a valid link This is the default Trunk Indicates if a port is a member of a trunk To create trunks and select port members see Creating Trunk Groups on page 3 160 Web Click Port Port Configuration or Trunk Configuration Modify the required interface settings and click Apply Figure 3 93 Port Trunk Configuration CLI Select the inter...

Page 216: ...fail one of the standby ports will automatically be activated to replace it Command Usage Besides balancing the load across each port in the trunk the other ports provide redundancy by taking over the load if a port in the trunk fails However before making any physical connections between devices use the web interface or CLI to specify the trunk on the devices at both ends When using a port trunk ...

Page 217: ...nnecting the ports and also disconnect the ports before removing a static trunk via the configuration interface Command Attributes Member List Current Shows configured trunks Trunk ID Unit Port New Includes entry fields for creating new trunks Trunk Trunk identifier Range 1 8 Port Port identifier Range 1 28 52 Web Click Port Trunk Membership Enter a trunk ID of 1 8 in the Trunk field select any of...

Page 218: ...rts on both ends of an LACP trunk must be configured for full duplex and auto negotiation Console config interface port channel 2 4 221 Console config if exit Console config interface ethernet 1 1 4 221 Console config if channel group 2 4 249 Console config if exit Console config interface ethernet 1 2 Console config if channel group 2 Console config if end Console show interfaces status port chan...

Page 219: ...LACP Configuration Select any of the switch ports from the scroll down port list and click Add After you have completed adding ports to the member list click Apply Figure 3 95 LACP Trunk Configuration CLI The following example enables LACP for ports 1 to 6 Just connect these ports to LACP enabled trunk ports on another switch to form a trunk Console config interface ethernet 1 1 4 221 Console conf...

Page 220: ... is used to determine link aggregation group LAG membership and to identify this device to other switches during LAG negotiations Range 0 65535 Default 32768 Ports must be configured with the same system priority to join the same LAG System priority is combined with the switch s MAC address to form the LAG identifier This identifier is used to indicate a specific LAG during LACP negotiations with ...

Page 221: ...y configure these settings for the Port Partner Be aware that these settings only affect the administrative state of the partner and will not take effect until the next time an aggregate link is formed with this device After you have completed setting the port LACP parameters click Apply Figure 3 96 LACP Port Configuration CLI The following example configures LACP parameters for ports 1 4 Ports 1 ...

Page 222: ...formed that is it has the null value of 0 this key is set to the same value as the port admin key used by the interfaces that joined the group Note that when the LAG is no longer used the port channel admin key is reset to 0 Console show lacp sysid 4 255 Port Channel System Priority System MAC Address 1 3 00 12 CF 31 31 31 2 32768 00 12 CF 31 31 31 3 32768 00 12 CF 31 31 31 4 32768 00 12 CF 31 31 ...

Page 223: ...r of valid LACPDUs transmitted from this channel group LACPDUs Received Number of valid LACPDUs received on this channel group Marker Sent Number of valid Marker PDUs transmitted from this channel group Marker Received Number of valid Marker PDUs received by this channel group Marker Unknown Pkts Number of frames received that either 1 Carry the Slow Protocols Ethernet Type value but contain an un...

Page 224: ...el 1 Eth 1 1 LACPDUs Sent 91 LACPDUs Receive 43 Marker Sent 0 Marker Receive 0 LACPDUs Unknown Pkts 0 LACPDUs Illegal Pkts 0 Table 3 9 LACP Internal Configuration Information Field Description Oper Key Current operational value of the key for the aggregation port Admin Key Current administrative value of the key for the aggregation port LACPDUs Interval Number of seconds before invalidating receiv...

Page 225: ...tocol information Collecting Collection of incoming frames on this link is enabled i e collection is currently enabled and is not expected to be disabled in the absence of administrative changes or changes in received protocol information Synchronization The System considers this link to be IN_SYNC i e it has been allocated to the correct Link Aggregation Group the group has been associated with a...

Page 226: ...ption Partner Admin System ID LAG partner s system ID assigned by the user Partner Oper System ID LAG partner s system ID assigned by the LACP protocol Partner Admin Port Number Current administrative value of the port number for the protocol Partner Partner Oper Port Number Operational port number assigned to this aggregation port by the port s protocol partner Port Admin Priority Current adminis...

Page 227: ...emote side of port channel 1 Console show lacp 1 neighbors 4 255 Port channel 1 neighbors Eth 1 1 Partner Admin System ID 32768 00 00 00 00 00 00 Partner Oper System ID 3 00 12 CF CE 2A 20 Partner Admin Port Number 5 Partner Oper Port Number 3 Port Admin Priority 32768 Port Oper Priority 128 Admin Key 0 Oper Key 120 Admin State defaulted distributing collecting synchronization long timeout Oper St...

Page 228: ...wn unicast storm control is enabled both broadcast and multicast storm control are also enabled using the threshold value set by the unknown unicast storm control command The storm control feature provided on this configuration page is a hardware level control function Traffic storms can also be controlled at the software level using automatic storm control which triggers various control responses...

Page 229: ...ole config if switchport broadcast packet rate 500 4 228 Console config if end Console show interfaces switchport ethernet 1 2 4 232 Information of Eth 1 2 Broadcast Threshold Enabled 500 Kbits second Multicast Threshold Disabled Unknown unicast Threshold Disabled LACP Status Disabled Ingress Rate Limit Disabled 100000 Kbits per second Egress Rate Limit Disabled 100000 Kbits per second VLAN Member...

Page 230: ...d The storm control feature provided on this configuration page is a hardware level control function Traffic storms can also be controlled at the software level using automatic storm control which triggers various control responses This control type is only supported by the Command Line Interface as described under Automatic Traffic Control Commands on page 4 234 However note that only one of thes...

Page 231: ...SIC chip limitation the supported storm control modes include broadcast broadcast multicast broadcast multicast unknown unicast This means that when mulicast storm control is enabled broadcast storm control is also enabled using the threshold value set by the multicast storm control command And when unknown unicast storm control is enabled both broadcast and multicast storm control are also enable...

Page 232: ... unicast storm control Default Disabled Threshold Threshold as percentage of port bandwidth Range 64 100000 kilobits per second for Fast Ethernet ports 64 1000000 kilobits per second for Gigabit ports Default 64 kilobits per second Trunk Shows if port is a trunk member Web Click Configuration Port Port Unknown Unicast Control or Trunk Unknown Unicast Control Check the Enabled box for any interface...

Page 233: ... page 3 192 Command Attributes Mirror Sessions Displays a list of current mirror sessions Source Port The port whose traffic will be monitored Range 1 28 52 Type Allows you to select which traffic to mirror to the target port Rx receive Tx transmit or Both Default Rx Target Port The port that will mirror the traffic on the source port Range 1 28 52 Web Click Port Mirror Port Configuration Specify ...

Page 234: ...traffic the target port must be included in the same VLAN as the source port when using MSTP see Spanning Tree Algorithm Configuration on page 3 192 Command Attributes Mirror Sessions Displays a list of current mirror sessions Source MAC Address MAC address in the form of xx xx xx xx xx xx or xxxxxxxxxxxx Destination Port The port that will mirror the traffic from the source port Range 1 28 52 Web...

Page 235: ...o apply rate limiting Command Usage Input and output rate limits can be enabled or disabled for individual interfaces Command Attributes Port Trunk Displays the port trunk number Rate Limit Status Enables or disables the rate limit Default Disabled Rate Limit Sets the rate limit level Range 64 100000 kilobits per second for Fast Ethernet ports 64 to 1000000 kilobits per second for Gigabit Ethernet...

Page 236: ...ub layer Received Broadcast Packets The number of packets delivered by this sub layer to a higher sub layer which were addressed to a broadcast address at this sub layer Received Discarded Packets The number of inbound packets which were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher layer protocol One possible reason for discarding su...

Page 237: ...ticular interface fails due to an internal MAC sublayer transmit error Multiple Collision Frames A count of successfully transmitted frames for which transmission is inhibited by more than one collision Carrier Sense Errors The number of times that the carrier sense condition was lost or never asserted when attempting to transmit a frame SQE Test Errors A count of times that the SQE TEST ERROR mes...

Page 238: ...mber of frames received that were longer than 1518 octets excluding framing bits but including FCS octets and were otherwise well formed Fragments The total number of frames received that were less than 64 octets in length excluding framing bits but including FCS octets and had either an FCS or alignment error 64 Bytes Frames The total number of frames including bad packets received and transmitte...

Page 239: ...nfiguration 3 183 3 Web Click Port Port Statistics Select the required interface and click Query You can also use the Refresh button at the bottom of the page to update the screen Figure 3 107 Port Statistics ...

Page 240: ...he switch s budget ports set at critical or high priority have power enabled in preference to those ports set at low priority For example when a device is connected to a port set to critical priority the switch supplies the required power if necessary by dropping power to ports set for a lower priority If power is Console show interfaces counters ethernet 1 13 4 231 Ethernet 1 13 Iftable stats Oct...

Page 241: ...onsumption The amount of power being consumed by PoE devices connected to the switch Thermal Temperature 9 The internal temperature of the switch Software Version The version of software running on the PoE controller subsystem in the switch Web Click PoE Power Status Figure 3 108 Displaying the Global PoE Status CLI This example displays the current power status for the switch 9 This parameter is ...

Page 242: ...he supplied power Range 37 180 watts Default 180 Watts Web Click PoE Power Config Specify the desired power budget for the switch Click Apply Figure 3 109 Setting the Switch Power Budget CLI Use the power mainpower maximum allocation command to set the PoE power budget for the switch Displaying Port Power Status Use the Power Port Status page to display the current PoE power status for all ports C...

Page 243: ... device is connected to a low priority port and causes the switch to exceed its budget port power is not turned on If a device is connected to a critical or high priority port and causes the switch to exceed its budget port power is turned on but the switch drops power to one or more lower priority ports Note Power is dropped from low priority ports in sequence starting from port number 1 Console ...

Page 244: ...efault low Power Allocation Sets the power budget for the port Range 3000 15400 milliwatts Default 15400 milliwatts Web Click PoE Power Port Configuration Enable PoE power on selected ports set the priority and the power budget and then click Apply Figure 3 111 Configuring Port PoE Power CLI This example sets the PoE power budget for port 1 to 8 watts the priority to high 2 and then enables the po...

Page 245: ...re bound to the assigned interface and will not be moved When a static address is seen on another interface the address will be ignored and will not be written to the address table Command Attributes Static Address Counts10 The number of manually configured addresses Current Static Address Table Lists all the static addresses Interface Port or trunk associated with the device assigned a static add...

Page 246: ...e Indicates a port or trunk MAC Address Physical address associated with this interface VLAN ID of configured VLAN 1 4094 Address Table Sort Key You can sort the information displayed based on MAC address VLAN or interface port or trunk Dynamic Address Counts The number of addresses dynamically learned Current Dynamic Address Table Lists all the dynamic addresses Web Click Address Table Dynamic Ad...

Page 247: ...learned entry is discarded Range 10 630 seconds Default 300 seconds Web Click Address Table Address Aging Specify the new aging time click Apply Figure 3 114 Setting the Address Aging Time CLI This example sets the aging time to 300 seconds Console show mac address table interface ethernet 1 1 4 271 Interface MAC Address VLAN Type Eth 1 1 00 12 CF 48 82 93 1 Delete on reset Eth 1 1 00 12 CF 94 34 ...

Page 248: ...ng a packet from that LAN to the root device All ports connected to designated bridging devices are assigned as designated ports After determining the lowest cost spanning tree it enables all root ports and designated ports and disables all other ports Network packets are therefore only forwarded between root ports and designated ports eliminating any possible network loops Once a stable network t...

Page 249: ...en builds a Internal Spanning Tree IST for the Region containing all commonly configured MSTP bridges An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers including the Region Name Revision Level and Configuration Digest see Configuring Multiple Spanning Trees on page 3 210 An MST Region may contain multiple MSTP Instances An Internal Spannin...

Page 250: ...e port will drop the loopback BPDU according to IEEE Standard 802 1w 2001 9 3 4 Note 1 2 Port Loopback Detection will not be active if Spanning Tree is disabled on the switch 3 When configured for manual release mode then a link down up event will not release the port from the discarding state Field Attributes Port Indicates the interface to be configured Range 1 28 52 Status Enables Loopback Dete...

Page 251: ... device ports attached to the network References to ports in this section mean interfaces which includes both ports and trunks Hello Time Interval in seconds at which the root device transmits a configuration message Forward Delay The maximum time in seconds the root device will wait before changing states i e discarding to learning to forwarding This delay is required because every device must re...

Page 252: ... messages at regular intervals If the root port ages out STA information provided in the last configuration message a new root port is selected from among the device ports attached to the network References to ports in this section means interfaces which includes both ports and trunks Root Forward Delay The maximum time in seconds this device will wait before changing states i e discarding to lear...

Page 253: ...spanning tree 4 297 Spanning Tree Information Spanning Tree Mode RSTP Spanning Tree Enabled Disabled Enabled Instance 0 VLANs Configuration 1 4094 Priority 32768 Bridge Hello Time sec 2 Bridge Max Age sec 20 Bridge Forward Delay sec 15 Root Hello Time sec 2 Root Max Age sec 20 Root Forward Delay sec 15 Max Hops 20 Remaining Hops 20 Designated Root 32768 00201A25AC00 Current Root Port 54 Current Ro...

Page 254: ...TP generates a unique spanning tree for each instance This provides multiple pathways across the network thereby balancing the traffic load preventing wide scale disruption when a bridge node in a single instance fails and allowing for faster convergence of a new topology for the failed instance To allow multiple spanning trees to operate over the network you must configure a related set of bridge...

Page 255: ...conds at which the root device transmits a configuration message Default 2 Minimum 1 Maximum The lower of 10 or Max Message Age 2 1 Maximum Age The maximum time in seconds a device can wait without receiving a configuration message before attempting to reconfigure All device ports except for designated ports should receive configuration messages at regular intervals Any port that ages out STA info...

Page 256: ...mum interval between the transmission of consecutive protocol messages Range 1 10 Default 3 Configuration Settings for MSTP Max Instance Numbers The maximum number of MSTP instances to which this switch can be assigned Configuration Digest An MD5 signature key that contains the VLAN ID to MST ID mapping table In other words this key is a mapping of all VLANs to the CIST Region Revision12 The revis...

Page 257: ...Spanning Tree Algorithm Configuration 3 201 3 Web Click Spanning Tree STA Configuration Modify the required attributes and click Apply Figure 3 117 Configuring Spanning Tree ...

Page 258: ...switch are connected to the same segment and there is no other STA device attached to this segment the port with the smaller ID forwards packets and the other is discarding All ports are discarding when the switch is booted then some of them change state to learning and then to forwarding Forward Transitions The number of times this port has transitioned from the Learning state to the Forwarding s...

Page 259: ...ating that another bridge is attached to this port Port Role Roles are assigned according to whether the port is part of the active topology connecting the bridge to the root bridge i e root port connecting a LAN through the bridge to the root bridge i e designated port is the MSTI regional root i e master port or is an alternate or backup port that may provide connectivity if other bridges bridge...

Page 260: ...ce Fast forwarding This field provides the same information as Admin Edge port and is only included for backward compatibility with earlier products Admin Edge Port You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node Since end nodes cannot cause forwarding loops they can pass directly through to the spanning tree forwarding ...

Page 261: ...t does not forward packets Learning Port has transmitted configuration messages for an interval set by the Forward Delay parameter without receiving contradictory information Port address table is cleared and the port begins learning addresses Forwarding Port forwards packets and continues learning addresses Trunk Indicates if a port is a member of a trunk STA Port Configuration only Console show ...

Page 262: ...n steps of 16 Admin Path Cost This parameter is used by the STA to determine the best path between devices Therefore lower values should be assigned to ports attached to faster media and higher values assigned to ports with slower media Path cost takes precedence over port priority Range 0 for auto configuration 1 65535 for the short path cost method13 1 200 000 000 for the long path cost method B...

Page 263: ...ree topology It could also be used to form a border around part of the network where the root bridge is allowed Default Disabled Migration If at any time the switch detects STP BPDUs including Configuration or Topology Change Notification BPDUs it will automatically set the selected interface to forced STP compatible mode However you can also use the Protocol Migration button to manually re check ...

Page 264: ...ooding required to rebuild address tables during reconfiguration events does not cause the spanning tree to initiate reconfiguration when the interface changes state and also overcomes other STA related timeout problems However remember that Edge Port should only be enabled for ports connected to an end node device Default Enabled Enabled Manually configures a port as an Edge Port Disabled Disable...

Page 265: ...tion time when the port link type is point to point which is 3 seconds as defined in IEEE 802 3D 2004 17 20 4 otherwise it equals the maximum age for configuration messages see Displaying Global Settings for STA on page 3 195 BPDU Guard This feature prevents loops by disabling an edge port when a BPDU is received instead of putting it into the spanning tree blocking state In a valid configuration ...

Page 266: ...for the selected MST instance MSTP VLAN Configuration 3 Add the VLANs that will share this MSTI MSTP VLAN Configuration Note All VLANs are automatically added to the IST Instance 0 Note All VLANs are automatically added to the IST Instance 0 To ensure that the MSTI maintains connectivity across the network you must configure a related set of bridges with the same MSTI settings Command Attributes M...

Page 267: ...e STA settings for instance 1 followed by settings for each port Console config spanning tree mst configuration 4 281 Console config mst mst 1 priority 4096 4 282 Console config mstp mst 1 vlan 1 5 4 281 Console config mst Console config spanning tree mst configuration 4 281 Console config mst mst 1 priority 4096 4 282 Console config mstp mst 1 vlan 1 4 281 Console config mst end Console show span...

Page 268: ...External Oper Path Cost 100000 Internal Oper Path Cost 100000 Priority 128 Designated Cost 0 Designated Port 128 1 Designated Root 32768 00201A25AC00 Designated Bridge 32768 00201A25AC00 Fast Forwarding Enabled Forward Transitions 0 Admin Edge Port Enabled Oper Edge Port Enabled Admin Link Type Auto Oper Link Type Point to point Flooding Behavior Enabled Spanning Tree Status Enabled Loopback Detec...

Page 269: ... MST instance Command Attributes MST Instance ID Instance identifier to configure Default 0 Note The other attributes are described under Displaying Interface Settings for STA on page 3 202 Web Click Spanning Tree MSTP Port or Trunk Information Select the required MST instance to display the current spanning tree values Figure 3 122 Displaying MSTP Interface Settings ...

Page 270: ...ent Root Cost 100000 Number of Topology Changes 4 Last Topology Change Time sec 539 Transmission Limit 3 Path Cost Method Long Flooding Behavior To VLAN Eth 1 1 Information Admin Status Enabled Role Disabled State Discarding External Admin Path Cost 0 Internal Admin Path Cost 0 External Oper Path Cost 100000 Internal Oper Path Cost 100000 Priority 128 Designated Cost 100000 Designated Port 128 1 D...

Page 271: ...the highest priority i e lowest value will be configured as an active link in the Spanning Tree This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops Where more than one port is assigned the highest priority the port with lowest numeric identifier will be enabled Default 128 Range 0 240 in steps of 16 Admin MST Path Cost This para...

Page 272: ...802 1Q VLAN is a group of ports that can be located anywhere in the network but communicate as though they belong to the same physical segment VLANs help to simplify network management by allowing you to move devices to a new VLAN without having to change any physical connections VLANs can be easily organized to reflect departmental groups such as Marketing or R D usage groups such as e mail or mu...

Page 273: ...VLAN s either manually or dynamically using GVRP However if you want a port on this switch to participate in one or more VLANs but none of the intermediate network devices nor the host at the other end of the connection supports VLANs then you should add this port to the VLAN as an untagged port Note VLAN tagged frames can pass through VLAN aware or VLAN unaware network interconnection devices but...

Page 274: ...the message arrives at another switch that supports GVRP it will also place the receiving port in the specified VLANs and pass the message on to all other ports VLAN requirements are propagated in this way throughout the network This allows GVRP compliant devices to be automatically configured for VLAN groups based solely on endstation requests To implement GVRP in a network first add the host dev...

Page 275: ...ag before forwarding the frame When the switch receives a tagged frame it will pass this frame onto the VLAN s indicated by the frame tag However when this switch receives an untagged frame from a VLAN unaware device it first decides where to forward the frame and then inserts a VLAN tag reflecting the ingress port s default VID Enabling or Disabling GVRP Global Setting GARP VLAN Registration Prot...

Page 276: ...r of Supported VLANs Maximum number of VLANs that can be configured on this switch Web Click VLAN 802 1Q VLAN Basic Information Figure 3 125 Displaying Basic VLAN Information CLI Enter the following command 14 Web Only Console show bridge ext 4 301 Max Support VLAN Numbers 256 Max Support VLAN ID 4094 Extended Multicast Filtering Services No Static Entry Individual Port Yes VLAN Learning IVL Confi...

Page 277: ...Up Time at Creation Time this VLAN was created i e System Up Time Status Shows how this VLAN was added to the switch Dynamic GVRP Automatically learned via GVRP Permanent Added as a static entry Egress Ports Shows all the VLAN port members Untagged Ports Shows the untagged VLAN port members Web Click VLAN 802 1Q VLAN Current Table Select any ID from the scroll down list Figure 3 126 Displaying Cur...

Page 278: ...AN group The VLAN name is only used for management on this system it is not added to the VLAN tag VLAN ID ID of configured VLAN 1 4094 no leading zeroes VLAN Name Name of the VLAN 1 100 characters no spaces Status Web Enables or disables the specified VLAN Enabled VLAN is operational Disabled VLAN is suspended i e does not pass packets State CLI Enables or disables the specified VLAN Active VLAN i...

Page 279: ...s Port Channels Eth1 1 S Eth1 2 S Eth1 3 S Eth1 4 S Eth1 5 S Eth1 6 S Eth1 7 S Eth1 8 S Eth1 9 S Eth1 10 S Eth1 11 S Eth1 12 S Eth1 13 S Eth1 14 S Eth1 15 S Eth1 16 S Eth1 17 S Eth1 18 S Eth1 19 S Eth1 20 S Eth1 21 S Eth1 22 S Eth1 23 S Eth1 24 S Eth1 25 S Eth1 26 S Eth1 27 S Eth1 28 S VLAN ID 2 Type Static Name R D Status Active Ports Port Channels VLAN ID 4093 Type Static Name Status Active Port...

Page 280: ...100 characters Status Enables or disables the specified VLAN Enable VLAN is operational Disable VLAN is suspended i e does not pass packets Port Port identifier Membership Type Select VLAN membership for each interface by marking the appropriate radio button for a port or trunk Tagged Interface is a member of the VLAN All packets transmitted by the port will be tagged that is carry a tag and there...

Page 281: ...gure 3 128 Configuring a VLAN Static Table CLI The following example adds tagged and untagged ports to VLAN 2 Console config interface ethernet 1 1 4 221 Console config if switchport allowed vlan add 2 tagged 4 310 Console config if exit Console config interface ethernet 1 2 Console config if switchport allowed vlan add 2 untagged Console config if exit Console config interface ethernet 1 13 Conso...

Page 282: ...t an interface from the scroll down box Port or Trunk Click Query to display membership information for the interface Select a VLAN ID and then click Add to add the interface as a tagged member or click Remove to remove the interface After configuring VLAN membership for each interface click Apply Figure 3 129 VLAN Static Membership by Port CLI This example adds Port 3 to VLAN 1 as a tagged port a...

Page 283: ...nly tagged frames When set to receive all frame types any received frames that are untagged are assigned to the default VLAN Options All Tagged Default All Ingress Filtering Determines how to process frames tagged for VLANs for which the ingress port is not a member Ingress Filtering is always enabled Default Enabled Ingress filtering only affects tagged frames If ingress filtering is disabled and...

Page 284: ...1000 Mode Indicates VLAN membership mode for an interface Default Hybrid Access Sets the port to operate as an untagged interface All frames are sent untagged 1Q Trunk Specifies a port as an end point for a VLAN trunk A trunk is a direct link between two switches so the port transmits tagged frames that identify the source VLAN Note that frames belonging to the port s default VLAN i e associated w...

Page 285: ...rent customers is segregated within the service provider s network even when they use the same customer specific VLAN IDs QinQ tunneling expands VLAN space by using a VLAN in VLAN hierarchy preserving the customer s original tagged packets and adding SPVLAN tags to each frame also called double tagging A port configured to support QinQ tunneling must be set to tunnel port mode The Service Provider...

Page 286: ...y already have The ingress process constructs and inserts the outer tag SPVLAN into the packet based on the default VLAN ID and Tag Protocol Identifier TPID that is the ether type of the tag This outer tag is used for learning and switching packets The priority of the inner tag is copied to the outer tag if it is a tagged or priority tagged packet 2 After successful source and destination lookup t...

Page 287: ...ether type of an incoming packet single or double tagged is equal to the TPID of the uplink port no new VLAN tag is added If the uplink port is not the member of the outer VLAN of the incoming packets the packet will be dropped when ingress filtering is enabled If ingress filtering is not enabled the packet will still be forwarded If the VLAN is not listed in the VLAN table the packet will be drop...

Page 288: ...e bridge protocol data unit BPDU filtering is automatically disabled on a tunnel port General Configuration Guidelines for QinQ 1 Configure the switch to QinQ mode see Enabling QinQ Tunneling on the Switch on page 3 233 2 Set the Tag Protocol Identifier TPID value of the tunnel access port This step is required if the attached client is using a nonstandard 2 byte ethertype to identify 802 1Q tagge...

