Home
/
SMC Networks
/
7824M/FSW - annexe 1
/
Management Manual

SMC Networks 7824M/FSW - annexe 1, Management Manual

Share

Page: 157 / 748

SMC Networks 7824M/FSW - annexe 1 Management Manual Download Page 157

C

ONFIGURING

802.1X P

ORT

A

UTHENTICATION

6-19

Configuring 802.1X Port Authentication

Network switches can provide open and easy access to network resources
by simply attaching a client PC. Although this automatic configuration and
access is a desirable feature, it also allows unauthorized personnel to easily
intrude and possibly gain access to sensitive network data.

The IEEE 802.1X (dot1x) standard defines a port-based access control
procedure that prevents unauthorized access to a network by requiring
users to first submit credentials for authentication. Access to all switch
ports in a network can be centrally controlled from a server, which means
that authorized users can use the same credentials for authentication from
any point within the network.

This switch uses the
Extensible
Authentication
Protocol over LANs
(EAPOL) to
exchange
authentication
protocol messages
with the client, and a
remote RADIUS authentication server to verify user identity and access
rights. When a client (i.e., Supplicant) connects to a switch port, the switch
(i.e., Authenticator) responds with an EAPOL identity request. The client
provides its identity (such as a user name) in an EAPOL response to the
switch, which it forwards to the RADIUS server. The RADIUS server
verifies the client identity and sends an access challenge back to the client.
The EAP packet from the RADIUS server contains not only the challenge,
but the authentication method to be used. The client can reject the
authentication method and request another, depending on the
configuration of the client software and the RADIUS server. The
encryption method used to pass authentication messages can be MD5
(Message-Digest 5), TLS (Transport Layer Security), or TTLS (Tunneled

802.1x
client

RADIUS
server

1. Client attempts to access a switch port.
2. Switch sends client an identity request.
3. Client sends back identity information.
4. Switch forwards this to authentication server.
5. Authentication server challenges client.
6. Client responds with proper credentials.
7. Authentication server approves access.
8. Switch grants client access to this port.

«
...
155
156
157
158
159
...
»

Summary of Contents for 7824M/FSW - annexe 1

Page 1: ...ecture Spanning Tree Protocol RSTP and MSTP Up to 12 LACP or static 8 port trunks Layer 2 3 4 CoS support through eight priority queues Layer 3 4 traffic priority with IP Precedence and IP DSCP Full support for VLANs with GVRP IGMP multicast filtering and snooping Support for jumbo frames up to 9 KB Manageable via console Web SNMP RMON Security features ACL RADIUS 802 1X Management Guide SMC7824M ...

Page 2: ......

Page 3: ...38 Tesla Irvine CA 92618 Phone 949 679 8000 TigerAccess 10 100 Management Guide From SMC s Tiger line of feature rich workgroup LAN solutions December 2006 Pub 150200058800A ...

Page 4: ... implication or otherwise under any patent or patent rights of SMC SMC reserves the right to change specifications at any time without notice Copyright 2006 by SMC Networks Inc 38 Tesla Irvine CA 92618 All rights reserved Printed in Taiwan Trademarks SMC is a registered trademark and EZ Switch TigerAccess TigerStack and TigerSwitch are trademarks of SMC Networks Inc Other product and company names...

Page 5: ...ncorporates these newer technologies At that point the obsolete product is discontinued and is no longer an Active SMC product A list of discontinued products with their respective dates of discontinuance can be found at http www smc com index cfm action customer_service_warranty All products that are replaced become the property of SMC Replacement products may be either new or reconditioned Any r...

Page 6: ...IRE LIGHTNING OR OTHER HAZARD LIMITATION OF LIABILITY IN NO EVENT WHETHER BASED IN CONTRACT OR TORT INCLUDING NEGLIGENCE SHALL SMC BE LIABLE FOR INCIDENTAL CONSEQUENTIAL INDIRECT SPECIAL OR PUNITIVE DAMAGES OF ANY KIND OR FOR LOSS OF REVENUE LOSS OF BUSINESS OR OTHER FINANCIAL LOSS ARISING OUT OF OR IN CONNECTION WITH THE SALE INSTALLATION MAINTENANCE USE PERFORMANCE FAILURE OR INTERRUPTION OF ITS...

Page 7: ...n 2 4 Setting Passwords 2 5 Setting an IP Address 2 6 Manual Configuration 2 6 Dynamic Configuration 2 7 Enabling SNMP Management Access 2 9 Community Strings for SNMP version 1 and 2c clients 2 9 Trap Receivers 2 10 Configuring Access for SNMP Version 3 Clients 2 11 Managing System Files 2 12 Saving Configuration Settings 2 13 Section II Switch Management 3 Configuring the Switch 3 1 Using the We...

Page 8: ...or Restoring Configuration Settings 4 18 Downloading Configuration Settings from a Server 4 20 Console Port Settings 4 22 Telnet Settings 4 24 Configuring Event Logging 4 27 System Log Configuration 4 27 Remote Log Configuration 4 29 Displaying Log Messages 4 31 Sending Simple Mail Transfer Protocol Alerts 4 32 Resetting the System 4 34 Setting the System Clock 4 35 Configuring SNTP 4 35 Setting t...

Page 9: ...6 21 Configuring 802 1X Global Settings 6 22 Configuring Port Settings for 802 1X 6 23 Displaying 802 1X Statistics 6 26 Filtering IP Addresses for Management Access 6 28 7 Client Security 7 1 Configuring Port Security 7 2 8 Access Control Lists 8 1 Configuring Access Control Lists 8 1 Setting the ACL Name and Type 8 3 Configuring a Standard ACL 8 4 Configuring an Extended ACL 8 5 Configuring a MA...

Page 10: ...ing the Aging Time 10 5 11 Spanning Tree Algorithm 11 1 Displaying Global Settings 11 4 Configuring Global Settings 11 8 Displaying Interface Settings 11 13 Configuring Interface Settings 11 17 Configuring Multiple Spanning Trees 11 21 Displaying Interface Settings for MSTP 11 24 Configuring Interface Settings for MSTP 11 26 12 VLAN Configuration 12 1 IEEE 802 1Q VLANs 12 1 Enabling or Disabling G...

Page 11: ...ce DSCP Priority 13 9 Mapping IP Precedence 13 10 Mapping DSCP Priority 13 12 Mapping IP Port Priority 13 14 14 Quality of Service 14 1 Configuring Quality of Service Parameters 14 2 Configuring a Class Map 14 3 Creating QoS Policies 14 6 Attaching a Policy Map to Ingress Queues 14 10 15 Multicast Filtering 15 1 Layer 2 IGMP Snooping and Query 15 2 Configuring IGMP Snooping and Query Parameters 15...

Page 12: ...he Command Line Interface 17 1 Accessing the CLI 17 1 Console Connection 17 1 Telnet Connection 17 2 Entering Commands 17 3 Keywords and Arguments 17 3 Minimum Abbreviation 17 4 Command Completion 17 4 Getting Help on Commands 17 4 Showing Commands 17 5 Partial Keyword Lookup 17 6 Negating the Effect of Commands 17 6 Using Command History 17 6 Understanding Command Modes 17 7 Exec Commands 17 7 Co...

Page 13: ...ers 19 8 show version 19 9 System Mode Commands 19 10 system mode 19 10 show system mode 19 11 System MTU Commands 19 12 jumbo frame 19 12 system mtu 19 13 show system mtu 19 14 File Management Commands 19 14 copy 19 16 delete 19 19 dir 19 20 whichboot 19 21 boot system 19 22 Line Commands 19 23 line 19 24 login 19 25 password 19 26 timeout login response 19 27 exec timeout 19 28 password thresh 1...

Page 14: ...il host 19 45 logging sendmail level 19 46 logging sendmail source email 19 47 logging sendmail destination email 19 47 logging sendmail 19 48 show logging sendmail 19 49 Time Commands 19 50 sntp client 19 50 sntp server 19 51 sntp poll 19 52 show sntp 19 53 clock timezone 19 54 calendar set 19 55 show calendar 19 55 20 SNMP Commands 20 1 snmp server 20 2 show snmp 20 2 snmp server community 20 4 ...

Page 15: ... login 21 5 authentication enable 21 7 RADIUS Client 21 8 radius server host 21 9 radius server port 21 10 radius server key 21 10 radius server retransmit 21 11 radius server timeout 21 11 show radius server 21 12 TACACS Client 21 13 tacacs server host 21 13 tacacs server port 21 14 tacacs server key 21 14 show tacacs server 21 15 Web Server Commands 21 15 ip http port 21 16 ip http server 21 16 ...

Page 16: ...port control 21 36 dot1x operation mode 21 37 dot1x re authenticate 21 38 dot1x re authentication 21 39 dot1x timeout quiet period 21 39 dot1x timeout re authperiod 21 40 dot1x timeout tx period 21 41 show dot1x 21 41 Management IP Filter Commands 21 45 management 21 45 show management 21 46 22 Client Security Commands 22 1 Port Security Commands 22 2 port security 22 3 IP Source Guard Commands 22...

Page 17: ...ist 23 7 access list ip mask precedence 23 8 mask IP ACL 23 9 show access list ip mask precedence 23 13 ip access group 23 14 show ip access group 23 15 MAC ACLs 23 15 access list mac 23 16 permit deny MAC ACL 23 17 show mac access list 23 19 access list mac mask precedence 23 20 mask MAC ACL 23 21 show access list mac mask precedence 23 23 mac access group 23 23 show mac access group 23 24 ACL In...

Page 18: ...5 6 lacp admin key Ethernet Interface 25 7 lacp admin key Port Channel 25 8 lacp port priority 25 9 show lacp 25 10 26 Mirror Port Commands 26 1 port monitor 26 1 show port monitor 26 2 27 Rate Limit Commands 27 1 rate limit 27 2 rate limit cos 27 3 show rate limit cos 27 5 28 Address Table Commands 28 1 mac address table static 28 2 clear mac address table dynamic 28 3 show mac address table 28 4...

Page 19: ...ing tree cost 29 16 spanning tree port priority 29 18 spanning tree edge port 29 18 spanning tree portfast 29 19 spanning tree link type 29 21 spanning tree mst cost 29 22 spanning tree mst port priority 29 23 spanning tree protocol migration 29 24 show spanning tree 29 25 show spanning tree mst configuration 29 27 30 VLAN Commands 30 1 GVRP and Bridge Extension Commands 30 2 bridge ext gvrp 30 2 ...

Page 20: ...nterfaces 30 21 show protocol vlan protocol group 30 22 show interfaces protocol vlan protocol group 30 23 Configuring IEEE 802 1Q Tunneling 30 24 switchport mode dot1q tunnel 30 25 show dot1q tunnel 30 26 switchport dot1q ethertype 30 27 31 Class of Service Commands 31 1 Priority Commands Layer 2 31 2 queue mode 31 3 show queue mode 31 4 switchport priority default 31 4 queue bandwidth 31 6 queue...

Page 21: ...32 13 33 Multicast Filtering Commands 33 1 IGMP Snooping Commands 33 2 ip igmp snooping 33 2 ip igmp snooping vlan static 33 3 ip igmp snooping version 33 4 ip igmp snooping leave proxy 33 5 ip igmp snooping immediate leave 33 6 show ip igmp snooping 33 7 show mac address table multicast 33 8 IGMP Query Commands 33 9 ip igmp snooping querier 33 9 ip igmp snooping query count 33 10 ip igmp snooping...

Page 22: ...s 34 1 ip host 34 2 clear host 34 3 ip domain name 34 4 ip domain list 34 5 ip name server 34 6 ip domain lookup 34 7 show hosts 34 8 show dns 34 9 show dns cache 34 9 clear dns cache 34 10 35 IP Interface Commands 35 1 Basic IP Configuration 35 1 ip address 35 2 ip default gateway 35 3 ip dhcp restart 35 4 show ip interface 35 5 show ip redirects 35 5 show arp 35 6 ping 35 7 ...

Page 23: ...pendices A Software Specifications A 1 Software Features A 1 Management Features A 3 Standards A 3 Management Information Bases A 4 B Troubleshooting B 1 Problems Accessing the Management Interface B 1 Using System Logs B 3 Glossary Index ...

Page 24: ...TABLE OF CONTENTS xxiv ...

Page 25: ...commended STA Path Cost Range 11 27 Table 11 4 Default STA Path Costs 11 27 Table 13 1 Mapping CoS Values to Egress Queues 13 3 Table 13 2 CoS Priority Levels 13 4 Table 13 3 Mapping IP Precedence 13 10 Table 13 4 Mapping DSCP Priority 13 12 Table 17 1 General Command Modes 17 7 Table 17 2 Configuration Command Modes 17 10 Table 17 3 Keystroke Commands 17 11 Table 17 4 Command Group Index 17 12 Ta...

Page 26: ...8 HTTPS System Support 21 18 Table 21 9 Telnet Server Commands 21 20 Table 21 10 Secure Shell Commands 21 21 Table 21 11 show ssh display description 21 31 Table 21 12 802 1X Port Authentication Commands 21 34 Table 21 13 Management IP Filter Commands 21 45 Table 22 1 Client Security Commands 22 2 Table 22 2 Port Security Commands 22 3 Table 22 3 IP Source Guard Commands 22 5 Table 22 4 DHCP Snoop...

Page 27: ... Commands 30 19 Table 30 8 IEEE 802 1Q Tunneling Commands 30 24 Table 31 1 Priority Commands 31 1 Table 31 2 Priority Commands Layer 2 31 2 Table 31 3 Default CoS Priority Levels 31 7 Table 31 4 Priority Commands Layer 3 and 4 31 11 Table 31 5 Mapping IP Precedence to CoS Values 31 14 Table 31 6 Mapping IP DSCP to CoS Values 31 15 Table 32 1 Quality of Service Commands 32 1 Table 33 1 Multicast Fi...

Page 28: ...TABLES xxviii ...

Page 29: ...ure 4 14 Configuring the Console Port 4 23 Figure 4 15 Configuring the Telnet Interface 4 26 Figure 4 16 System Logs 4 28 Figure 4 17 Remote Logs 4 30 Figure 4 18 Displaying Logs 4 31 Figure 4 19 Enabling and Configuring SMTP Alerts 4 33 Figure 4 20 Resetting the System 4 34 Figure 4 21 SNTP Configuration 4 36 Figure 4 22 Clock Time Zone 4 37 Figure 5 1 Enabling the SNMP Agent 5 4 Figure 5 2 Confi...

Page 30: ...Figure 9 1 Port Port Information 9 2 Figure 9 2 Port Port Configuration 9 6 Figure 9 3 Static Trunk Configuration 9 10 Figure 9 4 LACP Trunk Configuration 9 12 Figure 9 5 LACP Aggregation Port 9 15 Figure 9 6 LACP Port Counters Information 9 17 Figure 9 7 LACP Port Internal Information 9 20 Figure 9 8 LACP Port Neighbors Information 9 22 Figure 9 9 Port Broadcast Control 9 24 Figure 9 10 Mirror Po...

Page 31: ...igure 13 4 Queue Scheduling 13 7 Figure 13 5 IP Precedence DSCP Priority Status 13 9 Figure 13 6 IP Precedence Priority 13 11 Figure 13 7 IP DSCP Priority 13 13 Figure 13 8 IP Port Priority Status 13 14 Figure 13 9 IP Port Priority 13 15 Figure 14 1 Configuring Class Maps 14 5 Figure 14 2 Configuring Policy Maps 14 9 Figure 14 3 Service Policy Settings 14 11 Figure 15 1 IGMP Configuration 15 6 Fig...

Page 32: ...FIGURES xxxii Figure 16 3 DNS Cache 16 7 ...

Page 33: ...his section provides an overview of the switch and introduces some basic concepts about network switches It also describes the basic settings required to access the management interface Introduction 1 1 Initial Configuration 2 1 ...

Page 34: ...GETTING STARTED ...

Page 35: ...ticular network environment Key Features Table 1 1 Key Features Feature Description Configuration Backup and Restore Backup to TFTP server Authentication Console Telnet web User name password RADIUS TACACS Web HTTPS Telnet SSH SNMP v1 2c Community strings SNMP version 3 MD5 or SHA password Port IEEE 802 1X MAC address filtering Access Control Lists Supports IP or MAC ACLs Fast Ethernet ports 157 r...

Page 36: ...addresses learning Store and Forward Switching Supported to ensure wire speed switching while eliminating bad frames Spanning Tree Algorithm Supports standard STP Rapid Spanning Tree Protocol RSTP and Multiple Spanning Trees MSTP Virtual LANs Up to 255 using IEEE 802 1Q port based protocol based VLANs private VLANs and QinQ tunneling Traffic Prioritization Default port priority VLAN priority traff...

Page 37: ...ad this file to restore the switch configuration settings Authentication This switch authenticates management access via the console port Telnet or web browser User names and passwords can be configured locally or can be verified via a remote authentication server i e RADIUS or TACACS Port based authentication is also supported via the IEEE 802 1X protocol This protocol uses Extensible Authenticat...

Page 38: ...ntrol based on the IEEE 802 3 2005 standard Rate Limiting This feature controls the maximum rate for traffic transmitted or received on an interface Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network Traffic that falls within the rate limit is transmitted while packets that exceed the acceptable amount of traffic are dropped Input rate li...

Page 39: ...ilters ingress traffic based on static IP addresses and addresses stored in the DHCP Snooping table IEEE 802 1D Bridge The switch supports IEEE 802 1D transparent bridging The address table facilitates data switching by learning addresses and then filtering or forwarding traffic based on this information The address table supports up to 16K addresses Store and Forward Switching The switch copies e...

Page 40: ...ning tree for different VLANs It simplifies network management provides for even faster convergence than RSTP by limiting the size of each region and prevents VLAN members from being segmented from the rest of the group as sometimes occurs with IEEE 802 1D STP Virtual LANs The switch supports up to 255 VLANs A Virtual LAN is a collection of network nodes that share the same collision domain regard...

Page 41: ...e TCP UDP port When these services are enabled the priorities are mapped to a Class of Service value by the switch and the traffic then sent to the corresponding output queue Quality of Service Differentiated Services DiffServ provides policy based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per hop basis Each packet is clas...

Page 42: ...mers use the same internal VLAN IDs This is accomplished by inserting Service Provider VLAN SPVLAN tags into the customer s frames when they enter the service provider s network and then stripping the tags when the frames leave the network System Defaults The switch s system defaults are provided in the configuration file Factory_Default_Config cfg To reset the switch defaults this file should be ...

Page 43: ...S Enabled SSH Disabled Port Security Disabled DHCP Snooping Disabled IP Source Guard Disabled IP Filtering Disabled Web Management HTTP Server Enabled HTTP Port Number 80 HTTP Secure Server Enabled HTTP Secure Port Number 443 SNMP SNMP Agent Enabled Community Strings public read only private read write Traps Authentication traps enabled Link up down events enabled SNMP V3 View defaultview Group pu...

Page 44: ...sabled Rate Limit Broadcast 500 packets per second Unknown Packet Blocking Status Multicast disabled Unicast disabled Spanning Tree Algorithm Status Enabled RSTP Defaults Based on IEEE 802 1w Fast Forwarding Edge Port Disabled Address Table Aging Time 300 seconds Virtual LANs Default VLAN 1 PVID 1 Acceptable Frame Type All Ingress Filtering Disabled Switchport Mode Egress Mode Hybrid tagged untagg...

Page 45: ...igured with an IP address IP Address 0 0 0 0 Subnet Mask 255 0 0 0 Default Gateway 0 0 0 0 DHCP Client Enabled DNS Service Disabled BOOTP Disabled Multicast Filtering IGMP Snooping Snooping Enabled Querier Disabled Multicast VLAN Registration Disabled System Log Status Enabled Messages Logged Levels 0 7 all Messages Logged to Flash Levels 0 3 SMTP Email Alerts Event Handler Enabled but no server d...

Page 46: ...SYSTEM DEFAULTS 1 12 ...

Page 47: ...ent allows you to configure switch parameters monitor port connections and display statistics using a standard web browser such as Netscape Navigator version 6 2 and higher or Microsoft IE version 5 0 and higher The switch s web management interface can be accessed from any computer attached to the network The CLI program can be accessed by a direct connection to the RS 232 serial console port on ...

Page 48: ...lticast filtering Upload and download system firmware via TFTP Upload and download switch configuration files via TFTP Configure Spanning Tree parameters Configure Class of Service CoS priority queuing Configure up to 12 static or LACP trunks Enable port mirroring Set broadcast storm control on any port Display system information and statistics Required Connections The switch provides an RS 232 se...

Page 49: ... stop bit and no parity Set flow control to none Set the emulation mode to VT100 When using HyperTerminal select Terminal keys not Windows keys Notes 1 When using HyperTerminal with Microsoft Windows 2000 make sure that you have Windows 2000 Service Pack 2 or later installed Windows 2000 Service Pack 2 fixes the problem of arrow keys not functioning in HyperTerminal s VT100 emulation See www micro...

Page 50: ...d using Telnet from any computer attached to the network The switch can also be managed by any computer using a web browser Internet Explorer 5 0 or above or Netscape Navigator 6 2 or above or from a network computer using SNMP network management software Note The onboard program only provides access to basic configuration functions To access the full range of SNMP management functions you must us...

Page 51: ...s opened and the CLI displays the Console prompt indicating you have access at the Privileged Exec level Setting Passwords Note If this is your first time to log into the CLI program you should define new passwords for both default user names using the username command record them and put them in a safe place Passwords can consist of up to 8 alphanumeric characters and are case sensitive To preven...

Page 52: ...guration requests to BOOTP or DHCP address allocation servers on the network Manual Configuration You can manually assign an IP address to the switch You may also need to specify a default gateway that resides between this device and management stations that exist on another network segment Valid IP addresses consist of four decimal numbers 0 to 255 separated by periods Anything outside this forma...

Page 53: ...the network to which the switch belongs type ip default gateway gateway where gateway is the IP address of the default gateway Press Enter Dynamic Configuration If you select the bootp or dhcp option IP will be enabled but will not function until a BOOTP or DHCP reply has been received You therefore need to use the ip dhcp restart command to start broadcasting service requests Requests will be sen...

Page 54: ...rivileged Exec mode Press Enter 4 Type ip dhcp restart to begin broadcasting service requests Press Enter 5 Wait a few minutes and then check the IP configuration settings by typing the show ip interface command Press Enter 6 Then save your configuration changes by typing copy running config startup config Enter the startup file name and press Enter Console config interface vlan 1 24 2 Console con...

Page 55: ...c clients you must specify a community string The switch provides a default MIB View i e an SNMPv3 construct for the default public community string that provides read access to the entire MIB tree and a default view for the private community string that provides read write access to the entire MIB tree However you may assign new views to version 1 or 2c community strings that suit your specific s...

Page 56: ...mmend that you delete both of the default community strings If there are no community strings then SNMP management access from SNMP v1 and v2c clients is disabled Trap Receivers You can also specify SNMP stations that are to receive traps from the switch To configure a trap receiver use the snmp server host command From the Privileged Exec level global configuration mode prompt type snmp server ho...

Page 57: ...ia MD5 or SHA In the last step it assigns a v3 user to this group indicating that MD5 will be used for authentication provides the password greenpeace for authentication and the password einstien for encryption For a more detailed explanation on how to configure the switch for access from SNMP v3 clients refer to Simple Network Management Protocol on page 5 1 or refer to the specific CLI commands ...

Page 58: ...named startup1 cfg that contains system settings for initialization including information about the unit identifier MAC address and installed module type The configuration settings from the factory defaults configuration file are copied to this file which is then used to boot the switch See Saving or Restoring Configuration Settings on page 4 18 for more information Operation Code System software ...

Page 59: ... must copy the running configuration file to the start up configuration file using the copy command New startup configuration files must have a name specified File names on the switch are case sensitive can be from 1 to 31 characters must not contain slashes or and the leading letter of the file name must not be a period Valid characters A Z a z 0 9 _ There can be more than one user defined config...

Page 60: ... 1 From the Privileged Exec mode prompt type copy running config startup config and press Enter 2 Enter the name of the start up file Press Enter Console copy running config startup config 19 16 Startup configuration file name startup Write to FLASH Programming Write to FLASH finish Success Console ...

Page 61: ...erface Configuring the Switch 3 1 Basic Management Tasks 4 1 Simple Network Management Protocol 5 1 User Authentication 6 1 Client Security 7 1 Access Control Lists 8 1 Port Configuration 9 1 Address Table Settings 10 1 Spanning Tree Algorithm 11 1 VLAN Configuration 12 1 Class of Service 13 1 Quality of Service 14 1 Multicast Filtering 15 1 Domain Name Service 16 1 Dynamic Host Configuration Prot...

Page 62: ...SWITCH MANAGEMENT ...

Page 63: ...net For more information on using the CLI refer to Chapter 17 Overview of Command Line Interface Prior to accessing the switch from a web browser be sure you have first performed the following tasks 1 Configure the switch with a valid IP address subnet mask and default gateway using an out of band serial connection BOOTP or DHCP protocol See Setting an IP Address on page 2 6 2 Set user names and p...

Page 64: ... password If you log in as admin Privileged Exec level you can change the settings on any page 3 If the path between your management station and this switch does not pass through any device that uses the Spanning Tree Algorithm then you can set the switch port attached to your management station to fast forwarding i e enable Admin Edge Port to improve the switch s response time to management comma...

Page 65: ...and statistics The default user name and password admin is used for the administrator Home Page When your web browser connects with the switch s web agent the home page is displayed as shown below The home page displays the Main Menu on the left side of the screen and System Information on the right side The Main Menu links are used to navigate to other menus and display configuration parameters a...

Page 66: ...sit to the page 2 When using Internet Explorer 5 0 you may have to manually refresh the screen after making configuration changes by pressing the browser s refresh button Panel Display The web agent displays an image of the switch s ports The Mode can be set to display different information for the ports including Active i e up or down Duplex i e half or full duplex or Flow Control i e with or wit...

Page 67: ...ximum transfer unit for traffic crossing the switch 4 5 Switch Information Shows the number of ports hardware firmware version numbers and power status 4 8 Bridge Extension Shows the bridge extension parameters 4 10 IP Configuration Sets the IP address for management access 4 12 Jumbo Frames Enables support for jumbo frames 4 7 File Management 4 15 Copy Operation Allows the transfer and copying fi...

Page 68: ...NMPv3 5 10 Engine ID Sets the SNMP v3 engine ID 5 10 Remote Engine ID Sets the SNMP v3 engine ID on a remote device 5 11 Users Configures SNMP v3 users 5 12 Remote Users Configures SNMP v3 users on a remote device 5 15 Groups Configures SNMP v3 groups 5 18 Views Configures SNMP v3 views 5 24 Security 6 1 User Accounts Configures user names passwords and access levels 6 1 Authentication Settings Co...

Page 69: ...ed 8 10 Port Binding Binds a port to the specified ACL 8 16 IP Filter Configures IP addresses that are allowed management access 6 28 Port 9 1 Port Information Displays port connection status 9 1 Trunk Information Displays trunk connection status 9 1 Port Configuration Configures port connection settings 9 4 Trunk Configuration Configures trunk connection settings 9 4 Trunk Membership Specifies po...

Page 70: ...the output rate limit for each trunk 9 26 Port Statistics Lists Ethernet and RMON port statistics 9 28 Address Table 10 1 Static Addresses Displays entries for interface address or VLAN 10 1 Dynamic Addresses Displays or edits static entries in the Address Table 10 3 Address Aging Sets timeout for dynamically learned entries 10 5 Spanning Tree 11 1 STA Information Displays STA values used for the ...

Page 71: ...Current Table Shows the current port members of each VLAN and whether or not the port is tagged or untagged 12 7 Static List Used to create or remove VLAN groups 12 8 Static Table Modifies the settings for an existing VLAN 12 10 Static Membership by Port Configures membership type for interfaces including tagged untagged or forbidden 12 13 Port Configuration Specifies default PVID and VLAN attribu...

Page 72: ...13 10 IP DSCP Priority Sets IP Differentiated Services Code Point priority mapping a DSCP tag to a class of service value 13 12 IP Port Priority Status Globally enables or disables IP Port Priority 13 14 IP Port Priority Sets TCP UDP port priority defining the socket number and associated class of service value 13 10 QoS 14 1 DiffServ Configure QoS classification criteria and service policies 14 2...

Page 73: ...nformation Displays MVR interface type MVR operational and activity status and immediate leave status 15 15 Group IP Information Displays the ports attached to an MVR multicast stream 15 19 Port Configuration Configures MVR interface type and immediate leave status 15 11 Trunk Configuration Configures MVR interface type and immediate leave status 15 11 Group Member Configuration Statically assigns...

Page 74: ...CONFIGURING THE SWITCH 3 12 ...

Page 75: ...stem Object ID MIB II object ID for switch s network management subsystem Location Specifies the system location Contact Administrator responsible for the system System Up Time Length of time the management agent has been up These additional parameters are displayed for the CLI System Description Brief description of device type MAC Address The physical layer address for this switch Web Server Sho...