Page 289: ...incoming frames containing that ethertype are assigned to the VLAN contained in the tag following the ethertype field as they would be with a standard 802 1Q trunk Frames arriving on the port containing any other ethertype are looked upon as untagged frames and assigned to the native VLAN of that port All ports on the switch will be set to the same ethertype Command Attributes 802 1Q Tunnel Sets t...

Page 290: ...rt operates in its normal VLAN mode This is the default 802 1Q Tunnel Configures IEEE 802 1Q tunneling QinQ for a client access port to segregate and preserve customer VLAN IDs for traffic crossing the service provider network 802 1Q Tunnel Uplink Configures IEEE 802 1Q tunneling QinQ for an uplink port to another device within the service provider network Trunk Member Shows if a port is a member ...

Page 291: ...e config if interface ethernet 1 2 Console config if switchport dot1q tunnel mode uplink 4 315 Console config if end Console show dot1q tunnel 4 317 Current double tagged status of the system is Enabled The dot1q tunnel mode of the set interface 1 1 is Access mode TPID is 0x9100 The dot1q tunnel mode of the set interface 1 2 is Uplink mode TPID is 0x8100 The dot1q tunnel mode of the set interface ...

Page 292: ...Status page to enable traffic segmentation and to block or forward traffic between uplink ports assigned to different client sessions Command Attributes Traffic Segmentation Status Enables port based traffic segmentation Default Disabled Uplink to Uplink Specifies whether or not traffic can be forwarded between uplink ports assigned to different client sessions Default Blocking Web Click VLAN Traf...

Page 293: ...interface Web Click VLAN Traffic Segmentation Session Configuration Set the session number specify whether an uplink or downlink is to be used select the interface and click Apply Figure 3 134 Traffic Segmentation Session Configuration CLI This example enables traffic segmentation and allows traffic to be forwarded across the uplink ports assigned to different client sessions Console config pvlan ...

Page 294: ...dary associated groups follow these steps 1 Use the Private VLAN Configuration menu page 3 239 to designate one or more community VLANs and the primary VLAN that will channel traffic outside of the VLAN groups 2 Use the Private VLAN Association menu page 3 240 to map the secondary i e community VLAN s to the primary VLAN 3 Use the Private VLAN Port Configuration menu page 3 242 to set the port typ...

Page 295: ...4 and 5 can only pass through port 3 The Private VLAN Configuration page is used to create remove primary or community VLANs Command Attributes VLAN ID ID of configured VLAN 2 4094 Type There are three types of private VLANs Primary VLANs Conveys traffic between promiscuous ports and to community ports within secondary or community VLANs Community VLANs Conveys traffic between community ports and ...

Page 296: ...ith a primary VLAN Command Attributes Primary VLAN ID ID of primary VLAN 2 4094 Association Community VLANs associated with the selected primary VLAN Non Association Community VLANs not associated with the selected VLAN Web Click VLAN Private VLAN Association Select the required primary VLAN from the scroll down box highlight one or more community VLANs in the Non Association list box and click Ad...

Page 297: ...can only communicate with the lone promiscuous port within its own isolated VLAN Promiscuous A promiscuous port can communicate with all the interfaces within a private VLAN Primary VLAN Conveys traffic between promiscuous ports and between promiscuous ports and community ports within the associated secondary VLANs Community VLAN A community VLAN conveys traffic between community ports and from co...

Page 298: ...rivate VLAN Host The port is a community port A community port can communicate with other ports in its own community VLAN and with designated promiscuous port s Promiscuous A promiscuous port can communicate with all interfaces within a private VLAN Primary VLAN Conveys traffic between promiscuous ports and between promiscuous ports and community ports within the associated secondary VLANs If PVLA...

Page 299: ...s in order to encompass all the devices participating in a specific protocol This kind of configuration deprives users of the basic benefits of VLANs including security and easy accessibility To avoid these problems you can configure this switch with protocol based VLANs that divide the physical network into logical VLAN groups for each required protocol When a frame is received at a port its VLAN...

Page 300: ...protocol groups Command Attributes Protocol Group ID Protocol Group ID assigned to the Protocol VLAN Group Range 1 2147483647 Frame Type Choose either Ethernet RFC 1042 or LLC Other as the frame type used by this protocol Protocol Type Specifies the protocol type to match The available options are IP ARP and RARP If LLC Other is chosen for the Frame Type the only available Protocol Type is IPX Raw...

Page 301: ... standard rules applied to tagged frames If the frame is untagged and the protocol type matches the frame is forwarded to the appropriate VLAN If the frame is untagged but the protocol type does not match the frame is forwarded to the default VLAN for this interface Command Attributes Protocol Group ID Protocol Group ID assigned to the Protocol VLAN Group Range 1 2147483647 VLAN ID VLAN to which m...

Page 302: ...nd again from the source mirrored VLAN The target port receives traffic from all monitored source VLANs and can become congested Some mirror traffic may therefore be dropped from the target port Note Spanning Tree BPDU packets are not mirrored to the target port Command Attributes Mirror Sessions Displays a list of current mirror sessions Source VLAN A VLAN whose traffic will be monitored Range 1 ...

Page 303: ...ource IP address is checked against the IP subnet to VLAN mapping table and if an entry is found the corresponding VLAN ID is assigned to the frame If no mapping is found the PVID of the receiving port is assigned to the frame The IP subnet cannot be a broadcast or multicast IP address When MAC based IP subnet based and protocol based VLANs are supported concurrently priority is applied in this se...

Page 304: ...esses can be mapped to only one VLAN ID Configured MAC addresses cannot be broadcast or multicast addresses When MAC based IP subnet based and protocol based VLANs are supported concurrently priority is applied in this sequence and then port based VLANs last Command Attributes MAC Address A source MAC address which is to be mapped to a specific VLAN The MAC address must be specified in the format ...

Page 305: ...y troubleshooting enhance network management and maintain an accurate network topology Setting LLDP Timing Attributes Use the LLDP Configuration screen to set attributes for general functions such as globally enabling LLDP on the switch setting the message ageout time and setting the frequency for broadcasting general advertisements or reports about changes in the LLDP MIB Command Attributes LLDP ...

Page 306: ...d interval for sending SNMP notifications about LLDP MIB changes Range 5 3600 seconds Default 5 seconds This parameter only applies to SNMP applications which use data stored in the LLDP MIB for network monitoring or management Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted Only state changes that exist at the time of a notification are include...

Page 307: ...ata Units Options Tx only Rx only TxRx Disabled Default TxRx SNMP Notification Enables the transmission of SNMP trap notifications about LLDP and LLDP MED changes Default Enabled This option sends out SNMP trap notifications to designated target stations at the interval specified by the Notification Interval in the preceding section Trap Console config lldp 4 343 Console config lldp refresh interv...

Page 308: ...ncludes the IPv4 address of the switch If no management address is available the address should be the MAC address for the CPU or for the port sending this advertisement The management address TLV may also include information about the specific interface associated with this address and an object identifier indicating the type of hardware component or protocol entity associated with this address T...

Page 309: ...tails such as power availability from the switch and power state of the switch including whether the switch is operating from primary or backup power the Endpoint Device could use this information to decide to enter power conservation mode Note that this device does not support PoE capabilities Inventory This option advertises device details useful for inventory management such as manufacturer mod...

Page 310: ...onsole config if lldp basic tlv management ip address 4 349 Console config if lldp basic tlv system name 4 351 Console config if lldp basic tlv system capabilities 4 350 Console config if lldp medtlv extPoe 4 355 Console config if lldp medtlv inventory 4 356 Console config if lldp medtlv location 4 356 Console config if lldp medtlv med cap 4 357 Console config if lldp medtlv network policy 4 357 C...

Page 311: ...l packet includes the IPv4 address of the switch If no management address is available the address should be the MAC address for the CPU or for the port sending this advertisement Interface Settings The attributes listed below apply to both port and trunk interface types When a trunk is listed the descriptions apply to the first port of the trunk Port Description A string that indicates the port s...

Page 312: ...a 2 ComboG L2 L4 PoE Standal one switch System Capabilities Support Bridge System Capabilities Enable Bridge Management Address 192 168 0 101 IPv4 LLDP Port Information Interface PortID Type PortID PortDesc Eth 1 1 MAC Address 00 20 1A 25 AC 01 Ethernet Port on unit 1 port 1 Eth 1 2 MAC Address 00 20 1A 25 AC 02 Ethernet Port on unit 1 port 2 Eth 1 3 MAC Address 00 20 1A 25 AC 03 Ethernet Port on ...

Page 313: ...itted Port Name A string that indicates the port s description If RFC 2863 is implemented the ifDescr object should be used for this field System Name An string that indicates the system s administratively assigned name Web Click LLDP Remote Port Trunk Information Figure 3 148 LLDP Remote Port Information CLI This example displays LLDP information for remote devices attached to this switch which a...

Page 314: ...ring that contains the specific identifier for the port from which this LLDPDU was transmitted System Name An string that indicates the system s assigned name System Description A textual description of the network entity System Capabilities Supported The capabilities that define the primary function s of the system See Table 3 16 paratext on page 3 255 System Capabilities Enabled The primary func...

Page 315: ...evice attached to a specific port on this switch Console show lldp info remote device detail ethernet 1 1 4 361 LLDP Remote Devices Information Detail Local PortName Eth 1 1 Chassis Type MAC Address Chassis Id 00 01 02 03 04 05 PortID Type MAC Address PortID 00 01 02 03 04 06 SysName SysDescr SMC6128PL2 PortDescr Ethernet Port on unit 1 port 1 SystemCapSupported Bridge SystemCapEnabled Bridge Remo...

Page 316: ...ved from the LLDP remote systems MIB for any reason Neighbor Entries Dropped Count The number of times which the remote database on this switch dropped an LLDPDU because of insufficient resources Neighbor Entries Age out Count The number of times that a neighbor s information has been deleted from the LLDP remote systems MIB because the remote TTL timer has expired Interface Statistics on LLDP Pro...

Page 317: ...ived Frames Sent Number of LLDP PDUs transmitted TLVs Unrecognized A count of all TLVs not recognized by the receiving LLDP local agent TLVs Discarded A count of all LLDPDUs received and then discarded due to insufficient memory space missing or out of sequence attributes or any other reason Neighbor Ageouts A count of the times that a neighbor s information has been deleted from the LLDP remote s...

Page 318: ...ys detailed LLDP statistics for an LLDP enabled remote device attached to a specific port on this switch switch show lldp info statistics detail ethernet 1 1 4 362 LLDP Port Statistics Detail PortName Eth 1 1 Frames Discarded 0 Frames Invalid 0 Frames Received 12 Frames Sent 13 TLVs Unrecognized 0 TLVs Discarded 0 Neighbor Ageouts 0 switch ...

Page 319: ...riority and then sorted into the appropriate priority queue at the output port Command Usage This switch provides four priority queues for each port It uses Weighted Round Robin to prevent head of queue blockage The default priority applies for an untagged frame received on a port set to accept all frame types i e receives both untagged and tagged frames This priority does not apply to IEEE 802 1Q...

Page 320: ...1 3 4 232 Information of Eth 1 3 Broadcast Threshold Enabled 64 Kbits second Multicast Threshold Disabled Unknown unicast Threshold Disabled LACP Status Disabled Ingress Rate Limit Disabled 100000 Kbits per second Egress Rate Limit Disabled 100000 Kbits per second VLAN Membership Mode Hybrid Ingress Rule Enabled Acceptable Frame Type All frames Native VLAN 1 Priority for Untagged Traffic 5 GVRP St...

Page 321: ...work applications are shown in the following table However you can map the priority levels to the switch s output queues in any way that benefits application traffic for your own network Command Attributes Priority CoS value Range 0 7 where 7 is the highest priority Traffic Class17 Output queue buffer Range 0 3 where 3 is the highest CoS priority queue Table 3 18 Mapping CoS Values to Egress Queue...

Page 322: ...iced or use Weighted Round Robin WRR queuing that specifies a relative weight of each queue Command Usage Strict priority requires all traffic in a higher priority queue to be processed before lower priority queues are serviced WRR uses a relative weighting for each queue which determines the amount of packets the switch transmits every time it services each queue before moving on to the next queu...

Page 323: ...ch uses the Weighted Round Robin WRR algorithm to determine the frequency at which it services each priority queue As described in Mapping CoS Values to Egress Queues on page 3 265 the traffic classes are mapped to one of the four egress queues provided for each port This weight sets the limit for the number of packets the switch will transmit each time the queue is serviced and subsequently affec...

Page 324: ...riority Queue Scheduling Figure 3 155 Displaying Queue Scheduling CLI The following example shows how to display the WRR weights assigned to each of the priority queues Console show queue bandwidth 4 366 Queue ID Weight 0 1 1 2 2 4 3 8 Console ...

Page 325: ...value by the switch and the traffic then sent to the corresponding output queue Because different priority information may be contained in the traffic this switch maps priority values to the output queues in the following manner The precedence for priority mapping is IP DSCP Priority and then Default Port Priority Enabling IP DSCP Priority The switch allows you to enable or disable the IP DSCP pri...

Page 326: ...CP default mapping is defined in the following table Note that all the DSCP values that are not specified are mapped to CoS value 0 Command Attributes DSCP Priority Table Shows the DSCP Priority to CoS map Class of Service Value Maps a CoS value to the selected DSCP Priority value Note that 0 represents low priority and 7 represent high priority Note IP DSCP settings apply to all interfaces Consol...

Page 327: ... 1 on port 1 and then displays the DSCP Priority settings Mapping specific values for IP DSCP is implemented as an interface configuration command but any changes will apply to the all interfaces on the switch Console config map ip dscp 4 368 Console config interface ethernet 1 1 4 221 Console config if map ip dscp 1 cos 0 4 368 Console config if end Console show map ip dscp ethernet 1 1 4 370 DSC...

Page 328: ...prioritize the resources allocated to different traffic classes The manner in which an individual device handles traffic in the DiffServ architecture is called per hop behavior All devices along a path should be configured in a consistent manner to construct a consistent end to end QoS solution Notes 1 You can configure up to 16 rules per Class Map You can also include multiple classes in a Policy...

Page 329: ... a brief description of a class map Range 1 16 characters for the name 1 64 characters for the description Edit Rules Opens the Match Class Settings page for the selected class entry Modify the criteria used to classify ingress traffic on this page Add Class Opens the Class Configuration page Enter a class name and description on this page and click Add to open the Match Class Settings page Enter ...

Page 330: ...ied criteria to the class Up to 16 items are permitted per class Remove Deletes the selected criteria from the class Web Click QoS DiffServ then click Add Class to create a new class or Edit Rules to change the rules of an existing class Figure 3 158 Configuring Class Maps ...

Page 331: ... class maps for each of the following access list types MAC ACL IP ACL including Standard ACL and Extended ACL Also note that the maximum number of classes that can be applied to a policy map is 16 Policing is based on a token bucket where bucket depth i e the maximum burst before the bucket overflows is specified by the Burst field and the average rate at which tokens are removed from the bucket ...

Page 332: ...d or the DSCP service level will be reduced Remove Class Deletes a class Policy Options Class Name Name of class map Action Configures the service provided to ingress traffic by setting a CoS DSCP or IP Precedence value in a matching packet as specified in Match Class Settings on page 3 273 Range CoS 0 7 DSCP 0 63 IP Precedence 0 7 IPv6 DSCP 0 63 Meter Check this to define the maximum throughput b...

Page 333: ...3 277 3 Web Click QoS DiffServ Policy Map to display the list of existing policy maps To add a new policy map click Add Policy To configure the policy rule settings click Edit Classes Figure 3 159 Configuring Policy Maps ...

Page 334: ... Command Attributes Ports Specifies a port Ingress Applies the rule to ingress traffic Enabled Check this to enable a policy map on the specified port Policy Map Select the appropriate policy map from the scroll down box Web Click QoS DiffServ Service Policy Settings Check Enabled and choose a Policy Map for a port from the scroll down box then click Apply Figure 3 160 Service Policy Settings CLI ...

Page 335: ...the source MAC address of packets or by using LLDP IEEE 802 1AB to discover connected VoIP devices When VoIP traffic is detected on a configured port the switch automatically assigns the port as a tagged member the Voice VLAN Alternatively switch ports can be manually configured To configure the switch for VoIP traffic first enable the automatic detection of VoIP devices attached to switch ports t...

Page 336: ...oice VLAN when VoIP traffic is detected on the port You must select a method for detecting VoIP traffic either OUI or 802 1ab LLDP When OUI is selected be sure to configure the MAC address ranges in the Telephony OUI list Manual The Voice VLAN feature is enabled on the port but the port must be manually added to the Voice VLAN Security Enables security filtering that discards any non VoIP packets ...

Page 337: ... on See Link Layer Discovery Protocol on page 3 249 for more information on LLDP Priority Defines a CoS priority for port traffic on the Voice VLAN The priority of any received VoIP packet is overwritten with the new priority when the Voice VLAN feature is active for the port Web Click QoS VoIP Traffic Setting Port Configuration Set the mode for a VoIP traffic port select the detection mechanism t...

Page 338: ...three octets Other masks restrict the MAC address range Selecting FF FF FF FF FF FF specifies a single MAC address Default FF FF FF 00 00 00 Description User defined text that identifies the VoIP devices Console config interface ethernet 1 2 Console config if switchport voice vlan auto 4 337 Console config if switchport voice vlan security 4 338 Console config if switchport voice vlan rule oui 4 3...

Page 339: ...en click Add Figure 3 163 Telephony OUI List CLI This example adds an identifier to the list then displays the current list Console config voice vlan mac address 00 e0 bb 00 00 00 mask ff ff ff 00 00 00 description old phones 4 336 Console config exit Console show voice vlan oui 4 339 OUIAddress Mask Description 00 e0 bb 00 00 00 FF FF FF 00 00 00 old phones 00 11 22 33 44 55 FF FF FF 00 00 00 new...

Page 340: ...r the ports that want to join a multicast group and set its filters accordingly If there is no multicast router attached to the local subnet multicast traffic and query messages may not be received by the switch In this case Layer 2 IGMP Query can be used to actively ask the attached hosts if they want to receive a specific multicast service IGMP Query thereby identifies the ports containing hosts...

Page 341: ...s case traffic is filtered from sources in the Exclude list and forwarded from all other available sources Notes 1 When the switch is configured to use IGMPv3 snooping the snooping version may be downgraded to version 2 or version 1 depending on the version of the IGMP query packets detected on each VLAN 2 IGMP snooping will not function unless a multicast router port is enabled on the switch This...

Page 342: ... or multicast enabled switch can periodically ask their hosts if they want to receive multicast traffic If there is more than one router switch on the LAN performing IP multicasting one of these devices is elected querier and assumes the role of querying the LAN for group members It then propagates the service requests on to any upstream multicast switch router to ensure that it will continue to r...

Page 343: ...t which the switch sends IGMP host query messages Range 60 125 seconds Default 125 IGMP Report Delay Sets the time between receiving an IGMP Report for an IP multicast address on a port before the switch sends an IGMP Query out of that port and removes the entry from its list Range 5 25 seconds Default 10 IGMP Query Timeout The time the switch waits after the previous querier stops before it consi...

Page 344: ...te leave should only be enabled on an interface if it is connected to only one IGMP enabled device either a service host or a neighbor running IGMP snooping Immediate leave is only effective if IGMP snooping is enabled and IGMPv2 or IGMPv3 snooping is used Immediate leave does not apply to a port if the switch has learned that a multicast router is attached to it Immediate leave can improve bandwi...

Page 345: ...Immediate Leave CLI This example enables IGMP immediate leave for VLAN 1 and then displays the current IGMP snooping status Console config interface vlan 1 Console config if ip igmp snooping immediate leave 4 383 Console config if end Console show ip igmp snooping 4 382 Service Status Enabled Querier Status Disabled Leave proxy status Enabled Query Count 2 Query Interval 125 sec Query Max Response...

Page 346: ...icast router switch for each VLAN ID Command Attributes VLAN ID ID of configured VLAN 1 4094 Multicast Router List Multicast routers dynamically discovered by this switch or those that are statically assigned to an interface on this switch Web Click IGMP Snooping Multicast Router Port Information Select the required VLAN ID from the scroll down list to display the associated multicast routers Figu...

Page 347: ...nterface Activates the Port or Trunk scroll down list VLAN ID Selects the VLAN to propagate all multicast traffic coming from the attached multicast router Port or Trunk Specifies the interface attached to a multicast router Web Click IGMP Snooping Static Multicast Router Port Configuration Specify the interfaces attached to a multicast router indicate the VLAN which will forward all the correspon...

Page 348: ...ast service Web Click IGMP Snooping IP Multicast Registration Table Select a VLAN ID and the IP address for a multicast service from the scroll down lists The switch will display all the interfaces that are propagating this multicast service Figure 3 168 IP Multicast Registration Table CLI This example displays all the known multicast services supported on VLAN 1 along with the ports propagating t...

Page 349: ...cific VLAN the corresponding traffic can only be forwarded to ports within that VLAN Command Attributes Interface Activates the Port or Trunk scroll down list VLAN ID Selects the VLAN to propagate all multicast traffic coming from the attached multicast router switch Range 1 4094 Multicast IP The IP address for a specific multicast service Port or Trunk Specifies the interface attached to a multic...

Page 350: ...rwarded as normal If a requested multicast group is denied the IGMP join report is dropped IGMP throttling sets a maximum number of multicast groups that a port can join at the same time When the maximum number of groups is reached on a port the switch can take one of two actions either deny or replace If the action is set to deny any new IGMP join reports will be dropped If the action is set to r...

Page 351: ...ch profile has only one access mode either permit or deny When the access mode is set to permit IGMP join reports are processed when a multicast group falls within the controlled range When the access mode is set to deny IGMP join reports are only processed when the multicast group is not in the controlled range Command Attributes Profile ID Selects an existing profile number to configure After se...

Page 352: ...he profile number you want to configure then click Query to display the current settings Specify the access mode for the profile and then add multicast groups to the profile list Click Apply Figure 3 171 IGMP Profile Configuration CLI This example configures profile number 19 by setting the access mode to permit and then specifying a range of multicast groups that a user can join The current profi...

Page 353: ...ce If the action is set to deny any new IGMP join reports will be dropped If the action is set to replace the switch randomly removes an existing group and replaces it with the new multicast group Command Attributes Profile Selects an existing profile number to assign to an interface Max Multicast Groups Sets the maximum number of multicast groups an interface can join at the same time Range 0 255...

Page 354: ...rrent IGMP filtering and throttling settings for the interface are then displayed Console config interface ethernet 1 1 4 221 Console config if ip igmp filter 19 4 393 Console config if ip igmp max groups 64 4 394 Console config if ip igmp max groups action deny 4 395 Console config if end Console show ip igmp filter interface ethernet 1 1 4 395 Information of Eth 1 1 IGMP Profile 19 permit range ...

Page 355: ... different VLAN groups from the MVR VLAN users in different IEEE 802 1Q or private VLANs cannot exchange any information except through upper level routing services General Configuration Guidelines for MVR 1 Enable MVR globally on the switch select the MVR VLAN and add the multicast groups that will stream traffic to attached hosts see Configuring Global MVR Settings on page 3 300 2 Set the interf...

Page 356: ...receive data from that multicast group Default Disabled MVR Running Status Indicates whether or not all necessary conditions in the MVR environment are satisfied Running status is true as long as MVR Status is enabled and the specified MVR VLAN exists MVR VLAN Identifier of the VLAN that serves as the channel for streaming multicast services using MVR MVR source ports should be configured as membe...

Page 357: ...s that will stream traffic to attached hosts and then click Apply Figure 3 173 MVR Global Configuration CLI This example first enables IGMP snooping enables MVR globally and then configures a range of MVR group addresses Console config ip igmp snooping 4 381 Console config mvr 4 398 Console config mvr group 228 1 23 1 10 4 398 Console config ...

Page 358: ... if there are subscribers receiving multicast traffic from one of the MVR groups or a multicast group has been statically assigned to an interface Immediate Leave Shows if immediate leave is enabled or disabled Trunk Member19 Shows if port is a trunk member Web Click MVR Port or Trunk Information Figure 3 174 MVR Port Information CLI This example shows information about interfaces attached to the ...

Page 359: ...vided through the MVR VLAN Web Click MVR Group IP Information Figure 3 175 MVR Group IP Information CLI This example following shows information about the interfaces associated with multicast groups assigned to the MVR VLAN Console show mvr interface 4 402 MVR Group IP Status Members 225 0 0 1 ACTIVE eth1 1 d eth1 2 s 225 0 0 2 INACTIVE None 225 0 0 3 INACTIVE None 225 0 0 4 INACTIVE None 225 0 0 ...

Page 360: ...ch have been statically assigned see Assigning Static Multicast Groups to Interfaces on page 3 306 Immediate leave applies only to receiver ports When enabled the receiver port is immediately removed from the multicast group identified in the leave message When immediate leave is disabled the switch follows the standard rules by sending a group specific query to the receiver port and waiting for a...

Page 361: ...gured as an MVR receiver Trunk20 Shows if port is a trunk member Web Click MVR Port or Trunk Configuration Figure 3 176 MVR Port Configuration CLI This example configures an MVR source port and receiver port and then enables immediate leave on the receiver port 20 Port Information only Console config interface ethernet 1 1 Console config if mvr type source 4 400 Console config if exit Console conf...