Page 76: ... Jumbo Frame Shows if jumbo frames are enabled Power Module Status Shows the power module status Power Module Type Shows the power module type Fan Shows the power fan status POST Result Shows results of the power on self test Web Click System System Information Specify the system name location and contact information for the system administrator then click Apply This page also includes a Telnet bu...

Page 77: ...tem Information System Up Time 0 days 0 hours 4 minutes and 7 84 seconds System Name R D 5 System Location WC 9 System Contact Ted MAC Address Unit1 00 12 CF 21 DC E0 Web Server Enabled Web Server Port 80 Web Secure Server Enabled Web Secure Server Port 443 Telnet Server Enable Telnet Server Port 23 Jumbo Frame Disabled Power Module A Status UP Power Module B Status Not present Power Module A Type...

Page 78: ...n area network Command Attributes System Mode Sets the switch to operate in one of the following modes Normal Mode The switch functions in normal operating mode This is the default operating mode QinQ Mode Sets the switch to QinQ mode and allows the QinQ tunnel port to be configured For an explanation of QinQ see Configuring IEEE 802 1Q Tunneling on page 12 17 Web Click System System Mode Select t...

Page 79: ...packet overhead required to process protocol encapsulation fields Frame sizes for Fast Ethernet ports can be extended up to 1546 bytes and are used primarily to allow for additional header fields not to significantly increase the per packet data size These Fast Ethernet extended fames and are more often called baby jumbo frames To use jumbo frames both the source and destination end nodes such as ...

Page 80: ...hernet ports Range 1500 9216 bytes Web Click System System MTU Set the maximum frame size for Fast Ethernet and Gigabit Ethernet ports then click Apply Figure 4 3 System MTU CLI This example sets the MTU for Fast Ethernet ports to 1528 bytes Console config system mtu 1528 19 13 Console config exit Console show system mtu 19 14 System MTU size is 1528 Bytes System Jumbo MTU size is 1518 Bytes Conso...

Page 81: ...crease the per packet data size Command Usage To use jumbo frames both the source and destination end nodes such as a computer or server must support this feature Also when the connection is operating at full duplex all switches in the network between the two end nodes must be able to accept the extended frame size And for half duplex connections all devices in the collision domain would need to s...

Page 82: ... version of the main board EPLD Version Version number of EEPROM Programmable Logic Device Number of Ports Number of built in ports Main Power Status Displays the status of the primary power supply Redundant Power Status Displays the status of the redundant power supply Management Software Unit ID Unit number in stack Loader Version Version number of loader code Boot ROM Version Version of Power O...

Page 83: ...h Information CLI Use the following command to display version information Console show version 19 9 Unit 1 Serial Number 0000E8900000 Hardware Version R01 EPLD Version 0 01 Number of Ports 29 Agent Master Unit ID 1 Loader Version 1 0 0 1 Boot ROM Version 1 0 0 7 Operation Code Version 1 0 1 5 Console ...

Page 84: ...dual Port This switch allows static filtering for unicast and multicast addresses Refer to Setting Static Addresses on page 10 1 VLAN Learning This switch uses Independent VLAN Learning IVL where each port maintains its own filtering database Configurable PVID Tagging This switch allows you to override the default Port VLAN ID PVID used in frame tags and egress status VLAN Tagged or Untagged on ea...

Page 85: ... CLI Enter the following command Console show bridge ext 30 3 Max support VLAN numbers 256 Max support VLAN ID 4094 Extended multicast filtering services No Static entry individual port Yes VLAN learning IVL Configurable PVID tagging Yes Local VLAN capable No Traffic classes Enabled Global GVRP status Disabled GMRP Disabled Console ...

Page 86: ...4093 By default all ports on the stack are members of VLAN 1 However the management station can be attached to a port belonging to any VLAN as long as that VLAN has been assigned an IP address IP Address Mode Specifies whether IP functionality is enabled via manual configuration Static Dynamic Host Configuration Protocol DHCP or Boot Protocol BOOTP If DHCP BOOTP is enabled IP will not function unt...

Page 87: ...ent station is attached Enter the IP address subnet mask and gateway then click Apply Figure 4 7 IP Interface Configuration Manual CLI Specify the management interface IP address and default gateway Console config Console config interface vlan 1 24 2 Console config if ip address 10 1 0 253 255 255 255 0 35 2 Console config if exit Console config ip default gateway 10 1 0 254 35 3 Console config ...

Page 88: ... request for IP configuration settings on each power reset Figure 4 8 IP Interface Configuration DHCP Note If you lose your management connection make a console connection to the Master unit and enter show ip interface to determine the new stack address CLI Specify the management interface and set the IP address mode to DHCP or BOOTP and then enter the ip dhcp restart command Console config Consol...

Page 89: ... upload download firmware to or from a TFTP server or copy files to and from switch units in a stack By saving runtime code to a file on a TFTP server that file can later be downloaded to the switch to restore operation You can also set the switch to use new firmware without overwriting the previous version You must specify the method of file transfer along with the file type and file names as req...

Page 90: ...rom a Server When downloading runtime code you can specify the destination file name to replace the current image or first download the file using a different name from the current runtime code file and then set the new file as the startup file Web Click System File Management Copy Operation Select tftp to file as the file transfer method enter the IP address of the TFTP server set the file type t...

Page 91: ...click Apply To start the new firmware reboot the system via the System Reset menu Figure 4 10 Setting the Startup Code To delete a file select System File Management Delete Select the file name from the given list by checking the tick box and click Apply Note that the file currently designated as the startup code cannot be deleted Figure 4 11 Deleting Files ...

Page 92: ...e switch s settings Command Attributes File Transfer Method The configuration copy operation includes these options file to file Copies a file within the switch directory assigning it a new name file to running config Copies a file in the switch to the running configuration file to startup config Copies a file in the switch to the startup configuration file to tftp Copies a file from the switch to...

Page 93: ...ver to the switch tftp to running config Copies a file from a TFTP server to the running config tftp to startup config Copies a file from a TFTP server to the startup config TFTP Server IP Address The IP address of a TFTP server File Type Specify config configuration to copy configuration settings File Name The configuration file name should not contain slashes or the leading letter of the file na...

Page 94: ... replace it Note that the file Factory_Default_Config cfg can be copied to the TFTP server but cannot be used as the destination on the switch Web Click System File Management Copy Operation Choose tftp to startup config or tftp to file and enter the IP address of the TFTP server Specify the name of the file to download select a file on the switch to overwrite or specify a new file name and then c...

Page 95: ...nfiguration Settings CLI Enter the IP address of the TFTP server specify the source file on the server set the startup file name on the switch and then restart the switch To select another configuration file as the start up configuration use the boot system command and then restart the switch Console copy tftp startup config 19 16 TFTP server ip address 192 168 1 19 Source configuration file name ...

Page 96: ...ssword Threshold Sets the password intrusion threshold which limits the number of failed logon attempts When the logon attempt threshold is reached the system interface becomes silent for a specified amount of time set by the Silent Time parameter before allowing the next logon attempt Range 0 120 Default 3 attempts Silent Time Sets the amount of time the management console is inaccessible after t...

Page 97: ...ne with password protection the system prompts for the password If you enter the correct password the system shows a prompt Default No password Login1 Enables password checking at login You can select authentication by a single global password as configured for the Password parameter or by passwords set up for specific user name accounts Default Local Web Click System Line Console Specify the cons...

Page 98: ...lnet access to the switch Default Enabled Telnet Port Number Sets the TCP port number for Telnet on the switch Range 1 65535 Default 23 Console config line console 19 24 Console config line login local 19 25 Console config line password 0 secret 19 26 Console config line timeout login response 0 19 27 Console config line exec timeout 0 19 28 Console config line password thresh 5 19 29 Console conf...

Page 99: ...hold which limits the number of failed logon attempts When the logon attempt threshold is reached the system interface becomes silent for a specified amount of time set by the Silent Time parameter before allowing the next logon attempt Range 0 120 Default 3 attempts Password2 Specifies a password for the line connection When a connection is started on a line with password protection the system pr...

Page 100: ... current virtual terminal settings use the show line command from the Normal Exec level Console config line vty 19 24 Console config line login local 19 25 Console config line password 0 secret 19 26 Console config line timeout login response 300 19 27 Console config line exec timeout 600 19 28 Console config line password thresh 3 19 29 Console config line end Console show line vty 19 34 VTY conf...

Page 101: ...erwritten first when the available log memory 256 kilobytes has been exceeded The System Logs page allows you to configure and limit system messages that are logged to flash or RAM memory The default is for event levels 0 to 3 to be logged to flash and levels 0 to 7 to be logged to RAM Command Attributes System Log Status Enables disables the logging of debug or error messages to the logging proce...

Page 102: ...s Specify System Log Status set the level of event messages to be logged to RAM and flash memory then click Apply Figure 4 16 System Logs 4 Warning Warning conditions e g return false unexpected return 3 Error Error conditions e g invalid input default used 2 Critical Critical conditions e g memory allocation or free memory error resource exhausted 1 Alert Immediate action needed 0 Emergency Syste...

Page 103: ... syslog server to dispatch log messages to an appropriate service The attribute specifies the facility type tag sent in syslog messages See RFC 3164 This type has no effect on the kind of messages reported by the switch However it may be used by the syslog server to process messages such as sorting or storing messages in the corresponding database Range 16 23 Default 23 Logging Trap Limits log mes...

Page 104: ... to add to the Host IP List Web Click System Logs Remote Logs To add an IP address to the Host IP List type the new IP address in the Host IP Address box and then click Add To delete an IP address click the entry in the Host IP List and then click Remove Figure 4 17 Remote Logs ...

Page 105: ...ash memory Web Click System Log Logs Figure 4 18 Displaying Logs Console config logging host 10 1 0 9 19 38 Console config logging facility 23 19 39 Console config logging trap 4 19 40 Console config logging trap Console config exit Console show logging trap 19 42 Syslog logging Enabled REMOTELOG status Disabled REMOTELOG facility type local use 7 REMOTELOG level type Warning conditions REMOTELOG ...

Page 106: ...og severity threshold level see table on page 4 27 used to trigger alert messages All events at this level or higher will be sent to the configured email recipients For example using Level 7 will report all events from level 7 to level 0 Default Level 7 SMTP Server List Specifies a list of up to three recipient SMTP servers The switch attempts to connect to the other listed servers if the first fa...

Page 107: ...rity level To add an IP address to the SMTP Server List type the new IP address in the SMTP Server field and click Add To delete an IP address click the entry in the SMTP Server List and click Remove Specify up to five email addresses to receive the alert messages and click Apply Figure 4 19 Enabling and Configuring SMTP Alerts ...

Page 108: ...t button to restart the switch When prompted confirm that you want reset the switch Figure 4 20 Resetting the System Console config logging sendmail host 192 168 1 4 19 45 Console config logging sendmail level 3 19 46 Console config logging sendmail source email big wheels matel com 19 47 Console config logging sendmail destination email chris matel com 19 47 Console config logging sendmail 19 48 ...

Page 109: ...ime from the factory default set at the last bootup When the SNTP client is enabled the switch periodically sends a request for a time update to a configured time server You can configure up to three time server IP addresses The switch will attempt to poll each server in the configured sequence Configuring SNTP You can configure the switch to send time synchronization requests to time servers Comm...

Page 110: ...ly Figure 4 21 SNTP Configuration CLI This example configures the switch to operate as an SNTP client and then displays the current time and settings Console config sntp client 19 50 Console config sntp poll 16 19 52 Console config sntp server 10 1 0 19 137 82 140 80 128 250 36 2 19 51 Console config exit Console show sntp 19 53 Current time Jan 6 14 56 05 2004 Poll interval 60 Current mode unicas...

Page 111: ...mand Attributes Current Time Displays the current time Name Assigns a name to the time zone Range 1 29 characters Hours 0 13 The number of hours before after UTC Minutes 0 59 The number of minutes before after UTC Direction Configures the time zone to be before east or after west UTC Web Select SNTP Clock Time Zone Set the offset for your time zone relative to the UTC and click Apply Figure 4 22 C...

Page 112: ...BASIC MANAGEMENT TASKS 4 38 ...

Page 113: ... by the SNMP agent and used to manage the device These objects are defined in a Management Information Base MIB that provides a standard presentation of the information controlled by the agent SNMP defines both the format of the MIB specifications and the protocol used to access this information over the network The switch includes an onboard agent that supports SNMP versions 1 2c and 3 This agent...

Page 114: ...all MIB objects and default groups defined for security models v1 and v2c The following table shows the security models and levels available and the system default settings Table 5 1 SNMPv3 Security Models and Levels Model Level Group Read View Write View Notify View Security v1 noAuthNoPriv public read only defaultview none none Community string only v1 noAuthNoPriv private read write defaultview...

Page 115: ...ser defined user defined user defined user defined Provides user authenticati on via MD5 or SHA algorithms v3 AuthPriv user defined user defined user defined user defined Provides user authenticati on via MD5 or SHA algorithms and data privacy using DES 56 bit encryption Table 5 1 SNMPv3 Security Models and Levels Continued Model Level Group Read View Write View Notify View Security ...

Page 116: ...wing example enables SNMP on the switch Setting Community Access Strings You may configure up to five community strings authorized for management access by clients using SNMP v1 and v2c All community strings used for IP Trap Managers should be listed in this table For security reasons you should consider removing the default strings Command Attributes SNMP Community Capability The switch supports ...

Page 117: ...ng Read Only Authorized management stations are only able to retrieve MIB objects Read Write Authorized management stations are able to both retrieve and modify MIB objects Web Click SNMP Configuration Add new community strings as required select the access rights from the Access Mode drop down list then click Add Figure 5 2 Configuring SNMP Community Strings CLI The following example adds the str...

Page 118: ...or the host However if you specify a V3 host with the no authentication noAuth option an SNMP user account will be automatically generated and the switch will authorize SNMP access for the host Notifications are issued by the switch as trap messages by default The recipient of a trap message does not send a response to the switch Traps are therefore not as reliable as inform messages which include...

Page 119: ...alid community string for the new trap manager entry Though you can set this string in the Trap Managers table we recommend that you define this string in the SNMP Configuration page for Version 1 or 2c clients or define a corresponding User Name in the SNMPv3 Users page for Version 3 clients Range 1 32 characters case sensitive Trap UDP Port Specifies the UDP port number used by the trap manager ...

Page 120: ...f times to resend an inform message if the recipient does not acknowledge receipt Range 0 255 Default 3 Enable Authentication Traps3 Issues a notification message to specified IP trap managers whenever authentication of an SNMP request fails Default Enabled Enable Link up and Link down Traps3 Issues a notification message whenever a port link is established or broken Default Enabled 3 These are le...

Page 121: ... v3 clients trap inform settings for v2c v3 clients and then click Add Select the trap types required using the check boxes for Authentication and Link up down traps and then click Apply Figure 5 3 Configuring SNMP Trap Managers CLI This example adds a trap manager and enables authentication traps Console config snmp server host 10 1 19 23 private version 2c udp port 162 20 6 Console config snmp s...

Page 122: ... SNMPv3 engine is an independent SNMP agent that resides on the switch This engine protects against message replay delay and redirection The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets A local engine ID is automatically generated that is unique to the switch This is referred to as the default engine ID If ...

Page 123: ...re localized using the engine ID of the authoritative agent For informs the authoritative SNMP agent is the remote agent You therefore need to configure the remote agent s SNMP engine ID before you can send proxy requests or informs to it See Specifying Trap Managers and Trap Types on page 5 6 and Configuring Remote SNMPv3 Users on page 5 15 The engine ID can be specified by entering 10 to 64 hexa...

Page 124: ...ange 1 32 characters Group Name The name of the SNMP group to which the user is assigned Range 1 32 characters Security Model The user security model SNMP v1 v2c or v3 Security Level The security level used for the user noAuthNoPriv There is no authentication or encryption used in SNMP communications This is the default for SNMPv3 AuthNoPriv SNMP communications use authentication but the data is n...

Page 125: ...The method used for user authentication Options MD5 SHA Default MD5 Authentication Password A minimum of eight plain text characters is required Privacy Protocol The encryption algorithm use for data privacy only 56 bit DES is currently available Privacy Password A minimum of eight plain text characters is required Actions Enables the user to be assigned to another SNMPv3 group ...

Page 126: ...name and assign it to a group then click Add to save the configuration and return to the User Name list To delete a user check the box next to the user name then click Delete To change the assigned group of a user click Change Group in the Actions column of the users table and select the new group Figure 5 6 Configuring SNMPv3 Users ...

Page 127: ...Managers and Trap Types on page 5 6 and Specifying a Remote Engine ID on page 5 11 Command Attributes User Name The name of user connecting to the SNMP agent Range 1 32 characters Group Name The name of the SNMP group to which the user is assigned Range 1 32 characters Engine ID The engine identifier for the SNMP agent on the remote device where the remote user resides Note that the remote engine ...

Page 128: ...t the data is not encrypted only available for the SNMPv3 security model AuthPriv SNMP communications use both authentication and encryption only available for the SNMPv3 security model Authentication Protocol The method used for user authentication Options MD5 SHA Default MD5 Authentication Password A minimum of eight plain text characters is required Privacy Protocol The encryption algorithm use...

Page 129: ...ick New to configure a user name In the New User page define a name and assign it to a group then click Add to save the configuration and return to the User Name list To delete a user check the box next to the user name then click Delete Figure 5 7 Configuring Remote SNMPv3 Users ...

Page 130: ...uthentication or encryption used in SNMP communications AuthNoPriv SNMP communications use authentication but the data is not encrypted only available for the SNMPv3 security model AuthPriv SNMP communications use both authentication and encryption only available for the SNMPv3 security model Read View The configured view for read access Range 1 64 characters Write View The configured view for wri...

Page 131: ... to its election topologyChange 1 3 6 1 2 1 17 0 2 A topologyChange trap is sent by a bridge when any of its configured ports transitions from the Learning state to the Forwarding state or from the Forwarding state to the Discarding state The trap is not sent if a newRoot trap is sent for the same transition SNMPv2 Traps coldStart 1 3 6 1 6 3 1 1 5 1 A coldStart trap signifies that the SNMPv2 enti...

Page 132: ...detected that the ifOperStatus object for one of its communication links left the down state and transitioned into some other state but not into the notPresent state Thisotherstate is indicated by the included value of ifOperStatus authenticationFailure 1 3 6 1 6 3 1 1 5 5 An authenticationFailure trap signifies that the SNMPv2 entity acting in an agent role has received a protocol message that is...

Page 133: ...8 This trap is sent when the fan failure has recovered swIpFilterRejectTrap 1 3 6 1 4 1 202 20 64 90 2 1 0 40 This trap is sent when an incorrect IP address is rejected by the IP Filter swSmtpConnFailure Trap 1 3 6 1 4 1 202 20 64 90 2 1 0 41 This trap is triggered if the SMTP system cannot open a connection to the mail server successfully swMainBoardVer MismatchNotificaiton 1 3 6 1 4 1 202 20 64 ...

Page 134: ...lls below the switchThermalActionFallingThre shold swModuleInsertion Notificaiton 1 3 6 1 4 1 202 20 64 90 2 1 0 60 This trap is sent when a module is inserted swModuleRemoval Notificaiton 1 3 6 1 4 1 202 20 64 90 2 1 0 61 This trap is sent when a module is removed These are legacy notifications and therefore must be enabled in conjunction with the corresponding traps on the SNMP Configuration men...

Page 135: ... new group In the New Group page define a name assign a security model and level and then select read write and notify views Click Add to save the new group and return to the Groups list To delete a group check the box next to the group name then click Delete Figure 5 8 Configuring SNMPv3 Groups ...

Page 136: ... configured object identifiers of branches within the MIB tree that define the SNMP view Edit OID Subtrees Allows you to configure the object identifiers of branches within the MIB tree Wild cards can be used to mask a specific portion of the OID string Type Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view Console config snmp server grou...

Page 137: ...witch MIB to be included or excluded in the view Click Back to save the new view and return to the SNMPv3 Views list For a specific view click on View OID Subtrees to display the current configuration or click on Edit OID Subtrees to make changes to the view settings To delete a view check the box next to the view name then click Delete Figure 5 9 Configuring SNMPv3 Views ...

Page 138: ...ver view ifEntry a 1 3 6 1 2 1 2 2 1 1 included 20 13 Console config exit Console show snmp view 20 14 View Name ifEntry a Subtree OID 1 3 6 1 2 1 2 2 1 1 View Type included Storage Type nonvolatile Row Status active View Name readaccess Subtree OID 1 3 6 1 2 View Type included Storage Type nonvolatile Row Status active View Name defaultview Subtree OID 1 View Type included Storage Type nonvolatil...

Page 139: ...s rights HTTPS Settings Provide a secure web connection SSH Settings Provide a secure shell for secure Telnet access 802 1X Use IEEE 802 1X port authentication to control access to specific ports IP Filter Filters management access to the web SNMP or Telnet interface Configuring User Accounts The guest only has read access for most configuration parameters However the administrator has write acces...

Page 140: ... Access Level Specifies the user level Options Normal and Privileged Password Specifies the user password Range 0 8 characters plain text case sensitive Change Password Sets a new password for the specified user Web Click Security User Accounts To configure a new user account enter the user name access level and password then click Add To change the password for a specific user enter the user name...

Page 141: ...S aware devices on the network An authentication server contains a database of multiple user name password pairs with associated privilege levels for each user that requires management access to the switch RADIUS uses UDP while TACACS uses TCP UDP only offers best effort delivery while TCP offers a connection oriented transport Also note that RADIUS encrypts only the password in the access request...

Page 142: ... pass authentication messages between the server and client that have been encrypted using MD5 Message Digest 5 TLS Transport Layer Security or TTLS Tunneled Transport Layer Security You can specify up to three authentication methods for any user to indicate the authentication sequence For example if you select 1 RADIUS 2 TACACS and 3 Local the user name and password on the RADIUS server is verifi...

Page 143: ...nk spaces in the string Maximum length 48 characters Number of Server Transmits Number of times the switch tries to authenticate logon access via the authentication server Range 1 30 Default 2 Timeout for a reply The number of seconds the switch waits for a reply from the RADIUS server before it resends the request Range 1 65535 Default 5 TACACS Settings Server IP Address Address of the TACACS ser...

Page 144: ...quired parameters to enable logon authentication Console config authentication login radius 21 5 Console config radius server port 181 21 10 Console config radius server key green 21 10 Console config radius server retransmit 5 21 11 Console config radius server timeout 10 21 11 Console config radius server 1 host 192 168 1 25 21 13 Console config exit Console show radius server 21 12 Remote RADIU...

Page 145: ...e The client and server negotiate a set of security protocols to use for the connection The client and server generate session keys for encrypting and decrypting data The client and server establish a secure encrypted connection A padlock icon should appear in the status bar for Internet Explorer 5 x or above and Netscape Navigator 6 2 or above Server 1 Server IP address 192 168 1 25 Communication...

Page 146: ...switch s web interface Default Port 443 Web Click Security HTTPS Settings Enable HTTPS and specify the port number then click Apply Figure 6 3 HTTPS Settings CLI This example enables the HTTP secure server and modifies the port number Table 6 1 HTTPS System Support Web Browser Operating System Internet Explorer 5 0 or later Windows 98 Windows NT with service pack 6a Windows 2000 Windows XP Netscap...

Page 147: ... a recognized certification authority Note For maximum security we recommend you obtain a unique Secure Sockets Layer certificate at the earliest opportunity This is because the default certificate for the switch is not unique to the hardware you have purchased When you have obtained these place them on your TFTP server and use the following command at the switch s command line interface to replac...

Page 148: ...etween the switch and SSH enabled management station clients and ensures that data traveling over the network arrives unaltered Note that you need to install an SSH client on the management station to access the switch for management via the SSH protocol Note The switch supports both SSH Version 1 5 and 2 0 clients Command Usage The SSH server on this switch supports both password and public key a...

Page 149: ...Client s Public Key to the Switch Use the copy tftp public key command page 19 16 to copy a file containing the public key for all the SSH client s granted management access to the switch Note that these clients must be configured locally on the switch via the User Accounts page as described on page 6 1 The clients are subsequently authenticated using these keys The current firmware only accepts p...

Page 150: ...encryption method Only clients that have a private key corresponding to the public keys stored on the switch can access it The following exchanges take place during this process Authenticating SSH v1 5 Clients a The client sends its RSA public key to the switch b The switch compares the client s public key to those stored in memory c If a match is found the switch uses its secret key to generate a...

Page 151: ...SSH server supports up to four client sessions The maximum number of client sessions includes both current Telnet sessions and SSH sessions Generating the Host Key Pair A host public private key pair is used to provide secure communications between an SSH client and the switch After generating this key pair you must provide the host public key to SSH clients and import the client s public key to t...

Page 152: ...only RSA Version 1 for SSHv1 5 clients and DSA Version 2 for SSHv2 clients Save Host Key from Memory to Flash Saves the host key from RAM i e volatile memory to flash memory Otherwise the host key pair is stored to RAM by default Note that you must select this item prior to generating the host key pair Generate This button is used to generate the host key pair Note that you must first generate the...

Page 153: ...lick Security SSH Host Key Settings Select the host key type from the drop down box select the option to save the host key from memory to flash if required prior to generating the key and then click Generate Figure 6 4 SSH Host Key Settings ...

Page 154: ...st key 21 30 Console show public key host 21 32 Host RSA 1024 65537 127250922544926402131336514546131189679055192360076028653006761 8240969094744832010252487896597759216832222558465238779154647980739 6314033869257931051057652122430528078658854857892726029378660892368 4142327591212760325919683697053439336438445223335188287173896894511 729290510813919642025190932104328579045764891 DSA ssh dss AAAAB3...

Page 155: ...cifies the SSH server key size Range 512 896 bits Default 768 The server key is a private key that is never shared outside the switch The host key is shared with the SSH client and is fixed at 1024 bits Web Click Security SSH Settings Enable SSH and adjust the authentication parameters as required then click Apply Note that you must first generate the host key pair on the SSH Host Key Settings pag...

Page 156: ...e config ip ssh timeout 100 21 25 Console config ip ssh authentication retries 5 21 26 Console config ip ssh server key size 512 21 27 Console config end Console show ip ssh 21 31 SSH Enabled version 2 0 Negotiation timeout 120 secs Authentication retries 3 Server key size 768 bits Console show ssh 21 31 Information of secure shell Session Username Version Encrypt method Negotiation state 0 admin ...

Page 157: ...fy user identity and access rights When a client i e Supplicant connects to a switch port the switch i e Authenticator responds with an EAPOL identity request The client provides its identity such as a user name in an EAPOL response to the switch which it forwards to the RADIUS server The RADIUS server verifies the client identity and sends an access challenge back to the client The EAP packet fro...

Page 158: ...DIUS server must be specified 802 1X must be enabled globally for the switch Each switch port that will be used must be set to dot1x Auto mode Each client that needs to be authenticated must have dot1x client software installed and properly configured The RADIUS server and 802 1X client support EAP The switch only supports EAPOL in order to pass the EAP packets from the server to the client The RA...

Page 159: ... 1X Information Figure 6 6 802 1X Global Information CLI This example shows the default global setting for 802 1X Console show dot1x 21 41 Global 802 1X Parameters system auth control enable 802 1X Port Summary Port Name Status Operation Mode Mode Authorized 1 1 disabled Single Host ForceAuthorized n a 1 2 disabled Single Host ForceAuthorized n a 802 1X Port Details 802 1X is disabled on port 1 1 ...

Page 160: ...port settings are active Command Attributes 802 1X System Authentication Control Sets the global setting for 802 1X Default Disabled Web Select Security 802 1X Configuration Enable 802 1X globally for the switch and click Apply Figure 6 7 802 1X Global Configuration CLI This example enables 802 1X globally for the switch Console config dot1x system auth control 21 35 Console config ...

Page 161: ...d Range 1 1024 Default 5 Mode Sets the authentication mode to one of the following options Auto Requires a dot1x aware client to be authorized by the authentication server Clients that are not dot1x aware will be denied access Force Authorized Forces the port to grant access to all clients either dot1x aware or otherwise This is the default setting Force Unauthorized Forces the port to deny access...

Page 162: ... before re transmitting an EAP packet Range 1 65535 Default 30 seconds Authorized Yes Connected client is authorized No Connected client is not authorized Blank Displays nothing when dot1x is disabled on a port Supplicant Indicates the MAC address of a connected client Trunk Indicates if the port is configured as a trunk port Web Click Security 802 1X Port Configuration Modify the parameters requi...

Page 163: ...nsole config if end Console show dot1x 21 41 Global 802 1X Parameters system auth control enable 802 1X Port Summary Port Name Status Operation Mode Mode Authorized 1 1 disabled Single Host ForceAuthorized yes 1 2 enabled Single Host Auto yes 1 27 disabled Single Host ForceAuthorized n a 1 28 disabled Single Host ForceAuthorized n a 802 1X Port Details 802 1X is disabled on port 1 1 802 1X is enab...

Page 164: ...thenticator in which the frame type is not recognized Rx EAPOL Total The number of valid EAPOL frames of any type that have been received by this Authenticator Rx EAP Resp Id The number of EAP Resp Id frames that have been received by this Authenticator Rx EAP Resp Oth The number of valid EAP Response frames other than Resp Id frames that have been received by this Authenticator Rx EAP LenError Th...

Page 165: ...t have been transmitted by this Authenticator Tx EAP Req Oth The number of EAP Request frames other than Rq Id frames that have been transmitted by this Authenticator Console show dot1x statistics interface ethernet 1 4 21 41 Eth 1 4 Rx EAPOL EAPOL EAPOL EAPOL EAP EAP EAP Start Logoff Invalid Total Resp Id Resp Oth LenError 2 0 0 1007 672 0 0 Last Last EAPOLVer EAPOLSrc 1 00 00 E8 98 73 21 Tx EAPO...

Page 166: ...oups can include up to five different sets of addresses either individual addresses or address ranges When entering addresses for the same group i e SNMP web or Telnet the switch will not accept overlapping address ranges When entering addresses for different groups the switch will accept overlapping address ranges You cannot delete an individual address from a specified range You must delete the ...

Page 167: ...er CLI This example restricts management access for Telnet clients Console config management telnet client 192 168 1 19 21 45 Console config management telnet client 192 168 1 25 192 168 1 30 Console config exit Console show management all client 21 46 Management IP Filter HTTP Client Start IP address End IP address SNMP Client Start IP address End IP address TELNET Client Start IP address End IP ...

Page 168: ...USER AUTHENTICATION 6 30 ...

Page 169: ...statically configured MAC IP address pairs The addresses assigned to DHCP clients can also be carefully controlled using static or dynamic bindings with the IP Source Guard and DHCP Snooping commands This switch provides client security using the following options Private VLANs Provide port based security and isolation between ports within the assigned VLAN See Configuring Private VLANs on page 12...

Page 170: ...with an unauthorized MAC address attempts to use the switch port the intrusion will be detected and the switch can automatically take action by disabling the port and sending a trap message To use port security specify a maximum number of addresses to allow on the port and then let the switch dynamically learn the source MAC address VLAN pair for frames received on the port Note that you can also ...

Page 171: ...t Port number Name Descriptive text page 24 3 Action Indicates the action to be taken when a port security violation is detected None No action should be taken This is the default Trap Send an SNMP trap message Shutdown Disable the port Trap and Shutdown Send an SNMP trap message and disable the port Security Status Enables or disables port security on the port Default Disabled Max MAC Count The m...

Page 172: ...ed on a port and click Apply Figure 7 1 Port Security CLI This example selects the target port sets the port security action to send a trap and disable the port specifies a maximum address count and then enables port security for the port Console config interface ethernet 1 5 Console config if port security action trap and shutdown 22 3 Console config if port security max mac count 20 Console conf...

Page 173: ...et will be accepted as soon as it matches a permit rule or dropped as soon as it matches a deny rule If no rules match for a list of all permit rules the packet is dropped and if no rules match for a list of all deny rules the packet is accepted You must configure a mask for an ACL rule before you can bind it to a port or set the queue or frame priorities associated with the rule This is done by s...

Page 174: ...any port for egress filtering In other words only four ACLs can be bound to an interface Ingress IP ACL Egress IP ACL Ingress MAC ACL and Egress MAC ACL When an ACL is bound to an interface as an egress filter all entries in the ACL must be deny rules Otherwise the bind operation will fail The maximum number of ACLs is Fast Ethernet ports 157 rules 4 masks shared by 8 port groups Gigabit Ethernet ...

Page 175: ...ule permit any any in the ingress MAC ACL for ingress ports 7 If no explicit rule is matched the implicit default is permit all Setting the ACL Name and Type Use the ACL Configuration page to designate the name and type of an ACL Command Attributes Name Name of the ACL Maximum length 16 characters Type There are three filtering modes Standard IP ACL mode that filters packets based on the source IP...

Page 176: ...address Use Any to include all possible addresses Host to specify a specific host address in the Address field or IP to specify a range of addresses with the Address and SubMask fields Options Any Host IP Default Any IP Address Source IP address Subnet Mask A subnet mask containing four integers from 0 to 255 each separated by a period The mask uses 1 bits to indicate match and 0 bits to indicate ...

Page 177: ...for the address range 168 92 16 x 168 92 31 x using a bitmask Configuring an Extended ACL Command Attributes Action An ACL can contain any combination of permit or deny rules Source Destination Address Type Specifies the source or destination IP address Use Any to include all possible addresses Host to specify a specific host address in the Address field or IP to specify a range of addresses with ...

Page 178: ...Source Destination Port Bit Mask Decimal number representing the port bits to match Range 0 65535 Control Code Decimal number representing a bit string that specifies flag bits in byte 14 of the TCP header Range 0 63 Control Code Bit Mask Decimal number representing the code bits to match The control bitmask is a decimal number for an equivalent binary bit mask that is applied to the control code ...

Page 179: ...ed criteria such as service type protocol type or TCP control code Then click Add Figure 8 3 ACL Configuration Extended IPv4 CLI This example adds three rules 1 Accept any incoming packets if the source address is in subnet 10 7 1 x For example if the rule is matched i e the rule 10 7 1 0 255 255 255 0 equals the masked address 10 7 1 2 255 255 255 0 the packet passes through 2 Allow TCP packets f...

Page 180: ... VLAN bitmask Range 1 4093 Ethernet Type This option can only be used to filter Ethernet II formatted packets Range 600 fff hex A detailed listing of Ethernet protocol types can be found in RFC 1060 A few of the more common types include 0800 IP 0806 ARP 8137 IPX Ethernet Type Bit Mask Protocol bitmask Range 600 fff hex Packet Format This attribute includes the following packet types Any Any Ether...

Page 181: ... you select Host enter a specific address e g 11 22 33 44 55 66 If you select MAC enter a base address and a hexidecimal bitmask for an address range Set any other required criteria such as VID Ethernet type or packet format Then click Add Figure 8 4 ACL Configuration MAC CLI This rule permits packets from any source MAC address to the destination address 00 e0 29 94 34 de where the Ethernet type ...

Page 182: ...st be bound exclusively to one of the basic ACL types i e Ingress IP ACL Egress IP ACL Ingress MAC ACL or Egress MAC ACL but a mask can be bound to up to four ACLs of the same type Command Usage Up to seven entries can be assigned to an ACL mask Packets crossing a port are checked against all the rules in the ACL until a match is found The order in which these packets are checked is determined by ...

Page 183: ... types to open the configuration page Figure 8 5 Selecting ACL Mask Types CLI This example creates an IP ingress mask and then adds two rules Each rule is checked in order of precedence to look for a match in the ACL entries The first entry matching a mask is applied to the inbound packet Console config access list ip mask precedence in 23 8 Console config ip mask acl mask host any 23 9 Console co...

Page 184: ...to match any address Host to specify a host address not a subnet or IP to specify a range of addresses Options Any Host IP Default Any Source Destination Subnet Mask Source or destination address of rule must match this bitmask See the description for SubMask on page 8 4 Protocol Mask Check the protocol field Service Type Mask Check the rule for the specified priority type Options Precedence TOS D...

Page 185: ...e mask to check for any source or destination address a specific host address or an address range Include other criteria to search for in the rules such as a protocol type or one of the service types Or use a bitmask to search for specific protocol port s or TCP control code s Then click Add Figure 8 6 ACL Mask Configuration IP ...

Page 186: ...o match any address Host to specify the host address for a single node or MAC to specify a range of addresses Options Any Host MAC Default Any Source Destination Bit Mask Address of rule must match this bitmask VID Bitmask VLAN ID of rule must match this bitmask Ethernet Type Bit Mask Ethernet type of rule must match this bitmask Packet Format Mask A packet format must be specified in the rule Con...

Page 187: ... MAC ingress or egress ACLs Set the mask to check for any source or destination address a host address or an address range Use a bitmask to search for specific VLAN ID s or Ethernet type s Or check for rules where a packet format was specified Then click Add Figure 8 7 ACL Mask Configuration MAC ...

Page 188: ...y port for egress filtering In other words only four ACLs can be bound to an interface Ingress IP ACL Egress IP ACL Ingress MAC ACL and Egress MAC ACL Console config access list mac M4 23 16 Console config mac acl permit any any 23 17 Console config mac acl deny tagged eth2 00 11 11 11 11 11 ff ff ff ff ff ff any vid 3 23 17 Console config mac acl end Console show access list 23 25 MAC access list...

Page 189: ...bind the ACL to an interface for egress checking the bind operation will fail Command Attributes Port Fixed port or SFP module Range 1 28 IP Specifies the IP ACL to bind to a port MAC Specifies the MAC ACL to bind to a port IN ACL for ingress packets OUT ACL for egress packets Egress filtering is not supported ACL Name Name of the ACL Web Click Security ACL Port Binding Mark the Enable field for t...

Page 190: ...nd an IP ingress ACL to port 2 Console config interface ethernet 1 1 24 2 Console config if ip access group tom in 23 14 Console config if mac access group jerry in 23 23 Console config if exit Console config interface ethernet 1 2 Console config if ip access group tom in Console config if ...

Page 191: ...er Status Indicates if the link is Up or Down Speed Duplex Status Shows the current speed and duplex mode Auto or fixed choice Flow Control Status Indicates the type of flow control currently in use IEEE 802 3x Back Pressure or None Autonegotiation Shows if auto negotiation is enabled or disabled Media Type6 Shows the forced preferred port type to use for combination ports 25 28 Copper Forced SFP ...

Page 192: ...4 12 Configuration Name Interface label Port admin Shows if the interface is enabled or disabled i e up or down Speed duplex Shows the current speed and duplex mode Auto or fixed choice Capabilities Specifies the capabilities to be advertised for a port during auto negotiation To access this item on the web see Configuring Interface Connections on page 3 48 The following capabilities are supported...

Page 193: ...rity is enabled or disabled Max MAC count Shows the maximum number of MAC address that can be learned by a port 0 1024 addresses Port security action Shows the response to take when a security violation is detected shutdown trap trap and shutdown Media Type Shows the forced or preferred port type to use for combination ports 25 28 copper forced SFP forced SFP preferred auto Current status Link sta...

Page 194: ...lisions and then reenable it after the problem has been resolved You may also disable an interface for security reasons Speed Duplex Allows you to manually set the port speed and duplex mode i e with auto negotiation disabled Console show interfaces status ethernet 1 5 24 13 Information of Eth 1 13 Basic information Port type 100TX Mac address 00 30 F1 D4 73 A5 Configuration Name Port admin Up Spe...

Page 195: ...ration Sym Gigabit only Check this item to transmit and receive pause frames or clear it to auto negotiate the sender and receiver for asymmetric pause frames The current switch chip only supports symmetric pause frames FC Supports flow control Flow control can eliminate frame loss by blocking traffic from end stations or segments connected directly to the switch when its buffers fill When enabled...

Page 196: ...ult Trunk Indicates if a port is a member of a trunk To create trunks and select port members see Creating Trunk Groups on page 9 8 Note Auto negotiation must be disabled before you can configure or force the interface to use the Speed Duplex Mode or Flow Control options Web Click Port Port Configuration or Trunk Configuration Modify the required interface settings and click Apply Figure 9 2 Port ...

Page 197: ...hutdown 24 9 Console config if no shutdown Console config if no negotiation 24 5 Console config if speed duplex 100half 24 3 Console config if negotiation Console config if capabilities 100half 24 6 Console config if capabilities 100full Console config if capabilities flowcontrol Console config if exit Console config interface ethernet 1 21 Console config if media type copper forced 24 8 Console c...

Page 198: ...so configured as LACP the switch and the other device will negotiate a trunk link between them If an LACP trunk consists of more than eight ports all other ports will be placed in a standby mode Should one link in the trunk fail one of the standby ports will automatically be activated to replace it Command Usage Besides balancing the load across each port in the trunk the other ports provide redun...

Page 199: ...ed from a VLAN STP VLAN and IGMP settings can only be made for the entire trunk Statically Configuring a Trunk Command Usage When configuring static trunks you may not be able to link switches of different types depending on the manufacturer s implementation However note that the static trunks on this switch are Cisco EtherChannel compatible To avoid creating a loop in the network be sure you add ...

Page 200: ...ating new trunks Trunk Trunk identifier Range 1 32 Port Port identifier Range 1 28 Web Click Port Trunk Membership Enter a trunk ID of 1 32 in the Trunk field select any of the switch ports from the scroll down port list and click Add After you have completed adding ports to the member list click Apply Figure 9 3 Static Trunk Configuration ...

Page 201: ...f exit Console config interface ethernet 1 9 24 2 Console config if channel group 1 25 3 Console config if exit Console config interface ethernet 1 10 Console config if channel group 1 Console config if end Console show interfaces status port channel 1 24 13 Information of Trunk 1 Basic information Port type 100TX Mac address 00 30 F1 D4 73 A2 Configuration Name Port admin Up Speed duplex Auto Cap...

Page 202: ...t be configured for full duplex either by forced mode or auto negotiation Trunks dynamically established through LACP will also be shown in the Member List on the Trunk Membership menu see page 9 9 Command Attributes Member List Current Shows configured trunks Port New Includes entry fields for creating new trunks Port Port identifier Range 1 28 Web Click Port LACP Configuration Select any of the ...

Page 203: ...lue for a port to be allowed to join a channel group Console config interface ethernet 1 1 24 2 Console config if lacp 25 4 Console config if exit Console config interface ethernet 1 6 Console config if lacp Console config if end Console show interfaces status port channel 1 24 13 Information of Trunk 1 Basic information Port type 100TX Mac address 00 30 F1 D4 73 A2 Configuration Port admin Up Spe...

Page 204: ...t be configured with the same system priority to join the same LAG System priority is combined with the switch s MAC address to form the LAG identifier This identifier is used to indicate a specific LAG during LACP negotiations with other systems Admin Key The LACP administration key must be set to the same value for ports that belong to the same LAG Range 0 65535 Default 1 Port Priority If a link...

Page 205: ...ou can optionally configure these settings for the Port Partner Be aware that these settings only affect the administrative state of the partner and will not take effect until the next time an aggregate link is formed with this device After you have completed setting the port LACP parameters click Apply Figure 9 5 LACP Aggregation Port ...

Page 206: ...sole config if lacp actor system priority 3 Console config if lacp actor admin key 120 Console config if lacp actor port priority 512 Console config if end Console show lacp sysid 25 10 Channel Group System Priority System MAC Address 1 3 00 00 E9 31 31 31 2 32768 00 00 E9 31 31 31 3 32768 00 00 E9 31 31 31 Console show lacp 1 internal 25 10 Port channel 1 Oper Key 120 Admin Key 0 Eth 1 1 LACPDUs ...

Page 207: ...Number of valid LACPDUs received by this channel group Marker Sent Number of valid Marker PDUs transmitted from this channel group Marker Received Number of valid Marker PDUs received by this channel group Marker Unknown Pkts Number of frames received that either 1 Carry the Slow Protocols Ethernet Type value but contain an unknown PDU or 2 are addressed to the Slow Protocols group MAC Address but...

Page 208: ...ive 10 Marker Sent 0 Marker Receive 0 LACPDUs Unknown Pkts 0 LACPDUs Illegal Pkts 0 Table 9 2 LACP Internal Configuration Information Field Description Oper Key Current operational value of the key for the aggregation port Admin Key Current administrative value of the key for the aggregation port LACPDUs Internal Number of seconds before invalidating received LACPDU information LACP System Priorit...

Page 209: ...nabled i e collection is currently enabled and is not expected to be disabled in the absence of administrative changes or changes in received protocol information Synchronization The System considers this link to be IN_SYNC i e it has been allocated to the correct Link Aggregation Group the group has been associated with a compatible Aggregator and the identity of the Link Aggregation Group is con...

Page 210: ...ACP configuration settings and operational state for the local side of port channel 1 Console show lacp 1 internal 25 10 Port channel 1 Oper Key 3 Admin Key 0 Eth 1 2 LACPDUs Internal 30 sec LACP System Priority 32768 LACP Port Priority 32768 Admin Key 3 Oper Key 3 Admin State defaulted aggregation long timeout LACP activity Oper State distributing collecting synchronization aggregation long timeo...

Page 211: ...lue of the port number for the protocol Partner Partner Oper Port Number Operational port number assigned to this aggregation port by the port s protocol partner Port Admin Priority Current administrative value of the port priority for the protocol partner Port Oper Priority Priority value assigned to this aggregation port by the partner Admin Key Current administrative value of the Key for the pr...

Page 212: ... side of port channel 1 Console show lacp 1 neighbors 25 10 Port channel 1 neighbors Eth 1 2 Partner Admin System ID 32768 00 00 00 00 00 00 Partner Oper System ID 32768 00 01 F4 78 AE C0 Partner Admin Port Number 2 Partner Oper Port Number 2 Port Admin Priority 32768 Port Oper Priority 32768 Admin Key 0 Oper Key 3 Admin State defaulted distributing collecting synchronization long timeout Oper Sta...

Page 213: ...hold will then be dropped Command Usage Broadcast control does not effect IP multicast traffic The resolution is 1 packet per second pps i e any setting between 500 262143 is acceptable Note Multicast and unicast storm thresholds can also be set using the CLI see the switchport packet rate command on page 24 10 Command Attributes Port8 Port number Trunk9 Trunk number Type Indicates the port type 1...

Page 214: ...2 Console config if no switchport broadcast 24 10 Console config if exit Console config interface ethernet 1 2 Console config if switchport broadcast packet rate 600 24 10 Console config if end Console show interfaces switchport ethernet 1 2 24 16 Information of Eth 1 2 Broadcast threshold Enabled 600 packets second LACP status Disabled Ingress rate limit Disable 1000M bits per second Egress rate ...

Page 215: ...from the monitor port All mirror sessions have to share the same destination port When mirroring port traffic the target port must be included in the same VLAN as the source port when using MSTP see Spanning Tree Algorithm on page 11 1 Command Attributes Mirror Sessions Displays a list of current mirror sessions Source Port The port whose traffic will be monitored Range 1 28 Type Allows you to sel...

Page 216: ...nterface Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the switch Traffic that falls within the rate limit is transmitted while packets that exceed the acceptable amount of traffic are dropped Rate limiting can be applied to individual ports or trunks When an interface is configured with this feature the traffic rate will be monitored by the har...

Page 217: ...ort Rate Limit Input Output Port Trunk Configuration Set the Input Rate Limit Status or Output Rate Limit Status then set the rate limit for the individual interfaces and click Apply Figure 9 11 Rate Limit Configuration CLI This example sets the rate limit for input and output traffic passing through port 1 to 60 Mbps Console config interface ethernet 1 1 24 2 Console config if rate limit input 60...

Page 218: ... groups 2 3 and 9 can only be accessed using SNMP management software such as HP OpenView Table 9 4 Port Statistics Parameter Description Interface Statistics Received Octets The total number of octets received on the interface including framing characters Received Unicast Packets The number of subnetwork unicast packets delivered to a higher layer protocol Received Multicast Packets The number of...

Page 219: ... a multicast address at this sub layer including those that were discarded or not sent Transmit Broadcast Packets The total number of packets that higher level protocols requested be transmitted and which were addressed to a broadcast address at this sub layer including those that were discarded or not sent Transmit Discarded Packets The number of outbound packets which were chosen to be discarded...

Page 220: ...to an internal MAC sublayer transmit error Multiple Collision Frames A count of successfully transmitted frames for which transmission is inhibited by more than one collision Carrier Sense Errors The number of times that the carrier sense condition was lost or never asserted when attempting to transmit a frame SQE Test Errors A count of times that the SQE TEST ERROR message is generated by the PLS...

Page 221: ...ood frames received that were directed to the broadcast address Note that this does not include multicast packets Multicast Frames The total number of good frames received that were directed to this multicast address CRC Alignment Errors The number of CRC alignment errors FCS or alignment errors Undersize Frames The total number of frames received that were less than 64 octets long excluding frami...

Page 222: ...d and transmitted that were 64 octets in length excluding framing bits but including FCS octets 65 127 Byte Frames 128 255 Byte Frames 256 511 Byte Frames 512 1023 Byte Frames 1024 1518 Byte Frames 1519 1536 Byte Frames The total number of frames including bad packets received and transmitted where the number of octets fall within the specified range excluding framing bits but including FCS octets...

Page 223: ...SHOWING PORT STATISTICS 9 33 Figure 9 12 Port Statistics ...

Page 224: ...rors 0 FCS errors 0 Single Collision frames 0 Multiple collision frames 0 SQE Test errors 0 Deferred transmissions 0 Late collisions 0 Excessive collisions 0 Internal mac transmit errors 0 Internal mac receive errors 0 Frame too longs 0 Carrier sense errors 0 Symbol errors 0 RMON stats Drop events 0 Octets 4422579 Packets 31552 Broadcast pkts 238 Multi cast pkts 17033 Undersize pkts 0 Oversize pkt...

Page 225: ...s can be assigned to a specific interface on this switch Static addresses are bound to the assigned interface and will not be moved When a static address is seen on another interface the address will be ignored and will not be written to the address table Command Attributes Static Address Counts10 The number of manually configured addresses Current Static Address Table Lists all the static address...

Page 226: ...ss and VLAN then click Add Static Address Figure 10 1 Static Addresses CLI This example adds an address to the static address table but sets it to be deleted when the switch is reset Console config mac address table static 00 e0 29 94 34 de interface ethernet 1 1 vlan 1 delete on reset 28 2 Console config ...

Page 227: ... address are forwarded directly to the associated port Otherwise the traffic is flooded to all ports Command Attributes Interface Indicates a port or trunk MAC Address Physical address associated with this interface VLAN ID of configured VLAN 1 4093 Address Table Sort Key You can sort the information displayed based on MAC address VLAN or interface port or trunk Dynamic Address Counts The number o...

Page 228: ...x select the method of sorting the displayed addresses and then click Query Figure 10 2 Dynamic Addresses CLI This example also displays the address table entries for port 1 Console show mac address table interface ethernet 1 1 28 4 Interface Mac Address Vlan Type Eth 1 1 00 E0 29 94 34 DE 1 Permanent Eth 1 1 00 20 9C 23 CD 60 2 Learned Console ...

Page 229: ...es disables the aging function Aging Time The time after which a learned entry is discarded Range 10 1000000 seconds Default 300 seconds Web Click Address Table Address Aging Specify the new aging time click Apply Figure 10 3 Address Aging CLI This example sets the aging time to 400 seconds Console config mac address table aging time 400 28 5 Console config ...

Page 230: ...ADDRESS TABLE SETTINGS 10 6 ...

Page 231: ...iple Spanning Tree Protocol IEEE 802 1s STP STP uses a distributed algorithm to select a bridging device STP compliant switch bridge or router that serves as the root of the spanning tree network It selects a root port on each bridging device except for the root device which incurs the lowest path cost when forwarding a packet from that device to the root device Then it selects a designated bridgi...

Page 232: ... the number of state changes before active ports start learning predefining an alternate route that can be used when a node or port fails and retaining the forwarding database for ports insensitive to changes in the tree structure when reconfiguration occurs MSTP When using STP or RSTP it may be difficult to maintain a stable path between all VLAN members Frequent changes in the tree structure can...

Page 233: ...ion Level and Configuration Digest see Configuring Multiple Spanning Trees on page 21 An MST Region may contain multiple MSTP Instances An Internal Spanning Tree IST is used to connect all the MSTP switches within an MST region A Common Spanning Tree CST interconnects all adjacent MST Regions and acts as a virtual bridge node for communications with STP or RSTP nodes in the global network Region R...

Page 234: ... The maximum time in seconds a device can wait without receiving a configuration message before attempting to reconfigure All device ports except for designated ports should receive configuration messages at regular intervals Any port that ages out STA information provided in the last configuration message becomes the designated port for the attached LAN If it is a root port a new root port is sel...

Page 235: ...ameters are only displayed for the CLI Spanning tree mode Specifies the type of spanning tree used on this switch STP Spanning Tree Protocol IEEE 802 1D RSTP Rapid Spanning Tree IEEE 802 1w MSTP Multiple Spanning Tree IEEE 802 1s Instance Instance identifier of this spanning tree This is always 0 for the CIST VLANs configuration VLANs assigned to the CIST Priority Bridge priority is used in select...

Page 236: ...ceive information about topology changes before it starts to forward frames In addition each port needs time to listen for conflicting information that would make it return to a discarding state otherwise temporary data loops might result Max hops The max number of hop counts for the MST region Remaining hops The remaining number of hop counts for the MST instance Transmission limit The minimum in...

Page 237: ... Delay sec 15 Max hops 20 Remaining hops 20 Designated Root 32768 0 0000ABCD0000 Current root port 1 Current root cost 200000 Number of topology changes 1 Last topology changes time sec 13380 Transmission limit 3 Path Cost Method long Eth 1 1 information Admin status enabled Role disable State discarding External admin path cost 10000 Internal admin cost 10000 External oper path cost 10000 Interna...

Page 238: ...protocol messages the RSTP node transmits as described below STP Mode If the switch receives an 802 1D BPDU i e STP BPDU after a port s migration delay timer expires the switch assumes it is connected to an 802 1D bridge and starts using only 802 1D BPDUs RSTP Mode If RSTP is using 802 1D BPDUs on a port and receives an RSTP BPDU after the migration delay expires RSTP restarts the migration delay ...

Page 239: ...efault MSTP Multiple Spanning Tree IEEE 802 1s Priority Bridge priority is used in selecting the root device root port and designated port The device with the highest priority becomes the STA root device However if all devices have the same priority the device with the lowest MAC address will then become the root device Note that lower numeric values indicate higher priority Default 32768 Range 0 ...

Page 240: ...se every device must receive information about topology changes before it starts to forward frames In addition each port needs time to listen for conflicting information that would make it return to a discarding state otherwise temporary data loops might result Default 15 Minimum The higher of 4 or Max Message Age 2 1 Maximum 30 Configuration Settings for RSTP The following attributes apply to bot...

Page 241: ...VLAN ID to MST ID mapping table In other words this key is a mapping of all VLANs to the CIST Region Revision12 The revision for this MSTI Range 0 65535 Default 0 Region Name12 The name for this MSTI Maximum length 32 characters Max Hop Count The maximum number of hops allowed in the MST region before a BPDU is discarded Range 1 40 Default 20 12 The MST name and revision number are both required t...

Page 242: ...SPANNING TREE ALGORITHM 11 12 Web Click Spanning Tree STA Configuration Modify the required attributes and click Apply Figure 11 2 STA Global Configuration ...

Page 243: ...iving contradictory information Port address table is cleared and the port begins learning addresses Forwarding Port forwards packets and continues learning addresses The rules defining port status are A port on a network segment with no other STA compliant bridging device is always forwarding Console config spanning tree 29 3 Console config spanning tree mode mstp 29 4 Console config spanning tre...

Page 244: ... the Spanning Tree Oper Path Cost The contribution of this port to the path cost of paths towards the spanning tree root which include this port Oper Link Type The operational point to point status of the LAN segment attached to this interface This parameter is determined by manual configuration or by auto detection as described for Admin Link Type in STA Port Configuration on page 11 17 Oper Edge...

Page 245: ...path cost The path cost for the MST See the preceding item Priority Defines the priority used for this port in the Spanning Tree Algorithm If the path cost for all ports on a switch is the same the port with the highest priority i e lowest value will be configured as an active link in the Spanning Tree This makes a port with higher priority less likely to be blocked if the Spanning Tree Algorithm ...

Page 246: ...tree forwarding state Specifying Edge Ports provides quicker convergence for devices such as workstations or servers retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration events does not cause the spanning tree to reconfigure when the interface changes state and also overcomes other STA related timeout problems Howe...

Page 247: ...s and trunks Command Attributes The following attributes are read only and cannot be changed STA State Displays current state of this port within the Spanning Tree See Displaying Interface Settings on page 11 13 for additional information Console show spanning tree ethernet 1 5 29 25 Eth 1 5 information Admin status enabled Role disable State discarding External admin path cost 10000 Internal admi...

Page 248: ...g Tree This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops Where more than one port is assigned the highest priority the port with lowest numeric identifier will be enabled Default 128 Range 0 240 in steps of 16 Admin Path Cost This parameter is used by the STA to determine the best path between devices Therefore lower values sh...

Page 249: ...at is at the end of a bridged LAN or to an end node Since end nodes cannot cause forwarding loops they can pass directly through to the spanning tree forwarding state Specifying Edge Ports provides quicker convergence for devices Table 11 1 Recommended STA Path Cost Range Port Type IEEE 802 1D 1998 IEEE 802 1w 2001 Fast Ethernet 10 60 20 000 2 000 000 Gigabit Ethernet 3 10 2 000 200 000 Table 11 2...

Page 250: ...he selected interface to forced STP compatible mode However you can also use the Protocol Migration button to manually re check the appropriate BPDU format RSTP or STP compatible to send on the selected interfaces Default Disabled Web Click Spanning Tree STA Port Configuration or Trunk Configuration Modify the required attributes then click Apply Figure 11 4 STA Port Configuration CLI This example...

Page 251: ...h the same set of instances and the same instance on each bridge with the same set of VLANs Also note that RSTP treats each MSTI region as a single node connecting all regions to the Common Spanning Tree To use multiple spanning trees 1 Set the spanning tree type to MSTP STA Configuration page 11 8 2 Enter the spanning tree priority for the selected MST instance MSTP VLAN Configuration 3 Add the V...