Page 362: ...of 224 0 0 x Command Attributes Interface Indicates a port or trunk Member Shows the IP addresses for MVR multicast groups which have been statically assigned to the selected interface Non Member Shows the IP addresses for all MVR multicast groups which have not been statically assigned to the selected interface Web Click MVR Group Member Configuration Select a port or trunk from the Interface fie...

Page 363: ...tags Command Attributes MVR Receiver VLAN Allows multicast traffic to be forwarded from the specified Receiver VLAN without revealing the identity of the MVR VLAN in tagged frames Range 1 4094 MVR Receiver Group IP Address Specifies groups to be managed through the receiver VLAN Web Click MVR Receiver Configuration Select a VLAN from the MVR Receiver VLAN field enter the required multicast groups ...

Page 364: ...rs for multicast services provided through the MVR Receiver VLAN Web Click MVR Receiver Group IP Information Select a receiver group multicast address from the Group IP Address field to show the interfaces which have joined the selected group Figure 3 179 MVR Receiver Group Address Table CLI This example shows the interfaces which have joined MVR receiver groups and the status of MVR traffic for e...

Page 365: ...AN see Configuring MVR Receiver VLAN and Group Addresses on page 3 307 Web Click MVR Receiver Group Member Configuration Select a port or trunk from the Interface field select a multicast group address from the member list and then click the Add or Remove button to modify the list Figure 3 180 Static MVR Receiver Group Member Configuration CLI This example sets the type of a port as an MVR receive...

Page 366: ...the system will search it for a corresponding entry If none is found the default domain name is used When an incomplete host name is received by the DNS service on this switch and a domain name list has been specified the switch will work through the domain list appending each domain name in the list to the host name and checking with the specified name servers for a match When more than one name ...

Page 367: ...a domain list However remember that if a domain list is specified the default domain name is not used Console config ip domain name sample com 4 406 Console config ip domain list sample com uk 4 407 Console config ip domain list sample com jp Console config ip name server 192 168 1 55 10 1 0 55 4 408 Console config ip domain lookup 4 409 Console show dns 4 410 Domain Lookup Status DNS enabled Defa...

Page 368: ...may support one or more connections via multiple IP addresses If more than one IP address is associated with a host name in the static table or via information returned from a name server a DNS client can try each address in succession until it establishes a connection with the target device Field Attributes Host Name Name of a host device that is mapped to one or more IP addresses Range 1 64 char...

Page 369: ...ply Figure 3 182 DNS Static Host Table CLI This example maps two address to a host name and then configures an alias host name for the same addresses Console config ip host rd5 192 168 1 55 10 1 0 55 4 405 Console config ip host rd6 10 1 0 55 Console show hosts 4 410 Hostname rd5 Inet address 10 1 0 55 192 168 1 55 Alias rd6 Console ...

Page 370: ... host address for the owner and CNAME which specifies an alias IP The IP address associated with this record TTL The time to live reported by the name server Domain The domain name associated with this record Web Select DNS Cache Figure 3 183 DNS Cache CLI This example displays all the resource records learned from the designated name servers Console show dns cache 4 411 NO FLAG TYPE DOMAIN TTL IP...

Page 371: ... management station There can be up to 100 candidates and 36 member switches in one cluster A switch can only be a member of one cluster After the Commander and Members have been configured any switch in the cluster can be managed from the web agent by choosing the desired Member ID from the Cluster drop down menu To connect to the Member switch from the Commander CLI prompt use the rcommand see p...

Page 372: ...254 254 1 Number of Members The current number of Member switches in the cluster Number of Candidates The current number of Candidate switches discovered in the network that are available to become Members Web Click Cluster Configuration Figure 3 185 Cluster Configuration CLI This example first enables clustering on the switch sets the switch as the cluster Commander and then configures the cluste...

Page 373: ... specific MAC address of a known switch Web Click Cluster Member Configuration Figure 3 186 Cluster Member Configuration CLI This example creates a new cluster Member by specifying the Candidate switch MAC address and setting a Member ID Console config cluster member mac address 00 12 34 56 78 9a id 5 4 83 Console config end Console show cluster candidates 4 85 Cluster Candidates Role Mac Descript...

Page 374: ...rnal cluster IP address assigned to the Member switch MAC Address The MAC address of the Member switch Description The system description string of the Member switch Web Click Cluster Member Information Figure 3 187 Cluster Member Information CLI This example shows information about cluster Member switches Console show cluster members 4 85 Cluster Members ID 1 Role Active member IP Address 10 254 ...

Page 375: ...the network MAC Address The MAC address of the Candidate switch Description The system description string of the Candidate switch Web Click Cluster Candidate Information Figure 3 188 Cluster Candidate Information CLI This example shows information about cluster Candidate switches Console show cluster candidates 4 85 Cluster Candidates Role Mac Description ACTIVE MEMBER 00 12 cf 23 49 c0 24 48 L2 L...

Page 376: ...ice To do this a control point sends a suitable control message to the control URL for the service provided in the device description When a device is known to the control point periodic event notification messages are sent A UPnP description for a service includes a list of actions the service responds to and a list of variables that model the state of the service at run time If a device has a UR...

Page 377: ... TTL to 6 and displays information about basic UPnP configuration Console config upnp device 4 86 Console config upnp device advertise duration 200 4 87 Console config upnp device ttl 6 4 86 Console config end Console show upnp 4 87 UPnP global settings Status Enabled Advertise duration 200 TTL 6 Console ...

Page 378: ...Configuring the Switch 3 322 3 ...

Page 379: ...the console prompt enter the user name and password The default user names are admin and guest with corresponding passwords of admin and guest When the administrator user name and password is entered the CLI displays the Console prompt and enters privileged access mode i e Privileged Exec But when the guest user name and password is entered the CLI displays the Console prompt and enters normal acc...

Page 380: ... isolated network then you can use any IP address that matches the network segment to which you are attached After you configure the switch with an IP address you can open a Telnet session by performing these steps 1 From the remote host enter the Telnet command and the IP address of the device you want to access 2 At the prompt enter the user name and system password The CLI will display the Vty ...

Page 381: ...how startup config To enter commands that require parameters enter the required parameters after the command keyword For example to set a password for the administrator enter Console config username admin password 0 smith Minimum Abbreviation The CLI will accept a minimum number of characters that uniquely identify a command For example the command configure can be entered as con If an entry is am...

Page 382: ...nformation hosts Host information interfaces Interface information ip IP information ipv6 IPv6 information lacp LACP statistics line TTY line information lldp LLDP log Login records logging Logging setting mac MAC access list mac address table Shows the MAC address table mac vlan MAC based VLAN information management Show management information map Maps priority memory Memory utilization mvr Shows...

Page 383: ... been entered You can scroll back through the history of commands by pressing the up arrow key Any command displayed in the history list can be executed again or first modified and then executed Using the show history command displays a longer list of recently executed commands startup config Startup system configuration subnet vlan IP subnet based VLAN information system System information tacacs...

Page 384: ...nly a limited number of the commands are available in this mode You can access all commands only from the Privileged Exec command mode or administrator mode To access Privilege Exec mode open a new console session with the user name and password admin The system will now display the Console command prompt You can also enter Privileged Exec mode from within Normal Exec mode by entering the enable c...

Page 385: ...dify the port configuration such as speed duplex and negotiation Line Configuration These commands modify the console port and Telnet configuration and include command such as parity and databits Multiple Spanning Tree Configuration These commands configure settings for the selected multiple spanning tree instance Policy Map Configuration Creates a DiffServ policy map for multiple interfaces Serve...

Page 386: ...ist ipv6 standard access list ipv6 extended access list mac Console config arp acl Console config std acl Console config ext acl Console config std ipv6 acl Console config ext ipv6 acl Console config mac acl 4 212 4 201 4 201 4 207 4 207 4 215 Class Map class map Console config cmap 4 375 Interface interface ethernet port port channel id vlan id Console config if 4 221 MSTP spanning tree mst confi...

Page 387: ...ine Ctrl B Shifts cursor to the left one character Ctrl C Terminates the current task and displays the command prompt Ctrl E Shifts cursor to end of command line Ctrl F Shifts cursor to the right one character Ctrl K Deletes all characters from the cursor to the end of the line Ctrl L Repeats current command line on a new line Ctrl N Enters the next command line in the history buffer Ctrl P Enters...

Page 388: ...P UDP port number TCP control code ARP request response packets IPv6 frames based on destination address next header type or flow label or non IP frames based on MAC address or Ethernet type 4 199 Interface Configures the connection parameters for all Ethernet ports aggregated links and VLANs 4 220 Automatic Traffic Control Configures bounding thresholds for broadcast and multicast storms which ca...

Page 389: ...0 Domain Name Service Configures DNS services 4 405 IP Interface Configures IP address for the switch 4 412 Table 4 5 General Commands Command Function Mode Page enable Activates privileged mode NE 4 12 disable Returns to normal mode from privileged mode PE 4 12 configure Activates global configuration mode PE 4 13 show history Shows the command history buffer NE PE 4 13 reload Restarts the system...

Page 390: ...rmal Exec to Privileged Exec To set this password see the enable password command on page 4 111 The character is appended to the end of the prompt to indicate that the system is in privileged access mode Example Related Commands disable 4 12 enable password 4 111 disable This command returns to Normal Exec mode from privileged mode In normal access mode you can only display basic information on th...

Page 391: ...paratext on page 4 6 Command Mode Privileged Exec Example Related Commands end 4 16 show history This command shows the contents of the command history buffer Command Mode Normal Exec Privileged Exec Command Usage The history buffer size is fixed at 10 Execution commands and 10 Configuration commands Example In this example the show history command lists the contents of the command history buffer ...

Page 392: ...Example This example shows how to reset the switch Global Configuration This command restarts the system at a specified time after a specified delay or at a periodic interval You can reboot the system immediately or you can configure the switch to reset after a specified amount of time Use the cancel option to remove a configured setting Syntax reload at hour minute month day day month year in hou...

Page 393: ...oad Range 1 31 reload cancel Cancels the specified reload option Default Setting None Command Mode Global Configuration Command Usage This command resets the entire system Any combination of reload options may be specified If the same option is re specified the previous setting will be overwritten When the system is restarted it will always run the Power On Self Test It will also retain all config...

Page 394: ...ing Console Command Mode Global Configuration Example end This command returns to Privileged Exec mode Command Mode Global Configuration Interface Configuration Line Configuration VLAN Database Configuration and Multiple Spanning Tree Configuration Example This example shows how to return to the Privileged Exec mode from the Interface Configuration mode Console show reload Reloading switch in time...

Page 395: ...on mode and then quit the CLI session quit This command exits the configuration program Command Mode Normal Exec Privileged Exec Command Usage The quit and exit commands can both exit the configuration program Example This example shows how to quit a CLI session Console config exit Console exit Press ENTER to start session User Access Verification Username Console quit Press ENTER to start session...

Page 396: ...m Status Displays system configuration active managers and version information 4 29 Frame Size Enables support for jumbo frames 4 35 File Management Manages code image or switch configuration files 4 36 Line Sets communication parameters for the serial port including baud rate and console time out 4 44 Event Logging Controls logging of error messages 4 57 SMTP Alerts Configures SMTP email alerts 4...

Page 397: ...configure dc power info Configures the DC Power information that is displayed by banner GC 4 22 banner configure department Configures the Department information that is displayed by banner GC 4 22 banner configure equipment info Configures the Equipment information that is displayed by banner GC 4 23 banner configure equipment location Configures the Equipment Location information that is display...

Page 398: ...esses the enter key the script prompts for the next piece of information and so on until all information has been entered Pressing enter without inputting information at any prompt during the script s operation will leave the field empty Spaces can be used during script mode because pressing the enter key signifies the end of data input The delete and left arrow keys terminate the script The use o...

Page 399: ...ary for clarity Console config banner configure Company Edgecore Networks Responsible department R D Dept Name and telephone to Contact the management people Manager1 name Sr Network Admin phone number 123 555 1212 Manager2 name Jr Network Admin phone number 123 555 1213 Manager3 name Night shift Net Admin Janitor phone number 123 555 1214 The physical location of the equipment City and street add...

Page 400: ...ation Command Usage Input strings cannot contain spaces The banner configure dc power info command interprets spaces as data input boundaries The use of underscores _ or other unobtrusive non letter characters is suggested for situations where white space is necessary for clarity Example banner configure department This command is used to configure the department information displayed in the banne...

Page 401: ...or floor id row row id rack rack id shelf rack sr id manufacturer mfr name no banner configure equipment info floor manufacturer manufacturer id rack row shelf rack mfr id The name of the device model number floor id The floor number row id The row number rack id The rack number sr id The shelf number in the rack mfr name The name of the device manufacturer Maximum length of each parameter 32 char...

Page 402: ...ut boundaries The use of underscores _ or other unobtrusive non letter characters is suggested for situations where white space is necessary for clarity Example banner configure ip lan This command is used to configure the device IP address and subnet mask information displayed in the banner Use the no form to restore the default setting Syntax banner configure ip lan ip mask no banner configure i...

Page 403: ... banner Use the no form to restore the default setting Syntax banner configure lp number lp num no banner configure lp number lp num The LP number Maximum length 32 characters Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces The banner configure lp number command interprets spaces as data input boundaries The use of underscores _ or other uno...

Page 404: ...number of the third manager Maximum length of each parameter 32 characters Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces The banner configure manager info command interprets spaces as data input boundaries The use of underscores _ or other unobtrusive non letter characters is suggested for situations where white space is necessary for clar...

Page 405: ...r configure note note info Miscellaneous information that does not fit the other banner categories or any other information of importance to users of the switch CLI Maximum length 150 characters Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces The banner configure note command interprets spaces as data input boundaries The use of underscores ...

Page 406: ...eve 123 555 9876 Lamar 123 555 3322 Station s information 710_Network_Path Indianapolis Edgecore Networks SMC6128PL2 Floor Row Rack Sub Rack 7 10 15 6 DC power supply Power Source A Floor Row Rack Electrical circuit 3 15 24 48V id_3 15 24 2 Number of LP 4 Position MUX telco 9734212kx_PVC 1 23 IP LAN 216 241 132 3 255 255 255 0 Note ROUTINE_MAINTENANCE_firmware upgrade_0100 0500_GMT 0500_20071022 _...

Page 407: ...C address SNTP server settings SNMP community strings Users names and access levels VLAN database VLAN ID name and state VLAN configuration settings for each interface Multiple spanning tree instances name and interfaces IP address configured for the switch Spanning tree settings Interface settings Any configured settings for the console port and Telnet Table 4 9 System Status Commands Command Fun...

Page 408: ...cf 12 34 56 sntp server 0 0 0 0 0 0 0 0 0 0 0 0 snmp server community public ro snmp server community private rw username admin access level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca vlan database vlan 1 name DefaultVlan media ethe...

Page 409: ...mmand displays the following information Switch s MAC address SNTP server settings SNMP community strings Users names and access levels VLAN database VLAN ID name and state VLAN configuration settings for each interface Multiple spanning tree instances name and interfaces IP address configured for the switch Spanning tree settings Interface settings Any configured settings for the console port and...

Page 410: ...rname admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca vlan database vlan 1 name DefaultVlan media ethernet state active vlan 4093 media ethernet state active spanning tree mst configuration interface vlan 1 ip address dhcp interface vlan 4093 interf...

Page 411: ...ec Privileged Exec Command Usage The session used to execute this command is indicated by a symbol next to the Line i e session index number Console show system System Description 8 Fast Ethernet 2 Giga 2 ComboG L2 L4 PoE Standalone switch System OID String 1 3 6 1 4 1 259 6 10 94 System Information System Up Time 0 days 2 hours 52 minutes and 32 16 seconds System Name NONE System Location NONE Sy...

Page 412: ... 15 RSA Online users Line Username Idle time h m s Remote IP addr 0 console admin 0 14 14 1 VTY 0 admin 0 00 00 192 168 1 19 2 SSH 1 steve 0 00 06 192 168 1 19 Web online users Line Remote IP addr Username Idle time h m s 1 HTTP 192 168 1 19 admin 0 00 00 Console Console show version Unit 1 Serial Number A733006612 Hardware Version R01 Chip Device ID Marvell 98DX107 A2 88E6095 F EPLD Version 1 03 ...

Page 413: ... using jumbo frames significantly reduces the per packet overhead required to process protocol encapsulation fields To use jumbo frames both the source and destination end nodes such as a computer or server must support this feature Also when the connection is operating at full duplex all switches in the network between the two end nodes must be able to accept the extended frame size And for half ...

Page 414: ...itch settings The configuration file can be downloaded under a new file name and then set as the startup file or the current startup configuration file can be specified as the destination file to directly replace it Note that the file Factory_Default_Config cfg can be copied to the FTP TFTP server but cannot be used as the destination on the switch Table 4 11 Flash File Commands Command Function M...

Page 415: ... running config Keyword that adds the settings listed in the specified file to the running configuration file Keyword that allows you to copy to from a file ftp Keyword that allows you to copy to from an FTP server running config Keyword that allows you to copy to from the current running configuration startup config The configuration used for system initialization tftp Keyword that allows you to ...

Page 416: ...user name and password configured on the remote server Note that anonymous is set as the default user name Example The following example shows how to download new firmware from a TFTP server The following example shows how to upload the configuration settings to a file on the TFTP server The following example shows how to copy the running configuration to a startup file Console copy tftp file TFTP...

Page 417: ...tup 01 Startup configuration file name startup Write to FLASH Programming Write to FLASH finish Success Console Console copy tftp https certificate TFTP server ip address 10 1 0 19 Source certificate file name SS certificate Source private file name SS private Private password Success Console reload System will be restarted continue y n y Console copy tftp public key TFTP server IP address 192 168...

Page 418: ...ration file from flash memory Related Commands dir 4 40 delete public key 4 141 This command displays a list of files in flash memory Syntax dir boot rom config opcode filename The type of file or image to display includes boot rom Boot ROM or diagnostic image file config Switch configuration file opcode Run time operation code image file filename Name of the configuration file or code image Defau...

Page 419: ... name The name of the file File type File types Boot Rom Operation Code and Config file Startup Shows if this file is used when the system is started Size The length of the file in bytes Console dir File name File type Startup Size byte Unit1 DIAG_phaseIV_1035 BIX Boot Rom Image Y 1476128 MOPOE bix Operation Code N 4507168 op_v1 3 5 2 bix Operation Code Y 4456740 Factory_Default_Config cfg Config ...

Page 420: ...mand Mode Global Configuration Command Usage A colon is required after the specified file type If the file contains an error it cannot be set as the default file Example Related Commands dir 4 40 whichboot 4 41 This command automatically upgrades the current operational code when a new version is detected on the server indicated by the upgrade opcode path command Use the no form of this command to...

Page 421: ...was successful 3 It sets the new version as the startup image 4 It then restarts the system to start using the new image Any changes made to the default setting can be displayed with the show running config page 4 30 or show startup config page 4 29 commands Example If a new image is found at the specified location the following type of messages will be displayed during bootup This command specifi...

Page 422: ...nonymous will be used for the connection If the password is omitted a null string will be used for the connection Example This shows how to specify a TFTP server where new code is stored This shows how to specify an FTP server where new code is stored You can access the onboard configuration program by attaching a VT100 compatible device to the server s serial port These commands are used to set c...

Page 423: ...sole is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password thresh command LC 4 50 databits Sets the number of data bits per character that are interpreted and generated by hardware LC 4 50 parity Defines the generation of a parity bit LC 4 51 speed Sets the terminal baud rate LC 4 52 stopbits Sets the number of the stop bits transmitted per byte ...

Page 424: ...pecified by the password line configuration command When using this method the management interface starts in Normal Exec NE mode login local selects authentication via the user name and password specified by the username command i e default setting When using this method the management interface starts in Normal Exec NE or Privileged Exec PE mode depending on the user s privilege level 0 NE 8 15 ...

Page 425: ...ord protection the system prompts for the password If you enter the correct password the system shows a prompt You can use the password thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state The encrypted password is required for compatibility with legacy password settings i e plai...

Page 426: ...on is terminated for the session This command applies to both the local console and Telnet connections The timeout for Telnet cannot be disabled Using the command without specifying a timeout restores the default setting Example To set the timeout to two minutes enter this command Related Commands silent time 4 50 exec timeout 4 14 This command sets the interval that the system waits until user in...

Page 427: ...se the no form to remove the threshold value Syntax password thresh threshold no password thresh threshold The number of allowed password attempts Range 1 120 0 no threshold Default Setting The default value is three attempts Command Mode Line Configuration Command Usage When the logon attempt threshold is reached the system interface becomes silent for a specified amount of time before allowing t...

Page 428: ...ole response Range 0 65535 0 no silent time Default Setting The default value is no silent time Command Mode Line Configuration Example To set the silent time to 60 seconds enter this command Related Commands password thresh 4 49 This command sets the number of data bits per character that are interpreted and generated by the console port Use the no form to restore the default value Syntax databit...

Page 429: ...Commands parity 4 51 This command defines the generation of a parity bit Use the no form to restore the default setting Syntax parity none even odd no parity none No parity even Even parity odd Odd parity Default Setting No parity Command Mode Line Configuration Command Usage Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting Exampl...

Page 430: ...device connected to the serial port Some baud rates available on devices connected to the port might not be supported The system indicates if the speed you selected is not supported Example To specify 38400 bps enter this command This command sets the number of the stop bits transmitted per byte Use the no form to restore the default setting Syntax stopbits 1 2 1 One stop bit 2 Two stop bits Defau...

Page 431: ...2 where 0 means no pause for output displays Default Setting 24 Command Mode Privileged Exec Example This command sets the number of characters displayed across a terminal Use the no form to restore the default setting Syntax terminal width characters no terminal width characters The number of characters displayed across a terminal Range 0 80 Default Setting 80 Command Mode Privileged Exec Example...

Page 432: ...the escape character specified by this command can be used to break off screen output Ctrl C can also be used to break off the current command line input string Example This command specifies the terminal type connected to the console port Use the no form to restore the default setting Syntax terminal terminal type ansi bbs vt 100 vt 102 no terminal terminal type ansi bbs ANSI BBS vt 100 VT100 vt ...

Page 433: ...command history buffer The default history buffer size is fixed at 10 Execution commands and 10 Configuration commands Example Related Commands show history 4 13 This command terminates an SSH Telnet or console connection Syntax disconnect session id session id The session identifier for an SSH Telnet or console connection Range 0 4 Command Mode Privileged Exec Command Usage Specifying session ide...

Page 434: ...l Exec Privileged Exec Example To show all lines enter this command Console disconnect 1 Console Console show line Terminal Configuration for this session Length 24 Width 80 History size 10 Escape character ASCII number 27 Terminal type VT100 Console Configuration Password Threshold 3 times Interactive Timeout 65535 sec Login Timeout Disabled Silent Time Disabled Baudrate 9600 Databits 8 Parity No...

Page 435: ...pecified syslog servers Example Related Commands logging history 4 58 logging trap 4 60 clear log 4 60 Table 4 14 Event Logging Commands Command Function Mode Page logging on Controls logging of error messages GC 4 57 logging history Limits syslog messages saved to switch memory based on severity GC 4 58 logging host Adds a syslog server host IP address that will receive logging messages GC 4 59 l...

Page 436: ...obal Configuration Command Usage The message level specified for flash memory must be a higher priority i e numerically lower than that specified for RAM Example Table 4 15 Logging Levels Level Severity Name Description 7 debugging Debugging messages 6 informational Informational messages only 5 notifications Normal but significant condition such as cold start 4 warnings Warning conditions e g ret...

Page 437: ...pe for remote logging of syslog messages Use the no form to return the type to the default Syntax no logging facility type type A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service Range 16 23 Default Setting 23 Command Mode Global Configuration Command Usage The command specifies the facility type tag sent in syslog messages See RFC 316...

Page 438: ...etting Enabled Level 7 0 Command Mode Global Configuration Command Usage Using this command with a specified level enables remote logging and sets the minimum severity level to be saved Using this command without a specified level also enables remote logging but restores the minimum severity level to the default Example This command clears messages from the log buffer Syntax clear log flash ram fl...

Page 439: ...le The following example shows that system logging is enabled the message level for flash memory is errors i e default level 3 0 the message level for RAM is informational i e default level 7 0 Related Commands show logging sendmail 4 65 Console show logging flash Syslog logging Enabled History logging in FLASH level errors Console show logging ram Syslog logging Enabled History logging in RAM lev...

Page 440: ...the time stamp message level page 4 58 program module function and event number Example The following example shows sample messages stored in RAM Console show log ram 5 00 01 06 2001 01 01 STA root change notification level 6 module 6 function 1 and event no 1 4 00 01 00 2001 01 01 STA root change notification level 6 module 6 function 1 and event no 1 3 00 00 54 2001 01 01 STA root change notific...

Page 441: ...tion the switch first selects the server that successfully sent mail during the last connection or the first server configured by this command If it fails to send mail the switch selects the next server in the list and tries to send mail again If it still fails the system will repeat the process at a periodic interval A trap will be triggered if the switch cannot successfully open a connection Exa...

Page 442: ... 0 Example This example will send email alerts for system errors from level 4 through 0 This command sets the email address used for the From field in alert messages Use the no form to delete the source email address Syntax no logging sendmail source email email address email address The source email address used in alert messages Range 0 41 characters Default Setting None Command Mode Global Conf...

Page 443: ...e You can specify up to five recipients for alert messages However you must enter a separate command to specify each recipient Example This command enables SMTP event handling Use the no form to disable this function Syntax no logging sendmail Default Setting Enabled Command Mode Global Configuration Example This command displays the settings for the SMTP event handler Command Mode Normal Exec Pri...