Page 252: ...ibed under Displaying Global Settings page 11 4 The attributes displayed by the CLI for individual interfaces are described under Displaying Interface Settings page 11 13 Web Click Spanning Tree MSTP VLAN Configuration Select an instance identifier from the list set the instance priority and click Apply To add the VLAN members to an MSTI instance enter the instance identifier the VLAN identifier a...

Page 253: ...nated Root 32768 1 0030F1D473A0 Current root port 7 Current root cost 10000 Number of topology changes 2 Last topology changes time sec 85 Transmission limit 3 Path Cost Method long Eth 1 7 information Admin status enabled Role master State forwarding External admin path cost 10000 Internal admin path cost 10000 External oper path cost 10000 Internal oper path cost 10000 Priority 128 Designated co...

Page 254: ...es MST Instance ID Instance identifier to configure Range 0 4094 Default 0 Note The other attributes are described under Displaying Interface Settings page 11 13 Web Click Spanning Tree MSTP Port Information or Trunk Information Select the required MST instance to display the current spanning tree values Figure 11 6 MSTP Port Information Console config spanning tree mst configuration 29 10 Console...

Page 255: ...ot Max Age sec 20 Root Forward Delay sec 15 Max hops 20 Remaining hops 20 Designated Root 32768 0 0000E8AAAA00 Current root port 1 Current root cost 10000 Number of topology changes 12 Last topology changes time sec 303 Transmission limit 3 Path Cost Method long Eth 1 1 information Admin status enabled Role root State forwarding External admin path cost 10000 Internal admin path cost 10000 Externa...

Page 256: ... Port address table is cleared and the port begins learning addresses Forwarding Port forwards packets and continues learning addresses Trunk Indicates if a port is a member of a trunk STA Port Configuration only The following interface attributes can be configured MST Instance ID Instance identifier to configure Range 0 4094 Default 0 Priority Defines the priority used for this port in the Spanni...

Page 257: ... configures the path cost according to the values shown below Path cost 0 is used to indicate auto configuration mode When the short path cost method is selected and the default path cost recommended by the IEEE 8021w standard exceeds 65 535 the default is set to 65 535 The recommended range is listed in Table 11 1 on page 11 19 The recommended path cost islisted in Table 11 2 on page 11 19 The de...

Page 258: ...1 28 CLI This example sets the MSTP attributes for port 4 Console config interface ethernet 1 4 24 2 Console config if spanning tree mst port priority 0 29 23 Console config if spanning tree mst cost 50 29 22 Console config if ...

Page 259: ...h they belong to the same physical segment VLANs help to simplify network management by allowing you to move devices to a new VLAN without having to change any physical connections VLANs can be easily organized to reflect departmental groups such as Marketing or R D usage groups such as e mail or multicast groups used for multimedia applications such as videoconferencing VLANs provide greater netw...

Page 260: ... intermediate network devices or the host at the other end of the connection supports VLANs Then assign ports on the other VLAN aware network devices along the path that will carry this traffic to the same VLAN s either manually or dynamically using GVRP However if you want a port on this switch to participate in one or more VLANs but none of the intermediate network devices nor the host at the ot...

Page 261: ...ded only between ports that are designated for the same VLAN Untagged VLANs can be used to manually isolate user groups or subnets However you should use IEEE 802 3 tagged VLANs with GVRP whenever possible to fully automate VLAN registration Automatic VLAN Registration GVRP GARP VLAN Registration Protocol defines a system whereby the switch can automatically learn the VLANs to which each end stati...

Page 262: ...e switch ports connected to these devices as described in Adding Static Members to VLANs VLAN Index on page 12 10 But you can still enable GVRP on these edge switches as well as on the core switches in the network Forwarding Tagged Untagged Frames If you want to create a small port based VLAN for devices attached directly to a single switch you can assign ports to the same untagged VLAN However to...

Page 263: ...ing the ingress port s default VID Enabling or Disabling GVRP Global Setting GARP VLAN Registration Protocol GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network VLANs are dynamically configured based on join messages issued by host devices and propagated throughout the network GVRP must be enabled to permit automatic VLAN regis...

Page 264: ...switch Maximum Number of Supported VLANs Maximum number of VLANs that can be configured on this switch Web Click VLAN 802 1Q VLAN Basic Information Figure 12 2 VLAN Basic Information CLI Enter the following command 14 Web Only Console show bridge ext 30 3 Max support VLAN numbers 256 Max support VLAN ID 4093 Extended multicast filtering services No Static entry individual port Yes VLAN learning IV...

Page 265: ...AN for one or two switches you can disable tagging Command Attributes Web VLAN ID ID of configured VLAN 1 4093 Up Time at Creation Time this VLAN was created i e System Up Time Status Shows how this VLAN was added to the switch Dynamic GVRP Automatically learned via GVRP Permanent Added as a static entry Egress Ports Shows all the VLAN port members Untagged Ports Shows the untagged VLAN port membe...

Page 266: ...e information about VLAN groups used on this switch to external network devices you must specify a VLAN ID for each of these groups Command Attributes Current Lists all the current VLAN groups created for this system Up to 255 VLAN groups can be defined VLAN 1 is the default untagged VLAN New Allows you to specify the name and numeric identifier for a new VLAN group The VLAN name is only used for ...

Page 267: ...VLAN Active VLAN is operational Suspend VLAN is suspended i e does not pass packets Add Adds a new VLAN group to the current list Remove Removes a VLAN group from the current list If any port is assigned to this group as untagged it will be reassigned to VLAN group 1 as untagged Web Click VLAN 802 1Q VLAN Static List To create a new VLAN enter the VLAN ID and VLAN name mark the Enable checkbox to ...

Page 268: ...mbers 2 VLAN 1 is the default untagged VLAN containing all ports on the switch and can only be modified by first reassigning the default port VLAN ID as described under Configuring VLAN Behavior for Interfaces on page 12 14 Command Attributes VLAN ID of configured VLAN 1 4093 Name Name of the VLAN 1 to 32 characters Console config vlan database 30 7 Console config vlan vlan 2 name R D media ethern...

Page 269: ...rmation Untagged Interface is a member of the VLAN All packets transmitted by the port will be untagged that is not carry a tag and therefore not carry VLAN or CoS information Note that an interface must be assigned to at least one group as an untagged port Forbidden Interface is forbidden from automatically joining the VLAN via GVRP For more information see Automatic VLAN Registration on page 12 ...

Page 270: ... 12 5 VLAN Static Table Adding Static Members CLI The following example adds tagged and untagged ports to VLAN 2 Console config interface ethernet 1 1 24 2 Console config if switchport allowed vlan add 2 tagged 30 14 Console config if exit Console config interface ethernet 1 2 Console config if switchport allowed vlan add 2 untagged Console config if exit Console config interface ethernet 1 13 Con...

Page 271: ...by Port Select an interface from the scroll down box Port or Trunk Click Query to display membership information for the interface Select a VLAN ID and then click Add to add the interface as a tagged member or click Remove to remove the interface After configuring VLAN membership for each interface click Apply Figure 12 6 VLAN Static Membership by Port CLI This example adds Port 3 to VLAN 1 as a t...

Page 272: ...ed unless you are experiencing difficulties with GVRP registration deregistration Command Attributes PVID VLAN ID assigned to untagged frames received on the interface Default 1 If an interface is not a member of VLAN 1 and you assign its PVID to this VLAN the interface will automatically be added to VLAN 1 as an untagged member For all other VLANs an interface must first be configured as an untag...

Page 273: ...he interval between transmitting requests queries to participate in a VLAN group Range 20 1000 centiseconds Default 20 GARP Leave Timer15 The interval a port waits before leaving a VLAN group This time should be set to more than twice the join time This ensures that after a Leave or LeaveAll message has been issued the applicants can rejoin before the port actually leaves the group Range 60 3000 c...

Page 274: ...IEEE 802 1Q Tunneling on page 12 17 for a detailed description of this feature TPID 0 65535 Tag Protocol Identifier specifies the ether type of incoming packets on a tunnel port See Configuring IEEE 802 1Q Tunneling on page 12 17 for a detailed description of this parameter Trunk Member Indicates if a port is a member of a trunk To add a trunk to the selected VLAN use the last table on the VLAN St...

Page 275: ...es required by different customers in the same service provider network might easily overlap and traffic passing through the infrastructure might be mixed Assigning a unique range of VLAN IDs to each customer would restrict customer configurations require intensive processing of VLAN mapping tables and could easily exceed the maximum VLAN limit of 4096 QinQ tunneling uses a single Service Provider...

Page 276: ...ce provider s metro network must also be added to this SPVLAN The uplink port can be added to multiple SPVLANs to carry inbound traffic for different customers onto the service provider s network When a double tagged packet enters another trunk port in an intermediate or core switch in the service provider s network the outer tag is stripped for packet processing When the packet exits another trun...

Page 277: ...VLAN ID and Tag Protocol Identifier TPID that is the ether type of the tag This outer tag is used for learning and switching packets The priority of the inner tag is copied to the outer tag if it is a tagged or priority tagged packet 2 After successful source and destination lookup the ingress process sends the packet to the switching process with two tags If the incoming packet is untagged the ou...

Page 278: ...ing a QinQ uplink port are processed in the following manner 1 If incoming packets are untagged the PVID VLAN native tag is added 2 If the ether type of an incoming packet single or double tagged is not equal to the TPID of the uplink port the VLAN tag is determined to be a Customer VLAN CVLAN tag The uplink port s PVID VLAN native tag is added to the packet This outer tag is used for learning and...

Page 279: ...PVLAN the outer tag will be stripped If it is a tagged member the outgoing packet will have two tags Configuration Limitations for QinQ The native VLAN of uplink ports should not be used as the SPVLAN If the SPVLAN is the uplink port s native VLAN the uplink port must be an untagged member of the SPVLAN Then the outer SPVLAN tag will be stripped when the packets are sent out Another reason is that...

Page 280: ...nterface to a QinQ Tunnel on page 12 23 4 Set the Tag Protocol Identifier TPID value of the tunnel port This step is required is the attached client is using a nonstandard 2 byte ethertype to identify 802 1Q tagged frames The standard ethertype value is 0x8100 See Adding an Interface to a QinQ Tunnel on page 12 23 5 Configure the QinQ tunnel port to join the SPVLAN as an untagged member see Adding...

Page 281: ...terface This feature allows the switch to interoperate with third party switches that do not use the standard 0x8100 ethertype to identify 802 1Q tagged frames For example 0x1234 is set as the custom 802 1Q ethertype on a trunk port incoming frames containing that ethertype are assigned to the VLAN contained in the tag following the ethertype field as they would be with a standard 802 1Q trunk Fra...

Page 282: ...example sets port 2 to tunnel mode indicates that the TPID used for 802 1Q tagged frames will be 9100 hexadecimal and enables address monitor mode to pass traffic between the management VLANs and the tunnel port Console config interface ethernet 1 2 24 2 Console config if switchport mode dot1q tunnel 30 25 Console config if switchport dot1q ethertype 9100 30 27 Console config if Console show dot1q...

Page 283: ...rmal VLANs can exist simultaneously within the same switch Enabling Private VLANs Use the Private VLAN Status page to enable disable the Private VLAN function Web Click VLAN Private VLAN Status Select Enable or Disable from the scroll down box and click Apply Figure 12 9 Private VLAN Status CLI This example enables private VLANs Console config pvlan 30 17 Console config Uplink Ports Primary VLAN p...

Page 284: ...ignated downlink ports Web Click VLAN Private VLAN Link Status Mark the ports that will serve as uplinks and downlinks for the private VLAN then click Apply Figure 12 10 Private VLAN Link Status CLI This configures port 3 as an uplink and port 5 and 6 as downlinks Console config pvlan up link ethernet 1 3 down link ethernet 1 5 30 17 Console config pvlan up link ethernet 1 3 down link ethernet 1 6...

Page 285: ...is received at a port its VLAN membership can then be determined based on the protocol type being used by the inbound packets Command Usage To configure protocol based VLANs follow these steps 1 First configure VLAN groups for the protocols you want to use page 8 Although not mandatory we suggest configuring a separate VLAN for each major protocol running on your network Do not add port members at...

Page 286: ...s Ethernet frames with IP and ARP protocol types Mapping Protocols to VLANs Map a protocol group to a VLAN for each interface that will participate in the group Command Usage When creating a protocol based VLAN only assign interfaces using this configuration screen If you assign interfaces using any of the other VLAN menus such as the VLAN Static Table page 10 or VLAN Static 16 SNAP frame types ar...

Page 287: ...nd the protocol type matches the frame is forwarded to the appropriate VLAN If the frame is untagged but the protocol type does not match the frame is forwarded to the default VLAN for this interface Command Attributes Interface Port or trunk identifier Protocol Group ID Group identifier of this protocol group Range 1 2147483647 VLAN ID VLAN to which matching protocol traffic is forwarded Range 1 ...

Page 288: ... following maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 3 Console config interface ethernet 1 1 Console config if protocol vlan protocol group 1 vlan 3 30 21 Console config if ...

Page 289: ...n priority command on page 9 Layer 2 Queue Settings Setting the Default Priority for Interfaces You can specify the default port priority for each interface on the switch All untagged packets entering the switch are tagged with the specified default port priority and then sorted into the appropriate priority queue at the output port Command Usage This switch provides eight priority queues for each...

Page 290: ...hat is assigned to untagged frames received on the specified interface Range 0 7 Default 0 Number of Egress Traffic Classes The number of queue buffers provided for each port Web Click Priority Default Port Priority or Default Trunk Priority Modify the default priority for any interface then click Apply Figure 13 1 Default Port Priority 17 CLI displays this information as Priority for untagged tra...

Page 291: ...shown in the following table Console config interface ethernet 1 3 24 2 Console config if switchport priority default 5 31 4 Console config if end Console show interfaces switchport ethernet 1 3 24 16 Information of Eth 1 3 Broadcast threshold Enabled 500 packets second LACP status Disabled Ingress rate limit Disable 1000M bits per second Egress rate limit Disable 1000M bits per second VLAN member...

Page 292: ...our own network Command Attributes Priority CoS value Range 0 7 where 7 is the highest priority Traffic Class18 Output queue buffer Range 0 7 where 7 is the highest CoS priority queue Table 13 2 CoS Priority Levels Priority Level Traffic Type 1 Background 2 Spare 0 default Best Effort 3 Excellent Effort 4 Controlled Load 5 Video less than 100 milliseconds latency and jitter 6 Voice less than 10 mi...

Page 293: ...S priorities is implemented as an interface configura tion command but any changes will apply to the all interfaces on the switch Console config interface ethernet 1 1 24 2 Console config queue cos map 0 0 31 7 Console config queue cos map 1 1 Console config queue cos map 2 2 Console config exit Console show queue cos map 31 9 Information of Eth 1 1 CoS Value 0 1 2 3 4 5 6 7 Priority Queue 0 1 2 3...

Page 294: ...ents the head of line blocking that can occur with strict priority queuing Command Attributes WRR Weighted Round Robin shares bandwidth at the egress ports by using scheduling weights 1 2 4 6 8 10 12 14 for queues 0 through 7 respectively This is the default selection Strict Services the egress queues in sequential order transmitting all traffic in the higher priority queues before servicing lower...

Page 295: ...ueues and thereby to the corresponding traffic priorities This weight sets the frequency at which each queue will be polled for service and subsequently affects the response time for software applications assigned a specific priority value Command Attributes WRR Setting Table19 Displays a list of weights for each traffic class i e queue Weight Value Set a new weight for the selected traffic class ...

Page 296: ...ervice When these services are enabled the priorities are mapped to a Class of Service value by the switch and the traffic then sent to the corresponding output queue Because different priority information may be contained in the traffic this switch maps priority values to the output queues in the following manner The precedence for priority mapping is IP Port Priority IP Precedence or DSCP Priori...

Page 297: ...e default setting IP Precedence Maps layer 3 4 priorities using IP Precedence IP DSCP Maps layer 3 4 priorities using Differentiated Services Code Point Mapping Web Click Priority IP Precedence DSCP Priority Status Select Disabled IP Precedence or IP DSCP from the scroll down menu then click Apply Figure 13 5 IP Precedence DSCP Priority Status CLI The following example enables IP Precedence servic...

Page 298: ... value 0 and so forth Bits 6 and 7 are used for network control and the other bits for various application types ToS bits are defined in the following table Command Attributes IP Precedence Priority Table Shows the IP Precedence to CoS map Class of Service Value Maps a CoS value to the selected IP Precedence value Note that 0 represents low priority and 7 represent high priority Table 13 3 Mapping...

Page 299: ... and then displays the IP Precedence settings Mapping specific values for IP Precedence is implemented as an interface configu ration command but any changes will apply to the all interfaces on the switch Console config map ip precedence 31 13 Console config interface ethernet 1 1 24 2 Console config if map ip precedence 1 cos 0 31 13 Console config if end Console show map ip precedence ethernet 1...

Page 300: ... marked for different kinds of forwarding The DSCP default values are defined in the following table Note that all the DSCP values that are not specified are mapped to CoS value 0 Command Attributes DSCP Priority Table Shows the DSCP Priority to CoS map Class of Service Value Maps a CoS value to the selected DSCP Priority value Note that 0 represents low priority and 7 represent high priority Note...

Page 301: ... 1 and then displays the DSCP Priority settings Mapping specific values for IP DSCP is implemented as an interface configuration command but any changes will apply to the all interfaces on the switch Console config map ip dscp 31 14 Console config interface ethernet 1 1 24 2 Console config if map ip dscp 1 cos 0 31 15 Console config if end Console show map ip dscp ethernet 1 1 31 18 DSCP mapping s...

Page 302: ...IP Port Priority Status Enables or disables the IP port priority IP Port Priority Table Shows the IP port to CoS map IP Port Number TCP UDP Set a new IP port number Class of Service Value Sets a CoS value for a new IP port Note that 0 represents low priority and 7 represent high priority Note Up to 8 entries can be specified IP Port Priority settings apply to all interfaces Web Click Priority IP P...

Page 303: ...switch maps HTTP traffic on port 1 to CoS value 0 and then displays the IP Port Priority settings Mapping specific values for IP Port Priority is implemented as an interface config uration command but any changes will apply to the all interfaces on the switch Console config map ip port 31 11 Console config interface ethernet 1 1 24 2 Console config if map ip port 80 cos 0 31 12 Console config if e...

Page 304: ...CLASS OF SERVICE 13 16 ...

Page 305: ...or different kinds of forwarding All switches or routers that access the Internet rely on class information to provide the same forwarding treatment to packets in the same class Class information can be assigned by end hosts or switches or routers along the path Priority can then be assigned based on a general policy or a detailed examination of the packet However note that detailed examination of...

Page 306: ...based on an access list a DSCP or IP Precedence value or a VLAN 3 Set an ACL mask to enable filtering for the criteria specified in the Class Map See Configuring an IP ACL Mask on page 12 or Configuring a MAC ACL Mask on page 14 4 Use the Policy Map to designate a policy name for a specific manner in which ingress traffic will be handled 5 Add one or more classes to the Policy Map Assign policy ru...

Page 307: ...k to enable filtering for the criteria specified in the Class Map See Configuring an IP ACL Mask on page 12 or Configuring a MAC ACL Mask on page 14 for information on configuring an appropriate ACL mask The class map is used with a policy map page 14 6 to create a service policy page 14 10 for a specific interface that defines packet classification service tagging and bandwidth policing Note that...

Page 308: ...rief description of a class map Range 1 256 characters Add Adds the specified class Back Returns to previous page with making any changes Match Class Settings Class Name List of class maps ACL List Name of an access control list Any type of ACL can be specified including standard or extended IP ACLs and MAC ACLs Range 1 16 characters IP DSCP A DSCP value Range 0 63 IP Precedence An IP Precedence v...

Page 309: ...CONFIGURING QUALITY OF SERVICE PARAMETERS 14 5 Web Click QoS DiffServ then click Add Class to create a new class or Edit Rules to change the rules of an existing class Figure 14 1 Configuring Class Maps ...

Page 310: ...the Action field defining the maximum throughput and burst rate in the Meter field and the action that results from a policy violation in the Exceed field Then finally click Add to register the new policy A policy map can contain multiple class statements that can be applied to the same interface with the Service Policy Settings page 14 10 You can configure up to 63 policers i e class maps for Fas...

Page 311: ...gress traffic on this page Add Policy Opens the Policy Configuration page Enter a policy name and description on this page and click Add to open the Policy Rule Settings page Enter the criteria used to service ingress traffic on this page Remove Policy Deletes a specified policy Policy Configuration Policy Name Name of policy map Range 1 32 characters Description A brief description of a policy ma...

Page 312: ...acket as specified in Match Class Settings on page 14 3 Range CoS 0 7 DSCP 0 63 IP Precedence 0 7 IPv6 DSCP 0 63 Meter Check this to define the maximum throughput burst rate and the action that results from a policy violation Rate kbps Rate in kilobits per second Range 1 100000 kbps or maximum port speed whichever is lower Burst byte Burst in bytes Range 64 1522 Exceed Specifies whether the traffi...

Page 313: ...CE PARAMETERS 14 9 Web Click QoS DiffServ Policy Map to display the list of existing policy maps To add a new policy map click Add Policy To configure the policy rule settings click Edit Classes Figure 14 2 Configuring Policy Maps ...

Page 314: ...define a policy map and finally bind the service policy to the required interface You can only bind one policy map to an interface The current firmware does not allow you to bind a policy map to an egress queue Command Attributes Ports Specifies a port Ingress Applies the rule to ingress traffic Enabled Check this to enable a policy map on the specified port Policy Map Select the appropriate polic...

Page 315: ...nabled and choose a Policy Map for a port from the scroll down box then click Apply Figure 14 3 Service Policy Settings CLI This example applies a service policy to an ingress interface Console config interface ethernet 1 5 24 2 Console config if service policy input rd_policy 3 32 10 Console config if ...

Page 316: ...QUALITY OF SERVICE 14 12 ...

Page 317: ...e hosts which subscribed to this service This switch can use Internet Group Management Protocol IGMP to filter multicast traffic IGMP Snooping can be used to passively monitor or snoop on exchanges between attached hosts and an IGMP enabled device most commonly a multicast router In this way the switch can discover the ports that want to join a multicast group and set its filters accordingly If th...

Page 318: ...outing is not supported on other switches in your network you can use IGMP Snooping and IGMP Query page 15 4 to monitor IGMP service requests passing between multicast clients and servers and dynamically configure the switch ports which need to forward multicast traffic When using IGMPv3 snooping service requests from IGMP Version 1 2 or 3 hosts are all forwarded to the upstream router as IGMPv3 r...

Page 319: ...pecifying Static Interfaces for a Multicast Router on page 15 8 Using this method the router port is never timed out and will continue to function until explicitly removed The other method relies on the switch to dynamically create multicast routing ports whenever multicast routing protocol packets or IGMP query packets are detected on a port 3 A maximum of up to 255 multicast entries can be maint...

Page 320: ...p members It simply monitors the IGMP packets passing through it picks out the group registration information and configures the multicast filters accordingly Note Unknown multicast traffic is flooded to all ports in the VLAN for several seconds when first received If a multicast router port exists on the VLAN the traffic will be filtered by subjecting it to IGMP snooping If no router port exists ...

Page 321: ...ient from the multicast group Range 2 10 Default 2 IGMP Query Interval Sets the frequency at which the switch sends IGMP host query messages Range 60 125 seconds Default 125 IGMP Report Delay Sets the time between receiving an IGMP Report for an IP multicast address on a port before the switch sends an IGMP Query out of that port and removes the entry from its list Range 5 25 seconds Default 10 IG...

Page 322: ...p snooping querier 33 9 Console config ip igmp snooping query count 10 33 10 Console config ip igmp snooping query interval 100 33 11 Console config ip igmp snooping query max response time 20 33 11 Console config ip igmp snooping router port expire time 300 33 12 Console config ip igmp snooping version 2 33 4 Console config exit Console show ip igmp snooping 33 7 Service status Enabled Querier st...

Page 323: ...erface on the switch You can use the Multicast Router Port Information page to display the ports on this switch attached to a neighboring multicast router switch for each VLAN ID Command Attributes VLAN ID ID of configured VLAN 1 4093 Multicast Router List Multicast routers dynamically discovered by this switch or those that are statically assigned to an interface on this switch Web Click IGMP Sno...

Page 324: ...e that multicast traffic is passed to all the appropriate interfaces within the switch Command Attributes Interface Activates the Port or Trunk scroll down list VLAN ID Selects the VLAN to propagate all multicast traffic coming from the attached multicast router Port or Trunk Specifies the interface attached to a multicast router Web Click IGMP Snooping Static Multicast Router Port Configuration S...

Page 325: ...te VLAN ID Selects the VLAN for which to display port members Multicast IP Address The IP address for a specific multicast service Multicast Group Port List Shows the interfaces that have already been assigned to the selected VLAN to propagate a specific multicast service Console config ip igmp snooping vlan 1 mrouter ethernet 1 1 33 13 Console config exit Console show ip igmp snooping mrouter vla...

Page 326: ... multicast service Figure 15 4 IP Multicast Registration Table CLI This example displays all the known multicast services supported on VLAN 1 along with the ports propagating the corresponding services The Type field shows if this entry was learned dynamically or was statically configured Console show mac address table multicast vlan 1 33 8 VLAN M cast IP addr Member ports Type 1 224 1 1 12 Eth1 1...

Page 327: ...cipating hosts to a common VLAN and then assign the multicast service to that VLAN group Command Usage Static multicast addresses are never aged out When a multicast address is assigned to an interface in a specific VLAN the corresponding traffic can only be forwarded to ports within that VLAN Command Attributes Interface Activates the Port or Trunk scroll down list VLAN ID Selects the VLAN to pro...

Page 328: ... on VLAN 1 Multicast VLAN Registration Multicast VLAN Registration MVR is a protocol that controls access to a single network wide VLAN most commonly used for transmitting multicast traffic such as television channels or video on demand across a service provider s network Any multicast traffic entering an MVR VLAN is sent to all attached subscribers This protocol can significantly reduce to proces...

Page 329: ...h upper level routing services General Configuration Guidelines for MVR 1 Enable MVR globally on the switch select the MVR VLAN and add the multicast groups that will stream traffic to attached hosts see Configuring Global MVR Settings on page 15 14 2 Set the interfaces that will join the MVR as source ports or receiver ports see Web Click MVR Port Information or Trunk Information on page 15 16 3 ...

Page 330: ...ulticast data associated an MVR group is sent from all designated source ports and to all receiver ports that have registered to receive data from that multicast group Default Disabled MVR Running Status Indicates whether or not all necessary conditions in the MVR environment are satisfied Running status is true as long as MVR Status is enabled and the specified MVR VLAN exists MVR VLAN Identifier...

Page 331: ...onfiguration CLI This example first enables IGMP snooping enables MVR globally and then configures a range of MVR group addresses Displaying MVR Interface Status You can display information about the interfaces attached to the MVR VLAN Field Attributes Type Shows the MVR port type Oper Status Shows the link status Console config ip igmp snooping 33 2 Console config mvr 33 16 Console config mvr gro...

Page 332: ... has been statically assigned to an interface Immediate Leave Shows if immediate leave is enabled or disabled Trunk Member20 Shows if port is a trunk member Web Click MVR Port Information or Trunk Information Figure 15 7 MVR Port Information CLI This example shows information about interfaces attached to the MVR VLAN 20 Port Information only Console show mvr interface 33 19 Port Type Status Immedi...

Page 333: ...Interfaces on page 15 20 Immediate leave applies only to receiver ports When enabled the receiver port is immediately removed from the multicast group identified in the leave message When immediate leave is disabled the switch follows the standard rules by sending a group specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that mul...

Page 334: ...rt is a trunk member Web Click MVR Port Configuration or Trunk Configuration Figure 15 8 MVR Port Configuration CLI This example configures an MVR source port and receiver port and then enables immediate leave on the receiver port 21 Port Information only Console config interface ethernet 1 1 24 2 Console config if mvr type source 33 17 Console config if exit Console config interface ethernet 1 2 ...

Page 335: ...ovided through the MVR VLAN Web Click MVR Group IP Information Figure 15 9 MVR Group IP Information CLI This example following shows information about the interfaces associated with multicast groups assigned to the MVR VLAN Console show mvr members 33 19 MVR Group IP Status Members 225 0 0 1 ACTIVE eth1 1 d eth1 2 s 225 0 0 2 INACTIVE None 225 0 0 3 INACTIVE None 225 0 0 4 INACTIVE None 225 0 0 5 ...

Page 336: ...MVR Configuration menu see Configuring Global MVR Settings on page 15 14 The IP address range from 224 0 0 0 to 239 255 255 255 is used for multicast streams MVR group addresses cannot fall within the reserved IP multicast address range of 224 0 0 x Command Attributes Interface Indicates a port or trunk Member Shows the IP addresses for MVR multicast groups which have been statically assigned to t...

Page 337: ...igned multicast groups Select a multicast address from the displayed lists and click the Add or Remove button to modify the Member list Figure 15 10 MVR Group Member Configuration CLI This example statically assigns a multicast group to a receiver port Console config interface ethernet 1 2 24 2 Console config if mvr group 228 1 23 1 33 17 Console config if ...

Page 338: ...MULTICAST FILTERING 15 22 ...

Page 339: ...o address translation Configuring General DNS Service Parameters Command Usage To enable DNS service on this switch first configure one or more name servers and then enable domain lookup status To append domain names to incomplete host names received from a DNS client i e not formatted with dotted notation you can specify a default domain name or a list of domain names to be tried in sequential or...

Page 340: ...es DNS host name to address translation Default Domain Name22 Defines the default domain name appended to incomplete host names Range 1 64 alphanumeric characters Domain Name List22 Defines a list of domain names that can be appended to incomplete host names Range 1 64 alphanumeric characters 1 5 names Name Server List Specifies the address of one or more domain name servers to use for name to add...

Page 341: ...16 3 Web Select DNS General Configuration Set the default domain name or list of domain names specify one or more name servers to use to use for address resolution enable domain lookup status and click Apply Figure 16 1 DNS General Configuration ...

Page 342: ...work devices may support one or more connections via multiple IP addresses If more than one IP address is associated with a host name in the static table or via information returned from a name server a DNS client can try each address in succession until it establishes a connection with the target device Console config ip domain name sample com 34 4 Console config ip domain list sample com uk 34 5...

Page 343: ... Range 1 64 characters IP Address Internet address es associated with a host name Range 1 8 addresses Alias Displays the host names that are mapped to the same address es as a previously configured entry Web Select DNS Static Host Table Enter a host name and one or more corresponding addresses then click Apply Figure 16 2 DNS Static Host Table ...

Page 344: ...e entry and therefore unreliable Type This field includes CNAME which specifies the canonical or primary name for the owner and ALIAS which specifies multiple domain names which are mapped to the same IP address as an existing entry IP The IP address associated with this record TTL The time to live reported by the name server Domain The domain name associated with this record Console config ip hos...

Page 345: ...ME 207 46 134 190 51 www microsoft akadns net 2 4 CNAME 207 46 134 155 51 www microsoft akadns net 3 4 CNAME 207 46 249 222 51 www microsoft akadns net 4 4 CNAME 207 46 249 27 51 www microsoft akadns net 5 4 ALIAS POINTER TO 4 51 www microsoft com 6 4 CNAME 207 46 68 27 71964 msn com tw 7 4 ALIAS POINTER TO 6 71964 www msn com tw 8 4 CNAME 65 54 131 192 605 passportimages com 9 4 ALIAS POINTER TO ...

Page 346: ...DOMAIN NAME SERVICE 16 8 ...

Page 347: ...ands 19 1 SNMP Commands 20 1 User Authentication Commands 21 1 Client Security Commands 22 1 Access Control List Commands 23 1 Interface Commands 24 1 Link Aggregation Commands 25 1 Mirror Port Commands 26 1 Rate Limit Commands 27 1 Address Table Commands 28 1 Spanning Tree Commands 29 1 VLAN Commands 30 1 Class of Service Commands 31 1 Quality of Service Commands 32 1 Multicast Filtering Commands...

Page 348: ...COMMAND LINE INTERFACE IP Interface Commands 35 1 ...

Page 349: ...ommands on a UNIX system Console Connection To access the switch through the console port perform these steps 1 At the console prompt enter the user name and password The default user names are admin and guest with corresponding passwords of admin and guest When the administrator user name and password is entered the CLI displays the Console prompt and enters privileged access mode i e Privileged ...

Page 350: ...s obtained via DHCP by default To access the switch through a Telnet session you must first set the IP address for the Master unit and set the default gateway if you are managing the switch from a different IP subnet For example If your corporate network is connected to another network outside your office or to the Internet you need to apply for a registered IP address However if you are attached ...

Page 351: ...er the necessary commands to complete your desired tasks 4 When finished exit the session with the quit or exit command After entering the Telnet command the login screen displays Note You can open up to four sessions to the device via Telnet Entering Commands This section describes how to enter CLI commands Keywords and Arguments A CLI command is a series of keywords and arguments Keywords identi...

Page 352: ...e admin password 0 smith Minimum Abbreviation The CLI will accept a minimum number of characters that uniquely identify a command For example the command configure can be entered as con If an entry is ambiguous the system will prompt for further input Command Completion If you terminate input with a Tab key the CLI will print the remaining characters of a partial keyword up to the point of ambigui...

Page 353: ...formation of interfaces ip IP information lacp Show LACP statistic line TTY line information log Login records logging Show the contents of logging buffers mac MAC access lists mac address table Set configuration of the address table management Show management IP filter map Map priority mvr Show mvr interface information policy map Display policy maps port Characteristics of the port protocol vlan...

Page 354: ...og system messages to a host server To disable logging specify the no logging command This guide describes the negation effect for all applicable commands Using Command History The CLI maintains a history of commands that have been entered You can scroll back through the history of commands by pressing the up arrow key Any command displayed in the history list can be executed again or first modifi...

Page 355: ...ew console session on the switch with the user name and password guest the system enters the Normal Exec command mode or guest mode displaying the Console command prompt Only a limited number of the commands are available in this mode You can access all commands only from the Privileged Exec command mode or administrator mode To access Privilege Exec mode open a new console session with the user n...

Page 356: ... copy running config startup config command The configuration commands are organized into different modes Global Configuration These commands modify the system level configuration and include commands such as hostname and snmp server community Access Control List Configuration These commands are used for packet filtering Class Map Configuration Creates a DiffServ class map for a specified traffic ...

Page 357: ...ee Configuration These commands configure settings for the selected multiple spanning tree instance Policy Map Configuration Creates a DiffServ policy map for multiple interfaces VLAN Configuration Includes the command to create VLAN groups To enter the Global Configuration mode enter the command configure in Privileged Exec mode The system prompt will change to Console config which gives you acce...

Page 358: ...trol List access list ip standard access list ip extended access list ip mask precedence access list mac access list mac mask precedence Console config std acl Console config ext acl Console config ip mask acl Console config mac acl Console config mac mask acl 23 3 23 3 23 8 23 16 23 20 Class Map class map Console config cmap 32 3 Interface interface ethernet port port channel id vlan id Console c...

Page 359: ...e Ctrl B Shifts cursor to the left one character Ctrl C Terminates the current task and displays the command prompt Ctrl E Shifts cursor to end of command line Ctrl F Shifts cursor to the right one character Ctrl K Deletes all characters from the cursor to the end of the line Ctrl L Repeats current command line on a new line Ctrl N Enters the next command line in the history buffer Ctrl P Enters t...

Page 360: ... logon access using local or remote authentication management access through the web server Telnet server and Secure Shell as well as port security IEEE 802 1X port access control and restricted access based on specified IP addresses 21 1 Access Control List Provides filtering for IPv4 frames based on address protocol TCP UDP port number or TCP control code or non IP frames based on MAC address or...

Page 361: ... for the switch 29 1 VLANs Configures VLAN settings and defines port membership for VLAN groups also enables or configures private VLANs protocol VLANs and QinQ tunneling 30 1 Class of Service Sets port priority for untagged frames selects strict priority or weighted round robin relative weight for each priority queue also sets priority for TCP UDP traffic types IP precedence and DSCP 31 1 Quality...

Page 362: ...OVERVIEW OF COMMAND LINE INTERFACE 17 14 ...

Page 363: ...rivileged mode PE 18 3 configure Activates global configuration mode PE 18 3 show history Shows the command history buffer NE PE 18 4 reload Restarts the system PE 18 5 prompt Customizes the CLI prompt GC 18 6 end Returns to Privileged Exec mode any config mode 18 6 exit Returns to the previous configuration mode or exits the CLI any 18 7 quit Exits a CLI session NE PE 18 7 help Shows how to use h...

Page 364: ... 0 Normal Exec 15 Privileged Exec Enter level 15 to access Privileged Exec mode Default Setting Level 15 Command Mode Normal Exec Command Usage super is the default password required to change the command mode from Normal Exec to Privileged Exec To set this password see the enable password command on page 21 4 The character is appended to the end of the prompt to indicate that the system is in pri...

Page 365: ... appended to the end of the prompt to indicate that the system is in normal access mode Example Related Commands enable 18 2 configure This command activates Global Configuration mode You must enter this mode to modify any settings on the switch You must also enter Global Configuration mode prior to enabling some of the other configuration modes including Interface Configuration Line Configuration...

Page 366: ... Command Usage The history buffer size is fixed at 10 Execution commands and 10 Configuration commands Example In this example the show history command lists the contents of the command history buffer Console configure Console config Console show history Execution command history 2 config 1 show history Configuration command history 4 interface vlan 1 3 exit 2 interface vlan 1 1 end Console ...

Page 367: ... history buffer config reload This command restarts the system Note When the system is restarted it will always run the Power On Self Test It will also retain all configuration information stored in non volatile memory by the copy running config startup config command Default Setting None Command Mode Privileged Exec Command Usage This command resets the entire system Example This example shows ho...

Page 368: ...ting Console Command Mode Global Configuration Example end This command returns to Privileged Exec mode Default Setting None Command Mode Global Configuration Interface Configuration Line Configuration VLAN Database Configuration and Multiple Spanning Tree Configuration Example This example shows how to return to the Privileged Exec mode from the Interface Configuration mode Console config prompt ...

Page 369: ...rn to the Privileged Exec mode from the Global Configuration mode and then quit the CLI session quit This command exits the configuration program Default Setting None Command Mode Normal Exec Privileged Exec Command Usage The quit and exit commands can both exit the configuration program Console config exit Console exit Press ENTER to start session User Access Verification Username ...

Page 370: ...GENERAL COMMANDS 18 8 Example This example shows how to quit a CLI session Console quit Press ENTER to start session User Access Verification Username ...

Page 371: ...on active managers and version information 19 3 System Mode Configures the switch to operate in normal mode or QinQ mode 19 10 System MTU Enables support for jumbo frames sets the maximum transfer unit size 19 12 File Management Manages code image or ECN330 switch configuration files 19 13 Line Sets communication parameters for the serial port including baud rate and console time out 19 23 Event L...

Page 372: ...the default host name Syntax hostname name no hostname name The name of this host Maximum length 255 characters Default Setting None Command Mode Global Configuration Example Table 19 2 Device Designation Commands Command Function Mode Page hostname Specifies the host name for the switch GC 19 2 snmp server contact Sets the system contact string GC 20 5 snmp server location Sets the system locatio...

Page 373: ...volatile memory This command displays settings for key command modes Each mode group is separated by symbols and includes the configuration Table 19 3 System Status Commands Command Function Mode Page show startup config Displays the contents of the configuration file stored in flash memory that is used to start up the system PE 19 3 show running config Displays the configuration data currently in...

Page 374: ...Console show startup config building startup config please wait stackingDB 00 stackingDB stackingMac 01_00 12 cf 21 dc e0_01 stackingMac phymap 00 12 cf 21 dc e0 SNTP server 0 0 0 0 0 0 0 0 0 0 0 0 snmp server community public ro snmp server community private rw username admin access level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access level 0 username guest pa...

Page 375: ...g memory to the information stored in non volatile memory This command displays settings for key command modes Each mode group is separated by symbols and includes the configuration mode command and corresponding commands This command displays the following information MAC address for the switch SNTP server settings SNMP community strings Users names access levels and encrypted passwords VLAN data...

Page 376: ...P server 0 0 0 0 0 0 0 0 0 0 0 0 snmp server community private rw snmp server community public ro username admin access level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca vlan database vlan 1 name DefaultVlan media ethernet state acti...

Page 377: ...tem information Default Setting None Command Mode Normal Exec Privileged Exec Command Usage For a description of the items shown by this command refer to Displaying System Information on page 4 1 The POST results should all display PASS If any POST test indicates FAIL contact your distributor for assistance ...

Page 378: ...d 44 61 seconds System Name NONE System Location NONE System Contact NONE MAC Address Unit1 00 20 1A DF 9C A0 MAC Address Unit2 00 20 1A DF 9E C0 Web Server Enabled Web Server Port 80 Web Secure Server Enabled Web Secure Server Port 443 Telnet Server Enable Telnet Server Port 23 Jumbo Frame Disabled Power Module A Status UP Power Module B Status Not present Power Module A Type Power Module B Type ...

Page 379: ... Exec Command Usage See Displaying Switch Hardware Software Versions on page 4 8 for detailed information on the items displayed by this command Console show users Username accounts Username Privilege Public Key admin 15 None guest 0 None steve 15 RSA Online users Line Username Idle time h m s Remote IP addr 0 console admin 0 14 14 1 VTY 0 admin 0 00 00 192 168 1 19 2 SSH 1 steve 0 00 06 192 168 1...

Page 380: ...o QinQ mode and allows the dot1q tunnel port to be configured For an explanation of QinQ see Configuring IEEE 802 1Q Tunneling on page 30 24 Console show version Unit1 Serial Number 0000E8900000 Hardware Version R01 EPLD Version 0 01 Number of Ports 29 Agent Master Unit ID 1 Loader Version 1 0 0 1 Boot ROM Version 1 0 0 7 Operation Code Version 1 0 1 5 Console Table 19 4 System Mode Commands Comma...

Page 381: ...here are any dot1q tunnel ports set on the switch the no system mode command will fail Example Related Commands show system mode 19 11 show system mode This command displays the switch system mode Command Mode Privileged Exec Command Usage The system mode displays as QinQ or Normal mode Example Related Commands system mode 19 10 Console config system mode qinq Console config Console config system ...

Page 382: ...to standard Ethernet frames that run only up to 1 5 KB using jumbo frames for local Gigabit Ethernet connections significantly reduces the per packet overhead required to process protocol encapsulation fields Frame sizes for Fast Ethernet ports can be extended up to 1546 bytes and are used primarily to allow for additional header fields not to significantly increase the per packet data size These ...

Page 383: ... remember to use the jumbo frame command to implement the new setting by enabling jumbo frames The current setting for jumbo frames can be displayed with the show system command page 19 7 Example Related Commands show system mtu 19 14 system mtu This command sets the maximum transfer unit for traffic crossing the switch Use the no form to restore the default settings Syntax system mtu FE size jumb...

Page 384: ...system mtu 19 14 show system mtu This command shows the maximum transfer unit size for Fast Ethernet and Gigabit Ethernet ports Command Mode Global Configuration Example File Management Commands Managing Firmware Firmware can be uploaded and downloaded to or from a TFTP server By saving runtime code to a file on a TFTP server that file can later be downloaded to the switch to restore operation The...

Page 385: ...le can be downloaded under a new file name and then set as the startup file or the current startup configuration file can be specified as the destination file to directly replace it Note that the file Factory_Default_Config cfg can be copied to the TFTP server but cannot be used as the destination on the switch Table 19 6 Flash File Commands Command Function Mode Page copy Copies a code image or a...

Page 386: ...tartup config https certificate public key file Keyword that allows you to copy to from a file running config Keyword that allows you to copy to from the current running configuration startup config The configuration used for system initialization tftp Keyword that allows you to copy to from a TFTP server https certificate Keyword that allows you to copy the HTTPS secure site certificate public ke...

Page 387: ...ot ROM and Loader cannot be uploaded or downloaded from the TFTP server You must follow the instructions in the release notes for new firmware or contact your distributor for help For information on specifying an https certificate see Replacing the Default Secure site Certificate on page 6 9 For information on configuring the switch to use HTTPS for a secure connection see ip http secure server on...

Page 388: ...file name startup TFTP server ip address 10 1 0 99 Destination file name startup 01 TFTP completed Success Console Console copy running config file destination file name startup Write to FLASH Programming Write to FLASH finish Success Console Console copy tftp startup config TFTP server ip address 10 1 0 99 Source configuration file name startup 01 Startup configuration file name startup Write to ...

Page 389: ...age Default Setting None Command Mode Privileged Exec Command Usage If the file type is used for system startup then this file cannot be deleted Factory_Default_Config cfg cannot be deleted Example This example shows how to delete the test2 cfg configuration file from flash memory Console copy tftp public key TFTP server IP address 192 168 1 19 Choose public key type 1 RSA 2 DSA 1 2 1 Source file ...

Page 390: ...e Name of configuration file or code image If this file exists but contains errors information on this file cannot be shown Default Setting None Command Mode Privileged Exec Command Usage If you enter the command dir without any parameters the system displays all files File information is shown below Table 19 7 File Directory Information Column Heading Description file name The name of the file fi...

Page 391: ...oot command See the table under the dir command for a description of the file information displayed by this command Console dir File name File type Startup Size byte Unit1 D1 0 0 7 Boot Rom Image Y 1159752 V1 0 1 5 Operation Code Y 3545724 Factory_Default_Config cfg Config File N 455 startup1 cfg Config File Y 3336 Total free space 10092544 Console Console whichboot File name File type Startup Siz...

Page 392: ... set as a default includes boot rom Boot ROM config Configuration file opcode Run time operation code filename Name of configuration file or code image Default Setting None Command Mode Global Configuration Command Usage If the file contains an error it cannot be set as the default file Example Related Commands dir 19 20 whichboot 19 21 Console config boot system config startup Console config ...

Page 393: ... the interval that the command interpreter waits until user input is detected LC 19 28 password thresh Sets the password intrusion threshold which limits the number of failed logon attempts LC 19 29 silent time These commands only apply to the serial port Sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the ...

Page 394: ...elnet Default Setting There is no default line Command Mode Global Configuration Command Usage Telnet is considered a virtual terminal connection and will be shown as VTY in screen displays such as show users However the serial communication parameters e g databits do not affect Telnet connections Example To enter console line mode enter the following command Related Commands show line 19 34 show ...

Page 395: ...d by the password line configuration command When using this method the management interface starts in Normal Exec NE mode login local selects authentication via the user name and password specified by the username command i e default setting When using this method the management interface starts in Normal Exec NE or Privileged Exec PE mode depending on the user s privilege level 0 or 15 respectiv...

Page 396: ...ommand Mode Line Configuration Command Usage When a connection is started on a line with password protection the system prompts for the password If you enter the correct password the system shows a prompt You can use the password thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle sta...

Page 397: ...conds no timeout login response seconds Integer that specifies the timeout interval Range 0 300 seconds 0 disabled Default Setting CLI Disabled 0 seconds Telnet 300 seconds Command Mode Line Configuration Command Usage If a login attempt is not detected within the timeout interval the connection is terminated for the session This command applies to both the local console and Telnet connections The...

Page 398: ...ting CLI No timeout Telnet 10 minutes Command Mode Line Configuration Command Usage If user input is detected within the timeout interval the session is kept open otherwise the session is terminated This command applies to both the local console and Telnet connections The timeout for Telnet cannot be disabled Using the command without specifying a timeout restores the default setting Example To se...

Page 399: ... The default value is three attempts Command Mode Line Configuration Command Usage When the logon attempt threshold is reached the system interface becomes silent for a specified amount of time before allowing the next logon attempt Use the silent time command to set this interval When this threshold is reached for Telnet the Telnet logon interface shuts down Example To set the password threshold ...

Page 400: ...nsole response Range 0 65535 0 no silent time Default Setting The default value is no silent time Command Mode Line Configuration console only Example To set the silent time to 60 seconds enter this command Related Commands password thresh 19 29 databits This command sets the number of data bits per character that are interpreted and generated by the console port Use the no form to restore the def...

Page 401: ...data bits per character If no parity is required specify 8 data bits per character Example To specify 7 data bits enter this command Related Commands parity 19 31 parity This command defines the generation of a parity bit Use the no form to restore the default setting Syntax parity none even odd no parity none No parity even Even parity odd Odd parity Default Setting No parity Command Mode Line Co...

Page 402: ...ax speed bps no speed bps Baud rate in bits per second Options 9600 19200 38400 57600 115200 bps or auto Default Setting auto Command Mode Line Configuration Command Usage Set the speed to match the baud rate of the device connected to the serial port Some baud rates available on devices connected to the port might not be supported The system indicates if the speed you selected is not supported If...

Page 403: ...stop bits Default Setting 1 stop bit Command Mode Line Configuration Example To specify 2 stop bits enter this command disconnect This command terminates an SSH Telnet or console connection Syntax disconnect session id session id The session identifier for an SSH Telnet or console connection Range 0 4 Command Mode Privileged Exec Console config line speed 57600 Console config line Console config l...

Page 404: ...l disconnect an SSH or Telnet connection Example Related Commands show ssh 21 31 show users 19 8 show line This command displays the terminal line s parameters Syntax show line console vty console Console terminal line vty Virtual terminal for remote console access i e Telnet Default Setting Shows all lines Command Mode Normal Exec Privileged Exec Console disconnect 1 Console ...

Page 405: ... line Console configuration Password threshold 3 times Interactive timeout Disabled Login timeout Disabled Silent time Disabled Baudrate auto Databits 8 Parity none Stopbits 1 VTY configuration Password threshold 3 times Interactive timeout 600 sec Login timeout 300 sec Console ...

Page 406: ...og servers You can use the logging history Table 19 9 Event Logging Commands Command Function Mode Page logging on Controls logging of error messages GC 19 36 logging history Limits syslog messages saved to switch memory based on severity GC 19 37 logging host Adds a syslog server host IP address that will receive logging messages GC 19 38 logging facility Sets the facility type for remote logging...

Page 407: ...he default level Syntax logging history flash ram level no logging history flash ram flash Event history stored in flash memory i e permanent memory ram Event history stored in temporary RAM i e memory flushed on power reset level One of the levels listed below Messages sent include the selected level down to level 0 Range 0 7 Console config logging on Console config Table 19 10 Logging Levels Lev...

Page 408: ...log server host Syntax no logging host host_ip_address host_ip_address The IP address of a syslog server Default Setting None 4 warnings Warning conditions e g return false unexpected return 3 errors Error conditions e g invalid input default used 2 critical Critical conditions e g memory allocation or free memory error resource exhausted 1 alerts Immediate action needed 0 emergencies System unusa...

Page 409: ...ty type type A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service Range 16 23 Default Setting 23 Command Mode Global Configuration Command Usage The command specifies the facility type tag sent in syslog messages See RFC 3164 This type has no effect on the kind of messages reported by the switch However it may be used by the syslog serve...

Page 410: ... no logging trap level One of the syslog severity levels listed in the table on page 19 37 Messages sent include the selected level up through level 0 Default Setting Disabled Level 7 0 Command Mode Global Configuration Command Usage Using this command with a specified level enables remote logging and sets the minimum severity level to be saved Using this command without a specified level also ena...

Page 411: ...yntax clear log flash ram flash Event history stored in flash memory i e permanent memory ram Event history stored in temporary RAM i e memory flushed on power reset Default Setting Flash and RAM Command Mode Privileged Exec Example Related Commands show log 19 44 Console clear log Console ...

Page 412: ...r Syntax show logging flash ram sendmail trap flash Displays settings for storing event messages in flash memory i e permanent memory ram Displays settings for storing event messages in temporary RAM i e memory flushed on power reset sendmail Displays settings for the SMTP event handler page 19 49 trap Displays settings for the trap function Default Setting None Command Mode Privileged Exec ...

Page 413: ... The message level s reported based on the logging history command History logging in RAM The message level s reported based on the logging history command Console show logging trap Syslog logging Enable REMOTELOG status disable REMOTELOG facility type local use 7 REMOTELOG level type Debugging messages REMOTELOG server IP address 1 2 3 4 REMOTELOG server IP address 0 0 0 0 REMOTELOG server IP add...

Page 414: ...llowing example shows the event message stored in RAM REMOTELOG level type The severity threshold for syslog messages sent to a remote server as specified in the logging trap command REMOTELOG server IP address The address of syslog servers as specified in the logging host command Console show log ram 1 00 01 30 2001 01 01 VLAN 1 link up notification level 6 module 5 function 1 and event no 1 0 00...

Page 415: ...nd Mode Global Configuration Command Usage You can specify up to three SMTP servers for event handing However you must enter a separate command to specify each server Table 19 13 SMTP Alert Commands Command Function Mode Page loggingsendmailhost SMTP servers to receive alert messages GC 19 45 logging sendmail level Severity threshold used to trigger alert messages GC 19 46 logging sendmail source ...

Page 416: ...essfully open a connection Example logging sendmail level This command sets the severity threshold used to trigger alert messages Syntax logging sendmail level level level One of the system message levels page 19 37 Messages sent include the selected level down to level 0 Range 0 7 Default 7 Default Setting Level 7 Command Mode Global Configuration Command Usage The specified level indicates an ev...

Page 417: ...ay use an symbolic email address that identifies the switch or the address of an administrator responsible for the switch Example logging sendmail destination email This command specifies the email recipients of alert messages Use the no form to remove a recipient Syntax no logging sendmail destination email email address email address The source email address used in alert messages Range 1 41 cha...

Page 418: ...ecify each recipient Example logging sendmail This command enables SMTP event handling Use the no form to disable this function Syntax no logging sendmail Default Setting Enabled Command Mode Global Configuration Example Console config logging sendmail destination email ted this company com Console config Console config logging sendmail Console config ...

Page 419: ... the SMTP event handler Command Mode Normal Exec Privileged Exec Example Console show logging sendmail SMTP servers 192 168 1 19 SMTP minimum severity level 7 SMTP destination email addresses ted this company com SMTP source email address bill this company com SMTP status Enabled Console ...

Page 420: ...rvers specified with the sntp servers command Use the no form to disable SNTP client requests Syntax no sntp client Default Setting Disabled Command Mode Global Configuration Table 19 14 Time Commands Command Function Mode Page sntp client Accepts time from specified time servers GC 19 50 sntp server Specifies one or more time servers GC 19 51 sntp poll Sets the interval at which the client polls ...

Page 421: ... Commands sntp server 19 51 sntp poll 19 52 show sntp 19 53 sntp server This command sets the IP address of the servers to which SNTP time requests are issued Use the this command with no arguments to clear all time servers from the current list Syntax sntp server ip1 ip2 ip3 ip IP address of an time server NTP or SNTP Range 1 3 addresses Default Setting None Console config sntp server 10 1 0 19 C...

Page 422: ...ed on the interval set via the sntp poll command Example Related Commands sntp client 19 50 sntp poll 19 52 show sntp 19 53 sntp poll This command sets the interval between sending time requests when the switch is set to SNTP client mode Use the no form to restore to the default Syntax sntp poll seconds no sntp poll seconds Interval between time requests Range 16 16384 seconds Default Setting 16 s...

Page 423: ...operly updated Command Mode Normal Exec Privileged Exec Command Usage This command displays the current time the poll interval used for sending time synchronization requests and the current SNTP mode i e unicast Example Console show sntp Current time Dec 23 05 13 28 2002 Poll interval 16 Current mode unicast SNTP status Enabled SNTP server 137 92 140 80 0 0 0 0 0 0 0 0 Current server 137 92 140 80...

Page 424: ...e zone before east of UTC after utc Sets the local time zone after west of UTC Default Setting None Command Mode Global Configuration Command Usage This command sets the local time zone relative to the Coordinated Universal Time UTC formerly Greenwich Mean Time or GMT based on the earth s prime meridian zero degrees longitude To display a time corresponding to your local time you must indicate the...

Page 425: ... 23 min Minute Range 0 59 sec Second Range 0 59 day Day of month Range 1 31 month january february march april may june july august september october november december year Year 4 digit Range 2001 2100 Default Setting None Command Mode Privileged Exec Example This example shows how to set the system clock to 15 12 34 February 1st 2002 show calendar This command displays the system clock Default Se...

Page 426: ...SYSTEM MANAGEMENT COMMANDS 19 56 Example Console show calendar 15 12 34 February 1 2002 Console ...

Page 427: ...ication and privacy and then assign SNMP users to these groups along with their specific authentication and privacy passwords Table 20 1 SNMP Commands Command Function Mode Page snmp server Enables the SNMP agent GC 20 2 show snmp Displays the status of SNMP communications NE PE 20 2 snmp server community Sets up the community access string to permit access to SNMP commands GC 20 4 snmp server con...

Page 428: ...he status of SNMP communications Default Setting None Command Mode Normal Exec Privileged Exec snmp server view Adds an SNMP view GC 20 13 show snmp view Shows the SNMP views PE 20 14 snmp server group Adds an SNMP group mapping users to views GC 20 15 show snmp group Shows the SNMP groups PE 20 16 snmp server user Adds a user to an SNMP group GC 20 18 show snmp user Shows the SNMP users PE 20 20 ...

Page 429: ...e Link up down enable SNMP communities 1 private and the privilege is read write 2 public and the privilege is read only 0 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors 0 Number of requested variables 0 Number of altered variables 0 Get request PDUs 0 Get next PDUs 0 Set request PDUs 0 SNMP packets output 0 T...

Page 430: ...ensitive Maximum number of strings 5 ro Specifies read only access Authorized management stations are only able to retrieve MIB objects rw Specifies read write access Authorized management stations are able to both retrieve and modify MIB objects Default Setting public Read only access Authorized management stations are only able to retrieve MIB objects private Read write access Authorized managem...

Page 431: ...ion Maximum length 255 characters Default Setting None Command Mode Global Configuration Example Related Commands snmp server location 20 5 snmp server location This command sets the system location string Use the no form to remove the location string Syntax snmp server location text no snmp server location text String that describes the system location Maximum length 255 characters Default Settin...