Page 444: ...e 4 66 4 Example Console show logging sendmail SMTP servers 1 192 168 1 200 SMTP Minimum Severity Level 4 SMTP destination email addresses 1 geoff acme com SMTP Source Email Address john acme com SMTP status Enabled Console ...

Page 445: ...tp server Specifies NTP servers to poll for time updates GC 4 71 ntp poll Sets the interval at which the NTP client polls for time GC 4 72 ntp authenticate Enables authentication for NTP traffic GC 4 72 ntp authentication key Configures authentication keys GC 4 73 show ntp Shows current NTP configuration settings NE PE 4 74 Manual Configuration Commands clock timezone predefined Sets the time zone...

Page 446: ...the time starting from the factory default set at the last bootup i e 00 00 00 Jan 1 2001 This command enables client time requests to time servers specified via the sntp servers command It issues time synchronization requests based on the interval set via the sntp poll command Example Related Commands sntp server 4 69 sntp poll 4 69 show sntp 4 70 Console config sntp server 10 1 0 19 Console conf...

Page 447: ...updates when set to SNTP client mode The client will poll the time servers in the order specified until a response is received It issues time synchronization requests based on the interval set via the sntp poll command Example Related Commands sntp client 4 68 sntp poll 4 69 show sntp 4 70 This command sets the interval between sending time requests when the switch is set to SNTP client mode Use t...

Page 448: ...th the ntp servers command Use the no form to disable NTP client requests Syntax no ntp client Default Setting Disabled Command Mode Global Configuration Command Usage The SNTP and NTP clients cannot be enabled at the same time First disable the SNTP client before using this command The time acquired from time servers is used to record accurate dates and times for log events Without NTP the switch...

Page 449: ...to use in communications with the server Range 1 65535 Default Setting Version number 3 Command Mode Global Configuration Command Usage This command specifies time servers that the switch will poll for time updates when set to NTP client mode It issues time synchronization requests based on the interval set with the ntp poll command The client will poll all the time servers configured the response...

Page 450: ...ds Default Setting 16 seconds Command Mode Global Configuration Example Related Commands ntp client 4 70 This command enables authentication for NTP client server communications Use the no form to disable authentication Syntax no ntp authenticate Default Setting Disabled Command Mode Global Configuration Console config ntp server 192 168 3 20 Console config ntp server 192 168 3 21 Console config n...

Page 451: ...ation key number number The NTP authentication key ID number Range 1 65535 md5 Specifies that authentication is provided by using the message digest algorithm 5 key An MD5 authentication key string The key string can be up to 32 case sensitive printable ASCII characters no spaces Default Setting None Command Mode Global Configuration Command Usage The key number specifies a key value in the NTP au...

Page 452: ...e config Console show ntp Current Time Jan 1 02 02 11 2001 Polling 1024 seconds Current Mode unicast NTP Status Disabled NTP Authenticate Status Disabled Last Update NTP Server 0 0 0 0 Port 0 Last Update Time Dec 31 00 00 00 2000 UTC NTP Server 192 168 3 20 version 3 NTP Server 192 168 3 21 version 3 NTP Server 192 168 3 22 version 2 NTP Server 192 168 4 50 version 3 key 30 NTP Server 192 168 5 35...

Page 453: ...cal time zone relative to the Coordinated Universal Time UTC formerly Greenwich Mean Time or GMT based on the earth s prime meridian zero degrees longitude To display a time corresponding to your local time you must indicate the number of hours and minutes your time zone is east before or west after of UTC Example Related Commands show sntp 4 70 clock timezone This command sets the time zone for t...

Page 454: ...hour e minute offset no clock summer time name Name of the time zone while summer time is in effect usually an acronym Range 1 30 characters b month The month when summer time will begin Options january february march april may june july august september october november december b day The day summer time will begin Options sunday monday tuesday wednesday thursday friday saturday b year The year s...

Page 455: ...gured time zone To specify a time corresponding to your local time when summer time is in effect you must indicate the number of minutes your summer time time zone deviates from your regular time zone Example Related Commands show sntp 4 70 clock summer time predefined This command configures the summer time daylight savings time status and settings for the switch using predefined configurations f...

Page 456: ...witch on a recurring basis Use the no form to disable summer time Syntax clock summer time name recurring b week b day b month b hour b minute e week e day e month e hour e minute offset no clock summer time name Name of the timezone while summer time is in effect usually an acronym Range 1 30 characters b week The week of the month when summer time will begin Range 1 5 b day The day of the week w...

Page 457: ...r time zone in minutes Range 0 99 minutes Default Setting Disabled Command Mode Global Configuration Command Usage In some countries or regions clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less This is known as Summer Time or Daylight Savings Time DST Typically clocks are adjusted forward one hour at the start of spring and then adjusted bac...

Page 458: ... format Range 0 23 min Minute Range 0 59 sec Second Range 0 59 day Day of month Range 1 31 month january february march april may june july august september october november december year Year 4 digit Range 2001 2100 Default Setting None Command Mode Privileged Exec Example This command displays the system clock Default Setting None Command Mode Normal Exec Privileged Exec Example Console calendar...

Page 459: ... by the administrator through the management station Note Cluster Member switches can be managed either through a Telnet connection to the Commander or through a web management connection to the Commander When using a console connection from the Commander CLI prompt use the rcommand see page 4 84 to connect to the Member switch This command enables clustering on the switch Use the no form to disab...

Page 460: ...itch clusters are maintained across power resets and network changes Example This command enables the switch as a cluster Commander Use the no form to disable the switch as cluster Commander Syntax no cluster commander Default Setting Disabled Command Mode Global Configuration Command Usage Once a switch has been configured to be a cluster Commander it automatically discovers other cluster enabled...

Page 461: ... 1 and 36 Set a Cluster IP Pool that does not conflict with addresses in the network IP subnet Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander You cannot change the cluster IP pool when the switch is currently in Commander mode Commander mode must first be disabled Example This command configures a Cand...

Page 462: ... Commander switch Managing cluster Members using the local console CLI on the Commander is not supported There is no need to enter the username and password for access to the Member switch CLI Example This command shows the switch clustering configuration Command Mode Privileged Exec Example Console config cluster member mac address 00 12 34 56 78 9a id 5 Console config Vty 0 rcommand id 1 CLI ses...

Page 463: ... compliant device When discovered by a host device basic information about this switch can be displayed and the web management interface accessed Console show cluster members Cluster Members ID 1 Role Active member IP Address 10 254 254 2 MAC Address 00 12 cf 23 49 c0 Description 24 48 L2 L4 IPV4 IPV6 GE Switch Console Console show cluster candidates Cluster Candidates Role Mac Description ACTIVE ...

Page 464: ...nabled on the device Related Commands upnp device ttl 4 86 upnp device advertise duration 4 87 This command sets the time to live TTL value for sending of UPnP messages from the device Syntax upnp device ttl value value The number of router hops a UPnP packet can travel before it is discarded Range 1 255 Default Setting 4 Command Mode Global Configuration Command Usage UPnP devices and control poi...

Page 465: ...Default Setting 100 seconds Command Mode Global Configuration Example In the following example the device advertise duration is set to 200 seconds Related Commands upnp device ttl 4 86 This command displays the UPnP management status and time out settings Command Mode Privileged Exec Example Console config upnp device ttl 6 Console config Console config upnp device advertise duration 200 Console c...

Page 466: ...P Commands snmp server Enables the SNMP agent GC 4 89 show snmp Displays the status of SNMP communications NE PE 4 90 snmp server community Sets up the community access string to permit access to SNMP commands GC 4 91 snmp server contact Sets the system contact string GC 4 91 snmp server location Sets the system location string GC 4 92 SNMP Target Host Commands snmp server host Specifies the recip...

Page 467: ...multicast traffic falls beneath the lower threshold after a storm control response has been triggered IC Port 4 244 snmp server enable port traps atc broadcast control apply Sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires IC Port 4 244 snmp server enable port traps atc multicast control apply Sends a trap when multicast traffi...

Page 468: ...ple Console show snmp SNMP Agent enabled SNMP traps Authentication enable Link up down enable SNMP communities 1 private and the privilege is read write 2 public and the privilege is read only 0 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors 0 Number of requested variables 0 Number of altered variables 0 Get r...

Page 469: ...ions are able to both retrieve and modify MIB objects Default Setting public Read only access Authorized management stations are only able to retrieve MIB objects private Read write access Authorized management stations are able to both retrieve and modify MIB objects Command Mode Global Configuration Example This command sets the system contact string Use the no form to remove the system contact ...

Page 470: ...form to remove the location string Syntax snmp server location text no snmp server location text String that describes the system location Maximum length 255 characters Default Setting None Command Mode Global Configuration Example Related Commands snmp server contact 4 91 Console config snmp server location WC 19 Console config ...

Page 471: ... like community string sent with the notification operation to SNMP V1 and V2c hosts Although you can set this string using the snmp server host command by itself we recommend that you define this string using the snmp server community command prior to using the snmp server host command Maximum length 32 characters version Specifies whether to send notifications as SNMP Version 1 2c or 3 traps Ran...

Page 472: ...rget host that will receive inform messages with the snmp server host command as described in this section 4 Create a view with the required notification messages page 4 97 5 Create a group that includes the required notify view page 4 99 To send an inform to a SNMPv3 host complete these steps 1 Enable the SNMP agent page 4 89 2 Allow the switch to send SNMP traps i e notifications page 4 95 3 Spe...

Page 473: ...ast one snmp server enable traps command If you enter the command with no keywords both authentication and link up down notifications are enabled If you enter the command with a keyword only the notification type related to that keyword is enabled The snmp server enable traps command is used in conjunction with the snmp server host command Use the snmp server host command to specify which host or ...

Page 474: ...ting and encrypting SNMPv3 packets A remote engine ID is required when using SNMPv3 informs See snmp server host on page 4 93 The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host SNMP passwords are localized using the engine ID of the authoritative agent For informs the authoritative SNMP agent is the remote agent Y...

Page 475: ... OID string Refer to the examples included Defines an included view excluded Defines an excluded view Default Setting defaultview includes access to the entire MIB tree Command Mode Global Configuration Console show snmp engine id Local SNMP engineID 8000002a8000000000e8666672 Local SNMP engineBoots 1 Remote SNMP engineID IP address 80000000030004e2b316c54321 192 168 1 19 Console Table 4 22 show s...

Page 476: ...eged Exec Example Console config snmp server view mib 2 1 3 6 1 2 1 included Console config Console config snmp server view ifEntry 2 1 3 6 1 2 1 2 2 1 2 included Console config Console config snmp server view ifEntry a 1 3 6 1 2 1 2 2 1 1 included Console config Console show snmp view View Name mib 2 Subtree OID 1 2 2 3 6 2 1 View Type included Storage Type permanent Row Status active View Name d...

Page 477: ...write access 1 64 characters notifyview Defines the view for notifications 1 64 characters Default Setting Default groups public22 read only private23 read write readview Every object belonging to the Internet OID space 1 3 6 1 writeview Nothing is defined notifyview Nothing is defined Command Mode Global Configuration Command Usage A group sets the access policy for the assigned users When authen...

Page 478: ...us active Group Name public Security Model v1 Read View defaultview Write View none Notify View none Storage Type volatile Row Status active Group Name public Security Model v2c Read View defaultview Write View none Notify View none Storage Type volatile Row Status active Group Name private Security Model v1 Read View defaultview Write View defaultview Notify View none Storage Type volatile Row St...

Page 479: ... 2c or 3 encrypted Accepts the password as encrypted input auth Uses SNMPv3 with authentication md5 sha Uses MD5 or SHA authentication auth password Authentication password Enter as plain text if the encrypted option is not used Otherwise enter an encrypted password A minimum of eight characters is required priv des56 Uses SNMPv3 with privacy with DES56 encryption priv password Privacy password En...

Page 480: ...remote user will fail SNMP passwords are localized using the engine ID of the authoritative agent For informs the authoritative SNMP agent is the remote agent You therefore need to configure the remote agent s SNMP engine ID before you can send proxy requests or informs to it Example show snmp user This command shows information on SNMP users Command Mode Privileged Exec Example Console config snm...

Page 481: ...atus The row status of this entry SNMP remote user A user associated with an SNMP engine on a remote device Table 4 26 sFlow Commands Command Function Mode Page sflow Enables sFlow globally for the switch GC 4 104 sflow source Due to the switch s hardware design these commands can only be enabled for specific port groups 1 8 9 16 17 24 25 32 33 48 However sampling for each of the Gigabit combinati...

Page 482: ...Flow on the specified ports Syntax no sflow source Default Setting Disabled Command Mode Interface Configuration Ethernet Command Usage The 100BASE TX ports are organized into groups of 8 based on a restriction in the switch ASIC 1 8 9 16 17 24 25 32 33 48 Selecting any port in one of these groups effectively configures all of the group members as an sFlow source port However the four Gigabit port...

Page 483: ...nfigures the interval at which counters are added to the sample datagram Use the no form to restore the default polling interval Syntax sflow polling interval seconds no sflow polling interval seconds The interval at which the sFlow process adds counter values to the sample datagram Range 0 10000000 seconds where 0 disables this feature Default Setting Disabled Command Mode Interface Configuration...

Page 484: ... port parameters Use the no form to restore the default time out Syntax sflow timeout seconds no sflow timeout seconds The length of time the sFlow process continuously sends samples to the Collector before resetting all sFlow port parameters Range 0 10000000 seconds where 0 indicates no time out Default Setting Disabled Command Mode Interface Configuration Ethernet Command Usage The sFlow paramet...

Page 485: ...t 6343 Command Mode Interface Configuration Ethernet Example This example configures the Collector s IP address and uses the default UDP port This command configures the maximum size of the sFlow datagram header Use the no form to restore the default setting Syntax sflow max header size max header size no max header size max header size The maximum size of the sFlow datagram header Range 64 256 by...

Page 486: ...es Default Setting 1400 bytes Command Mode Interface Configuration Ethernet Example This command shows the global and interface settings for the sFlow process Syntax show sflow interface interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 52 Command Mode Privileged Exec Console config interface ethernet 1 9 Console config if sflow max header size 256 Console ...

Page 487: ...on Commands Command Group Function Page User Accounts Configures the basic user names and passwords for management access 4 110 Authentication Sequence Defines logon authentication method and precedence 4 114 RADIUS Client Configures settings for authentication via a RADIUS server 4 116 TACACS Client Configures settings for authentication via a TACACS server 4 120 AAA Configures authentication aut...

Page 488: ...anager 15 Privileged Exec nopassword No password is required for this user to log in 0 7 0 means plain password 7 means encrypted password password password The authentication password for the user Maximum length 8 characters plain text 32 encrypted case sensitive Default Setting The default access level is Normal Exec The factory defaults for the user names and passwords are Table 4 28 User Acces...

Page 489: ...ser After initially logging onto the system you should set the Privileged Exec password Remember to record it in a safe place This command controls access to the Privileged Exec level from the Normal Exec level Use the no form to reset the default password Syntax enable password level level 0 7 password no enable password level level level level Level 15 for Privileged Exec Levels 0 14 are not use...

Page 490: ...ommands under the specified command level level Specifies the privilege level for the specified command This device has three predefined privilege levels 0 Normal Exec 8 Manager 15 Privileged Exec Range 0 15 command Specifies any command contained within the specified mode Default Setting Privilege level 0 provides access to a limited number of the commands which display the current status of the ...

Page 491: ...must therefore be used to correctly update these commands to the running config file Example This command shows the privilege level for the current user or the privilege level for commands modified by the privilege command see page 4 112 Syntax show privilege command command Displays the privilege level for all commands modified by the privilege command Command Mode Privileged Exec Example This ex...

Page 492: ...cess request packet from the client to the server while TACACS encrypts the entire body of the packet RADIUS and TACACS logon authentication assigns a specific privilege level for each user name and password pair The user name password and privilege level must be configured on the authentication server You can specify three authentication methods in a single command to indicate the authentication ...

Page 493: ...e password in the access request packet from the client to the server while TACACS encrypts the entire body of the packet RADIUS and TACACS logon authentication assigns a specific privilege level for each user name and password pair The user name password and privilege level must be configured on the authentication server You can specify three authentication methods in a single command to indicate...

Page 494: ...r auth_port RADIUS server UDP port used for authentication messages Range 1 65535 acct_port RADIUS server UDP port used for accounting messages Range 1 65535 timeout Number of seconds the switch waits for a reply before resending a request Range 1 65535 retransmit Number of times the switch will try to authenticate logon access via the RADIUS server Range 1 30 key Encryption key used to authentica...

Page 495: ... Configuration Example This command sets the RADIUS server network port for authentication messages Use the no form to restore the default Syntax radius server auth port port_number no radius server auth port port_number RADIUS server UDP port used for authentication messages Range 1 65535 Default Setting 1812 Command Mode Global Configuration Example Console config radius server 1 host 192 168 1 ...

Page 496: ...s Default Setting None Command Mode Global Configuration Example This command sets the number of retries Use the no form to restore the default Syntax radius server retransmit number_of_retries no radius server retransmit number_of_retries Number of times the switch will try to authenticate logon access via the RADIUS server Range 1 30 Default Setting 2 Command Mode Global Configuration Example Co...

Page 497: ...Use the no form to restore the default Syntax radius server timeout number_of_seconds no radius server timeout number_of_seconds Number of seconds the switch waits for a reply before resending a request Range 1 65535 Default Setting 5 Command Mode Global Configuration Example Console config radius server timeout 10 Console config ...

Page 498: ...figuration Global Settings Authentication Port 1812 Accounting Port 1813 Retransmit Times 2 Request Timeout 5 seconds Attributes NAS IP Address 4 192 168 1 1 Server 1 Server IP Address 10 1 2 3 Authentication Port 1812 Accounting Port 1813 Retransmit Times 2 Request Timeout 5 seconds Radius server group Group Name Member Index radius 1 Console Table 4 32 TACACS Commands Command Function Mode Page ...

Page 499: ... 540 seconds retransmit Number of times the switch will resend an authentication request to the TACACS server Range 1 30 key Encryption key used to authenticate logon access for client Do not use blank spaces in the string Maximum length 20 characters Default Setting port 49 timeout 5 seconds retransmit 2 Command Mode Global Configuration Example tacacs server port This command specifies the TACAC...

Page 500: ...ommand Mode Global Configuration Example tacacs server retransmit This command sets the number of retries Use the no form to restore the default Syntax tacacs server retransmit number_of_retries no tacacs server retransmit number_of_retries Number of times the switch will try to authenticate logon access via the TACACS server Range 1 30 Default Setting 2 Command Mode Global Configuration Example C...

Page 501: ...mand Mode Global Configuration Example show tacacs server This command displays the current settings for the TACACS server Default Setting None Command Mode Privileged Exec Example Console config tacacs server timeout 10 Console config Console show tacacs server Remote TACACS server configuration Global Settings Communication Key with TACACS Server Server Port Number 49 Retransmit Times 2 Request ...

Page 502: ...ver Groups security servers in to defined lists GC 4 124 server Configures the IP address of a server in a group list SG 4 125 aaa accounting dot1x Enables accounting of 802 1X services GC 4 126 aaa accounting exec Enables accounting of Exec services GC 4 127 aaa accounting commands Enables accounting of Exec mode commands GC 4 128 aaa accounting update Enables periodoc updates to be sent to the a...

Page 503: ...tting None Command Mode Server Group Configuration Command Usage When specifying the index for a RADIUS server that server index must already be defined by the radius server host command see page 4 116 When specifying the index for a TACACS server that server index must already be defined by the tacacs server host command see page 4 121 Example Console config aaa group server radius tps Console co...

Page 504: ... use radius Specifies all RADIUS hosts configure with the radius server host command described on page 4 116 tacacs Specifies all TACACS hosts configure with the tacacs server host command described on page 4 121 server group Specifies the name of a server group configured with the aaa group server command described on 4 124 Range 1 255 characters Default Setting Accounting is not enabled No serve...

Page 505: ...h the radius server host command described on page 4 116 tacacs Specifies all TACACS hosts configure with the tacacs server host command described on page 4 121 server group Specifies the name of a server group configured with the aaa group server command described on 4 124 Range 1 255 characters Default Setting Accounting is not enabled No servers are specified Command Mode Global Configuration C...

Page 506: ... point group Specifies the server group to use tacacs Specifies all TACACS hosts configure with the tacacs server host command described on page 4 121 server group Specifies the name of a server group configured with the aaa group server command described on 4 124 Range 1 255 characters Default Setting Accounting is not enabled No servers are specified Command Mode Global Configuration Command Usa...

Page 507: ...accounting records for all users on the system Using the command without specifying an interim interval enables updates but does not change the current interval setting Example accounting dot1x This command applies an accounting method for 802 1X service requests on an interface Use the no form to disable accounting on the interface Syntax accounting dot1x default list name no accounting dot1x def...

Page 508: ...n accounting method to entered CLI commands Use the no form to disable accounting for entered CLI commands Syntax accounting commands level default list name no accounting commands level level The privilege level for executing commands Range 0 15 default Specifies the default method list created with the aaa accounting commands command page 4 128 list name Specifies a method list created with the ...

Page 509: ... 4 121 server group Specifies the name of a server group configured with the aaa group server command described on 4 124 Range 1 255 characters Default Setting Authorization is not enabled No servers are specified Command Mode Global Configuration Command Usage This command performs authorization to determine if a user is allowed to run an Exec shell AAA authentication must be enabled before autho...

Page 510: ...settings per function and per port Syntax show accounting commands level dot1x statistics username user name interface interface exec statistics statistics commands Displays command accounting information level Displays command accounting information for a specifiable command level dot1x Displays dot1x accounting information exec Displays Exec accounting records statistics Displays accounting reco...

Page 511: ...lt Setting 80 Command Mode Global Configuration Console show accounting Accounting type dot1x Method list default Group list radius Interface Method list tps Group list radius Interface eth 1 2 Accounting type Exec Method list default Group list radius Interface vty Console Table 4 34 Web Server Commands Command Function Mode Page ip http port Specifies the port to be used by the web browser inter...

Page 512: ...HTTPS over the Secure Socket Layer SSL providing secure access i e an encrypted connection to the switch s web interface Use the no form to disable this function Syntax no ip http secure server Default Setting Enabled Command Mode Global Configuration Command Usage Both HTTP and HTTPS service can be enabled independently on the switch However you cannot configure the HTTP and HTTPS servers to use ...

Page 513: ...t Secure site Certificate on page 3 89 Also refer to the copy command on page 4 37 Example Related Commands ip http secure port 4 135 copy tftp https certificate 4 37 ip http secure port This command specifies the UDP port number used for HTTPS connection to the switch s web interface Use the no form to restore the default port Syntax ip http secure port port_number no ip http secure port port_num...

Page 514: ...by the Telnet interface Use the no form without the port keyword to disable this function Use the no from with the port keyword to use the default port Syntax ip telnet server port port number no telnet server port port The TCP port used by the Telnet interface port number The TCP port number to be used by the browser interface Range 1 65535 Default Setting Server Enabled Server Port 23 Command Mo...

Page 515: ...d to create a host public private key pair 2 Provide Host Public Key to Clients Many SSH client programs automatically import the host public key during the initial connection setup with the switch Table 4 37 SSH Commands Command Function Mode Page ip ssh server Enables the SSH server on the switch GC 4 139 ip ssh timeout Specifies the authentication timeout for the SSH server GC 4 140 ip ssh auth...

Page 516: ...1781943722884025331159521348610229029789827213532671 31629432532818915045306393916643 steve 192 168 1 19 4 Set the Optional Parameters Set other optional parameters including the authentication timeout the number of retries and the server key size 5 Enable SSH Service Use the ip ssh server command to enable the SSH server on the switch 6 Authentication One of the following authentication methods i...

Page 517: ...ther the supplied key is acceptable for authentication and if so it then checks whether the signature is correct If both checks succeed the client is authenticated Note The SSH server supports up to four client sessions The maximum number of client sessions includes both current Telnet sessions and SSH sessions ip ssh server This command enables the Secure Shell SSH server on this switch Use the n...

Page 518: ... wait for a response from the client during the SSH negotiation phase Once an SSH session has been established the timeout for user input is controlled by the exec timeout command for vty sessions Example Related Commands exec timeout 4 48 show ip ssh 4 143 ip ssh authentication retries This command configures the number of times the SSH server attempts to reauthenticate a user Use the no form to ...

Page 519: ...Configuration Command Usage The server key is a private key that is never shared outside the switch The host key is shared with the SSH client and is fixed at 1024 bits Example delete public key This command deletes the specified user s public key Syntax delete public key username dsa rsa username Name of an SSH user Range 1 8 characters dsa DSA public key type rsa RSA public key type Default Sett...

Page 520: ... key command to save the host key pair to flash memory Some SSH client programs automatically add the public key to the known hosts file as part of the configuration process Otherwise you must manually create a known hosts file and place the host public key in it The SSH server uses this host key to negotiate a session key and encryption method with the client trying to connect to it Example Relat...

Page 521: ...y generate 4 142 ip ssh save host key 4 143 no ip ssh server 4 139 ip ssh save host key This command saves host key from RAM to flash memory Syntax ip ssh save host key dsa rsa dsa DSA key type rsa RSA key type Default Setting Saves both the DSA and RSA key Command Mode Privileged Exec Example Related Commands ip ssh crypto host key generate 4 142 show ip ssh This command displays the connection s...

Page 522: ...hentication Started Session Started Username The user name of the client Encryption The encryption method is automatically negotiated between the client and server Options for SSHv1 5 include DES 3DES Options for SSHv2 0 can include different algorithms for the client to server ctos and server to client stoc aes128 cbc hmac sha1 aes192 cbc hmac sha1 aes256 cbc hmac sha1 3des cbc hmac sha1 blowfish...

Page 523: ...ing is the encoded modulus Example Console show public key host Host RSA 1024 35 1568499540186766925933394677505461732531367489083654725415020245593199868 5443583616519999233297817660658309586108259132128902337654680172627257141 3428762941301196195566782595664104869574278881462065194174677298486546861 5717739390164779355942303577413098022737087794545240839717526463580581767 16709574804776117 DSA s...

Page 524: ... identity packet to the client before it times out the authentication session IC 4 147 dot1x port control Sets dot1x mode for a port interface IC 4 147 dot1x operation mode Allows single or multiple hosts on an dot1x port IC 4 148 dot1x re authenticate Forces re authentication on specific ports PE 4 149 dot1x re authentication Enables re authentication for all ports IC 4 149 dot1x timeout quiet pe...

Page 525: ...and Mode Interface Configuration Example dot1x port control This command sets the dot1x mode on a port interface Use the no form to restore the default Syntax dot1x port control auto force authorized force unauthorized no dot1x port control auto Requires a dot1x aware connected client to be authorized by the RADIUS server Clients that are not dot1x aware will be denied access force authorized Conf...

Page 526: ...Keyword for the maximum number of hosts count The maximum number of hosts that can connect to a port Range 1 1024 Default 5 Default Single host Command Mode Interface Configuration Command Usage The max count parameter specified by this command is only effective if the dot1x mode is set to auto by the dot1x port control command page 4 147 In multi host mode only one host connected to a port needs ...

Page 527: ...N see dot1x intrusion action on page 4 152 Example dot1x re authentication This command enables periodic re authentication globally for all ports Use the no form to disable re authentication Syntax no dot1x re authentication Command Mode Interface Configuration Command Usage The re authentication process verifies the connected client s user ID and password on the RADIUS server During re authentica...

Page 528: ...535 Default 60 seconds Command Mode Interface Configuration Example dot1x timeout re authperiod This command sets the time period after which a connected client must be re authenticated Use the no form of this command to reset the default Syntax dot1x timeout re authperiod seconds no dot1x timeout re authperiod seconds The number of seconds Range 1 65535 Default 3600 seconds Command Mode Interface...

Page 529: ...ration Example dot1x timeout supp timeout This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re transmitting an EAP packet Use the no form to reset to the default value Syntax dot1x timeout supp timeout seconds no dot1x timeout supp timeout seconds The number of seconds Range 1 65535 Default 30 seconds Command Mode Interface Confi...

Page 530: ...sion action This command sets the port s response to a failed authentication either to block all traffic or to assign all traffic for the port to a guest VLAN Use the no form to reset the default Syntax dot1x intrusion action block traffic guest vlan no dot1x intrusion action Default block traffic Command Mode Interface Configuration Command Usage For guest VLAN assignment to be successful the VLA...

Page 531: ...mode page 4 147 Authorized Authorization status yes or n a not authorized 802 1X Port Details Displays the port access control parameters for each interface including the following items reauth enabled Periodic re authentication page 4 149 reauth period Time after which a connected client must be re authenticated page 4 150 quiet period Time a port waits after Max Request Count is exceeded before ...

Page 532: ...AN if authentication fails Authenticator State Machine State Current state including initialize disconnected connecting authenticating authenticated aborting held force_authorized force_unauthorized Reauth Count Number of times connecting state is re entered Backend State Machine State Current state including request response success fail timeout idle initialize Request Count Number of EAP Request...

Page 533: ...02 1X is disabled on port 1 1 802 1X is enabled on port 1 2 reauth enabled Enable reauth period 1800 quiet period 30 tx period 40 supplicant timeout 30 server timeout 10 reauth max 2 max req 5 Status Authorized Operation mode Single Host Max count 5 Port control Auto Supplicant 00 12 cf 49 5e dc Current Identifier 3 Intrusion action Guest VLAN Authenticator State Machine State Authenticated Reauth...

Page 534: ...gement interface on the switch from an invalid address the switch will reject the connection enter an event message in the system log and send a trap message to the trap manager IP address can be configured for SNMP web and Telnet access respectively Each of these groups can include up to five different sets of addresses either individual addresses or address ranges When entering addresses for the...

Page 535: ...nmp client Adds IP address es to the SNMP group telnet client Adds IP address es to the Telnet group Command Mode Privileged Exec Example Console config management all client 192 168 1 19 Console config management all client 192 168 1 25 192 168 1 30 Console config Console show management all client Management IP Filter HTTP Client Start IP address End IP address 1 192 168 1 19 192 168 1 19 2 192 ...

Page 536: ...322 Port Security The priority of execution for these filtering commands is Port Security Port Authentication Network Access Web Authentication Access Control Lists DHCP Snooping and then IP Source Guard Configures secure addresses for a port 4 159 Port Authentication Configures host authentication on specific ports using 802 1X 4 146 Network Access Configures MAC authentication and dynamic VLAN a...

Page 537: ...e the no form without any keywords to disable port security Use the no form with the appropriate keyword to restore the default settings for a response to a security violation or for the maximum number of allowed addresses Syntax port security action shutdown trap trap and shutdown max mac count address count no port security action max mac count action Response to take when port security is viola...

Page 538: ... number of addresses allowed on a port You can also manually add secure addresses with the mac address table static command A secure port has the following restrictions Cannot be connected to a network interconnection device Cannot be a trunk port If a port is disabled due to a security violation it must be manually re enabled using the no shutdown command Example The following example enables por...

Page 539: ...C 4 165 mac authentication max mac count Sets a maximum number for mac authentication authenticated MAC addresses on an interface IC 4 166 mac authentication intrusion action Determines the port response when a connected host fails MAC authentication IC 4 166 network access dynamic vlan Enables dynamic VLAN assignment from a RADIUS server IC 4 167 network access guest vlan Specifies the guest VLAN...

Page 540: ...me command page 4 272 The maximum number of secure MAC addresses supported for the switch system is 1024 Example Use this command to add a MAC address into a filter table Use the no form of this command to remove the specified MAC address Syntax no network access mac filter filter id mac address mac address mask mask address filter id Specifies a MAC address filter table Range 1 64 mac address Spe...

Page 541: ...rk access port mac filter filter id no network access port mac filter filter id Specifies a MAC address filter table Range 1 64 Default Setting None Command Mode Interface Configuration Command Mode Only one filter table can be assigned to a port Example Use this command to set the maximum number of MAC addresses that can be authenticated on a port interface via all forms of authentication Use the...

Page 542: ...to a configured RADIUS server The username and password are both equal to the MAC address being authenticated On the RADIUS server PAP username and passwords must be configured in the MAC address format XX XX XX XX XX XX all in upper case Authenticated MAC addresses are stored as dynamic entries in the switch s secure MAC address table and are removed when the aging time expires The maximum number...

Page 543: ...he time period after which a connected MAC address must be re authenticated Use the no form of this command to restore the default value Syntax mac authentication reauth time seconds no mac authentication reauth time seconds The reauthentication time period Range 120 1000000 seconds Default Setting 1800 Command Mode Global Configuration Command Usage The reauthentication time is a global setting a...

Page 544: ...set the maximum number of MAC addresses that can be authenticated on a port via 802 1X authentication or MAC authentication Use the no form of this command to restore the default Syntax mac authentication max mac count count no mac authentication max mac count count The maximum number of 802 1X and MAC authenticated MAC addresses allowed Range 1 1024 Default Setting 1024 Command Mode Interface Con...

Page 545: ...tion or they are treated as authentication failures If dynamic VLAN assignment is enabled on a port and the RADIUS server returns no VLAN configuration the authentication is still treated as a success When the dynamic VLAN assignment status is changed on a port all authenticated addresses are cleared from the secure MAC address table Example The following example enables dynamic VLAN assignment on...

Page 546: ... can be configured on the RADIUS server to pass the following QoS information When the last user logs off of a port with a dynamic QoS assignment the switch restores the original QoS configuration for the port When a user attempts to log into the network with a returned dynamic QoS profile that is different from users already logged on to the same port the user is denied access While a port has an...

Page 547: ...ode Interface Configuration Example Use this command to detect link down events When detected the switch can shut down the port send an SNMP trap or both Use the no form of this command to disable this feature Syntax network access link detection link down action shutdown trap trap and shutdown no network access link detection Default Setting Disabled Command Mode Interface Configuration Console c...

Page 548: ...the switch can shut down the port send an SNMP trap or both Use the no form of this command to disable this feature Syntax network access link detection link up down action shutdown trap trap and shutdown no network access link detection Default Setting Disabled Command Mode Interface Configuration Example Console config interface ethernet 1 1 Console config if network access link detection link d...

Page 549: ...erface Specifies a port interface ethernet unit port unit This is unit 1 port Port number Range 1 28 52 Default Setting None Command Mode Privileged Exec Example Use this command to display the MAC authentication settings for port interfaces Syntax show network access interface interface interface Specifies a port interface ethernet unit port unit This is unit 1 port Port number Range 1 28 52 Defa...

Page 550: ...sort Sorts displayed entries by either MAC address or interface Default Setting Displays all entries Command Mode Privileged Exec Command Usage When using a bit mask to filter displayed MAC addresses a 1 means care and a 0 means don t care For example a MAC of 00 00 01 02 03 04 and mask FF FF FF 00 00 00 would result in all MACs in the range 00 00 01 00 00 00 to 00 00 01 FF FF FF to be displayed A...

Page 551: ...Mode Privileged Exec Example Console show network access mac address table Port MAC Address RADIUS Server Attribute Time 1 1 00 00 01 02 03 04 172 155 120 17 Static 00d06h32m50s 1 1 00 00 01 02 03 05 172 155 120 17 Dynamic 00d06h33m20s 1 1 00 00 01 02 03 06 172 155 120 17 Static 00d06h35m10s 1 3 00 00 01 02 03 07 172 155 120 17 Dynamic 00d06h34m20s Console Console sh network access mac filter Filt...

Page 552: ...pts until the quiet time expires Use the no form to restore the default Syntax web auth login attempts count no web auth login attempts count The limit of allowed failed login attempts Range 1 3 Table 4 45 Web Authentication Command Function Mode Page web auth login attempts Defines the limit for failed web authentication login attempts GC 4 174 web auth quiet period Defines the amount of time to ...

Page 553: ...e 1 180 seconds Default Setting 60 seconds Command Mode Global Configuration Example This command defines the amount of time a web authentication session remains valid When the session timeout has been reached the host is logged off and must re authenticate itself the next time data transmission takes place Use the no form to restore the default Syntax web auth session timeout timeout no web auth ...

Page 554: ...ust be enabled for the web authentication feature to be active Example This command enables web authentication for an interface Use the no form to restore the default Syntax no web auth Default Setting Disabled Command Mode Interface Configuration Command Usage Both web auth system auth control for the switch and web auth for a port must be enabled for the web authentication feature to be active E...

Page 555: ...mple IP This command ends the web authentication session associated with the designated IP address and forces the user to re authenticate Syntax web auth re authenticate interface interface ip interface Specifies a port interface ethernet unit port unit This is unit 1 port Port number Range 1 28 52 ip IPv4 formatted IP address Default Setting None Command Mode Privileged Exec Example Console web a...

Page 556: ...pecifies a port interface ethernet unit port unit This is unit 1 port Port number Range 1 28 52 Command Mode Privileged Exec Example Console show web auth Global Web Auth Parameters System Auth Control Enabled Session Timeout 3600 Quiet Period 60 Max Login Attempts 3 Console Console show web auth interface ethernet 1 2 Web Auth Status Enabled Host Summary IP address Web Auth State Remaining Sessio...

Page 557: ...lly GC 4 180 ip dhcp snooping vlan Enables DHCP snooping on the specified VLAN GC 4 181 ip dhcp snooping trust Configures the specified interface as trusted IC 4 182 ip dhcp snooping verify mac address Verifies the client s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header GC 4 183 ip dhcp snooping information option Enables or disables DHCP Option 82...

Page 558: ...P snooping is enabled the rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second Any DHCP packets in excess of this limit are dropped Filtering rules are implemented as follows If the global DHCP snooping is disabled all DHCP packets are forwarded If DHCP snooping is enabled globally and also enabled on the VLAN where the DHCP packet is received al...

Page 559: ...lient request to the DHCP server must be configured as trusted ip dhcp snooping trust page 4 182 Note that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server Also when the switch sends out DHCP client packets for itself no filtering takes place However when the switch receives any messages from a DHCP server any packets receiv...

Page 560: ... no ip dhcp snooping trust Default Setting All interfaces are untrusted Command Mode Interface Configuration Ethernet Port Channel Command Usage A trusted interface is an interface that is configured to receive only messages from within the network An untrusted interface is an interface that is configured to receive messages from outside the network or fire wall Set all ports connected to DHCP ser...

Page 561: ...ed in the DHCP packet against the source MAC address in the Ethernet header Use the no form to disable this function Syntax no ip dhcp snooping verify mac address Default Setting Enabled Command Mode Global Configuration Command Usage If MAC address verification is enabled and the source MAC address in the Ethernet header of the packet is not same as the client s hardware address in the DHCP packe...

Page 562: ... the requesting client or an intermediate relay agent that has used the information fields to describe itself can be identified in the DHCP request packets forwarded by the switch and in reply packets sent back from the DHCP server by the switch port to which they are connected rather than just their MAC address DHCP client server exchange messages are then forwarded directly between the server an...

Page 563: ...efault Setting replace Command Mode Global Configuration Command Usage When the switch receives DHCP packets from clients that already include DHCP Option 82 information the switch can be configured to set the action policy for these packets The switch can drop the DHCP packets keep the existing information or replace it with the switch s relay information Example This command writes all dynamical...

Page 564: ...ation settings Command Mode Privileged Exec Example This command shows the DHCP snooping binding table entries Command Mode Privileged Exec Example DHCP Snooping Information Option Status disable DHCP Snooping Information Policy replace Eth 1 5 Yes Console show ip dhcp snooping binding MacAddress IpAddress Lease sec Type VLAN Interface 11 22 33 44 55 66 192 168 0 99 0 Static 1 Eth 1 5 Console ...

Page 565: ...ode Interface Configuration Ethernet Command Usage Source guard is used to filter traffic on an insecure port which receives messages from outside the network or fire wall and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor Setting source guard mode to sip or sip mac enables this function on the selected port Use the sip option to check the V...

Page 566: ... snooping is disabled see page 4 180 IP source guard will check the VLAN ID source IP address port number and source MAC address for the sip mac option If a matching entry is found in the binding table and the entry type is static IP source guard binding the packet will be forwarded If the DHCP snooping is enabled IP source guard will check the VLAN ID source IP address port number and source MAC ...

Page 567: ...cated with a value of zero by the show ip source guard command page 4 190 When source guard is enabled traffic is filtered based upon dynamic entries learned via DHCP snooping or static addresses configured in the source guard binding table with this command Static bindings are processed as follows If there is no entry with same VLAN ID and MAC address a new entry is added to binding table using t...

Page 568: ...snooping static dhcp snooping Shows dynamic entries configured with DHCP Snooping commands see page 4 179 static Shows static entries configured with the ip source guard binding command see page 4 189 Command Mode Privileged Exec Example Console show ip source guard Interface Filter type Eth 1 1 DISABLED Eth 1 2 DISABLED Eth 1 3 DISABLED Eth 1 4 DISABLED Eth 1 5 SIP Eth 1 6 DISABLED Console show i...

Page 569: ...bally on the switch GC 4 191 ip arp inspection vlan Enables ARP Inspection for a specified VLAN or range of VLANs GC 4 192 ip arp inspection filter Specifies an ARP ACL to apply to one or more VLANs GC 4 193 ip arp inspection validate Specifies additional validation of address components in an ARP packet GC 4 194 ip arp inspection log buffer logs Sets the maximum number of entries saved in a log m...

Page 570: ...nd then re enabling global ARP Inspection will not affect the ARP Inspection configuration for any VLANs When ARP Inspection is disabled globally it is still possible to configure ARP Inspection for individual VLANs These configuration changes will only become active after ARP Inspection is globally enabled again Example This command enables ARP Inspection for a specified VLAN or range of VLANs Us...

Page 571: ...mand specifies an ARP ACL to apply to one or more VLANs Use the no form to remove an ACL binding Syntax ip arp inspection filter arp acl name vlan vlan id vlan range static arp acl name Name of an ARP ACL Maximum length 16 characters vlan id VLAN ID Range 1 4094 vlan range A consecutive range of VLANs indicated by the use a hyphen or a random group of VLANs with each entry separated by a comma sta...

Page 572: ... as invalid and are dropped ip Checks the ARP body for invalid and unexpected IP addresses Addresses include 0 0 0 0 255 255 255 255 and all IP multicast addresses Sender IP addresses are checked in all ARP requests and responses while target IP addresses are checked only in ARP responses src mac Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body Th...

Page 573: ...ARP Inspection and cannot be disabled When the switch drops a packet it places an entry in the log buffer Each entry contains flow information such as the receiving VLAN the port number the source and destination IP addresses and the source and destination MAC addresses If multiple identical invalid ARP packets are received consecutively on the same VLAN then the logging facility will only generat...

Page 574: ...mit for the ARP packets received on a port Use the no form to restore the default setting Syntax ip arp inspection limit rate pps none no ip arp inspection limit pps The maximum number of ARP packets that can be processed by the CPU per second Range 0 2048 where 0 means that no ARP packets can be forwarded none There is no limit on the number of ARP packets that can be processed by the CPU Default...

Page 575: ...number Range 1 28 52 Command Mode Privileged Exec Example Console config interface ethernet 1 1 Console config if ip arp inspection limit 150 Console config if Console show ip arp inspection configuration ARP inspection global information Global IP ARP Inspection status disabled Log Message Interval 10 s Log Message Number 1 Need Additional Validation s Yes Additional Validation Type Destination M...

Page 576: ...andom group of VLANs with each entry separated by a comma Command Mode Privileged Exec Example This command shows information about entries stored in the log including the associated VLAN port and address components Command Mode Privileged Exec Example Console show ip arp inspection vlan 1 VLAN ID DAI Status ACL Name ACL Status 1 disabled sales static Console Console show ip arp inspection log Tot...

Page 577: ... show ip arp inspection statistics ARP packets received before rate limit 150 ARP packets dropped due to rate limt 5 Total ARP packets processed by ARP Inspection 150 ARP packets dropped by additional validation source MAC address 0 ARP packets dropped by additional validation destination MAC address 0 ARP packets dropped by additional validation IP address 0 ARP packets dropped by ARP ACLs 0 ARP ...

Page 578: ... following features are not supported When the rule mode is changed the change must be saved in the startup configuration file and the switch rebooted for the new mode to take effect When using extended rule mode each rule used in an ACL occupies the space of two standard rules Table 4 50 IPv4 ACL Commands Command Function Mode Page access list rule mode Permits only extended rules or permits both...

Page 579: ... remove the specified ACL Syntax no access list ip standard extended acl_name standard Specifies an ACL that filters packets based on the source IP address extended Specifies an ACL that filters packets based on the source or destination IP address and other more specific criteria acl_name Name of the ACL Maximum length 16 characters no spaces Default Setting None Command Mode Global Configuration...

Page 580: ...Standard IPv4 ACL Command Usage New rules are appended to the end of the list Address bitmasks are similar to a subnet mask containing four integers from 0 to 255 each separated by a period The binary mask uses 1 bits to indicate match and 0 bits to indicate ignore The bitmask is bitwise ANDed with the specified source IP address and then compared with the address for each IP packet entering the p...

Page 581: ...port bitmask destination port dport port bitmask control flag control flags flag bitmask protocol number A specific protocol number Range 0 255 source Source IP address destination Destination IP address address bitmask Decimal number representing the address bits to match host Keyword followed by a specific IP address precedence IP precedence level Range 0 7 tos Type of Service level Range 0 15 d...

Page 582: ...he following bits may be specified 1 fin Finish 2 syn Synchronize 4 rst Reset 8 psh Push 16 ack Acknowledgement 32 urg Urgent pointer For example use the code value and mask below to catch packets with the following flags set SYN flag valid use control code 2 2 Both SYN and ACK valid use control code 18 18 SYN valid and ACK invalid use control code 2 18 Example This example accepts any incoming pa...

Page 583: ... Exec Example Related Commands permit deny 4 202 ip access group 4 205 This command binds a port to an IPv4 ACL Use the no form to remove the port Syntax no ip access group acl_name in acl_name Name of the ACL Maximum length 16 characters no spaces in Indicates that this list applies to ingress packets Default Setting None Command Mode Interface Configuration Ethernet Command Usage A port can only...

Page 584: ...r more ports Console config int eth 1 25 Console config if ip access group david in Console config if Console show ip access group Interface ethernet 1 25 IP access list david in Console Table 4 51 IPv6 ACL Commands Command Function Mode Page access list ipv6 Creates an IPv6 ACL and enters configuration mode for standard or extended IPv6 ACLs GC 4 207 permit deny Filters packets matching a specifi...

Page 585: ...ress and other more specific criteria acl_name Name of the ACL Maximum length 16 characters Default Setting None Command Mode Global Configuration Command Usage When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list To create an ACL you must add at least one rule to the list To remove a rule use the no per...

Page 586: ...dress to indicate the appropriate number of zeros required to fill the undefined fields prefix length A decimal value indicating how many contiguous bits from the left of the address comprise the prefix i e the network portion of the address host Keyword followed by a specific IP address Default Setting None Command Mode Standard IPv6 ACL Command Usage New rules are appended to the end of the list...

Page 587: ...3 flow label A label for packets belonging to a particular traffic flow for which the sender requests special handling by IPv6 routers such as non default quality of service or real time service see RFC 2460 Range 0 16777215 next header Identifies the type of header immediately following the IPv6 header Range 0 255 Default Setting None Command Mode Extended IPv6 ACL Command Usage All new rules are...

Page 588: ...1700 17 UDP Upper layer Header RFC 1700 43 Routing RFC 2460 44 Fragment RFC 2460 51 Authentication RFC 2402 50 Encapsulating Security Payload RFC 2406 60 Destination Options RFC 2460 Example This example accepts any incoming packets if the destination address is 2009 DB9 2229 79 48 This allows packets to any destination address when the DSCP value is 5 This allows any packets sent to the destinati...

Page 589: ...Indicates that this list applies to ingress packets Default Setting None Command Mode Interface Configuration Ethernet Command Usage A port can only be bound to one ACL If a port is already bound to an ACL and you bind it to a different ACL the switch will replace the old binding with the new one IPv6 ACLs can only be applied to ingress packets Example Related Commands show ipv6 access list 4 210 ...

Page 590: ...the ACL Maximum length 16 characters Default Setting None Command Mode Global Configuration Command Usage When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list To create an ACL you must add at least one rule to the list To remove a rule use the no permit or no deny command followed by the exact text of a ...

Page 591: ...e mac source mac mac address bitmask log no permit deny response ip any host source ip source ip ip address bitmask any host destination ip destination ip ip address bitmask mac any host source mac source mac mac address bitmask any host destination mac destination mac mac address bitmask log source ip Source IP address destination ip Destination IP address with bitmask ip address bitmask25 IPv4 n...

Page 592: ...This command displays the rules for configured ARP ACLs Syntax show arp access list acl_name acl_name Name of the ACL Maximum length 16 characters Command Mode Privileged Exec Example Related Commands permit deny 4 213 Console config arp acl permit response ip any 192 168 0 0 255 255 0 0 mac any any Console config mac acl Console show arp access list ARP access list factory permit response ip any ...

Page 593: ...ny command to add new rules to the bottom of the list To create an ACL you must add at least one rule to the list To remove a rule use the no permit or no deny command followed by the exact text of a previously configured rule An ACL can contain up to 32 rules Example Related Commands permit deny 4 216 mac access group 4 218 show mac access list 4 217 Table 4 53 MAC ACL Commands Command Function M...

Page 594: ...t destination destination address bitmask ethertype protocol protocol bitmask no permit deny tagged 802 3 any host source source address bitmask any host destination destination address bitmask cos cos cos bitmask vid vid vid bitmask no permit deny untagged 802 3 any host source source address bitmask any host destination destination address bitmask tagged eth2 Tagged Ethernet II packets untagged ...

Page 595: ... of Ethernet protocol types can be found in RFC 1060 A few of the more common types include the following 0800 IP 0806 ARP 8137 IPX Example This rule permits packets from any source MAC address to the destination address 00 e0 29 94 34 de where the Ethernet type is 0800 Related Commands access list mac 4 215 This command displays the rules for configured MAC ACLs Syntax show mac access list acl_na...

Page 596: ...ess packets Default Setting None Command Mode Interface Configuration Ethernet Command Usage A port can only be bound to one ACL If a port is already bound to an ACL and you bind it to a different ACL the switch will replace the old binding with the new one Example Related Commands show mac access list 4 217 This command shows the ports assigned to MAC ACLs Command Mode Privileged Exec Example Rel...

Page 597: ... 219 Console show access list IP standard access list david permit host 10 1 1 21 permit 168 92 16 0 255 255 240 0 IP extended access list bob permit 10 7 1 1 255 255 255 0 any permit 192 168 1 0 255 255 255 0 any destination port 80 80 permit 192 168 1 0 255 255 255 0 any protocol tcp control code 2 2 IP access list jerry permit any host 00 30 29 94 34 de ethertype 800 800 IP extended access list...