Page 432: ...ss entries inform Notifications are sent as inform messages Note that this option is only available for version 2c and 3 hosts Default traps are used retries The maximum number of times to resend an inform message if the recipient does not acknowledge receipt Range 0 255 Default 3 seconds The number of seconds to wait for an acknowledgment before resending an inform message Range 0 2147483647 cent...

Page 433: ...on Command Usage If you do not enter an snmp server host command no notifications are sent In order to configure the switch to send SNMP notifications you must enter at least one snmp server host command In order to enable multiple hosts you must issue a separate snmp server host command for each host The snmp server host command is used in conjunction with the snmp server enable traps command Use...

Page 434: ...ew with the required notification messages page 20 13 5 Create a group that includes the required notify view page 20 15 To send an inform to a SNMPv3 host complete these steps 1 Enable the SNMP agent page 20 2 2 Allow the switch to send SNMP traps i e notifications page 20 9 3 Specify the target host that will receive inform messages with the snmp server host command as described in this section ...

Page 435: ... Use the no form to disable SNMP notifications Syntax no snmp server enable traps authentication link up down authentication Keyword to issue authentication failure notifications link up down Keyword to issue link up or link down notifications Default Setting Issue authentication and link up down traps Command Mode Global Configuration Command Usage If you do not enter an snmp server enable traps ...

Page 436: ...responding entries in the Notify View assigned by the snmp server group command page 20 15 Example Related Commands snmp server host 20 6 snmp server engine id This command configures an identification string for the SNMPv3 engine Use the no form to restore the default Syntax snmp server engine id local remote ip address engineid string no snmp server engine id local remote ip address local Specif...

Page 437: ...rds are localized using the engine ID of the authoritative agent For informs the authoritative SNMP agent is the remote agent You therefore need to configure the remote agent s SNMP engine ID before you can send proxy requests or informs to it Trailing zeroes need not be entered to uniquely specify a engine ID In other words the value 0123456789 is equivalent to 0123456789 followed by 22 zeroes A ...

Page 438: ... engineID IP address 80000000030004e2b316c54321 192 168 1 19 Console Table 20 2 show snmp engine id display description Field Description Local SNMP engineID String identifying the engine ID Local SNMP engineBoots The number of times that the engine has re initialized since the snmp EngineID was last configured Remote SNMP engineID String identifying an engine ID on a remote device IP address IP a...

Page 439: ...n included view excluded Defines an excluded view Default Setting defaultview includes access to the entire MIB tree Command Mode Global Configuration Command Usage Views are used in the snmp server group command to restrict user access to specified portions of the MIB tree The predefined view defaultview includes access to the entire MIB tree Examples This view includes MIB 2 This view includes t...

Page 440: ...sole show snmp view View Name mib 2 Subtree OID 1 2 2 3 6 2 1 View Type included Storage Type permanent Row Status active View Name defaultview Subtree OID 1 View Type included Storage Type volatile Row Status active Console Table 20 3 show snmp view display description Field Description View Name Name of an SNMP view Subtree OID A branch in the MIB tree View Type Indicates if the view is included...

Page 441: ...ocol on page 5 1 for further information about these authentication and encryption options readview Defines the view for read access 1 64 characters writeview Defines the view for write access 1 64 characters notifyview Defines the view for notifications 1 64 characters Default Setting Default groups public23 read only private24 read write readview Every object belonging to the Internet OID space ...

Page 442: ...enable traps command page 20 9 Example show snmp group Four default groups are provided SNMPv1 read only access and read write access and SNMPv2c read only access and read write access Command Mode Privileged Exec Example Console config snmp server group r d v3 auth write daily Console config Console show snmp group Group Name r d Security Model v3 Read View defaultview Write View daily Notify Vie...

Page 443: ...tatus active Group Name private Security Model v2c Read View defaultview Write View defaultview Notify View none Storage Type volatile Row Status active Console Table 20 4 show snmp group display description Field Description groupname Name of an SNMP group security model The SNMP version readview The associated read view writeview The associated write view notifyview The associated notify view st...

Page 444: ...igned Range 1 32 characters remote Specifies an SNMP engine on a remote device ip address The Internet address of the remote device v1 v2c v3 Use SNMP version 1 2c or 3 encrypted Accepts the password as encrypted input auth Uses SNMPv3 with authentication md5 sha Uses MD5 or SHA authentication auth password Authentication password Enter as plain text if the encrypted option is not used Otherwise e...

Page 445: ...e user resides The remote agent s SNMP engine ID is used to compute authentication privacy digests from the user s password If the remote engine ID is not first configured the snmp server user command specifying a remote user will fail SNMP passwords are localized using the engine ID of the authoritative agent For informs the authoritative SNMP agent is the remote agent You therefore need to confi...

Page 446: ...e mark Authentication Protocol mdt Privacy Protocol des56 Storage Type nonvolatile Row Status active Console Table 20 5 show snmp user display description Field Description EngineId String identifying the engine ID User Name Name of user connecting to the SNMP agent Authentication Protocol The authentication protocol used with SNMPv3 Privacy Protocol The privacy protocol used with SNMPv3 Storage T...

Page 447: ...on Page User Accounts Configures the basic user names and passwords for management access 21 2 Authentication Sequence Defines logon authentication method and precedence 21 5 RADIUS Client Configures settings for authentication via a RADIUS server 21 8 TACACS Client Configures settings for authentication via a TACACS server 21 13 Web Server Settings Enables management access via a web browser 21 1...

Page 448: ...d or specifies or changes a user s access level Use the no form to remove a user name Syntax username name access level level nopassword password 0 7 password no username name name The name of the user Maximum length 8 characters case sensitive Maximum users 16 access level level Specifies the user level The device has two predefined privilege levels 0 Normal Exec 15 Privileged Exec nopassword No ...

Page 449: ...uired for compatibility with legacy password settings i e plain text or encrypted when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server There is no need for you to manually configure encrypted passwords Example This example shows how the set the access level and password for a user Table 21 3 Default Login Settings username access le...

Page 450: ...privilege level Maximum length 8 characters plain text 32 encrypted case sensitive Default Setting The default is level 15 The default password is super Command Mode Global Configuration Command Usage You cannot set a null password You will have to enter a password to change the command mode from Normal Exec to Privileged Exec with the enable command page 18 2 The encrypted password is required fo...

Page 451: ...e login authentication method and precedence Use the no form to restore the default Syntax authentication login local radius tacacs no authentication login local Use local password radius Use RADIUS server password tacacs Use TACACS server password Default Setting Local Command Mode Global Configuration Table 21 4 Authentication Sequence Commands Command Function Mode Page authentication login Def...

Page 452: ...The user name password and privilege level must be configured on the authentication server You can specify three authentication methods in a single command to indicate the authentication sequence For example if you enter authentication login radius tacacs local the user name and password on the RADIUS server is verified first If the RADIUS server is not available then authentication is attempted o...

Page 453: ... a connection oriented transport Also note that RADIUS encrypts only the password in the access request packet from the client to the server while TACACS encrypts the entire body of the packet RADIUS and TACACS logon authentication assigns a specific privilege level for each user name and password pair The user name password and privilege level must be configured on the authentication server You c...

Page 454: ...s with associated privilege levels for each user or group that require management access to a switch Console config authentication enable radius Console config Table 21 5 RADIUS Client Commands Command Function Mode Page radius server host Specifies the RADIUS server GC 21 9 radius server port Sets the RADIUS server network port GC 21 10 radius server key Sets the RADIUS encryption key GC 21 10 ra...

Page 455: ...server host_alias Symbolic name of server Maximum length 20 characters port_number RADIUS server UDP port used for authentication messages Range 1 65535 timeout Number of seconds the switch waits for a reply before resending a request Range 1 65535 retransmit Number of times the switch will try to authenticate logon access via the RADIUS server Range 1 30 key Encryption key used to authenticate lo...

Page 456: ...e 1 65535 Default Setting 1812 Command Mode Global Configuration Example radius server key This command sets the RADIUS encryption key Use the no form to restore the default Syntax radius server key key_string no radius server key key_string Encryption key used to authenticate logon access for client Do not use blank spaces in the string Maximum length 48 characters Default Setting None Command Mo...

Page 457: ...0 Default Setting 2 Command Mode Global Configuration Example radius server timeout This command sets the interval between transmitting authentication requests to the RADIUS server Use the no form to restore the default Syntax radius server timeout number_of_seconds no radius server timeout number_of_seconds Number of seconds the switch waits for a reply before resending a request Range 1 65535 De...

Page 458: ...rivileged Exec Example Console config radius server timeout 10 Console config Console show radius server Remote RADIUS server configuration Global settings Communication key with RADIUS server Server port number 1812 Retransmit times 2 Request timeout 5 Server 1 Server IP address 192 168 1 1 Communication key with RADIUS server Server port number 1812 Retransmit times 2 Request timeout 5 Console ...

Page 459: ...t This command specifies the TACACS server Use the no form to restore the default Syntax tacacs server host host_ip_address no tacacs server host host_ip_address IP address of a TACACS server Default Setting 10 11 12 13 Command Mode Global Configuration Example Table 21 6 TACACS Client Commands Command Function Mode Page tacacs server host Specifies the TACACS server GC 21 13 tacacs server port Sp...

Page 460: ...ge 1 65535 Default Setting 49 Command Mode Global Configuration Example tacacs server key This command sets the TACACS encryption key Use the no form to restore the default Syntax tacacs server key key_string no tacacs server key key_string Encryption key used to authenticate logon access for the client Do not use blank spaces in the string Maximum length 48 characters Default Setting None Command...

Page 461: ...nfig Console show tacacs server Remote TACACS server configuration Server IP address 10 11 12 13 Communication key with TACACS server Server port number 49 Console Table 21 7 Web Server Commands Command Function Mode Page ip http port Specifies the port to be used by the web browser interface GC 21 16 ip http server Allows the switch to be monitored or configured from a browser GC 21 16 ip http se...

Page 462: ... The TCP port to be used by the browser interface Range 1 65535 Default Setting 80 Command Mode Global Configuration Example Related Commands ip http server 21 16 ip http server This command allows this device to be monitored or configured from a browser Use the no form to disable this function Syntax no ip http server Default Setting Enabled Command Mode Global Configuration Console config ip htt...

Page 463: ...age Both HTTP and HTTPS service can be enabled independently on the switch However you cannot configure the HTTP and HTTPS servers to use the same UDP port If you enable HTTPS you must indicate this in the URL that you specify in your browser https device port_number When you start HTTPS the connection is established in this way The client authenticates the server using the server s digital certif...

Page 464: ...p http secure port 21 18 copy tftp https certificate 19 16 ip http secure port This command specifies the UDP port number used for HTTPS connection to the switch s web interface Use the no form to restore the default port Syntax ip http secure port port_number no ip http secure port port_number The UDP port used for HTTPS Range 1 65535 Table 21 8 HTTPS System Support Web Browser Operating System I...

Page 465: ...e HTTP and HTTPS servers to use the same port If you change the HTTPS port number clients attempting to connect to the HTTPS server must specify the port number in the URL in this format https device port_number Example Related Commands ip http secure server 21 17 Console config ip http secure port 1000 Console config ...

Page 466: ...t keyword to use the default port Syntax ip telnet server port port number no telnet server port port The TCP port used by the Telnet interface port number The TCP port number to be used by the browser interface Range 1 65535 Default Setting Server Enabled Server Port 23 Command Mode Global Configuration Example Table 21 9 Telnet Server Commands Command Function Mode Page ip telnet server Allows t...

Page 467: ... key size Sets the SSH server key size GC 21 27 copy tftp public key Copies the user s public key from a TFTP server to the switch PE 19 16 delete public key Deletes the public key for the specified user PE 21 28 ip ssh crypto host key generate Generates the host key PE 21 28 ip ssh crypto zeroize Clear the host key from RAM PE 21 29 ip ssh save host key Saves the host key from RAM to flash memory...

Page 468: ...utomatically import the host public key during the initial connection setup with the switch Otherwise you need to manually create a known hosts file on the management station and place the host public key in it An entry for a public key in the known hosts file would appear similar to the following example 10 1 0 54 1024 35 15684995401867669259333946775054617325313674890836547254 150202455931998685...

Page 469: ... SSH v1 5 or V2 Clients a The client sends its password to the server b The switch compares the client s password to those stored in memory c If a match is found the connection is allowed Note To use SSH with only password authentication the host public key must still be given to the client either during initial connection or manually entered into the known host file However you do not need to con...

Page 470: ... queries the switch to determine if DSA public key authentication using a preferred algorithm is acceptable b If the specified algorithm is supported by the switch it notifies the client to proceed with the authentication process Otherwise it rejects the request c The client sends a signature generated using the private key to the switch d When the server receives this message it checks whether th...

Page 471: ...s with the client to select either DES 56 bit or 3DES 168 bit for data encryption You must generate DSA and RSA host keys before enabling the SSH server Example Related Commands ip ssh crypto host key generate 21 28 show ssh 21 31 ip ssh timeout This command configures the timeout for the SSH server Use the no form to restore the default setting Syntax ip ssh timeout seconds no ip ssh timeout seco...

Page 472: ... command for vty sessions Example Related Commands exec timeout 19 28 show ip ssh 21 31 ip ssh authentication retries This command configures the number of times the SSH server attempts to reauthenticate a user Use the no form to restore the default setting Syntax ip ssh authentication retries count no ip ssh authentication retries count The number of authentication attempts permitted after which ...

Page 473: ...ze no ip ssh server key size key size The size of server key Range 512 896 bits Default Setting 768 bits Command Mode Global Configuration Command Usage The server key is a private key that is never shared outside the switch The host key is shared with the SSH client and is fixed at 1024 bits Example Console config ip ssh authentication retires 2 Console config Console config ip ssh server key siz...

Page 474: ...A and RSA key Command Mode Privileged Exec Example ip ssh crypto host key generate This command generates the host key pair i e public and private Syntax ip ssh crypto host key generate dsa rsa dsa DSA Version 2 key type rsa RSA Version 1 key type Default Setting Generates both the DSA and RSA key pairs Command Mode Privileged Exec Command Usage The switch uses only RSA Version 1 for SSHv1 5 clien...

Page 475: ...t key to negotiate a session key and encryption method with the client trying to connect to it Example Related Commands ip ssh crypto zeroize 21 29 ip ssh save host key 21 30 ip ssh crypto zeroize This command clears the host key from memory i e RAM Syntax ip ssh crypto zeroize dsa rsa dsa DSA key type rsa RSA key type Default Setting Clears both the DSA and RSA key Command Mode Privileged Exec Co...

Page 476: ... no ip ssh server 21 24 ip ssh save host key This command saves the host key from RAM to flash memory Syntax ip ssh save host key dsa rsa dsa DSA key type rsa RSA key type Default Setting Saves both the DSA and RSA key Command Mode Privileged Exec Example Related Commands ip ssh crypto host key generate 21 28 Console ip ssh crypto zeroize dsa Console Console ip ssh save host key dsa Console ...

Page 477: ... SSH Enabled version 2 0 Negotiation timeout 120 secs Authentication retries 3 Server key size 768 bits Console Console show ssh Connection Version State Username Encryption 0 2 0 Session Started admin ctos aes128 cbc hmac md5 stoc aes128 cbc hmac md5 Console Table 21 11 show ssh display description Field Description Session The session number Range 0 3 Version The Secure Shell version number Stat...

Page 478: ...nt algorithms for the client to server ctos and server to client stoc aes128 cbc hmac sha1 aes192 cbc hmac sha1 aes256 cbc hmac sha1 3des cbc hmac sha1 blowfish cbc hmac sha1 aes128 cbc hmac md5 aes192 cbc hmac md5 aes256 cbc hmac md5 3des cbc hmac md5 blowfish cbc hmac md5 Terminology DES Data Encryption Standard 56 bit key 3DES Triple DES Uses three iterations of DES 112 bit key aes Advanced Enc...

Page 479: ...36375927835525327972629521130241 0719421061655759424590939236096954050362775257556251003866130989393 8345231033280214988866192159556859887989191950588394018138744046890 8779160305837768185490002831341625008348718449522087429212255691665 6552963281635169640408315547660664151657116381 DSA ssh dss AAAB3NzaC1kc3MAAACBAPWKZTPbsRIB8ydEXcxM3dyV yrDbKStIlnzD Dg0h2Hxc YV44sXZ2JXhamLK6P8bvuiyacWbUW a4PAtp1K...

Page 480: ...values GC 21 35 dot1x max req Sets the maximum number of times that the switch retransmits an EAP request identity packet to the client before it times out the authentication session IC 21 36 dot1x port control Sets dot1x mode for a port interface IC 21 36 dot1x operation mode Allows single or multiple hosts on an dot1x port IC 21 37 dot1x re authenticate Forces re authentication on specific ports...

Page 481: ...sets all configurable dot1x global and port settings to their default values Command Mode Global Configuration Example dot1x timeout tx period Sets the time period during an authentication session that the switch waits before re transmitting an EAP packet IC 21 41 show dot1x Shows all dot1x related information PE 21 41 Console config dot1x system auth control Console config Console config dot1x de...

Page 482: ...rt control This command sets the dot1x mode on a port interface Use the no form to restore the default Syntax dot1x port control auto force authorized force unauthorized no dot1x port control auto Requires a dot1x aware connected client to be authorized by the RADIUS server Clients that are not dot1x aware will be denied access force authorized Configures the port to grant access to all clients ei...

Page 483: ...host max count count no dot1x operation mode multi host max count single host Allows only a single host to connect to this port multi host Allows multiple host to connect to this port max count Keyword for the maximum number of hosts count The maximum number of hosts that can connect to a port Range 1 1024 Default 5 Default Single host Command Mode Interface Configuration Command Usage The max cou...

Page 484: ...ax dot1x re authenticate interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 Command Mode Privileged Exec Command Usage The re authentication process verifies the connected client s user ID and password on the RADIUS server During re authentication the client remains connected the network and the process is handled transparently by the dot1x client software O...

Page 485: ... client software Only if re authentication fails is the port blocked The connected client is re authenticated after the interval specified by the dot1x timeout re authperiod command The default is 3600 seconds Example Related Commands dot1x timeout re authperiod 21 40 dot1x timeout quiet period This command sets the time that a switch port waits after the Max Request Count has been exceeded before...

Page 486: ...o form of this command to reset the default Syntax dot1x timeout re authperiod seconds no dot1x timeout re authperiod seconds The number of seconds Range 1 65535 Default 3600 seconds Command Mode Interface Configuration Example Console config interface eth 1 2 Console config if dot1x timeout quiet period 350 Console config if Console config interface eth 1 2 Console config if dot1x timeout re auth...

Page 487: ...he number of seconds Range 1 65535 Default 30 seconds Command Mode Interface Configuration Example show dot1x This command shows general port authentication related settings on the switch or a specific interface Syntax show dot1x statistics interface interface statistics Displays dot1x status for each port interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 Command Mod...

Page 488: ...reauth enabled Periodic re authentication page 21 39 reauth period Time after which a connected client must be re authenticated page 21 40 quiet period Time a port waits after Max Request Count is exceeded before attempting to acquire a new client page 21 39 tx period Time a port waits during authentication session before re transmitting EAP packet page 21 41 supplicant timeout Supplicant timeout ...

Page 489: ...connecting authenticating authenticated aborting held force_authorized force_unauthorized Reauth Count Number of times connecting state is re entered Backend State Machine State Current state including request response success fail timeout idle initialize Request Count Number of EAP Request packets sent to the Supplicant without receiving a response Identifier Server Identifier carried in the most...

Page 490: ... Host Auto yes 802 1X Port Details 802 1X is enabled on port 1 1 802 1X is enabled on port 26 reauth enabled Enable reauth period 3600 quiet period 60 tx period 30 supplicant timeout 30 server timeout 10 reauth max 2 max req 2 Status Authorized Operation mode Multi Host Max count 5 Port control Auto Supplicant 00 e0 29 94 34 65 Current Identifier 3 Authenticator State Machine State Authenticated R...

Page 491: ...ss all client Adds IP address es to the SNMP web and Telnet groups http client Adds IP address es to the web group snmp client Adds IP address es to the SNMP group telnet client Adds IP address es to the Telnet group start address A single IP address or the starting address of a range end address The end address of a range Default Setting All addresses Command Mode Global Configuration Table 21 13...

Page 492: ...You cannot delete an individual address from a specified range You must delete the entire range and reenter the addresses You can delete an address range just by specifying the start address or by specifying both the start address and end address Example This example restricts management access to the indicated addresses show management This command displays the client IP addresses that are allowe...

Page 493: ... Ip Filter HTTP Client Start IP address End IP address 1 192 168 1 19 192 168 1 19 2 192 168 1 25 192 168 1 30 SNMP Client Start IP address End IP address 1 192 168 1 19 192 168 1 19 2 192 168 1 25 192 168 1 30 TELNET Client Start IP address End IP address 1 192 168 1 19 192 168 1 19 2 192 168 1 25 192 168 1 30 Console ...

Page 494: ...USER AUTHENTICATION COMMANDS 21 48 ...

Page 495: ...ion to these methods several other options of providing client security are supported by this switch These include port based authentication which can be configured for network client access by specifying a fixed set of MAC addresses either by freezing a set of dynamically learned entries or through static configuration or by statically configured MAC IP address pairs The addresses assigned to DHC...

Page 496: ...ort the intrusion will be detected and the switch can automatically take action by disabling the port and sending a trap message Table 22 1 Client Security Commands Command Group Function Page Private VLANs Configures private VLANs including uplink and downlink ports 30 17 Port Authentication Configures host authentication on specific ports using 802 1X 21 34 Port Security Configures secure addres...

Page 497: ...take when port security is violated shutdown Disable port only trap Issue SNMP trap message only trap and shutdown Issue SNMP trap message and disable port max mac count address count The maximum number of MAC addresses that can be learned on a port Range 0 1024 where 0 means disabled Default Setting Status Disabled Action None Maximum Addresses 0 Command Mode Interface Configuration Ethernet Tabl...

Page 498: ... port has the following restrictions Cannot be connected to a network interconnection device Cannot be a trunk port If a port is disabled due to a security violation it must be manually re enabled using the no shutdown command Example The following example enables port security for port 5 and sets the response to a security violation to issue a trap message Related Commands shutdown 24 9 mac addre...

Page 499: ...ng table sip mac Filters traffic based on IP addresses and corresponding MAC addresses stored in the binding table Default Setting Disabled Command Mode Interface Configuration Ethernet Table 22 3 IP Source Guard Commands Command Function Mode Page ip source guard Configures the switch to filter inbound traffic based on source IP address or source IP address and corresponding MAC address IC 22 5 i...

Page 500: ...LAN identifier and port identifier Static addresses entered in the source guard binding table with the ip source guard binding command page 22 7 are automatically configured with an infinite lease time Dynamic entries learned via DHCP snooping are configured by the DHCP server itself static entries include a manually configured lease time If the IP source guard is enabled an inbound packet s IP ad...

Page 501: ...nooping 22 11 ip dhcp snooping vlan 22 13 ip source guard binding This command adds a static address to the source guard binding table Use the no form to remove a static entry Syntax ip source guard binding mac address vlan vlan id ip address interface ethernet unit port no ip source guard binding mac address vlan vlan id mac address A valid unicast MAC address vlan id ID of a configured VLAN Rang...

Page 502: ...c bindings are processed as follows If there is no entry with same VLAN ID and MAC address a new entry is added to binding table using the type of static IP source guard binding If there is an entry with same VLAN ID and MAC address and the type of entry is static IP source guard binding then the new entry will replace the old one If there is an entry with same VLAN ID and MAC address and the type...

Page 503: ...ng This command shows the source guard binding table Command Mode Privileged Exec Example Console show ip source guard Interface Filter type Eth 1 1 DISABLED Eth 1 2 DISABLED Eth 1 3 DISABLED Eth 1 4 DISABLED Eth 1 5 SIP Eth 1 6 DISABLED Console show ip source guard binding MacAddress IpAddress Lease sec Type VLAN Interface 11 22 33 44 55 66 192 168 0 99 0 Static IP SG binding 1 Eth 1 5 Console ...

Page 504: ... dhcp snooping vlan Enables DHCP snooping on the specified VLAN GC 22 13 ip dhcp snooping binding Adds a static address to the DHCP snooping table GC 22 14 ip dhcp snooping verify mac address Verifies the client s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header GC 22 16 ip dhcp snooping database flash Writes all dynamically learned snooping entries ...

Page 505: ...nterface as specified by the no ip dhcp snooping trust command page 22 17 from a device not listed in the DHCP snooping table will be dropped When enabled DHCP messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCP snooping and static entries configured in the DHCP snooping table Table entries are only learned for untrusted interfaces Each entry includes ...

Page 506: ... specified by the ip dhcp snooping verify mac address command page 22 16 However if MAC address verification is enabled then the packet will only be forwarded if the client s hardware address stored in the DHCP packet is the same as the source MAC address in the Ethernet header If the DHCP packet is not a recognizable type it is dropped If a DHCP packet from a client passes the filtering criteria ...

Page 507: ...st 22 17 ip dhcp snooping binding 22 14 ip dhcp snooping vlan This command enables DHCP snooping on the specified VLAN Use the no form to restore the default setting Syntax no ip dhcp snooping vlan vlan id vlan id ID of a configured VLAN Range 1 4093 Default Setting Disabled Command Mode Global Configuration Command Usage When DHCP snooping enabled globally using the ip dhcp snooping command page ...

Page 508: ...d on a VLAN any previously configured static bindings stored in the binding table will take effect again Example This example enables DHCP snooping for VLAN 1 Related Commands ip dhcp snooping 22 11 ip dhcp snooping trust 22 17 ip dhcp snooping binding 22 14 ip dhcp snooping binding This command adds a static address to the DHCP snooping binding table Use the no form to remove an entry from the bi...

Page 509: ...ding Static DHCP Binding VLAN identifier and port identifier If the DHCP snooping is disabled globally all dynamic bindings are removed from the binding table all static bindings are retained in the binding table but will have no effect until DHCP snooping is globally re enabled If DHCP snooping is enabled globally and then disabled on a VLAN all dynamic bindings learned for this VLAN are removed ...

Page 510: ... the DHCP packet against the source MAC address in the Ethernet header Use the no form to disable this function Syntax no ip dhcp binding verify mac address Default Setting Enabled Command Mode Global Configuration Command Usage If MAC address verification is enabled and the source MAC address in the Ethernet header of the packet is not same as the client s hardware address in the DHCP packet the ...

Page 511: ... entries to flash memory These entries will be restored to the snooping table when the switch is reset However note that the lease time shown for a dynamic entry that has been restored from flash memory will no longer be valid Example ip dhcp snooping trust This command configures the specified interface as trusted Use the no form to restore the default setting Syntax no ip dhcp snooping trust Def...

Page 512: ...ust command When an untrusted port is changed to a trusted port all the dynamic DHCP snooping bindings associated with this port are removed All static bindings are retained but will have no effect unless the port is changed back to the untrusted state Additional considerations when the switch itself is a DHCP client The port s through which it submits a client request to the DHCP server must be c...

Page 513: ...show ip dhcp snooping Global DHCP Snooping status disable DHCP Snooping is configured on the following VLANs 1 Verify Source Mac Address enable Interface Trusted Eth 1 1 No Eth 1 2 No Eth 1 3 No Eth 1 4 No Eth 1 5 Yes Console show ip dhcp snooping binding MacAddress IpAddress Lease sec Type VLAN Interface 11 22 33 44 55 66 192 168 0 99 0 Static DHCPSNP 1 Eth 1 5 Console ...

Page 514: ...CLIENT SECURITY COMMANDS 22 20 ...

Page 515: ...mask to modify the precedence in which the rules are checked and then bind the list to a specific port This section describes the Access Control List commands Table 23 1 Access Control List Commands Command Groups Function Page IP ACLs Configures ACLs based on IPv4 addresses TCP UDP port number protocol type and TCP control code 23 2 MAC ACLs Configures ACLs based on hardware addresses packet form...

Page 516: ... 23 3 permit deny Filters packets matching a specified source IPv4 address IP STD ACL 23 4 permit deny Filters packets meeting the specified criteria including source and destination IPv4 address TCP UDP port number protocol type and TCP control code IP EXT ACL 23 5 show ip access list Displays the rules for configured IPv4 ACLs PE 23 7 access list ip mask precedence Changes to the IP Mask mode us...

Page 517: ..._name Name of the ACL Maximum length 16 characters Default Setting None Command Mode Global Configuration Command Usage When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list To create an ACL you must add at least one rule to the list To remove a rule use the no permit or no deny command followed by the ex...

Page 518: ...ended to the end of the list Address bitmasks are similar to a subnet mask containing four integers from 0 to 255 each separated by a period The binary mask uses 1 bits to indicate match and 0 bits to indicate ignore The bitmask is bitwise ANDed with the specified source IP address and then compared with the address for each IP packet entering the port s to which this ACL has been assigned Example...