Page 598: ...selected for combination ports IC 4 226 giga phy mode Forces two connected ports in to a master slave configuration to enable 1000BASE T full duplex IC 4 226 shutdown Disables an interface IC 4 227 switchport packet rate Enabling hardware level storm control with this command on a port will disable software level automatic storm control on the same port if configured by the auto traffic control co...

Page 599: ...e 1 8 vlan vlan id Range 1 4094 Default Setting None Command Mode Global Configuration Example To specify port 24 enter the following command description This command adds a description to an interface Use the no form to remove the description Syntax description string no description string Comment or a description to help you remember what is attached to this interface Range 1 64 characters Defau...

Page 600: ...iation is enabled by default When auto negotiation is disabled the default speed duplex setting for both 100BASE TX and Gigabit Ethernet ports is 100full Command Mode Interface Configuration Ethernet Port Channel Command Usage The 1000BASE T standard does not support forced mode Auto negotiation should always be used to establish a connection over any 1000BASE T port or trunk If not used the succe...

Page 601: ... Usage When auto negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command When auto negotiation is disabled you must manually specify the link attributes with the speed duplex and flowcontrol commands If autonegotiation is disabled auto MDI MDI X pin signal configuration will also be disabled for the RJ 45 ports Example The following example c...

Page 602: ...ecified the port will auto negotiate to determine the sender and receiver for asymmetric pause frames The current switch ASIC only supports symmetric pause frames Default Setting 100BASE TX 10half 10full 100half 100full 1000BASE T 10half 10full 100half 100full 1000full SFP 1000full Command Mode Interface Configuration Ethernet Port Channel Command Usage When auto negotiation is enabled with the ne...

Page 603: ...trol or no flowcontrol command use the no negotiation command to disable auto negotiation on the selected interface When using the negotiation command to enable auto negotiation the optimal settings will be determined by the capabilities command To enable flow control under auto negotiation flowcontrol must be included in the capabilities list for any port Avoid using flow control on a port connec...

Page 604: ... 28 49 52 Example This forces the switch to use the built in RJ 45 port for the combination port 25 giga phy mode This command forces two connected ports in to a master slave configuration to enable 1000BASE T full duplex for Gigabit ports 25 28 SMC6128PL2 and 49 52 SMC6152PL2 Use the no form to restore the default mode Syntax giga phy mode mode no giga phy mode mode master Sets the selected port ...

Page 605: ...s feature auto negotiation must first be disabled and the Speed Duplex attribute set to 1000full Then select compatible Giga PHY modes at both ends of the link Note that using one of the preferred modes ensures that the ports at both ends of a link will eventually cooperate to establish a valid master slave relationship Example This forces the switch port to master mode on port 24 shutdown This co...

Page 606: ... threshold specified for broadcast and multicast or unknown unicast traffic packets exceeding the threshold are dropped until the rate falls back down beneath the threshold Due to an ASIC chip limitation the supported storm control modes include broadcast broadcast multicast broadcast multicast unknown unicast This means that when multicast storm control is enabled broadcast storm control is also ...

Page 607: ...vileged Exec Command Usage Statistics are only initialized for a power reset This command sets the base value for displayed statistics to zero for the current management session However if you log out and back into the management interface the statistics displayed will show the absolute value accumulated since the last power reset Example The following example clears statistics on port 5 show inte...

Page 608: ...ec Privileged Exec Command Usage If no interface is specified information on all interfaces is displayed For a description of the items displayed by this command see paratext on page 3 155 Console show interfaces brief Console sh interfaces brief Interface Name Status PVID Pri Speed Duplex Type Trunk Eth 1 1 Up 1 0 Auto 100full 100TX None Eth 1 2 Down 1 0 Auto 100TX None Eth 1 3 Down 1 0 Auto 100T...

Page 609: ...00 12 CF 12 34 57 Configuration Name Port Admin Up Speed duplex 100full Capabilities 100full Broadcast Storm Enabled Broadcast Storm Limit 64 Kbits second Multicast Storm Disabled Multicast Storm Limit 64 Kbits second UnknownUnicast Storm Disabled UnknownUnicast Storm Limit 64 Kbits second Flow Control Disabled VLAN Trunking Disabled LACP Disabled Port Security Disabled Max MAC Count 0 Port Securi...

Page 610: ...Input 0 Discard Output 0 Error Input 0 Error Output 0 Unknown Protos Input 0 QLen Output 0 Extended Iftable Stats Multi cast Input 4642 Multi cast Output 4921 Broadcast Input 258 Broadcast Output 6 Ether like Stats Alignment Errors 0 FCS Errors 0 Single Collision Frames 0 Multiple Collision Frames 0 SQE Test Errors 0 Deferred Transmissions 0 Late Collisions 0 Excessive Collisions 0 Internal Mac Tr...

Page 611: ...rt Statistics Field Description Broadcast Threshold Shows if broadcast storm suppression is enabled or disabled if enabled it also shows the threshold level page 4 228 Multicast Threshold Shows if multicast storm suppression is enabled or disabled if enabled it also shows the threshold level page 4 228 Unknown unicast Threshold Shows if unknown unicast storm suppression is enabled or disabled if e...

Page 612: ...el or 802 1Q Tunnel Uplink page 4 315 802 1Q tunnel TPID Shows the Tag Protocol Identifier used for learning and switching packets page 4 316 Table 4 57 ATC Commands Command Function Mode Page Threshold Commands auto traffic control apply timer Sets the time at which to apply the control response after ingress traffic has exceeded the upper threshold GC 4 237 auto traffic control release timer Set...

Page 613: ...pires IC Port 4 244 snmp server enable port traps atc multicast control apply Sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires IC Port 4 245 snmp server enable port traps atc broadcast control release Sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered and the ...

Page 614: ...en traffic exceeds the alarm fire threshold and the apply timer expires a traffic control response is applied and a Traffic Control Apply Trap is sent and logged Alarm Clear Threshold The lower threshold beneath which an control response can be automatically terminated after the release timer expires When ingress traffic falls below this threshold ATC sends a Storm Alarm Clear Trap and logs it Whe...

Page 615: ...d Use the no form to restore the default setting Syntax auto traffic control broadcast multicast apply timer seconds no auto traffic control broadcast multicast apply timer broadcast Specifies automatic storm control for broadcast traffic multicast Specifies automatic storm control for multicast traffic seconds The interval after the upper threshold has been exceeded at which to apply the control ...

Page 616: ...g 900 seconds Command Mode Global Configuration Command Usage The release timer only applies to a rate limiting control response set by the auto traffic control action command page 4 241 When a port has been shut down by a control response it must be manually re enabled by the no shutdown command page 4 227 Example This example sets the release timer to 800 seconds for all ports auto traffic contr...

Page 617: ...t alarm fire threshold threshold no auto traffic control broadcast multicast alarm fire threshold broadcast Specifies automatic storm control for broadcast traffic multicast Specifies automatic storm control for multicast traffic threshold The upper threshold for ingress traffic beyond which a storm control response is triggered after the apply timer expires Range 1 255 kilo packets per second sec...

Page 618: ... Usage Once the traffic rate falls beneath the lower threshold a trap message may be sent if configured by the snmp server enable port traps atc broadcast alarm clear command page 4 243 or snmp server enable port traps atc multicast alarm clear command page 4 244 If rate limiting has been configured as a control response it will discontinued after the traffic rate has fallen beneath the lower thre...

Page 619: ...ed Default Setting rate control Command Mode Interface Configuration Ethernet Command Usage When the upper threshold is exceeded and the apply timer expires a control response will be triggered based on this command When the control response is set to rate limiting by this command the rate limits are determined by the auto traffic control alarm clear threshold command page 4 240 If the control res...

Page 620: ...t can re enabled using this command or using the no shutdown command page 4 227 Example snmp server enable port traps atc broadcast alarm fire This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control Use the no form to disable this trap Syntax no snmp server enable port traps atc broadcast alarm fire Default Setting Disabled Command Mode Interface Co...

Page 621: ...cast alarm clear This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered Use the no form to disable this trap Syntax no snmp server enable port traps atc broadcast alarm clear Default Setting Disabled Command Mode Interface Configuration Ethernet Example Related Commands auto traffic control action 4 241 auto traffic cont...

Page 622: ... port traps atc broadcast control apply This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires Use the no form to disable this trap Syntax no snmp server enable port traps atc broadcast control apply Default Setting Disabled Command Mode Interface Configuration Ethernet Example Related Commands auto traffic control alarm...

Page 623: ...ontrol apply timer 4 237 snmp server enable port traps atc broadcast control release This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires Use the no form to disable this trap Syntax no snmp server enable port traps atc broadcast control release Default Setting Disabled Command Mode Interfa...

Page 624: ...t control release Default Setting Disabled Command Mode Interface Configuration Ethernet Example Related Commands auto traffic control alarm clear threshold 4 240 auto traffic control action 4 241 auto traffic control release timer 4 238 show auto traffic control This command shows global configuration settings for automatic storm control Command Mode Privileged Exec Example Console config interfa...

Page 625: ...ort Port number Range 1 28 52 Command Mode Privileged Exec Example Console show auto traffic control interface e 1 1 Eth 1 1 Information Storm Control Broadcast Multicast State Disabled Disabled Action rate control rate control Auto Release Control Disabled Disabled Alarm Fire Threshold Kpps 128 128 Alarm Clear Threshold Kpps 128 128 Trap Storm Fire Disabled Disabled Trap Storm Clear Disabled Disa...

Page 626: ...de and flow control VLAN assignments and CoS settings Any of the 100BASE TX ports can be trunked together Any of the 1000BASE TX ports Ports 25 28 49 52 can also be trunked together including those of different media types All the ports in a trunk have to be treated as a whole when moved from to added or deleted from a VLAN via the specified port channel Table 4 58 Link Aggregation Commands Comman...

Page 627: ...t be set to the same value for a port to be allowed to join a channel group If a link goes down LACP port priority is used to select the backup link channel group This command adds a port to a trunk Use the no form to remove a port from a trunk Syntax channel group channel id no channel group channel id Trunk index Range 1 8 Default Setting The current port will be added to this trunk Command Mode...

Page 628: ... an LACP trunk must be configured for full duplex and auto negotiation A trunk formed with another switch using LACP will automatically be assigned the next available port channel ID If the target switch has also enabled LACP on the connected ports the trunk will be activated automatically If more than eight ports attached to the same target switch have LACP enabled the additional ports will be pl...

Page 629: ... other switches during LAG negotiations Range 0 65535 Default Setting 32768 Console config interface ethernet 1 11 Console config if lacp Console config if exit Console config interface ethernet 1 12 Console config if lacp Console config if exit Console config interface ethernet 1 13 Console config if lacp Console config if exit Console config exit Console show interfaces status port channel 1 Inf...

Page 630: ...key Use the no form to restore the default setting Syntax lacp actor partner admin key key no lacp actor partner admin key actor The local side an aggregate link partner The remote side of an aggregate link key The port admin key must be set to the same value for ports that belong to the same link aggregation group LAG Range 0 65535 Default Setting 0 Command Mode Interface Configuration Ethernet C...

Page 631: ... during local LACP setup on this switch Range 0 65535 Default Setting 0 Command Mode Interface Configuration Port Channel Command Usage Ports are only allowed to join the same LAG if 1 the LACP system priority matches 2 the LACP port admin key matches and 3 the LACP port channel key matches if configured If the port channel admin key lacp admin key Port Channel is not set when a channel group is f...

Page 632: ...cates a higher effective priority If an active port link goes down the backup port with the highest priority is selected to replace the downed link However if two or more ports have the same LACP port priority the port with the lowest physical port number will be selected as the backup port Once the remote side of a link has been established LACP operational settings are already in use on that sid...

Page 633: ...de Interface Configuration Ethernet Command Usage Regardless of the LACP initiation mode if the target switch has also enabled LACP on the connected ports and negotiations are successfully completed the trunk will be activated automatically Example show lacp This command displays LACP information Syntax show lacp port channel counters internal neighbors sysid port channel Local identifier for a li...

Page 634: ... of valid LACPDUs received on this channel group Marker Sent Number of valid Marker PDUs transmitted from this channel group Marker Received Number of valid Marker PDUs received by this channel group LACPDUs Unknown Pkts Number of frames received that either 1 Carry the Slow Protocols Ethernet Type value but contain an unknown PDU or 2 are addressed to the Slow Protocols group MAC Address but do n...

Page 635: ...state Defaulted The actor s receive machine is using defaulted operational partner information administratively configured for the partner Distributing If false distribution of outgoing frames on this link is disabled i e distribution is currently disabled and is not expected to be enabled in the absence of administrative changes or changes in received protocol information Collecting Collection of...

Page 636: ...signed by the user Partner Oper System ID LAG partner s system ID assigned by the LACP protocol Partner Admin Port Number Current administrative value of the port number for the protocol Partner Partner Oper Port Number Operational port number assigned to this aggregation port by the port s protocol partner Port Admin Priority Current administrative value of the port priority for the protocol part...

Page 637: ...0 12 CF 8F 2C A7 4 32768 00 12 CF 8F 2C A7 Console Table 4 62 show lacp sysid display description Field Description Channel group A link aggregation group configured on this switch System Priority LACP system priority for this channel group System MAC Address System MAC address The LACP system priority and system MAC address are concatenated to form the LAG system ID ...

Page 638: ...ssion is defined When enabled for an interface default mirroring is for both received and transmitted packets When enabled for a VLAN or a MAC address mirroring is restricted to received packets Command Mode Interface Configuration Ethernet destination port Command Usage You can mirror traffic to a destination port for real time analysis You can then attach a logic analyzer or RMON probe to the de...

Page 639: ...ll sessions must share the same destination port Example The following example configures the switch to mirror received packets from port 6 to 11 show port monitor This command displays mirror information Syntax show port monitor interface vlan vlan id mac address mac address interface ethernet unit port source port unit Stack unit Range 1 port Port number Range 1 28 52 vlan id VLAN ID Range 1 409...

Page 640: ... configured from port 6 to port 11 Console config interface ethernet 1 11 Console config if port monitor ethernet 1 6 rx Console config if end Console show port monitor Port Mirroring Destination port listen port Eth1 11 Source port monitored port Eth1 6 Mode RX Console ...

Page 641: ...e Use this command without specifying a rate to restore the default rate limit level Use the no form to restore the default status of disabled Syntax rate limit input output rate no rate limit input output input Input rate limit output Input rate limit rate The traffic rate limit level Range 64 100000 kilobits per second for 100 Mbps ports 64 1000000 kilobits per second for 1 Gbps ports Default Se...

Page 642: ...t watts The power budget for the switch Range 37 180 watts unit Specifies the stack unit Range 1 Default Setting 180 watts Command Mode Global Configuration Command Usage Setting a maximum power budget for the switch enables power to be centrally managed preventing overload conditions at the power source If the power demand from devices connected to the switch exceeds the power budget setting the ...

Page 643: ...y then turn on the power to this device When the power inline compatible command is used this switch can detect 802 3af compliant devices and the more recent 802 3af non compliant devices that also reflect the test voltages back to the switch It cannot detect other legacy devices that do not reflect back the test voltages For legacy devices to be supported by this switch they must be able to accep...

Page 644: ...et Example power inline maximum allocation This command limits the power allocated to specific ports Use the no form to restore the default setting Syntax power inline maximum allocation milliwatts no power inline maximum allocation milliwatts The maximum power budget for the port Range 3000 15400 milliwatts Default Setting 15400 milliwatts Command Mode Interface Configuration Command Usage If a d...

Page 645: ...riority settings to control the supplied power For example A device connected to a low priority port that causes the switch to exceed its budget is not supplied power A device connected to a critical or high priority port that causes the switch to exceed its budget is supplied power but the switch drops power to one or more lower priority ports Power is dropped from low priority ports in sequence ...

Page 646: ...5400 7505 low Eth 1 4 enable off 15400 0 low Eth 1 5 enable off 15400 0 low Eth 1 6 enable off 15400 0 low Eth 1 7 enable on 15400 8597 low Eth 1 23 enable off 15400 0 low Eth 1 24 enable off 15400 0 low Console Table 4 66 show power inline status parameters Parameter Description Admin The power mode set on the port see power inline on page 4 266 Oper The current operating power status displays on...

Page 647: ...h see power mainpower maximum allocation on page 4 264 System Operation Status The current operating power status displays on or off Mainpower Consumption The current power consumption on the switch in watts Software Version The version of software running on the PoE controller subsystem in the switch This software can be updated using the copy file controller command see page 4 36 Table 4 68 Addr...

Page 648: ...default mode is permanent Command Mode Global Configuration Command Usage The static address for a host device can be assigned to a specific port within a specific VLAN Use this command to add static addresses to the MAC Address Table Static addresses have the following characteristics Static addresses will not be removed from the address table when a given interface link is down Static addresses ...

Page 649: ...ce ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 52 port channel channel id Range 1 8 vlan id VLAN ID Range 1 4094 sort Sort by address vlan or interface Default Setting None Command Mode Privileged Exec Command Usage The MAC Address Table contains the MAC addresses associated with each interface Note that the Type field may include the following types Learned Dynamic addr...

Page 650: ...onds no mac address table aging time seconds Aging time Range 10 30000 seconds 0 to disable aging Default Setting 300 seconds Command Mode Global Configuration Command Usage The aging time is used to age out dynamically learned forwarding information Example show mac address table aging time This command shows the aging time for entries in the address table Default Setting None Command Mode Privil...

Page 651: ...Address Table Commands 4 273 4 Example Console show mac address table aging time Aging time 100 sec Console ...

Page 652: ...figuration mode GC 4 281 mst vlan Adds VLANs to a spanning tree instance MST 4 281 mst priority Configures the priority of a spanning tree instance MST 4 282 name Configures the name for the multiple spanning tree MST 4 283 revision Configures the revision number for the multiple spanning tree MST 4 283 max hops Configures the maximum number of hops allowed in the region before a BPDU is discarded...

Page 653: ...ample shows how to enable the Spanning Tree Algorithm for the switch spanning tree loopback detection release mode Configures loopback release mode for a port IC 4 293 spanning tree loopback detection trap Enables BPDU loopback SNMP trap notification for a port IC 4 294 spanning tree mst cost Configures the path cost of an instance in the MST IC 4 294 spanning tree mst port priority Configures the...

Page 654: ...es by monitoring the incoming protocol messages and dynamically adjusting the type of protocol messages the RSTP node transmits as described below STP Mode If the switch receives an 802 1D BPDU after a port s migration delay timer expires the switch assumes it is connected to an 802 1D bridge and starts using only 802 1D BPDUs RSTP Mode If RSTP is using 802 1D BPDUs on a port and receives an RSTP ...

Page 655: ...states i e discarding to learning to forwarding This delay is required because every device must receive information about topology changes before it starts to forward frames In addition each port needs time to listen for conflicting information that would make it return to the discarding state otherwise temporary data loops might result Example This command configures the spanning tree bridge hel...

Page 656: ...lower of 40 or 2 x forward time 1 Default Setting 20 seconds Command Mode Global Configuration Command Usage This command sets the maximum time in seconds a device can wait without receiving a configuration message before attempting to reconfigure All device ports except for designated ports should receive configuration messages at regular intervals Any port that ages out STA information provided ...

Page 657: ...the STA root device However if all devices have the same priority the device with the lowest MAC address will then become the root device Example This command configures the system to flood BPDUs to all other ports on the switch or just to all other ports in the same VLAN when spanning tree is disabled globally on the switch or disabled on a specific port Use the no form to restore the default Syn...

Page 658: ...hod is based on the IEEE 802 1 Spanning Tree Protocol Default Setting Long method Command Mode Global Configuration Command Usage The path cost method is used to determine the best path between devices Therefore lower values should be assigned to ports attached to faster media and higher values assigned to ports with slower media Note that path cost page 4 285 takes precedence over port priority p...

Page 659: ...mands mst vlan 4 281 mst priority 4 282 name 4 283 revision 4 283 max hops 4 284 This command adds VLANs to a spanning tree instance Use the no form to remove the specified VLANs Using the no form without any VLAN parameters to remove all VLANs Syntax no mst instance_id vlan vlan range instance_id Instance identifier of the spanning tree Range 0 4094 vlan range Range of VLANs Range 1 4094 Default ...

Page 660: ...egion as a single node connecting all regions to the Common Spanning Tree Example This command configures the priority of a spanning tree instance Use the no form to restore the default Syntax mst instance_id priority priority no mst instance_id priority instance_id Instance identifier of the spanning tree Range 0 4094 priority Priority of the a spanning tree instance Range 0 61440 in steps of 409...

Page 661: ... bridge i e spanning tree compliant device such as this switch can only belong to one MST region And all bridges in the same region must be configured with the same MST instances Example Related Commands revision 4 283 This command configures the revision number for this multiple spanning tree configuration of this switch Use the no form to restore the default Syntax revision number number Revisio...

Page 662: ...Configuration Command Usage An MSTI region is treated as a single node by the STP and RSTP protocols Therefore the message age for BPDUs inside an MSTI region is never changed However each spanning tree instance within a region and the internal spanning tree IST that connects these instances use a hop count to specify the maximum number of bridges that will propagate a BPDU Each bridge decrements ...

Page 663: ...h cost method Console config interface ethernet 1 5 Console config if spanning tree spanning disabled Console config if 27 Use the spanning tree pathcost method command on page 4 280 to set the path cost method Table 4 70 Recommended STA Path Cost Range Port Type IEEE 802 1D 1998 IEEE 802 1w 2001 Ethernet 50 600 200 000 20 000 000 Fast Ethernet 10 60 20 000 2 000 000 Gigabit Ethernet 3 10 2 000 20...

Page 664: ...to faster media and higher values assigned to ports with slower media Path cost takes precedence over port priority When the spanning tree pathcost method page 4 280 is set to short the maximum value for path cost is 65 535 Example This command configures the priority for the specified interface Use the no form to restore the default Syntax spanning tree port priority priority no spanning tree por...

Page 665: ...sage You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node Since end nodes cannot cause forwarding loops they can pass directly through to the spanning tree forwarding state Specifying Edge Ports provides quicker convergence for devices such as workstations or servers retains the current forwarding database to reduce the amoun...

Page 666: ...xpired If the port does not receive any BPDUs after the edge delay timer expires its role changes to designated port and it immediately enters forwarding state see paratext on page 3 202 The edge delay time equals the protocol migration time when the port link type is point to point which is 3 seconds as defined in IEEE 802 3D 2004 17 20 4 otherwise it equals the maximum age for configuration mess...

Page 667: ...yntax no spanning tree bpdu filter Default Setting Disabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This command filters all Bridge Protocol Data Units BPDUs received on an interface to save CPU processing time This function is designed to work in conjunction with edge ports which should only connect end stations to the switch and therefore do not need to process B...

Page 668: ... must be manually re enabled using the no spanning tree spanning disabled command Before enabling BPDU Guard the interface must be configured as an edge port with the spanning tree edge port or spanning tree portfast command Also note that if the edge port attribute is disabled on an interface BPDU Guard will also be disabled on that interface Example Related Commands spanning tree edge port 4 287...

Page 669: ...ddress can take over as the root bridge at any time When Root Guard is enabled and the switch receives a superior BPDU on this port it is set to the Discarding state until it stops receiving superior BPDUs for a fixed recovery period While in the discarding state no traffic is forwarded across the port Root Guard can be used to ensure that the root bridge is not formed at a suboptimal location Roo...

Page 670: ...tch derives the link type from the duplex mode A full duplex interface is considered a point to point link while a half duplex interface is assumed to be on a shared link RSTP only works on point to point links between two bridges If you designate a port as a shared link RSTP is forbidden Since MSTP is an extension of RSTP this same restriction applies Example This command enables the detection an...

Page 671: ...an only be released from the discarding state manually Default Setting auto Command Mode Interface Configuration Ethernet Port Channel Command Usage If the port is configured for automatic loopback release then the port will only be returned to the forwarding state if one of the following conditions is satisfied The port receives any other BPDU except for it s own or The port s link status changes...

Page 672: ...cost method29 1 200 000 000 for long path cost method The recommended path cost range is listed in Table 4 70 on page 4 285 The recommended path cost is listed in Table 4 71 on page 4 285 Default Setting By default the system automatically detects the speed and duplex mode used on each port and configures the path cost according to the values shown below Path cost 0 is used to indicate auto config...

Page 673: ...nning Tree Use the no form to restore the default Syntax spanning tree mst instance_id port priority priority no spanning tree mst instance_id port priority instance_id Instance identifier of the spanning tree Range 0 4094 no leading zeroes priority Priority for an interface Range 0 240 in steps of 16 Default Setting 128 Command Mode Interface Configuration Ethernet Port Channel Command Usage This...

Page 674: ...mand Usage If at any time the switch detects STP BPDUs including Configuration or Topology Change Notification BPDUs it will automatically set the selected interface to forced STP compatible mode However you can also use the spanning tree protocol migration command at any time to manually re check the appropriate BPDU format to send on the selected interfaces i e RSTP or STP compatible Example Con...

Page 675: ...ommand Usage Use the show spanning tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree CST and for every interface in the tree Use the show spanning tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree CST Use the show spanning tree mst instance_id command to display the...