Page 519: ...source any destination address bitmask host destination precedence precedence tos tos dscp dscp source port sport bitmask destination port dport port bitmask control flag control flags flag bitmask protocol number A specific protocol number Range 0 255 source Source IP address destination Destination IP address address bitmask Decimal number representing the address bits to match host Keyword foll...

Page 520: ...d with the address for each IP packet entering the port s to which this ACL has been assigned You can specify both Precedence and ToS in the same rule However if DSCP is used then neither Precedence nor ToS can be specified The control code bitmask is a decimal number representing an equivalent bit mask that is applied to the control code Enter a decimal number where the equivalent binary bit 1 me...

Page 521: ...1 0 with the TCP control code set to SYN Related Commands access list ip 23 3 show ip access list This command displays the rules for configured IP ACLs Syntax show ip access list standard extended acl_name standard Specifies a standard IP ACL extended Specifies an extended IP ACL acl_name Name of the ACL Maximum length 16 characters Command Mode Privileged Exec Console config ext acl permit 10 7 ...

Page 522: ...cording to specified IP ACLs Command Mode Global Configuration Command Usage A mask can only be used by all ingress ACLs or all egress ACLs The precedence of the ACL rules applied to a packet is not determined by order of the rules but instead by the order of the masks i e the first mask that matches a rule will determine the rule that is applied to a packet You must configure a mask for an ACL ru...

Page 523: ...d host The address must be for a host device not a subnetwork source bitmask Source address of rule must match this bitmask destination bitmask Destination address of rule must match this bitmask precedence Check the IP precedence field tos Check the TOS field dscp Check the DSCP field source port Check the protocol source port field destination port Check the protocol destination port field port ...

Page 524: ...p you cannot enter tos or precedence You can enter both tos and precedence without dscp Masks that include an entry for a Layer 4 protocol source port or destination port can only be applied to packets with a header length of exactly five bytes Example This example creates an IP ingress mask with two rules Each rule is checked in order of precedence to look for a match in the ACL entries The first...

Page 525: ... 255 255 255 Console config std acl exit Console config access list ip mask precedence in Console config ip mask acl mask host any Console config ip mask acl mask 255 255 255 0 any Console config ip mask acl Console config access list ip standard A2 Console config std acl permit any Console config std acl deny host 171 69 198 102 Console config std acl end Console show access list IP standard acce...

Page 526: ...e show access list IP extended access list A3 deny host 171 69 198 5 any deny 171 69 198 0 255 255 255 0 any source port 23 Console config Console config access list ip mask precedence out Console config ip mask acl mask 255 255 255 0 any source port Console config ip mask acl exit Console config interface ethernet 1 15 Console config if ip access group A3 out Console config if end Console show ac...

Page 527: ... list ip extended 6 Switch config ext acl permit any any Switch config ext acl deny tcp any any control flag 2 2 Switch config ext acl end Console show access list IP extended access list A6 permit any any deny tcp any any control flag 2 2 Console configure Switch config access list ip mask precedence in Switch config ip mask acl mask protocol any any control flag 2 Switch config ip mask acl end C...

Page 528: ...kets Default Setting None Command Mode Interface Configuration Ethernet Command Usage A port can only be bound to one ACL If a port is already bound to an ACL and you bind it to a different ACL the switch will replace the old binding with the new one You must configure a mask for an ACL rule before you can bind it to a port Example Console show access list ip mask precedence IP ingress mask ACL ma...

Page 529: ... a precedence mask to control the filter sequence and then bind the access list to one or more ports Console show ip access group Interface ethernet 1 2 IP standard access list david Console Table 23 3 MAC ACL Commands Command Function Mode Page access list mac Creates a MAC ACL and enters configuration mode GC 23 16 permit deny Filters packets matching a specified source and destination address p...

Page 530: ...les to the bottom of the list To create an ACL you must add at least one rule to the list To remove a rule use the no permit or no deny command followed by the exact text of a previously configured rule An ACL can contain up to 32 rules Example mask Sets a precedence mask for the ACL rules MAC Mask 23 21 show access list mac mask precedence Shows the ingress or egress rule masks for MAC ACLs PE 23...

Page 531: ...thertype protocol protocol bitmask Note The default is for Ethernet II packets no permit deny tagged eth2 any host source source address bitmask any host destination destination address bitmask vid vid vid bitmask ethertype protocol protocol bitmask no permit deny untagged eth2 any host source source address bitmask any host destination destination address bitmask ethertype protocol protocol bitma...

Page 532: ...C address in hexidecimal format vid VLAN ID Range 1 4093 vid bitmask27 VLAN bitmask Range 1 4093 protocol A specific Ethernet protocol number Range 600 fff hex protocol bitmask27 Protocol bitmask Range 600 fff hex Default Setting None Command Mode MAC ACL Command Usage New rules are added to the end of the list The ethertype option can only be used to filter Ethernet II formatted packets A detaile...

Page 533: ... displays the rules for configured MAC ACLs Syntax show mac access list acl_name acl_name Name of the ACL Maximum length 16 characters Command Mode Privileged Exec Example Related Commands permit deny 23 17 mac access group 23 23 Console config mac acl permit any host 00 e0 29 94 34 de ethertype 0800 Console config mac acl Console show mac access list MAC access list jerry permit any 00 e0 29 94 3...

Page 534: ...e Global Configuration Command Usage You must configure a mask for an ACL rule before you can bind it to a port or set the queue or frame priorities associated with the rule A mask can only be used by all ingress ACLs or all egress ACLs The precedence of the ACL rules applied to a packet is not determined by order of the rules but instead by the order of the masks i e the first mask that matches a...

Page 535: ...ss of rule must match this bitmask destination bitmask Destination address of rule must match this bitmask vid Check the VLAN ID field vid bitmask VLAN ID of rule must match this bitmask ethertype Check the Ethernet type field ethertype bitmask Ethernet type of rule must match this bitmask Default Setting None Command Mode MAC Mask Command Usage Up to seven masks can be assigned to an ingress or e...

Page 536: ...st MAC access list M4 deny tagged eth2 host 00 11 11 11 11 11 any vid 3 permit any any MAC ingress mask ACL mask pktformat host any vid Console Console config access list mac M5 Console config mac acl deny tagged 802 3 host 00 11 11 11 11 11 any Console config mac acl deny tagged eth2 00 11 11 11 11 11 ff ff ff ff ff ff any vid 3 ethertype 0806 Console config mac acl end Console show access list M...

Page 537: ...ated Commands mask MAC ACL 23 21 mac access group This command binds a port to a MAC ACL Use the no form to remove the port Syntax mac access group acl_name in acl_name Name of the ACL Maximum length 16 characters in Indicates that this list applies to ingress packets Default Setting None Command Mode Interface Configuration Ethernet Command Usage A port can only be bound to one ACL Console show a...

Page 538: ...d to MAC ACLs Command Mode Privileged Exec Example Related Commands mac access group 23 23 ACL Information This section describes commands used to display ACL information Console config interface ethernet 1 2 Console config if mac access group jerry in Console config if Console show mac access group Interface ethernet 1 5 MAC access list M5 in Console Table 23 4 ACL Information Commands Command Fu...

Page 539: ...w access list IP standard access list david permit host 10 1 1 21 permit 168 92 0 0 255 255 15 0 IP extended access list bob permit 10 7 1 1 255 255 255 0 any permit 192 168 1 0 255 255 255 0 any destination port 80 80 permit 192 168 1 0 255 255 255 0 any protocol tcp control code 2 2 MAC access list jerry permit any host 00 30 29 94 34 de ethertype 800 800 IP extended access list A6 deny tcp any ...

Page 540: ...ACCESS CONTROL LIST COMMANDS 23 26 ...

Page 541: ...s disabled IC 24 3 negotiation Enables autonegotiation of a given interface IC 24 5 capabilities Advertises the capabilities of a given interface for use in autonegotiation IC 24 6 flowcontrol Enables flow control on a given interface IC 24 7 media type Force port type selected for combination ports IC 24 8 shutdown Disables an interface IC 24 9 switchport packet rate Configures broadcast and mult...

Page 542: ...hannel id Range 1 32 vlan vlan id Range 1 4093 channel id Tuunk identifier Range 1 32 Default Setting None Command Mode Global Configuration Example To specify port 4 enter the following command show interfaces counters Displays statistics for the specified interfaces NE PE 24 14 show interfaces switchport Displays the administrative and operational status of an interface NE PE 24 16 Console confi...

Page 543: ...s a description to port 4 speed duplex This command configures the speed and duplex mode of a given interface when autonegotiation is disabled Use the no form to restore the default Syntax speed duplex 10000full 1000full 100full 100half 10full 10half no speed duplex 1000full Forces 1 Gbps full duplex operation 100full Forces 100 Mbps full duplex operation 100half Forces 100 Mbps half duplex operat...

Page 544: ...negotiation command to enable auto negotiation the optimal settings will be determined by the capabilities command To set the speed duplex mode under auto negotiation the required mode must be specified in the capabilities list for an interface 100BASE BX ports are fixed at 100 Mbps full duplex The 1000BASE T standard does not support forced mode Auto negotiation must always be used to establish a...

Page 545: ...e best settings for a link based on the capabilities command When auto negotiation is disabled you must manually specify the link attributes with the speed duplex and flowcontrol commands If autonegotiation is disabled auto MDI MDI X pin signal configuration will also be disabled for the RJ 45 ports Example The following example configures port 11 to use autonegotiation Related Commands capabiliti...

Page 546: ...flowcontrol Supports flow control symmetric Gigabit only When specified the port transmits and receives pause frames when not specified the port will auto negotiate to determine the sender and receiver for asymmetric pause frames The current switch ASIC only supports symmetric pause frames Default Setting 100BASE TX 10half 10full 100half 100full 1000BASE T 10half 10full 100half 100full 1000full 10...

Page 547: ...c from end stations or segments connected directly to the switch when its buffers fill When enabled back pressure is used for half duplex operation and IEEE 802 3 2005 formally IEEE 802 3x for full duplex operation To force flow control on or off with the flowcontrol or no flowcontrol command use the no negotiation command to disable auto negotiation on the selected interface When using the negoti...

Page 548: ... capabilities flowcontrol symmetric 24 6 media type This command forces the port type selected for combination ports 27 28 Use the no form to restore the default mode Syntax media type mode no media type mode copper forced Always uses the built in RJ 45 port sfp forced Always uses the SFP port even if module not installed sfp preferred auto Uses SFP port if both combination types are functioning a...

Page 549: ...onfiguration Ethernet Port Channel Command Usage This command allows you to disable a port due to abnormal behavior e g excessive collisions and then reenable it after the problem has been resolved You may also want to disable a port for security reasons Example The following example disables port 5 Console config interface ethernet 1 28 Console config if media type copper forced Console config if...

Page 550: ...per second Range 500 262143 Default Setting Broadcast Storm Control Enabled for all ports packet rate limit 500 pps Multicast Storm Control Disabled Command Mode Interface Configuration Ethernet Command Usage When traffic exceeds the threshold specified for broadcast and multicast traffic packets exceeding the threshold are dropped until the rate falls back down beneath the threshold Example The f...

Page 551: ...thernet Port Channel Default Setting Unknown unicast and multicast packets are not blocked Command Usage By default unknown unicast or multicast traffic is flooded to all ports This occurs if a MAC address has been timed out or not yet learned by the switch If this kind of traffic is flooded to an isolated port on a private VLAN there could be security issues Example The following example blocks u...

Page 552: ...one Command Mode Privileged Exec Command Usage Statistics are only initialized for a power reset This command sets the base value for displayed statistics to zero for the current management session However if you log out and back into the management interface the statistics displayed will show the absolute value accumulated since the last power reset Example The following example clears statistics...

Page 553: ... unit Range 1 port Port number Range 1 28 port channel channel id Range 1 32 vlan vlan id Range 1 4093 Default Setting Shows the status for all interfaces Command Mode Normal Exec Privileged Exec Command Usage If no interface is specified information on all interfaces is displayed For a description of the items displayed by this command see Displaying Connection Status on page 9 1 ...

Page 554: ...n of Eth 1 5 Basic information Port type 1000T Mac address 00 30 F1 D4 73 A5 Configuration Name Port admin Up Speed duplex Auto Capabilities 10half 10full 100half 100full 1000full Broadcast storm Enabled Broadcast storm limit 500 packets second Flow control Disabled LACP Disabled Port security Disabled Max MAC count 0 Port security action None Media type None Current status Link status Up Port ope...

Page 555: ...t 0 Multi cast output 3064 Broadcast input 262 Broadcast output 1 Ether like stats Alignment errors 0 FCS errors 0 Single Collision frames 0 Multiple collision frames 0 SQE Test errors 0 Deferred transmissions 0 Late collisions 0 Excessive collisions 0 Internal mac transmit errors 0 Internal mac receive errors 0 Frame too longs 0 Carrier sense errors 0 Symbol errors 0 RMON stats Drop events 0 Octe...

Page 556: ...s specified information on all interfaces is displayed Example This example shows the configuration setting for port 4 Console show interfaces switchport ethernet 1 4 Broadcast Threshold Enabled 500 packets second Muilticast Threshold Disabled LACP Status Disabled Ingress Rate Limit Disable 1000M bits per second Egress Rate Limit Disable 1000M bits per second VLAN Membership Mode Hybrid Ingress Ru...

Page 557: ...e as Trunk or Hybrid page 30 10 Ingress rule Shows if ingress filtering is enabled or disabled page 30 12 Acceptable frame type Shows if acceptable VLAN frames include all types or tagged frames only page 30 11 Native VLAN Indicates the default Port VLAN ID page 30 13 Priority for untagged traffic Indicates the default priority for untagged frames page 31 4 GVRP status Shows if GARP VLAN Registrat...

Page 558: ...INTERFACE COMMANDS 24 18 ...

Page 559: ...LACP This switch supports up to 12 trunks For example a trunk consisting of two 1000 Mbps ports can support an aggregate bandwidth of 4 Gbps when operating at full duplex Table 25 1 Link Aggregation Commands Command Function Mode Page Manual Configuration Commands interface port channel Configures a trunk and enters interface configuration mode for the trunk GC 24 2 channel group Adds a port to a ...

Page 560: ...k have to be treated as a whole when moved from to added or deleted from a VLAN via the specified port channel STP VLAN and IGMP settings can only be made for the entire trunk via the specified port channel Dynamically Creating a Port Channel Ports assigned to a common port channel must meet the following criteria Ports must have the same LACP system priority Ports must have the same port admin ke...

Page 561: ...to join a channel group If a link goes down LACP port priority is used to select the backup link channel group This command adds a port to a trunk Use the no form to remove a port from a trunk Syntax channel group channel id no channel group channel id Trunk index Range 1 32 Default Setting The current port will be added to this trunk Command Mode Interface Configuration Ethernet Command Usage Whe...

Page 562: ... either by forced mode or auto negotiation A trunk formed with another switch using LACP will automatically be assigned the next available port channel ID If the target switch has also enabled LACP on the connected ports the trunk will be activated automatically If more than eight ports attached to the same target switch have LACP enabled the additional ports will be placed in standby mode and wil...

Page 563: ... config if lacp Console config if exit Console config interface ethernet 1 48 Console config if lacp Console config if end Console show interfaces status port channel 1 Information of Trunk 1 Basic information Port type 1000T Mac address 00 30 F1 D4 73 A4 Configuration Name Port admin Up Speed duplex Auto Capabilities 10half 10full 100half 100full 1000full Flow control Disabled Port security Disab...

Page 564: ...ode Interface Configuration Ethernet Command Usage Port must be configured with the same system priority to join the same LAG System priority is combined with the switch s MAC address to form the LAG identifier This identifier is used to indicate a specific LAG during LACP negotiations with other systems Once the remote side of a link has been established LACP operational settings are already in u...

Page 565: ...CP system priority matches 2 the LACP port admin key matches and 3 the LACP port channel key matches if configured If the port channel admin key lacp admin key Port Channel is not set when a channel group is formed i e it has the null value of 0 this key is set to the same value as the port admin key lacp admin key Ethernet Interface used by the interfaces that joined the group Once the remote sid...

Page 566: ... Command Usage Ports are only allowed to join the same LAG if 1 the LACP system priority matches 2 the LACP port admin key matches and 3 the LACP port channel key matches if configured If the port channel admin key lacp admin key Port Channel is not set when a channel group is formed i e it has the null value of 0 this key is set to the same value as the port admin key lacp admin key Ethernet Inte...

Page 567: ...r effective priority If an active port link goes down the backup port with the highest priority is selected to replace the downed link However if two or more ports have the same LACP port priority the port with the lowest physical port number will be selected as the backup port Once the remote side of a link has been established LACP operational settings are already in use on that side Configuring...

Page 568: ... messages internal Configuration settings and operational state for local side neighbors Configuration settings and operational state for remote side sys id Summary of system priority and MAC address for all channel groups Default Setting Port Channel all Command Mode Privileged Exec Example Console show lacp 1 counters Port channel 1 Eth 1 2 LACPDUs Sent 10 LACPDUs Receive 5 Marker Sent 0 Marker ...

Page 569: ... MAC Address but do not carry the Slow Protocols Ethernet Type LACPDUs Illegal Pkts Number of frames that carry the Slow Protocols Ethernet Type value but contain a badly formed PDU or an illegal value of Protocol Subtype Console show lacp 1 internal Port channel 1 Oper Key 3 Admin Key 0 Eth 1 2 LACPDUs Internal 30 sec LACP System Priority 32768 LACP Port Priority 32768 Admin Key 3 Oper Key 3 Admi...

Page 570: ...administrative changes or changes in received protocol information Collecting Collection of incoming frames on this link is enabled i e collection is currently enabled and is not expected to be disabled in the absence of administrative changes or changes in received protocol information Synchronization The System considers this link to be IN_SYNC i e it has been allocated to the correct Link Aggre...

Page 571: ...y the user Partner Oper System ID LAG partner s system ID assigned by the LACP protocol Partner Admin Port Number Current administrative value of the port number for the protocol Partner Partner Oper Port Number Operational port number assigned to this aggregation port by the port s protocol partner Port Admin Priority Current administrative value of the port priority for the protocol partner Port...

Page 572: ...00 30 F1 D4 73 A0 8 32768 00 30 F1 D4 73 A0 9 32768 00 30 F1 D4 73 A0 10 32768 00 30 F1 D4 73 A0 11 32768 00 30 F1 D4 73 A0 12 32768 00 30 F1 D4 73 A0 Table 25 5 show lacp sysid display description Field Description Channel group A link aggregation group configured on this switch System Priority LACP system priority for this channel group System MAC Address System MAC address The LACP system prior...

Page 573: ... unit Stack unit Range 1 port Port number Range 1 28 rx Mirror received packets tx Mirror transmitted packets both Mirror both received and transmitted packets Default Setting No mirror session is defined When enabled the default mirroring is for both received and transmitted packets Command Mode Interface Configuration Ethernet destination port Table 26 1 Mirror Port Commands Command Function Mod...

Page 574: ...or port You can create multiple mirror sessions but all sessions must share the same destination port However you should avoid sending too much traffic to the destination port from multiple source ports Example The following example configures the switch to mirror all packets from port 6 to 11 show port monitor This command displays mirror information Syntax show port monitor interface interface e...

Page 575: ...ode i e RX TX RX TX Example The following shows mirroring configured from port 6 to port 11 Console config interface ethernet 1 11 Console config if port monitor ethernet 1 6 Console config if end Console show port monitor Port Mirroring Destination port listen port Eth1 1 Source port monitored port Eth1 6 Mode RX TX Console ...

Page 576: ...MIRROR PORT COMMANDS 26 4 ...

Page 577: ...transmitted while packets that exceed the acceptable amount of traffic are dropped Rate limiting can be applied to individual ports or trunks When an interface is configured with this feature the traffic rate will be monitored by the hardware to verify conformity Non conforming traffic is dropped conforming traffic is forwarded without any changes Table 27 1 Rate Limit Commands Command Function Mo...

Page 578: ...put output rate no rate limit input output input Input rate output Output rate rate Maximum value in Mbps Range Fast Ethernet 1 to 100 Mbps Gigabit Ethernet 1 to 1000 Mbps Default Setting Fast Ethernet 100 Mbps Gigabit Ethernet 1000 Mbps Command Mode Interface Configuration Ethernet Port Channel Example Related Command show interfaces switchport 24 16 Console config interface ethernet 1 1 Console ...

Page 579: ...s cannot exceed the overall output rate limit specified by the rate limit output command see page 27 2 If the rate exceeds the limit set for a specific priority frames of that type are dropped until the rate falls below the limit If the rate exceeds the overall limit set the rate limit output command frames of any priority type may be dropped until the rate falls back below the limit This switch s...

Page 580: ... of priority level 0 to 50 Mbps on Port 1 Table 27 2 Mapping Default to Per Port CoS Priority Levels Queue 0 1 2 3 4 5 6 7 Priority default CoS 1 2 0 3 4 5 6 7 Priority per port CoS 0 0 1 1 2 2 3 3 Console config interface ethernet 1 1 Console config if rate limit cos 0 50 Console config if ...

Page 581: ... corresponding interface Example The following example shows that the rate limit set in the preceding example for CoS priority class 0 affects both priority class 0 and 3 which are now effectively treated as priority class 1 Table 27 2 on page 27 4 illustrates the priority mapping Console show rate limit cos Interface Cos Ratelimit Eth 1 1 0 50 Eth 1 1 1 0 Eth 1 1 2 0 Eth 1 1 3 50 Eth 1 1 4 0 Eth ...

Page 582: ...RATE LIMIT COMMANDS 27 6 ...

Page 583: ...and Function Mode Page mac address table static Maps a static address to a port in a VLAN GC 28 2 clear mac address table dynamic Removes any learned entries from the forwarding database PE 28 3 show mac address table Displays entries in the bridge forwarding database PE 28 4 mac address table aging time Sets the aging time of the address table GC 28 5 show mac address table aging time Shows the a...

Page 584: ...lasts until the switch is reset permanent Assignment is permanent Default Setting No static addresses are defined The default mode is permanent Command Mode Global Configuration Command Usage The static address for a host device can be assigned to a specific port within a specific VLAN Use this command to add static addresses to the MAC Address Table Static addresses have the following characteris...

Page 585: ...amic This command removes any learned entries from the forwarding database and clears the transmit and receive counts for any static or system configured entries Default Setting None Command Mode Privileged Exec Example Console config mac address table static 00 e0 29 94 34 de interface ethernet 1 1 vlan 1 delete on reset Console config Console clear mac address table dynamic Console ...

Page 586: ... Default Setting None Command Mode Privileged Exec Command Usage The MAC Address Table contains the MAC addresses associated with each interface Note that the Type field may include the following types Learned Dynamic address entries Permanent Static entry Delete on reset Static entry to be deleted when system is reset The mask should be hexadecimal numbers representing an equivalent bit mask in t...

Page 587: ...ble aging time seconds no mac address table aging time seconds Aging time Range 10 1000000 seconds 0 to disable aging Default Setting 300 seconds Command Mode Global Configuration Command Usage The aging time is used to age out dynamically learned forwarding information Example Console show mac address table Interface MAC Address VLAN Type Eth 1 1 00 e0 29 94 34 de 1 Delete on reset Console Consol...

Page 588: ... show mac address table aging time This command shows the aging time for entries in the address table Default Setting None Command Mode Privileged Exec Example Console show mac address table aging time Aging time 300 sec Console ...

Page 589: ...ree hello time Configures the spanning tree bridge hello time GC 29 6 spanning tree max age Configures the spanning tree bridge maximum age GC 29 7 spanning tree priority Configures the spanning tree bridge priority GC 29 8 spanning tree path cost method Configures the path cost method for RSTP MSTP GC 29 9 spanning tree transmission limit Configures the transmission limit for RSTP MSTP GC 29 10 s...

Page 590: ...18 spanning tree portfast Sets an interface to fast forwarding IC 29 19 spanning tree link type Configures the link type for RSTP MSTP IC 29 21 spanning tree mst cost Configures the path cost of an instance in the MST IC 29 22 spanning tree mst port priority Configures the priority of an instance in the MST IC 29 23 spanning tree protocol migration Re checks the appropriate BPDU format PE 29 24 sh...

Page 591: ...nd disable network loops and to provide backup links between switches bridges or routers This allows the switch to interact with other bridging devices that is an STA compliant switch bridge or router in your network to ensure that only one route exists between any two stations on the network and provide backup links which automatically take over when a primary link goes down Example This example ...

Page 592: ... multiple VLANs are implemented on a network the path between specific VLAN members may be inadvertently disabled to prevent network loops thus isolating group members When operating multiple VLANs we recommend selecting the MSTP option Rapid Spanning Tree Protocol RSTP supports connections to either STP or RSTP nodes by monitoring the incoming protocol messages and dynamically adjusting the type ...

Page 593: ...en spanning tree modes Changing modes stops all spanning tree instances for the previous mode and restarts the system in the new mode temporarily disrupting user traffic Example The following example configures the switch to use Rapid Spanning Tree spanning tree forward time This command configures the spanning tree bridge forward time globally for this switch Use the no form to restore the defaul...

Page 594: ...ry data loops might result Example spanning tree hello time This command configures the spanning tree bridge hello time globally for this switch Use the no form to restore the default Syntax spanning tree hello time time no spanning tree hello time time Time in seconds Range 1 10 seconds The maximum value is the lower of 10 or max age 2 1 Default Setting 2 seconds Command Mode Global Configuration...

Page 595: ...r of 40 or 2 x forward time 1 Default Setting 20 seconds Command Mode Global Configuration Command Usage This command sets the maximum time in seconds a device can wait without receiving a configuration message before attempting to reconfigure All device ports except for designated ports should receive configuration messages at regular intervals Any port that ages out STA information provided in t...

Page 596: ... Range 0 61440 in steps of 4096 Options 0 4096 8192 12288 16384 20480 24576 28672 32768 36864 40960 45056 49152 53248 57344 61440 Default Setting 32768 Command Mode Global Configuration Command Usage Bridge priority is used in selecting the root device root port and designated port The device with the highest priority i e lower numeric value becomes the STA root device However if all devices have ...

Page 597: ...802 1w Rapid Spanning Tree Protocol short Specifies 16 bit based values that range from 1 65535 This method is based on the IEEE 802 1 Spanning Tree Protocol Default Setting Long method Command Mode Global Configuration Command Usage The path cost method is used to determine the best path between devices Therefore lower values should be assigned to ports attached to faster media and higher values ...

Page 598: ... Range 1 10 Default Setting 3 Command Mode Global Configuration Command Usage This command limits the maximum transmission rate for BPDUs Example spanning tree mst configuration This command changes to Multiple Spanning Tree MST configuration mode Default Setting No VLANs are mapped to any MST instance The region name is set the switch s MAC address Command Mode Global Configuration Example Consol...

Page 599: ...p VLANs into spanning tree instances MSTP generates a unique spanning tree for each instance This provides multiple pathways across the network thereby balancing the traffic load preventing wide scale disruption when a bridge node in a single instance fails and allowing for faster convergence of a new topology for the failed instance By default all VLANs are assigned to the Internal Spanning Tree ...

Page 600: ...ge 0 61440 in steps of 4096 Options 0 4096 8192 12288 16384 20480 24576 28672 32768 36864 40960 45056 49152 53248 57344 61440 Default Setting 32768 Command Mode MST Configuration Command Usage MST priority is used in selecting the root bridge and alternate bridge of the specified instance The device with the highest priority i e lowest numerical value becomes the MSTI root device However if all de...

Page 601: ...ode MST Configuration Command Usage The MST region name and revision number page 29 14 are used to designate a unique MST region A bridge i e spanning tree compliant device such as this switch can only belong to one MST region And all bridges in the same region must be configured with the same MST instances Example Related Commands revision 29 14 Console config mstp mst 1 priority 4096 Console con...

Page 602: ...d revision number are used to designate a unique MST region A bridge i e spanning tree compliant device such as this switch can only belong to one MST region And all bridges in the same region must be configured with the same MST instances Example Related Commands name 29 13 max hops This command configures the maximum number of hops in the region before a BPDU is discarded Use the no form to rest...

Page 603: ...count to specify the maximum number of bridges that will propagate a BPDU Each bridge decrements the hop count by one before passing on the BPDU When the hop count reaches zero the message is dropped Example spanning tree spanning disabled This command disables the spanning tree algorithm for the specified interface Use the no form to reenable the spanning tree algorithm for the specified interfac...

Page 604: ...1 200 000 000 for long path cost method Console config interface ethernet 1 5 Console config if spanning tree spanning disabled Console config if Table 29 2 Recommended STA Path Cost Range Port Type IEEE 802 1D 1998 IEEE 802 1w 2001 Fast Ethernet 10 60 20 000 2 000 000 Gigabit Ethernet 3 10 2 000 200 000 Table 29 3 Recommended STA Path Cost Port Type Link Type IEEE 802 1D 1998 IEEE 802 1w 2001 Fas...

Page 605: ...sage This command is used by the Spanning Tree Algorithm to determine the best path between devices Therefore lower values should be assigned to ports attached to faster media and higher values assigned to ports with slower media Path cost takes precedence over port priority When the spanning tree pathcost method page 29 9 is set to short the maximum value for path cost is 65 535 Example Table 29 ...