Page 676: ...nges 1 Last Topology Change Time sec 15263 Transmission Limit 3 Path Cost Method Long Flooding Behavior To VLAN Eth 1 1 Information Admin Status Enabled Role Disabled State Discarding External Admin Path Cost 0 Internal Admin Path Cost 0 External Oper Path Cost 100000 Internal Oper Path Cost 100000 Priority 128 Designated Cost 100000 Designated Port 128 3 Designated Root 32768 0 0001ECF8D8C6 Desig...

Page 677: ... extension MIB 4 300 Editing VLAN Groups Sets up VLAN groups including name VID and state 4 304 Configuring VLAN Interfaces Configures VLAN interface parameters including ingress and egress tagging mode ingress filtering PVID and GVRP 4 306 Displaying VLAN Information Displays VLAN groups status port members and MAC addresses 4 313 Configuring 802 1Q Tunneling Configures 802 1Q Tunneling QinQ Tunn...

Page 678: ...to exchange VLAN information in order to register VLAN members on ports across the network This function should be enabled to permit automatic VLAN registration and to support VLANs which extend beyond the local switch Example Table 4 74 GVRP and Bridge Extension Commands Command Function Mode Page bridge ext gvrp Enables GVRP globally for the switch GC 4 300 show bridge ext Shows the global bridg...

Page 679: ... the no form to disable it Syntax no switchport gvrp Default Setting Disabled Command Mode Interface Configuration Ethernet Port Channel Example Console show bridge ext Max support vlan numbers 256 Max support vlan ID 4092 Extended multicast filtering services No Static entry individual port Yes VLAN learning IVL Configurable PVID tagging Yes Local VLAN capable No Traffic classes Enabled Global GV...

Page 680: ...command sets the values for the join leave and leaveall timers Use the no form to restore the timers default values Syntax garp timer join leave leaveall timer_value no garp timer join leave leaveall join leave leaveall Which timer to set timer_value Value of timer Ranges join 20 1000 centiseconds leave 60 3000 centiseconds leaveall 500 18000 centiseconds Default Setting join 20 centiseconds leave...

Page 681: ... Set GVRP timers on all Layer 2 devices connected in the same network to the same values Otherwise GVRP may not operate successfully Example Related Commands show garp timer 4 303 show garp timer This command shows the GARP timers for the selected interface Syntax show garp timer interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 52 port channel channel id R...

Page 682: ...N settings by entering the show vlan command Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN The results of these commands are written to the running configuration file and you can display this file by entering the show running config command Example Related Commands show vlan 4 313 Table 4 75 Editing VLAN Groups Command Function Mode Page...

Page 683: ...Suspended VLANs do not pass packets Default Setting By default only VLAN 1 exists and is active Command Mode VLAN Database Configuration Command Usage no vlan vlan id deletes the VLAN no vlan vlan id name removes the VLAN name no vlan vlan id state returns the VLAN to the default state i e active You can configure up to 255 VLANs on the switch Note The switch allows 255 user manageable VLANs One e...

Page 684: ...or a specified VLAN GC 4 306 switchport mode Configures VLAN membership mode for an interface IC 4 307 switchport acceptable frame types Configures frame types to be accepted by an interface IC 4 308 switchport ingress filtering Enables ingress filtering on an interface IC 4 308 switchport native vlan Configures the PVID native VLAN of an interface IC 4 309 switchport allowed vlan Configures the V...

Page 685: ...g to the port s default VLAN i e associated with the PVID are also transmitted as tagged frames private vlan For an explanation of this command see paratext on page 4 324 Default Setting All ports are in hybrid mode with the PVID set to VLAN 1 Command Mode Interface Configuration Ethernet Port Channel Command Usage Access mode is mutually exclusive with VLAN trunking see the vlan trunking command ...

Page 686: ... Command Usage When set to receive all frame types any received frames that are untagged are assigned to the default VLAN Example The following example shows how to restrict the traffic received on port 1 to tagged frames Related Commands switchport mode 4 307 switchport ingress filtering This command enables ingress filtering for an interface Syntax no switchport ingress filtering Default Setting...

Page 687: ...yntax switchport native vlan vlan id no switchport native vlan vlan id Default VLAN ID for a port Range 1 4094 no leading zeroes Default Setting VLAN 1 Command Mode Interface Configuration Ethernet Port Channel Command Usage If an interface is not a member of VLAN 1 and you assign its PVID to this VLAN the interface will automatically be added to VLAN 1 as an untagged member For all other VLANs an...

Page 688: ...witchport mode set to trunk i e 1Q Trunk then you can only assign an interface to VLAN groups as a tagged member Frames are always tagged within the switch The tagged untagged parameter used when adding a VLAN to an interface tells the switch whether to keep or remove the tag from a frame on egress If none of the intermediate network devices nor the host at the other end of the connection supports...

Page 689: ...st Command Mode Interface Configuration Ethernet Port Channel Command Usage This command prevents a VLAN from being automatically added to the specified interface via GVRP If a VLAN has been added to the set of allowed VLANs for an interface then you cannot add it to the set of forbidden VLANs for that same interface Example The following example shows how to prevent port 1 from being added to VLA...

Page 690: ...apply to this feature VLAN trunking can only be enabled on Gigabit Ethernet ports or trunks VLAN trunking is mutually exclusive with the access switchport mode see the switchport mode command on page 4 307 If VLAN trunking is enabled on an interface then that interface cannot be set to access mode and vice versa To prevent loops from forming in the spanning tree all unknown VLANs will be bound to ...

Page 691: ...Privileged Exec Example The following example shows how to display information for VLAN 1 Table 4 77 Show VLAN Commands Command Function Mode Page show vlan Shows VLAN information NE PE 4 313 show interfaces status vlan Displays status for the specified VLAN interface NE PE 4 230 show interfaces switchport Displays the administrative and operational status of an interface NE PE 4 232 Console show ...

Page 692: ... 5 Configure the QinQ tunnel access port to join the SPVLAN as an untagged member switchport allowed vlan page 4 310 6 Configure the SPVLAN ID as the native VID on the QinQ tunnel access port switchport native vlan page 4 309 7 Configure the QinQ tunnel uplink port to dot1Q tunnel uplink mode switchport dot1q tunnel mode page 4 315 8 Configure the QinQ tunnel uplink port to join the SPVLAN as a ta...

Page 693: ...Commands show dot1q tunnel 4 317 show interfaces switchport 4 232 This command configures an interface as a QinQ tunnel port Use the no form to disable QinQ on the interface Syntax switchport dot1q tunnel mode access uplink no switchport dot1q tunnel mode access Sets the port as an 802 1Q tunnel access port uplink Sets the port as an 802 1Q tunnel uplink port Default Setting Disabled Command Mode ...

Page 694: ...identifier is used to select a nonstandard 2 byte ethertype to identify 802 1Q tagged frames The standard ethertype value is 0x8100 Range 0800 FFFF hexadecimal Default Setting 0x8100 Command Mode Interface Configuration Ethernet Port Channel Command Usage Use the switchport dot1q tunnel tpid command to set a custom 802 1Q ethertype value on the selected interface This feature allows the switch to ...

Page 695: ...ot1q tunnel system tunnel control Console config interface ethernet 1 1 Console config if switchport dot1q tunnel mode access Console config if interface ethernet 1 2 Console config if switchport dot1q tunnel mode uplink Console config if end Console show dot1q tunnel Current double tagged status of the system is Enabled The dot1q tunnel mode of the set interface 1 1 is Access mode TPID is 0x8100 ...

Page 696: ...ther clients allowing different clients to share access to their uplink ports where security is less likely to be compromised This section describes commands used to configure traffic segmentation pvlan This command enables port based traffic segmentation Use the no form to disable this feature Syntax no pvlan Default Setting Disabled Command Mode Global Configuration Table 4 79 Traffic Segmentati...

Page 697: ...n Range 1 15 interface list One or more uplink or downlink interfaces ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 52 port channel channel id Range 1 8 Default Setting None Command Mode Global Configuration Table 4 80 Traffic Segmentation Forwarding Destination Source Session 1 Downlinks Session 1 Uplinks Session 2 Downlinks Session 2 Uplinks Normal Ports Session 1 Downli...

Page 698: ...rts will operate as normal ports Due to switch ASIC limitations ports 1 8 9 16 17 24 are grouped together when any group member is configured as an uplink or downlink interface Example pvlan session This command creates a traffic segmentation client session Use the no form to remove a client session Syntax no pvlan session session id session id Traffic segmentation session Range 1 15 Default Setti...

Page 699: ...en uplink ports assigned to different sessions Default Setting Blocking Command Mode Global Configuration Example This example enables forwarding of traffic between uplink ports assigned to different client sessions show pvlan This command displays the traffic segmentation configuration settings Syntax show pvlan session session id session id Traffic segmentation session Range 1 15 Command Mode Pr...

Page 700: ...ity associated groups follow these steps 1 Use the private vlan command to designate one or more community VLANs and the primary VLAN that will channel traffic outside of the community groups 2 Use the private vlan association command to map the community VLAN s to the primary VLAN 3 Use the switchport mode private vlan command to configure ports as promiscuous i e having access to all ports in th...

Page 701: ...s to channel traffic between community VLANs and other locations Default Setting None Command Mode VLAN Configuration Command Usage Private VLANs are used to restrict traffic to ports within the same community and channel traffic passing outside the community through promiscuous ports When using community VLANs they must be mapped to an associated primary VLAN that contains promiscuous ports Port ...

Page 702: ...curity for group members The associated primary VLAN provides a common interface for access to other network resources within the primary VLAN e g servers configured with promiscuous ports and to resources outside of the primary VLAN via promiscuous ports Example switchport mode private vlan Use this command to set the private VLAN mode for an interface Use the no form to restore the default setti...

Page 703: ...iation secondary vlan id ID of secondary i e community VLAN Range 1 4094 no leading zeroes Default Setting None Command Mode Interface Configuration Ethernet Port Channel Command Usage All ports assigned to a secondary i e community VLAN can pass traffic between group members but must communicate with resources outside of the group via promiscuous ports in the associated primary VLAN Example Conso...

Page 704: ...VLAN can communicate with any other promiscuous ports in the same VLAN and with the group members within any associated secondary VLANs Example show vlan private vlan Use this command to show the private VLAN configuration settings on this switch Syntax show vlan private vlan community primary community Displays all community VLANs along with their associated primary VLAN and assigned host interfa...

Page 705: ...up for each of the protocols you want to assign to a VLAN using the protocol vlan protocol group add command 3 Then map the protocol group to the appropriate VLAN using the protocol vlan protocol group vlan command Note Traffic which matches IP Protocol Ethernet Frames is mapped to the VLAN VLAN 1 that has been configured with the switch s administrative IP IP Protocol Ethernet traffic must not be...

Page 706: ... The options for all other frames types include ip arp and rarp Default Setting No protocol groups are configured Command Mode Global Configuration Example The following creates protocol group 2 and specifies Ethernet frames transmitting ARP protocol type traffic protocol vlan protocol group Configuring VLANs This command globally maps a protocol group to a VLAN Use the no form to remove the proto...

Page 707: ...d frames If the frame is untagged and the protocol type matches the frame is forwarded to the appropriate VLAN If the frame is untagged but the protocol type does not match the frame is forwarded to the default VLAN for the interface Example The following example maps traffic matching the protocol type specified in protocol group 2 to VLAN 2 show protocol vlan protocol group This command shows the...

Page 708: ... belonging to the VLAN whose VID PVID is associated with that port When IP subnet based VLAN classification is enabled the source address of untagged ingress frames are checked against the IP subnet to VLAN mapping table If an entry is found for that subnet these frames are assigned to the VLAN indicated in the entry If no IP subnet is matched the untagged frames are classified as belonging to the...

Page 709: ...ntagged frame is received by a port the source IP address is checked against the IP subnet to VLAN mapping table and if an entry is found the corresponding VLAN ID is assigned to the frame If no mapping is found the PVID of the receiving port is assigned to the frame The IP subnet cannot be a broadcast or multicast IP address When MAC based IP subnet based and protocol based VLANs are supported co...

Page 710: ...he no form to remove an assignment Syntax mac vlan mac address mac address vlan vlan id no mac vlan mac address mac address all mac address The source MAC address to be matched Configured MAC addresses can only be unicast addresses The MAC address must be specified in the format xx xx xx xx xx xx or xxxxxxxxxxxx vlan id VLAN to which the matching source MAC address traffic is forwarded Range 1 409...

Page 711: ...applied in this sequence and then port based VLANs last Example The following example assigns traffic from source MAC address 00 00 00 11 22 33 to VLAN 10 show mac vlan This command displays MAC address to VLAN assignments Command Mode Privileged Exec Command Usage Use this command to display MAC address to VLAN mappings Example The following example displays all configured MAC address based VLANs...

Page 712: ...it is recommended to isolate the Voice over IP VoIP network traffic from other data traffic Traffic isolation helps prevent excessive packet delays packet loss and jitter which results in higher voice quality This is best achieved by assigning all VoIP traffic to a single VLAN VoIP traffic can be detected on switch ports by using the source MAC address of packets or by using LLDP IEEE 802 1AB to d...

Page 713: ...detection and specifies the Voice VLAN ID as 1234 voice vlan aging This command sets the Voice VLAN ID time out Use the no form to restore the default Syntax voice vlan aging minutes no voice vlan minutes Specifies the port Voice VLAN membership time out Range 5 43200 minutes Default Setting 1440 minutes Command Mode Global Configuration Command Usage The Voice VLAN aging time is the time after wh...

Page 714: ...ne Command Mode Global Configuration Command Usage VoIP devices attached to the switch can be identified by the manufacturer s Organizational Unique Identifier OUI in the source MAC address of received packets OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses The MAC OUI numbers for VoIP equipment can be configured on the switch so that traffic from ...

Page 715: ...r OUI or 802 1ab LLDP using the switchport voice vlan rule command page 4 337 When OUI is selected be sure to configure the MAC address ranges in the Telephony OUI list using the voice vlan mac address command page 4 336 Example The following example sets port 1 to Voice VLAN auto mode switchport voice vlan rule This command selects a method for detecting VoIP traffic on a port Use the no form to ...

Page 716: ...e the no form to disable filtering on a port Syntax no switchport voice vlan security Default Setting Disabled Command Mode Interface Configuration Command Usage Security filtering discards any non VoIP packets received on the port that are tagged with the voice VLAN ID VoIP traffic is identified by source MAC addresses configured in the Telephony OUI list or through LLDP that discovers VoIP devic...

Page 717: ...he port VoIP traffic on the Voice VLAN The priority of any received VoIP packet is overwritten with the new priority when the Voice VLAN feature is active for the port Example The following example sets the CoS priority to 5 on port 1 show voice vlan This command displays the Voice VLAN settings on the switch and the OUI Telephony list Syntax show voice vlan oui status oui Displays the OUI Telepho...

Page 718: ...led Disabled OUI 6 Eth 1 3 Manual Enabled OUI 5 Eth 1 4 Auto Enabled OUI 6 Eth 1 5 Disabled Disabled OUI 6 Eth 1 6 Disabled Disabled OUI 6 Eth 1 7 Disabled Disabled OUI 6 Eth 1 8 Disabled Disabled OUI 6 Eth 1 9 Disabled Disabled OUI 6 Eth 1 10 Disabled Disabled OUI 6 Console show voice vlan oui OUIAddress Mask Description 00 12 34 56 78 9A FF FF FF 00 00 00 old phones 00 11 22 33 44 55 FF FF FF 00...

Page 719: ...value sent in LLDP advertisements GC 4 343 medFastStartCount Configures how many medFastStart packets are transmitted GC 4 344 lldp notification interval Configures the allowed interval for sending SNMP notifications about LLDP changes GC 4 344 lldp refresh interval Configures the periodic transmit interval for LLDP advertisements GC 4 345 lldp reinit delay Configures the delay before attempting t...

Page 720: ... an LLDP enabled port to advertise its Power over Ethernet capabilities IC 4 355 lldp medtlv extpoe Configures an LLDP MED enabled port to advertise its extended Power over Ethernet configuration and usage information IC 4 355 lldp medtlv inventory Configures an LLDP MED enabled port to advertise its inventory identification details IC 4 356 lldp medtlv location Configures an LLDP MED enabled port...

Page 721: ... default setting Syntax lldp holdtime multiplier value no lldp holdtime multiplier value Calculates the TTL in seconds based on holdtime multiplier refresh interval 65536 Range 2 10 Default Setting Holdtime multiplier 4 TTL 4 30 120 seconds Command Mode Global Configuration Command Usage The time to live tells the receiving LLDP agent how long to retain all information pertaining to the sending LL...

Page 722: ...id availability of Emergency Call Service Example lldp notification interval This command configures the allowed interval for sending SNMP notifications about LLDP MIB changes Use the no form to restore the default setting Syntax lldp notification interval seconds no lldp notification interval seconds Specifies the periodic interval at which SNMP notifications are sent Range 5 3600 seconds Default...

Page 723: ...nterval at which LLDP advertisements are sent Range 5 32768 seconds Default Setting 30 seconds Command Mode Global Configuration Command Usage This attribute must comply with the following rule refresh interval holdtime multiplier 65536 Example lldp reinit delay This command configures the delay before attempting to re initialize after LLDP ports are disabled or the link goes down Use the no form ...

Page 724: ...tax lldp tx delay seconds no lldp tx delay seconds Specifies the transmit delay Range 1 8192 seconds Default Setting 2 seconds Command Mode Global Configuration Command Usage The transmit delay is used to prevent a series of successive LLDP transmissions during a short period of rapid changes in local LLDP MIB objects and to increase the probability that multiple rather than single changes are rep...

Page 725: ...tification Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This option sends out SNMP trap notifications to designated target stations at the interval specified by the lldp notification interval command page 4 344 Trap notifications include information about state changes in the LLDP MIB IEEE 802 1AB or organization specific LLDP EXT DOT1 and LLDP E...

Page 726: ...ap notifications include information about state changes in the LLDP MIB IEEE 802 1AB the LLDP MED MIB ANSI TIA 1057 or organization specific LLDP EXT DOT1 and LLDP EXT DOT3 MIBs SNMP trap destinations are defined using the snmp server host command page 4 93 Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted Only state changes that exist...

Page 727: ...interface number and OID are included to assist SNMP applications to perform network discovery by indicating enterprise specific or other starting points for the search such as the Interface or Entity MIB Since there are typically a number of different addresses associated with a Layer 3 device an individual LLDP PDU may contain more than one management address TLV Every management address TLV tha...

Page 728: ...bled Command Mode Interface Configuration Ethernet Port Channel Command Usage The system capabilities identifies the primary function s of the system and whether or not these primary functions are enabled The information advertised by this TLV is described in IEEE 802 1AB Example lldp basic tlv system description This command configures an LLDP enabled port to advertise the system description Use ...

Page 729: ...tem name Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage The system name is taken from the sysName object in RFC 3418 which contains the system s administratively assigned name and is in turn based on the hostname command page 4 18 Example This command configures an LLDP enabled port to advertise the supported protocols Use the no form to disable th...

Page 730: ...ernet Port Channel Command Usage This option advertises the port based and protocol based VLANs configured on this interface see paratext on page 4 306 and paratext on page 4 327 Example This command configures an LLDP enabled port to advertise its default VLAN ID Use the no form to disable this feature Syntax no lldp dot1 tlv pvid Default Setting Enabled Command Mode Interface Configuration Ether...

Page 731: ...e This option advertises the name of all VLANs to which this interface has been assigned See paratext on page 4 310 and paratext on page 4 328 Example lldp dot3 tlv link agg This command configures an LLDP enabled port to advertise link aggregation capabilities Use the no form to disable this feature Syntax no lldp dot3 tlv link agg Default Setting Enabled Command Mode Interface Configuration Ethe...

Page 732: ...guration Ethernet Port Channel Command Usage This option advertises MAC PHY configuration status which includes information about auto negotiation support capabilities and operational Multistation Access Unit MAU type Example lldp dot3 tlv max frame This command configures an LLDP enabled port to advertise its maximum frame size Use the no form to disable this feature Syntax no lldp dot3 tlv max f...

Page 733: ...upported currently enabled if the port pins through which power is delivered can be controlled the port pins selected to deliver power and the power class Note that this device does not support PoE capabilities Example lldp medtlv extpoe This command configures an LLDP MED enabled port to advertise and accept Extended Power over Ethernet configuration and usage information Use the no form to disab...

Page 734: ...this feature Syntax no lldp medtlv inventory Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This option advertises device details useful for inventory management such as manufacturer model software version and other pertinent information Example lldp medtlv location This command configures an LLDP MED enabled port to advertise its location identifi...

Page 735: ...V capabilities allowing Media Endpoint and Connectivity Devices to efficiently discover which LLDP MED related TLVs are supported on the switch Example lldp medtlv network policy This command configures an LLDP MED enabled port to advertise its network policy configuration Use the no form to disable this feature Syntax no lldp medtlv network policy Default Setting Enabled Command Mode Interface Co...

Page 736: ...uality degradation or complete service disruption Example show lldp config This command shows LLDP configuration settings for all ports Syntax show lldp config detail interface detail Shows configuration summary interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 52 port channel channel id Range 1 8 Command Mode Privileged Exec Console config interface ethernet 1 1 Con...

Page 737: ... Tx Rx True Eth 1 4 Tx Rx True Eth 1 5 Tx Rx True Console show lldp config detail ethernet 1 1 LLDP Port Configuration Detail Port Eth 1 1 Admin Status Tx Rx Notification Enabled True Basic TLVs Advertised port description system name system description system capabilities management ip address 802 1 specific TLVs Advertised port vid vlan name proto vlan proto ident 802 3 specific TLVs Advertised ...

Page 738: ...03 04 05 System Name System Description Edgecore Networks SMC6128PL2 System Capabilities Support Bridge System Capabilities Enable Bridge Management Address 192 168 0 101 IPv4 LLDP Port Information Interface PortID Type PortID PortDesc Eth 1 1 MAC Address 00 01 02 03 04 06 Ethernet Port on unit 1 port 1 Eth 1 2 MAC Address 00 01 02 03 04 07 Ethernet Port on unit 1 port 2 Eth 1 3 MAC Address 00 01 ...

Page 739: ...ommand Mode Privileged Exec Example Console show lldp info remote device LLDP Remote Devices Information Interface ChassisId PortId SysName Eth 1 1 00 01 02 03 04 05 00 01 02 03 04 06 Console show lldp info remote device detail ethernet 1 1 LLDP Remote Devices Information Detail Local PortName Eth 1 1 Chassis Type MAC Address Chassis Id 00 01 02 03 04 05 PortID Type MAC Address PortID 00 01 02 03 ...

Page 740: ...e switch show lldp info statistics LLDP Device Statistics Neighbor Entries List Last Updated 2450279 seconds New Neighbor Entries Count 1 Neighbor Entries Deleted Count 0 Neighbor Entries Dropped Count 0 Neighbor Entries Ageout Count 0 Interface NumFramesRecvd NumFramesSent NumFramesDiscarded Eth 1 1 10 11 0 Eth 1 2 0 0 0 Eth 1 3 0 0 0 Eth 1 4 0 0 0 Eth 1 5 0 0 0 switch show lldp info statistics d...

Page 741: ...uential order transmitting all traffic in the higher priority queues before servicing lower priority queues wrr Weighted Round Robin shares bandwidth at the egress ports by using scheduling weights 1 2 4 8 for queues 0 3 respectively Table 4 87 Priority Commands Command Groups Function Page Priority Layer 2 Configures default priority for untagged frames sets queue weights and maps class of servic...

Page 742: ...rity service mode switchport priority default This command sets a priority for incoming untagged frames Use the no form to restore the default value Syntax switchport priority default default priority id no switchport priority default default priority id The priority number for untagged ingress traffic The priority is a number from 0 to 7 Seven is the highest priority Default Setting The priority ...

Page 743: ...y on port 3 to 5 Related Commands show interfaces switchport 4 232 queue cos map This command assigns class of service CoS values to the priority queues i e hardware output queues 0 3 Use the no form set the CoS map to the default values Syntax queue cos map queue_id cos1 cosn no queue cos map queue_id The ID of the priority queue Ranges are 0 to 3 where 3 is the highest priority queue cos1 cosn T...

Page 744: ...ple shows how to change the CoS assignments Related Commands show queue cos map 4 367 show queue mode This command shows the current queue mode Default Setting None Command Mode Privileged Exec Example show queue bandwidth This command displays the weighted round robin WRR bandwidth allocation for the four priority queues Default Setting None Command Mode Privileged Exec Priority Queue 0 1 2 1 2 2...

Page 745: ...hernet unit port unit Stack unit Range 1 port Port number Range 1 28 52 port channel channel id Range 1 8 Default Setting None Command Mode Privileged Exec Example Console show queue bandwidth Queue ID Weight 0 1 1 2 2 4 3 8 Console Console show queue cos map ethernet 1 1 Information of Eth 1 1 Traffic Class 0 1 2 3 4 5 6 7 Priority Queue 1 0 0 1 2 2 3 3 Console ...

Page 746: ...priority Example The following example shows how to enable IP DSCP mapping globally Interface Configuration This command sets IP DSCP priority i e Differentiated Services Code Point priority Use the no form to restore the default table Syntax map ip dscp dscp value cos cos value no map ip dscp dscp value 8 bit DSCP value Range 0 63 cos value Class of Service value Range 0 7 Table 4 90 Priority Com...

Page 747: ...iority values are mapped to default Class of Service values according to recommendations in the IEEE 802 1p standard and then subsequently mapped to the four hardware priority queues This command sets the IP DSCP priority for all interfaces Example The following example shows how to map IP DSCP value 1 to CoS value 0 Table 4 91 IP DSCP to CoS Vales IP DSCP Value CoS Value 0 0 8 1 10 12 14 16 2 18 ...

Page 748: ... Range 1 28 52 port channel channel id Range 1 8 Default Setting None Command Mode Privileged Exec Example Related Commands map ip dscp Global Configuration 4 368 map ip dscp Interface Configuration 4 368 Console show map ip dscp ethernet 1 1 DSCP mapping status disabled Port DSCP COS Eth 1 1 0 0 Eth 1 1 1 0 Eth 1 1 2 0 Eth 1 1 3 0 Eth 1 1 61 0 Eth 1 1 62 0 Eth 1 1 63 0 Console ...

Page 749: ...c class and use the policer command to monitor the average flow and burst rate and drop Table 4 92 Quality of Service Commands Command Function Mode Page class map Creates a class map for a type of traffic GC 4 372 match Defines the criteria used to classify traffic CM 4 373 rename Redefines the name of a class map CM 4 374 description Specifies the description of a class map CM 4 374 policy map C...

Page 750: ...class map name Name of the class map Range 1 16 characters Default Setting None Command Mode Global Configuration Command Usage First enter this command to designate a class map and enter the Class Map configuration mode Then use the match command page 4 373 to specify the criteria for ingress traffic that will be classified under this class map Up to 16 match commands are permitted per class map ...

Page 751: ...ress packets that must match to qualify for this class map If an ingress packet matches an ACL specified by this command any deny rules included in the ACL will be ignored If match criteria includes an IP ACL or IP priority rule then a VLAN rule cannot be included in the same class map If match criteria includes a MAC ACL or VLAN rule then neither an IP ACL nor IP priority rule can be included in ...

Page 752: ...n This command specifies the description of a class map or policy map Syntax description string string Description of the class map or policy map Range 1 64 characters Command Mode Class Map Configuration Policy Map Configuration Example Console config class map rd_class 3 match any Console config cmap match vlan 1 Console config cmap Console config class map rd class 1 Console config cmap rename ...

Page 753: ...te a Class Map page 4 375 before assigning it to a Policy Map Example This example creates a policy called rd_policy uses the class command to specify the previously defined rd_class uses the set command to classify the service that incoming packets will receive and then uses the police command to limit the average bandwidth to 100 000 Kbps the burst rate to 1522 bytes and configure the response t...

Page 754: ...es the police command to limit the average bandwidth to 100 000 Kbps the burst rate to 1522 bytes and configure the response to drop any violating packets set This command services IP traffic by setting a CoS DSCP or IP Precedence value in a matching packet as specified by the match command on page 4 373 Use the no form to remove the traffic classification Syntax no set cos new cos ip dscp new dsc...

Page 755: ...ACL and Extended ACL IPv6 Standard ACL and IPv6 Extended ACL Policing is based on a token bucket where bucket depth i e the maximum burst before the bucket overflows is specified by the burst byte field and the average rate at which tokens are removed from the bucket is specified by the rate bps option Example This example creates a policy called rd_policy uses the class command to specify the pre...

Page 756: ...olicy map can be assigned to an interface First define a class map then define a policy map and finally use the service policy command to bind the policy map to the required interface The switch does not allow a policy map to be bound to an interface for egress traffic Example This example applies a service policy to an ingress interface show class map This command displays the QoS class maps whic...

Page 757: ...d Mode Privileged Exec Example show policy map interface This command displays the service policy assigned to the specified interface Syntax show policy map interface interface input interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 52 port channel channel id Range 1 8 Console show class map Class Map match any rd_class 1 Match ip dscp 3 Class Map match any rd_class ...

Page 758: ...ers 4 380 IGMP Query Configures IGMP query parameters for multicast filtering at Layer 2 4 385 Static Multicast Routing Configures static multicast router ports 4 389 IGMP Filtering and Throttling Configures IGMP filtering and throttling 4 391 Multicast VLAN Registration Configures a single network wide multicast VLAN shared by hosts residing in other standard or private VLAN groups preserving sec...

Page 759: ... igmp snooping vlan vlan id static ip address interface vlan id VLAN ID Range 1 4094 ip address IP address for multicast group interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 52 port channel channel id Range 1 8 Default Setting None Command Mode Global Configuration Command Usage Static multicast entries are never aged out When a multicast entry is assigned to an i...

Page 760: ...3 are all supported and versions 2 and 3 are backward compatible so the switch can operate with other devices regardless of the snooping version employed Some commands are only enabled for IGMPv2 and or v3 including ip igmp snooping querier ip igmp snooping query max response time ip igmp snooping query interval and ip igmp snooping immediate leave Example The following configures the switch to us...

Page 761: ...ry timer for that port When the conditions in the preceding item all apply except that the receiving port is a router port then the switch will not send a GS query but will immediately start the last member query timer for that port Example This command immediately deletes a member port of a multicast service if a leave packet is received at that port and immediate leave is enabled for the parent ...

Page 762: ...ion Default Setting None Command Mode Privileged Exec Command Usage See paratext on page 3 286 for a description of the displayed items Example The following shows the current IGMP snooping configuration This command shows known multicast addresses Syntax show mac address table multicast vlan vlan id user igmp snooping vlan id VLAN ID 1 to 4092 Console config interface vlan 1 Console config if ip ...

Page 763: ...he switch as an IGMP querier Use the no form to disable it Syntax no ip igmp snooping querier Default Setting Enabled Console show mac address table multicast vlan 1 igmp snooping VLAN M cast IP addr Member ports Type 1 224 1 2 3 Eth1 11 IGMP Console Table 4 95 IGMP Query Commands Layer 2 Command Function Mode Page ip igmp snooping querier Allows this device to act as the querier for IGMP snooping...

Page 764: ...p a client from the multicast group Range 2 10 Default Setting 2 times Command Mode Global Configuration Command Usage The query count defines how long the querier waits for a response from a multicast client before taking action If a querier has sent a number of queries defined by this command but a client has not responded a countdown timer is started using the time defined by ip igmp snooping q...

Page 765: ...ime seconds no ip igmp snooping query max response time seconds The report delay advertised in IGMP queries Range 5 25 Default Setting 10 seconds Command Mode Global Configuration Command Usage The switch must be using IGMPv2 or v3 snooping for this command to take effect This command defines the time after a query during which a response is expected from a multicast client If a querier has sent a...

Page 766: ...fter the previous querier stops before it considers the router port i e the interface which had been receiving query packets to have expired Range 300 500 Default Setting 300 seconds Command Mode Global Configuration Command Usage The switch must use IGMPv2 or v3 snooping for this command to take effect Example The following shows how to configure the default timeout to 300 seconds Related Command...

Page 767: ...iguration Command Usage Depending on your network connections IGMP snooping may not always be able to locate the IGMP querier Therefore if the IGMP querier is a known multicast router switch connected over the network to an interface port or trunk on your router you can manually configure that interface to join all the current multicast groups Example The following shows how to configure port 11 a...

Page 768: ...d VLAN ID Range 1 4094 Default Setting Displays multicast router ports for all configured VLANs Command Mode Privileged Exec Command Usage Multicast router port types displayed include Static Example The following shows that port 11 in VLAN 1 is attached to a multicast router Console show ip igmp snooping mrouter vlan 1 VLAN M cast Router Ports Type 1 Eth 1 11 Static 2 Eth 1 12 Static Console ...

Page 769: ...eived on the port are checked against the filter profile If a requested multicast group is permitted the IGMP join report is forwarded as normal If a requested multicast group is denied the IGMP join report is dropped IGMP filtering and throttling only applies to dynamically learned multicast groups it does not apply to statically configured groups Table 4 97 IGMP Filtering and Throttling Commands...

Page 770: ...A profile defines the multicast groups that a subscriber is permitted or denied to join The same profile can be applied to many interfaces but only one profile can be assigned to one interface Each profile has only one access mode either permit or deny Example permit deny This command sets the access mode for an IGMP filter profile Use the no form to delete a profile number Syntax permit deny Defa...

Page 771: ...oup range Default Setting None Command Mode IGMP Profile Configuration Command Usage Enter this command multiple times to specify more than one multicast address or address range for a profile Example ip igmp filter This command assigns an IGMP filtering profile to an interface on the switch Use the no form to remove a profile from an interface Syntax no ip igmp filter profile number profile numbe...

Page 772: ...n at the same time Range 0 64 Default Setting 64 Command Mode Interface Configuration Command Usage IGMP throttling sets a maximum number of multicast groups that a port can join at the same time When the maximum number of groups is reached on a port the switch can take one of two actions either deny or replace If the action is set to deny any new IGMP join reports will be dropped If the action is...

Page 773: ...wo actions either deny or replace If the action is set to deny any new IGMP join reports will be dropped If the action is set to replace the switch randomly removes an existing group and replaces it with the new multicast group Example show ip igmp filter This command displays the global and interface settings for IGMP filtering Syntax show ip igmp filter interface interface interface ethernet uni...

Page 774: ...tings for IGMP throttling Syntax show ip igmp throttle interface interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 52 port channel channel id Range 1 8 Console show ip igmp filter IGMP filter enabled Console show ip igmp filter interface ethernet 1 1 Ethernet 1 1 information IGMP Profile 19 Deny range 239 1 1 1 239 1 1 1 range 239 2 3 1 239 2 3 100 Console ...

Page 775: ...tains the user isolation and data security provided by VLAN segregation by passing only multicast traffic into other VLANs to which the subscribers belong Console show ip igmp throttle interface ethernet 1 1 Eth 1 1 Information Status TRUE Action Deny Max Multicast Groups 32 Current Multicast Groups 0 Console Table 4 98 Multicast VLAN Registration Commands Command Function Mode Page mvr Globally e...

Page 776: ...group Range 224 0 1 0 239 255 255 255 count The number of contiguous MVR group addresses Range 1 255 vlan Specifies the VLAN through which MVR multicast data is received This is also the VLAN to which all source ports must be assigned Range 1 4094 vlan id MVR VLAN ID Range 1 4094 receiver group Specifies groups to be managed through the receiver VLAN receiver vlan Allows multicast traffic to be fo...

Page 777: ...tion will be flooded to all ports in the associated VLAN Multicast traffic forwarded to subscribers is normally stripped of frame tags to prevent the hosts from discovering the identity of the MVR VLAN To allow multicast traffic with tagged frames to be sent to subscribers without revealing the identity of the MVR VLAN both the receiver group and receiver vlan attributes must be specifically defin...

Page 778: ... an MVR multicast group Range 224 0 1 0 239 255 255 255 static receiver group Statically assigns a multicast receiver group to the selected interface Note that the specified multicast service must already be configured as a receiver group which will managed through the MVR receiver VLAN see mvr global configuration command on page 4 398 Default Setting The port type is not defined Immediate leave ...

Page 779: ...ng for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list Using immediate leave can speed up leave latency but should only be enabled on a port attached to one multicast subscriber to avoid disrupting services to other group members attached to the same interface Immediate leave does not apply to multicast groups whi...

Page 780: ...ge 1 8 ip address IP address for an MVR multicast group Range 224 0 1 0 239 255 255 255 receiver group members Displays interfaces assigned to the MVR receiver groups and the current MVR status for each group Default Setting Displays global configuration settings for MVR when no keywords are used Command Mode Privileged Exec Command Usage Enter this command without any keywords to display the glob...

Page 781: ...without revealing the identity of the MVR VLAN MVR Supported Receiver Multicast Groups Number of multicast groups to be managed through the receiver VLAN MVR Used Receiver Multicast Groups Number of multicast groups currently active within the receiver VLAN eth1 5 RECEIVER INACTIVE DOWN Disable eth1 6 RECEIVER INACTIVE DOWN Disable eth1 7 RECEIVER INACTIVE DOWN Disable Console Table 4 100 show mvr...

Page 782: ...ceiver VLAN VLAN used to froward multicast traffic with tagged frames without revealing the identity of the MVR VLAN Members Shows the interfaces with subscribers for multicast services provided through the MVR VLAN Also shows if an interface has dynamically joined a multicast group d or if a multicast group has been statically bound to the interface s Console show mvr receiver group members MVR G...

Page 783: ...ress1 Corresponding IP address address2 address8 Additional corresponding IP addresses Default Setting No static entries Command Mode Global Configuration Table 4 103 DNS Commands Command Function Mode Page ip host Creates a static host name to address mapping GC 4 405 clear host Deletes entries from the host name to address table PE 4 406 ip domain name Defines a default domain name for incomplet...

Page 784: ...Syntax clear host name name Name of the host Range 1 64 characters Removes all entries Default Setting None Command Mode Privileged Exec Example This example clears all static entries from the DNS table ip domain name This command defines the default domain name appended to incomplete host names i e host names passed from a client that are not formatted with dotted notation Use the no form to remo...

Page 785: ...main name Range 1 64 characters Default Setting None Command Mode Global Configuration Command Usage Domain names are added to the end of the list one at a time When an incomplete host name is received by the DNS service on this switch it will work through the domain list appending each domain name in the list to the host name and checking with the specified name servers for a match If there is no...

Page 786: ... server address1 IP address of domain name server server address2 server address6 IP address of additional domain name servers Default Setting None Command Mode Global Configuration Command Usage The listed name servers are queried in the specified sequence until a response is received or the end of the list is reached with no response Console config ip domain list sample com jp Console config ip ...

Page 787: ...ore you can enable DNS If all name servers are deleted DNS will automatically be disabled Example This example enables DNS and then displays the configuration Console config ip domain server 192 168 1 55 10 1 0 55 Console config end Console show dns Domain Lookup Status DNS disabled Default Domain Name sample com Domain Name List sample com jp sample com uk Name Server List 192 168 1 55 10 1 0 55 ...

Page 788: ... an alias if it is mapped to the same address es as a previously configured entry This command displays the configuration of the DNS service Command Mode Privileged Exec Example Console show hosts Hostname rd5 Inet address 10 1 0 55 192 168 1 55 Alias 1 rd6 Console Console show dns Domain Lookup Status DNS enabled Default Domain Name sample com Domain Name List sample com jp sample com uk Name Ser...

Page 789: ...nytimes com 19 POINTER TO 2 4 4 CNAME graphics478 nytimes com edgesui 19 POINTER TO 2 Console Table 4 104 show dns cache display description Field Description NO The entry number for each resource record FLAG The flag is always 4 indicating a cache entry and therefore unreliable TYPE This field includes ADDRESS which specifies the host address for the owner and CNAME which specifies an alias IP Th...

Page 790: ...ress from BOOTP dhcp Obtains IP address from DHCP Default Setting DHCP Command Mode Interface Configuration VLAN Command Usage You must assign an IP address to this device to gain management access over the network You can manually configure a specific IP address or direct the device to obtain an address from a BOOTP or DHCP server Valid IP addresses consist of four numbers 0 to 255 separated by p...

Page 791: ...w management VLAN Example In the following example the device is assigned an address in VLAN 1 Related Commands ip dhcp restart 4 414 ip default gateway This command establishes a static route between this switch and devices that exist on another network segment Use the no form to remove the static route Syntax ip default gateway gateway no ip default gateway gateway IP address of the default gate...

Page 792: ...twork portion of the address provided to the client will be based on this new domain Example In the following example the device is reassigned the same address Related Commands ip address 4 412 show ip interface This command displays the settings of an IP interface Default Setting All interfaces Command Mode Normal Exec Privileged Exec Example Console config interface vlan 1 Console config if ip a...

Page 793: ...hows each cache entry including the corresponding IP address MAC address type dynamic other and VLAN interface Note that entry type other indicates local addresses for this switch Example ping This command sends ICMP echo request packets to another node on the network Syntax ping host count count size size host IP address or IP alias of the host Console show ip redirects IP default gateway 10 1 0 ...

Page 794: ...ffic Destination does not respond If the host does not respond a timeout appears in ten seconds Destination unreachable The gateway for this destination indicates that the destination is unreachable Network or host unreachable The gateway found no corresponding entry in the route table Press Esc to stop pinging Example Related Commands interface 4 221 Console ping 10 1 0 9 Type ESC to abort PING t...

Page 795: ... Control Broadcast multicast or unknown unicast traffic throttled above a critical threshold Port Mirroring Destination single port Source Multiple ports VLANs MAC addresses Rate Limits Input limit Output limit Port Trunking Static trunks Cisco EtherChannel compliant Dynamic trunks Link Aggregation Control Protocol Spanning Tree Algorithm Spanning Tree Protocol STP IEEE 802 1D 2004 Rapid Spanning ...

Page 796: ...ement Features In Band Management Telnet web based HTTP or HTTPS SNMP manager or Secure Shell Out of Band Management RS 232 DB 9 console port Software Loading FTP TFTP in band or XModem out of band SNMP Management access via MIB database Trap management to specified hosts RMON Groups 1 2 3 9 Statistics History Alarm Event Standards IEEE 802 1AB Link Layer Discovery Protocol IEEE 802 1D 2004 Spanni...

Page 797: ...6 TFTP RFC 1350 Management Information Bases Bridge MIB RFC 1493 Differentiated Services MIB RFC 3289 Entity MIB RFC 2737 Ether like MIB RFC 3635 Extended Bridge MIB RFC 2674 Extensible SNMP Agents MIB RFC 2742 Forwarding Table MIB RFC 2096 IGMP MIB RFC 2933 Interface Group MIB RFC 2233 Interfaces Evolution MIB RFC 2863 IP Multicasting related MIBs MAU MIB RFC 3636 MIB II RFC 1213 Port Access Enti...

Page 798: ...munity MIB RFC 3584 SNMP Framework MIB RFC 3411 SNMP MPD MIB RFC 3412 SNMP Target MIB SNMP Notification MIB RFC 3413 SNMP User Based SM MIB RFC 3414 SNMP View Based ACM MIB RFC 3415 TACACS Authentication Client MIB TCP MIB RFC 2012 Trap RFC 1215 UDP MIB RFC 2013 ...

Page 799: ...d the maximum number of concurrent Telnet SSH sessions permitted Try connecting again at a later time Cannot connect using Secure Shell If you cannot connect using SSH you may have exceeded the maximum number of concurrent Telnet SSH sessions permitted Try connecting again at a later time Be sure the control parameters for the SSH server are properly configured on the switch and that the SSH clien...

Page 800: ...r messages reported to include all categories 3 Designate the SNMP host that is to receive the error messages 4 Repeat the sequence of commands or other actions that lead up to the error 5 Make a list of the commands or circumstances that led to the fault Also make a list of any error messages displayed 6 Contact your distributor s service engineer For example Console config logging on Console con...

Page 801: ...etworks by employing a well defined set of building blocks from which a variety of aggregate forwarding behaviors may be built Each packet carries information DS byte used by each hop to give it a particular forwarding treatment or per hop behavior at each network node DiffServ allocates different levels of service to users on the network with mechanisms such as traffic meters shapers droppers pac...

Page 802: ...to an authentication server e g RADIUS for verification EAPOL is implemented as part of the IEEE 802 1X Port Authentication standard File Transfer Protocol FTP A TCP IP protocol commonly used for software downloads GARP VLAN Registration Protocol GVRP Defines a way for switches to exchange VLAN information in order to register necessary VLAN members on ports along the Spanning Tree so that VLANs d...

Page 803: ... Spanning Tree Protocol RSTP which reduces the convergence time for network topology changes to about 10 of that required by the older IEEE 802 1D STP standard Now incorporated in IEEE 802 1D 2004 IEEE 802 1X Port Authentication controls access to the switch ports by requiring users to first enter a user ID and password for authentication IEEE 802 3ac Defines frame extensions for VLAN tagging IEEE...

Page 804: ...t may be configured differently to suit the requirements for specific network applications Layer 2 Data Link layer in the ISO 7 Layer Data Communications Protocol This is related directly to the hardware interface for network devices and passes on traffic based on MAC addresses Link Aggregation See Port Trunk Link Aggregation Control Protocol Allows ports to automatically negotiate a trunked link ...

Page 805: ...ocol MSTP can provide an independent spanning tree for different VLANs It simplifies network management provides for even faster convergence than RSTP by limiting the size of each region and prevents VLAN members from being segmented from the rest of the group Network Time Protocol NTP provides the mechanisms to synchronize time across the network The time servers operate in a hierarchical master ...

Page 806: ...ority of one flow or limiting the priority of another flow Remote Authentication Dial in User Service RADIUS RADIUS is a logon authentication protocol that uses software running on a central server to control access to RADIUS compliant devices on the network RMON RMON provides comprehensive network monitoring capabilities It eliminates the polling required in standard SNMP and can set alarms on a ...

Page 807: ...ludes TCP as the primary transport protocol and IP as the network layer protocol TFTP A TCP IP protocol commonly used for software downloads UTC UTC is a time scale that couples Greenwich Mean Time based solely on the Earth s rotation rate with highly accurate atomic time The UTC does not have daylight saving time UDP UDP provides a datagram mode for packet switched communications It uses IP as th...

Page 808: ...Glossary Glossary 8 A protocol used to transfer files between devices Data is grouped in 128 byte blocks and error corrected ...

Page 809: ... 227 4 308 Access Control List See ACL ACL 3 123 4 199 ARP 3 133 4 212 binding to a port 3 135 4 205 IPv4 Extended 3 124 3 125 4 200 4 203 IPv4 Standard 3 124 3 125 4 200 4 202 IPv6 Extended 3 124 3 129 4 206 4 209 IPv6 Standard 3 124 3 128 4 206 4 208 MAC 3 131 4 215 restricting rule types 4 200 address table 3 189 4 269 aging time 3 191 4 272 ARP ACL 3 133 4 193 ARP inspection 3 136 4 191 ACL fi...

Page 810: ...mic configuration 2 5 DHCP snooping enabling 3 144 4 180 global configuration 3 144 4 180 information option 3 146 4 184 information option policy 3 146 4 185 information option enabling 3 146 4 184 policy selection 3 146 4 185 specifying trusted interfaces 3 147 4 182 verifying MAC addresses 3 144 4 183 VLAN configuration 3 145 4 181 Differentiated Code Point Service See DSCP Differentiated Servi...

Page 811: ...2 1X 3 99 4 146 IGMP filter profiles configuration 3 295 4 392 filter parameters 3 295 filtering throttling 3 294 4 391 filtering throttling configuring profile 4 392 4 393 filtering throttling creating profile 3 294 4 392 filtering throttling enabling 3 294 4 391 filtering throttling interface configuration 3 297 4 393 filtering throttling interface settings 4 393 4 395 filtering throttling statu...

Page 812: ...n 3 253 4 356 TLV network policy 3 253 4 357 TLV PoE 3 253 4 355 TLV port capabilities 3 253 4 357 logging syslog traps 3 37 4 60 to syslog servers 3 37 4 59 log in web interface 3 2 logon authentication 3 70 4 109 encryption keys 3 75 4 118 4 122 RADIUS client 3 73 4 116 RADIUS server 3 73 4 116 sequence 3 73 4 114 4 115 settings 3 73 4 114 TACACS client 3 72 4 120 TACACS server 3 72 4 120 logon ...

Page 813: ... status 3 186 4 268 maximum allocation 3 186 4 266 priority 3 188 4 267 showing mainpower 3 186 4 269 port priority configuring 3 263 4 363 default ingress 3 263 4 364 STA 3 204 4 286 port security configuring 3 109 4 159 port statistics 3 180 4 231 ports autonegotiation 3 158 4 223 broadcast storm threshold 3 172 4 228 capabilities 3 158 4 224 configuring 3 155 4 220 duplex mode 3 158 4 222 flow ...

Page 814: ...4 44 sFlow flow configuration 3 68 4 104 4 108 port groups source 3 66 4 104 target device 3 68 4 107 Simple Mail Transfer Protocol See SMTP Simple Network Management Protocol See SNMP SMTP sending log events 3 39 4 63 SNMP 3 49 4 88 community string 3 51 4 91 enabling traps 3 52 4 95 engine identifier local 3 55 4 96 engine identifier remote 3 56 4 96 filtering IP addresses 3 106 4 156 groups 3 6...

Page 815: ...ion 3 72 4 120 settings 3 73 4 120 Telnet server enabling 3 34 4 136 time zone setting 3 46 4 75 time setting 3 42 4 67 TPID 3 233 4 316 traffic class weights 3 267 4 366 traffic segmentation 3 236 4 318 enabling 3 236 4 318 sessions assigning ports 3 237 4 319 sessions creating 3 237 4 320 uplink to uplink blocking 3 236 4 321 uplink to uplink forwarding 3 236 4 321 trap manager 2 7 3 52 4 93 tro...

Page 816: ...334 detecting VoIP devices 3 279 4 334 enabling for ports 3 280 4 337 4 339 identifying client devices 3 282 4 336 VoIP traffic 3 279 4 334 ports configuring 3 280 4 337 4 339 telephony OUI configuring 3 282 4 336 voice VLAN configuring 3 279 4 334 W web authentication 3 110 4 176 address re authenticating 3 113 4 177 configuring 3 111 4 176 port information displaying 3 113 4 178 ports configurin...

Page 817: ......

Page 818: ...SMC6128PL2 SMC6152PL2 149100000007A R01 ...

Search results

Summary of Contents for 6152PL2 FICHE

Reviews:

Related manuals for 6152PL2 FICHE

Brands by name

Popular brands

SMC Networks 6152PL2 FICHE, Management Manual

Search results

Summary of Contents for 6152PL2 FICHE

Reviews:

Related manuals for 6152PL2 FICHE

Brands by name

Popular brands