Page 606: ...y for the use of a port in the Spanning Tree Algorithm If the path cost for all ports on a switch are the same the port with the highest priority that is lowest value will be configured as an active link in the spanning tree Where more than one port is assigned the highest priority the port with lowest numeric identifier will be enabled Example Related Commands spanning tree cost 29 16 spanning tr...

Page 607: ...of frame flooding required to rebuild address tables during reconfiguration events does not cause the spanning tree to initiate reconfiguration when the interface changes state and also overcomes other STA related timeout problems However remember that Edge Port should only be enabled for ports connected to an end node device This command has the same effect as the spanning tree portfast Example R...

Page 608: ...e time Fast forwarding can achieve quicker convergence for end node workstations and servers and also overcome other STA related timeout problems Remember that fast forwarding should only be enabled for ports connected to a LAN segment that is at the end of a bridged LAN or for an end node device This command is the same as spanning tree edge port and is only included for backward compatibility wi...

Page 609: ...e Specify a point to point link if the interface can only be connected to exactly one other bridge or a shared link if it can be connected to two or more bridges When automatic detection is selected the switch derives the link type from the duplex mode A full duplex interface is considered a point to point link while a half duplex interface is assumed to be on a shared link RSTP only works on poin...

Page 610: ...listed in Table 29 3 on page 29 16 Default Setting By default the system automatically detects the speed and duplex mode used on each port and configures the path cost according to the values shown below Path cost 0 is used to indicate auto configuration mode When the short path cost method is selected and the default path cost recommended by the IEEE 8021w standard exceeds 65 535 the default is s...

Page 611: ...x spanning tree mst instance_id port priority priority no spanning tree mst instance_id port priority instance_id Instance identifier of the spanning tree Range 0 4094 no leading zeroes priority Priority for an interface Range 0 240 in steps of 16 Default Setting 128 Command Mode Interface Configuration Ethernet Port Channel Command Usage This command defines the priority for the use of an interfa...

Page 612: ... unit Range 1 port Port number Range 1 28 port channel channel id Range 1 32 Command Mode Privileged Exec Command Usage If at any time the switch detects STP BPDUs including Configuration or Topology Change Notification BPDUs it will automatically set the selected interface to forced STP compatible mode However you can also use the spanning tree protocol migration command at any time to manually r...

Page 613: ...ivileged Exec Command Usage Use the show spanning tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree CST and for every interface in the tree Use the show spanning tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree CST Use the show spanning tree mst instance_id command...

Page 614: ... 20 Designated Root 32768 0 0000ABCD0000 Current root port 1 Current root cost 10000 Number of topology changes 1 Last topology changes time sec 22 Transmission limit 3 Path Cost Method long Eth 1 1 information Admin status enable Role root State forwarding External admin path cost 10000 Internal admin cost 10000 External oper path cost 10000 Internal oper path cost 10000 Priority 128 Designated c...

Page 615: ...mst configuration This command shows the configuration of the multiple spanning tree Command Mode Privileged Exec Example Console show spanning tree mst configuration Mstp Configuration Information Configuration name R D Revision level 0 Instance Vlans 1 2 Console ...

Page 616: ...SPANNING TREE COMMANDS 29 28 ...

Page 617: ...ation for bridge extension MIB 30 2 Editing VLAN Groups Sets up VLAN groups including name VID and state 30 7 Configuring VLAN Interfaces Configures VLAN interface parameters including ingress and egress tagging mode ingress filtering PVID and GVRP 30 9 Displaying VLAN Information Displays VLAN groups status port members and MAC addresses 30 16 Configuring Private VLANs Configures private VLANs in...

Page 618: ...he no form to disable it Syntax no bridge ext gvrp Default Setting Disabled Command Mode Global Configuration Table 30 2 GVRP and Bridge Extension Commands Command Function Mode Page bridge ext gvrp Enables GVRP globally for the switch GC 30 2 show bridge ext Shows the global bridge extension configuration PE 30 3 switchport gvrp Enables GVRP for an interface IC 30 4 switchport forbidden vlan Conf...

Page 619: ...tension commands Default Setting None Command Mode Privileged Exec Command Usage See Displaying Basic VLAN Information on page 12 6 and Displaying Bridge Extension Capabilities on page 4 10 for a description of the displayed items Example Console config bridge ext gvrp Console config Console show bridge ext Max support VLAN numbers 256 Max support VLAN ID 4093 Extended multicast filtering services...

Page 620: ...RP is enabled Syntax show gvrp configuration interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 port channel channel id Range 1 32 Default Setting Shows both global and interface specific configuration Command Mode Normal Exec Privileged Exec Example Console config interface ethernet 1 1 Console config if switchport gvrp Console config if Console show gvrp c...

Page 621: ... Mode Interface Configuration Ethernet Port Channel Command Usage Group Address Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN The default values for the GARP timers are independent of the media access method or data rate These values should not be changed unless you are experiencing difficulties with GMRP or GVRP...

Page 622: ...rt Port number Range 1 28 port channel channel id Range 1 32 Default Setting Shows all GARP timers Command Mode Normal Exec Privileged Exec Example Related Commands garp timer 30 5 Console config interface ethernet 1 1 Console config if garp timer join 100 Console config if Console show garp timer ethernet 1 1 Eth 1 1 GARP timer status Join timer 20 centiseconds Leave timer 60 centiseconds Leaveal...

Page 623: ...e show vlan command Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN The results of these commands are written to the running configuration file and you can display this file by entering the show running config command Example Related Commands show vlan 30 16 Table 30 3 Commands for Editing VLAN Groups Command Function Mode Page vlan databa...

Page 624: ...lowed by the VLAN state active VLAN is operational suspend VLAN is suspended Suspended VLANs do not pass packets Default Setting By default only VLAN 1 exists and is active Command Mode VLAN Database Configuration Command Usage no vlan vlan id deletes the VLAN no vlan vlan id name removes the VLAN name no vlan vlan id state returns the VLAN to the default state i e active You can configure up to 2...

Page 625: ...e for a specified VLAN IC 30 9 switchport mode Configures VLAN membership mode for an interface IC 30 10 switchport acceptable frame types Configures frame types to be accepted by an interface IC 30 11 switchport ingress filtering Enables ingress filtering on an interface IC 30 12 switchport native vlan Configures the PVID native VLAN of an interface IC 30 13 switchportallowedvlan Configures the V...

Page 626: ...AN interface The port may transmit tagged or untagged frames trunk Specifies a port as an end point for a VLAN trunk A trunk is a direct link between two switches so the port transmits tagged frames that identify the source VLAN Note that frames belonging to the port s default VLAN i e associated with the PVID are also transmitted as tagged frames dot1q tunnel For an explanation of this command se...

Page 627: ... types all The port accepts all frames tagged or untagged tagged The port only receives tagged frames Default Setting All frame types Command Mode Interface Configuration Ethernet Port Channel Command Usage When set to receive all frame types any received frames that are untagged are assigned to the default VLAN Example The following example shows how to restrict the traffic received on port 1 to ...

Page 628: ...for VLANs for which it is not a member these frames will be flooded to all other ports except for those VLANs explicitly forbidden on this port If ingress filtering is enabled and a port receives frames tagged for VLANs for which it is not a member these frames will be discarded Ingress filtering does not affect VLAN independent BPDU frames such as GVRP or STA However they do affect VLAN dependent...

Page 629: ...erface is not a member of VLAN 1 and you assign its PVID to this VLAN the interface will automatically be added to VLAN 1 as an untagged member For all other VLANs an interface must first be configured as an untagged member before you can assign its PVID to that group If acceptable frame types is set to all or switchport mode is set to hybrid the PVID will be inserted into all untagged frames ente...

Page 630: ...ged Command Mode Interface Configuration Ethernet Port Channel Command Usage A port or a trunk with switchport mode set to hybrid must be assigned to at least one VLAN as untagged If a trunk has switchport mode set to trunk i e 1Q Trunk then you can only assign an interface to VLAN groups as a tagged member Frames are always tagged within the switch The tagged untagged parameter used when adding a...

Page 631: ... List of VLAN identifiers to add remove vlan list List of VLAN identifiers to remove vlan list Separate nonconsecutive VLAN identifiers with a comma and no spaces use a hyphen to designate a range of IDs Do not enter leading zeros Range 1 4093 Default Setting No VLANs are included in the forbidden list Command Mode Interface Configuration Ethernet Port Channel Command Usage This command prevents a...

Page 632: ...es name Keyword to be followed by the VLAN name vlan name ASCII string from 1 to 32 characters Default Setting Shows all VLANs Command Mode Normal Exec Privileged Exec Console config interface ethernet 1 1 Console config if switchport forbidden vlan add 3 Console config if Table 30 5 Commands for Displaying VLAN Information Command Function Mode Page show vlan Shows VLAN information NE PE 30 16 sh...

Page 633: ...ce list no pvlan up link Specifies an uplink interface down link Specifies a downlink interface Default Setting No private VLANs are defined Console show vlan id 1 VLAN ID 1 Type Static Name DefaultVlan Status Active Ports Port Channels Eth1 1 S Eth1 2 S Eth1 3 S Eth1 4 S Eth1 5 S Eth1 6 S Eth1 7 S Eth1 8 S Eth1 9 S Eth1 10 S Eth1 11 S Eth1 12 S Eth1 13 S Eth1 14 S Eth1 15 S Eth1 16 S Eth1 17 S Et...

Page 634: ...hout any parameters enables the private VLAN Entering no pvlan disables the private VLAN Example This example enables the private VLAN and then sets port 12 as the uplink and ports 5 8 as the downlinks show pvlan This command displays the configured private VLAN Command Mode Privileged Exec Example Console config pvlan Console config pvlan up link ethernet 1 12 down link ethernet 1 5 8 Console con...

Page 635: ...ype in use by the inbound packets To configure protocol based VLANs follow these steps 1 First configure VLAN groups for the protocols you want to use page 30 8 Although not mandatory we suggest configuring a separate VLAN for each major protocol running on your network Do not add port members at this time 2 Create a protocol group for each of the protocols you want to assign to a VLAN using the p...

Page 636: ...tocol group Range 1 2147483647 frame28 Frame type used by this protocol Options ethernet rfc_1042 llc_other protocol Protocol type The only option for the llc_other frame type is ipx_raw The options for all other frames types include ip arp rarp Default Setting No protocol groups are configured Command Mode Global Configuration Example The following creates protocol group 1 and specifies Ethernet ...

Page 637: ... Mode Interface Configuration Ethernet Port Channel Command Usage When creating a protocol based VLAN only assign interfaces via this command If you assign interfaces using any of the other VLAN commands such as vlan on page 30 8 these interfaces will admit traffic of any protocol type into the associated VLAN When a frame enters a port that has been assigned to a protocol VLAN it is processed in ...

Page 638: ...show protocol vlan protocol group group id group id Group identifier for a protocol group Range 1 2147483647 Default Setting All protocol groups are displayed Command Mode Privileged Exec Example This shows protocol group 1 configured for IP over Ethernet Console config interface ethernet 1 1 Console config if protocol vlan protocol group 1 vlan 2 Console config if Console show protocol vlan proto...

Page 639: ...interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 port channel channel id Range 1 32 Default Setting The mapping for all interfaces is displayed Command Mode Privileged Exec Example This shows that traffic entering Port 1 that matches the specifications for protocol group 1 will be mapped to VLAN 2 Console show interfaces protocol vlan protocol group Port ProtocolGro...

Page 640: ...N vlan page 30 8 3 Configure the QinQ tunnel port to dot1Q tunnel port mode switchport mode dot1q tunnel page 30 25 4 Set the Tag Protocol Identifier TPID value of the tunnel port This step is required if the attached client is using a nonstandard 2 byte Table 30 8 IEEE 802 1Q Tunneling Commands Command Function Mode Page system mode Configures the switch to operate in normal mode or QinQ mode GC ...

Page 641: ...rames are not enabled see System MTU Commands on page 19 12 8 Configure the QinQ uplink port to join the SPVLAN as a tagged member switchport allowed vlan page 30 14 switchport mode dot1q tunnel This command configures an interface as a QinQ tunnel port Use the no form to restore the default setting Syntax switchport mode dot1q tunnel no switchport mode dot1q tunnel Sets the port as an 802 1Q tunn...

Page 642: ...e Related Commands switchport mode dot1q tunnel page 30 25 Console config interface ethernet 1 1 Console config if switchport mode dot1q tunnel Console config if Console config system mode qinq Console config interface ethernet 1 1 Console config if switchport mode dot1q tunnel Console config if end Console show dot1q tunnel Dot1q Tunnel Port List eth 1 1 Total 1 Dot1q Tunnel Ports 0 Dot1q Tunnel ...

Page 643: ...ethertype command to set a custom 802 1Q ethertype value on the selected interface This feature allows the switch to interoperate with third party switches that do not use the standard 0x8100 ethertype to identify 802 1Q tagged frames For example 0x1234 is set as the custom 802 1Q ethertype on a trunk port incoming frames containing that ethertype are assigned to the VLAN contained in the tag foll...

Page 644: ...VLAN COMMANDS 30 28 ...

Page 645: ...l be transmitted before those in the lower priority queues You can set the default priority for each interface the relative weight of each queue and the mapping of frame priority tags to the switch s priority queues Table 31 1 Priority Commands Command Groups Function Page Priority Layer 2 Configures default priority for untagged frames sets queue weights and maps class of service tags to hardware...

Page 646: ...r incoming untagged frames IC 31 4 queue bandwidth Assigns round robin weights to the priority queues IC 31 6 queue cos map Assigns class of service values to the priority queues IC 31 7 show queue bandwidth Shows round robin weights assigned to the priority queues PE 31 8 show queue cos map Shows the class of service map PE 31 9 show interfaces switchport Displays the administrative and operation...

Page 647: ...ively Default Setting Weighted Round Robin Command Mode Global Configuration Command Usage You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced or use Weighted Round Robin WRR queuing that specifies a relative weight of each queue WRR uses a predefined relative weight for e...

Page 648: ...s Use the no form to restore the default value Syntax switchport priority default default priority id no switchport priority default default priority id The priority number for untagged ingress traffic The priority is a number from 0 to 7 Seven is the highest priority Default Setting The priority is not set and the default value for untagged frames received on the interface is zero Command Mode In...

Page 649: ...Round Robin which can be viewed with the show queue bandwidth command Inbound frames that do not have VLAN tags are tagged with the input port s default ingress user priority and then placed in the appropriate priority queue at the output port The default priority for all ingress ports is zero Therefore any inbound frames that do not have priority tags will be placed in queue 0 of the output port ...

Page 650: ...weights used by the WRR scheduler Range 1 15 Default Setting Weights 1 2 4 6 8 10 12 14 are assigned to queues 0 7 respectively Command Mode Interface Configuration Ethernet Port Channel Command Usage WRR controls bandwidth sharing at the egress port by defining scheduling weights Example This example shows how to assign WRR weights to each of the priority queues Related Commands show queue bandwi...

Page 651: ...CoS value is a number from 0 to 7 where 7 is the highest priority Default Setting This switch supports Class of Service by using eight priority queues with Weighted Round Robin queuing for each port Eight separate traffic classes are defined in IEEE 802 1p The default priority levels are assigned according to recommendations in the IEEE 802 1p standard as shown below Command Mode Interface Configu...

Page 652: ...riority queues Default Setting None Command Mode Privileged Exec Example Console config interface ethernet 1 1 Console config if queue cos map 0 0 Console config if queue cos map 1 1 Console config if queue cos map 2 2 Console config if exit Console show queue cos map ethernet 1 1 Information of Eth 1 1 Traffic Class 0 1 2 3 4 5 6 7 Priority Queue 0 1 2 3 4 5 6 7 Console Console show queue bandwid...

Page 653: ...nd Mode Privileged Exec Example vlan priority This command sets a fixed priority for all frames entering the specified VLAN through a selected interface Use the no form to restore the default status Syntax vlan vlan id priority cos_value no vlan vlan id priority vlan id VLAN ID Range 1 4094 cos_value A number from 0 to 7 where 7 is the highest priority Console show queue cos map ethernet 1 1 Infor...

Page 654: ...riority can only be fixed for up to four VLANs on this switch Each CoS priority maps to one transmit queue as shown in Table 31 3 Default CoS Priority Levels on page 7 Example This example sets the priority for all traffic entering VLAN 1 on port 1 to CoS 7 show vlan based priority This command displays the modified CoS priority for frames entering a VLAN Command Mode Privileged Exec Command Usage...

Page 655: ...le 31 4 Priority Commands Layer 3 and 4 Command Function Mode Page map ip port Enables TCP UDP class of service mapping GC 31 11 map ip port Maps TCP UDP socket to a class of service IC 31 12 map ip precedence Enables IP precedence class of service mapping GC 31 13 map ip precedence Maps IP precedence value to a class of service IC 31 13 map ip dscp Enables IP DSCP class of service mapping GC 31 1...

Page 656: ...rt number port number 16 bit TCP UDP port number Range 0 65535 cos value Class of Service value Range 0 7 Default Setting None Command Mode Interface Configuration Ethernet Port Channel Command Usage The precedence for priority mapping is IP Port IP Precedence or IP DSCP and default switchport priority Up to 8 entries can be specified for IP Port priority mapping This command sets the IP port prio...

Page 657: ...rity IP Precedence and IP DSCP cannot both be enabled Enabling one of these priority types will automatically disable the other type Example The following example shows how to enable IP precedence mapping globally map ip precedence Interface Configuration This command sets IP precedence priority i e IP Type of Service priority Use the no form to restore the default table Syntax map ip precedence i...

Page 658: ...ently mapped to the eight hardware priority queues This command sets the IP Precedence for all interfaces Example The following example shows how to map IP precedence value 1 to CoS value 0 map ip dscp Global Configuration This command enables IP DSCP mapping i e Differentiated Services Code Point mapping Use the no form to disable IP DSCP mapping Syntax no map ip dscp Default Setting Disabled Com...

Page 659: ...ommand sets IP DSCP priority i e Differentiated Services Code Point priority Use the no form to restore the default table Syntax map ip dscp dscp value cos cos value no map ip dscp dscp value 8 bit DSCP value Range 0 63 cos value Class of Service value Range 0 7 Default Setting The DSCP default values are defined in the following table Note that all the DSCP values that are not specified are mappe...

Page 660: ...bsequently mapped to the eight hardware priority queues This command sets the IP DSCP priority for all interfaces Example The following example shows how to map IP DSCP value 1 to CoS value 0 show map ip port This command shows the IP port priority map Syntax show map ip port interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 port channel channel id Range 1 ...

Page 661: ...Configuration 31 12 show map ip precedence This command shows the IP precedence priority map Syntax show map ip precedence interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 port channel channel id Range 1 32 Default Setting None Command Mode Privileged Exec Console show map ip port TCP port mapping status disabled Port Port no COS Eth 1 5 80 0 Console ...

Page 662: ... map Syntax show map ip dscp interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 port channel channel id Range 1 32 Default Setting None Command Mode Privileged Exec Console show map ip precedence ethernet 1 5 Precedence mapping status disabled Port Precedence COS Eth 1 5 0 0 Eth 1 5 1 1 Eth 1 5 2 2 Eth 1 5 3 3 Eth 1 5 4 4 Eth 1 5 5 5 Eth 1 5 6 6 Eth 1 5 7 7 ...

Page 663: ...nds map ip dscp Global Configuration 31 14 map ip dscp Interface Configuration 31 15 Console show map ip dscp ethernet 1 1 DSCP mapping status disabled Port DSCP COS Eth 1 1 0 0 Eth 1 1 1 0 Eth 1 1 2 0 Eth 1 1 3 0 Eth 1 1 61 0 Eth 1 1 62 0 Eth 1 1 63 0 Console ...

Page 664: ...CLASS OF SERVICE COMMANDS 31 20 ...

Page 665: ...de Page class map Creates a class map for a type of traffic GC 32 3 match Defines the criteria used to classify traffic CM 32 4 policy map Creates a policy map for multiple interfaces GC 32 6 class Defines a traffic classification for the policy to act on PM 32 7 set Classifies IP traffic by setting a CoS DSCP or IP precedence value in a packet PM C 32 8 police Defines an enforcer for classified t...

Page 666: ... identify the class map and enter Policy Map Class configuration mode A policy map can contain multiple class statements 6 Use the set command to modify the QoS value for matching traffic class and use the policer command to monitor the average flow and burst rate and drop any traffic that exceeds the specified rate or just reduce the DSCP service level for traffic exceeding the specified rate 7 U...

Page 667: ...tch any condition within a class map class map name Name of the class map Range 1 32 characters Default Setting None Command Mode Global Configuration Command Usage First enter this command to designate a class map and enter the Class Map configuration mode Then use the match command page 32 4 to specify the criteria for ingress traffic that will be classified under this class map Only one match c...

Page 668: ...m to delete the matching criteria Syntax no match access list acl name ip dscp dscp ip precedence ip precedence vlan vlan acl name Name of the access control list Any type of ACL can be specified including standard or extended IP ACLs and MAC ACLs Range 1 32 characters dscp A DSCP value Range 0 63 ip precedence An IP Precedence value Range 0 7 vlan A VLAN Range 1 4093 Default Setting None Command ...

Page 669: ...mple creates a class map call rd_class 2 and sets it to match packets marked for IP Precedence service value 5 This example creates a class map call rd_class 3 and sets it to match packets marked for VLAN 1 Console config class map rd_class 1_ match any Console config cmap match ip dscp 3 Console config cmap exit Console config access list ip mask precedence in Console config ip mask acl mask any ...

Page 670: ...class map A policy map can contain multiple class statements that can be applied to the same interface with the service policy command page 32 10 You must create a Class Map page 32 6 before assigning it to a Policy Map Example This example creates a policy called rd_policy uses the class command to specify the previously defined rd_class uses the set command to classify the service that incoming ...

Page 671: ...nfiguration Command Usage Use the policy map command to specify a policy map and enter Policy Map configuration mode Then use the class command to enter Policy Map Class configuration mode And finally use the set and police commands to specify the match criteria where the set command classifies the service that an IP packet will receive police command defines the maximum throughput burst rate and ...

Page 672: ... a CoS DSCP or IP Precedence value in a matching packet as specified by the match command on page 32 4 Use the no form to remove the traffic classification Syntax no set cos new cos ip dscp new dscp ip precedence new precedence new cos New Class of Service CoS value Range 0 7 new dscp New Differentiated Service Code Point DSCP value Range 0 63 new precedence New IP Precedence value Range 0 7 Defau...

Page 673: ...ilobits per second Range 1 100000 kbps or maximum port speed whichever is lower burst byte Burst in bytes Range 64 1522 bytes drop Drop packet when specified rate or burst are exceeded set Set DSCP service to the specified value Range 0 63 Default Setting Drop out of profile packets Command Mode Policy Map Class Configuration Command Usage You can configure up to 63 policers i e class maps for Fas...

Page 674: ...vice policy This command applies a policy map defined by the policy map command to the ingress queue of a particular interface Use the no form to remove the policy map from this interface Syntax no service policy input policy map name input Apply to the input traffic policy map name Name of the policy map for this interface Range 1 32 characters Default Setting No policy map is attached to an inte...

Page 675: ...define matching criteria used for classifying traffic Syntax show class map class map name class map name Name of the class map Range 1 32 characters Default Setting Displays all class maps Command Mode Privileged Exec Example Console config interface ethernet 1 1 Console config if service policy input rd_policy Console config if Console show class map Class Map match any rd_class 1 Match ip dscp ...

Page 676: ...icy map name class class map name policy map name Name of the policy map Range 1 32 characters class map name Name of the class map Range 1 32 characters Default Setting Displays all policy maps and all classes Command Mode Privileged Exec Example Console show policy map Policy Map rd_policy class rd_class set ip dscp 3 Console show policy map rd_policy class rd_class Policy Map rd_policy class rd...

Page 677: ... the specified interface Syntax show policy map interface interface input interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 port channel channel id Range 1 32 Command Mode Privileged Exec Example Console show policy map interface ethernet 1 5 Service policy rd_policy input Console ...

Page 678: ...QUALITY OF SERVICE COMMANDS 32 14 ...

Page 679: ...rvice Table 33 1 Multicast Filtering Commands Command Groups Function Page IGMP Snooping Configures multicast groups via IGMP snooping or static assignment sets the IGMP version displays current snooping and query settings and displays the multicast service and group members 33 2 IGMP Query Configures IGMP query parameters for multicast filtering 33 9 Static Multicast Routing Configures static mul...

Page 680: ...n static Adds an interface as a member of a multicast group GC 33 3 ip igmp snooping version Configures the IGMP version for snooping GC 33 4 ip igmp snooping leave proxy Suppresses leave messages unless received from the last member port in the group GC 33 5 ip igmp snooping immediate leave Immediately deletes a member port of a multicast service if a leave packet is received at that port and imm...

Page 681: ...address interface vlan id VLAN ID Range 1 4093 ip address IP address for multicast group interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 port channel channel id Range 1 32 Default Setting None Command Mode Global Configuration Example The following shows how to statically configure a multicast group on a port Console config ip igmp snooping Console config Console c...

Page 682: ...Configuration Command Usage All systems on the subnet must support the same version If there are legacy devices in your network that only support Version 1 you will also have to configure this switch to use Version 1 Some commands are only enabled for IGMPv2 and v3 snooping including ip igmp snooping query max response time ip igmp snooping query interval and ip igmp snooping immediate leave Examp...

Page 683: ...eam multicast router to ensure that it will continue to receive the multicast service Multicast router ports not serving as an IGMP querier also forward group leave messages on to the local querier When a non querier port receives an unsolicited leave message it first checks whether this port is the last dynamic member port in the group If this is 1 not the last member port 2 not a multicast route...

Page 684: ...snooping immediate leave no ip igmp snooping immediate leave Default Setting Disabled Command Mode Interface Configuration VLAN Command Usage If immediate leave is not used a multicast router or querier will send a group specific query message when an IGMPv2 v3 group leave message is received The router querier stops forwarding traffic for that group only if no host replies to the query within the...

Page 685: ... Snooping and Query Parameters on page 15 4 for a description of the displayed items Example The following shows the current IGMP snooping configuration Console config interface vlan 1 Console config if ip igmp snooping immediate leave Console config if Console show ip igmp snooping Service status Enabled Querier status Disabled Leave proxy status Enabled Query count 2 Query interval 125 sec Query...

Page 686: ...ed multicast entries igmp snooping Display only entries learned through IGMP snooping Default Setting None Command Mode Privileged Exec Command Usage Member types displayed include IGMP or USER depending on selected options Example The following shows the multicast entries learned through IGMP snooping for VLAN 1 Console show mac address table multicast vlan 1 igmp snooping VLAN M cast IP addr Mem...

Page 687: ...p snooping version page 33 4 If enabled the switch will serve as querier if elected The querier is responsible for asking hosts if they want to receive multicast traffic Table 33 3 IGMP Query Commands Command Function Mode Page ip igmp snooping querier Allows this device to act as the querier for IGMP snooping GC 33 9 ip igmp snooping query count Configures the query count GC 33 10 ip igmp snoopin...

Page 688: ... count defines how long the querier waits for a response from a multicast client before taking action If a querier has sent a number of queries defined by this command but a client has not responded a countdown timer is started using the time defined by ip igmp snooping query max response time If the countdown finishes and the client still has not responded then that client is considered to have l...

Page 689: ...nds Command Mode Global Configuration Example The following shows how to configure the query interval to 100 seconds ip igmp snooping query max response time This command configures the query report delay Use the no form to restore the default Syntax ip igmp snooping query max response time seconds no ip igmp snooping query max response time seconds The report delay advertised in IGMP queries Rang...

Page 690: ...ed to have left the multicast group Example The following shows how to configure the maximum response time to 20 seconds Related Commands ip igmp snooping version 33 4 ip igmp snooping router port expire time This command configures the query timeout Use the no form to restore the default Syntax ip igmp snooping router port expire time seconds no ip igmp snooping router port expire time seconds Th...

Page 691: ...an mrouter This command statically configures a multicast router port Use the no form to remove the configuration Syntax no ip igmp snooping vlan vlan id mrouter interface vlan id VLAN ID Range 1 4093 interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 port channel channel id Range 1 32 Console config ip igmp snooping router port expire time 300 Console config Table 33...

Page 692: ...re that interface to join all the current multicast groups Example The following shows how to configure port 11 as a multicast router port within VLAN 1 show ip igmp snooping mrouter This command displays information on statically configured and dynamically learned multicast router ports Syntax show ip igmp snooping mrouter vlan vlan id vlan id VLAN ID Range 1 4093 Default Setting Displays multica...

Page 693: ...so note that MVR maintains the user isolation and data security provided by VLAN segregation by passing only multicast traffic into other VLANs to which the subscribers belong Console show ip igmp snooping mrouter vlan 1 VLAN M cast Router Ports Type 1 Eth 1 11 Static Console Table 33 5 Multicast VLAN Registration Commands Command Function Mode Page mvr Globally enables MVR statically configures M...

Page 694: ...ess for an MVR multicast group Range 224 0 1 0 239 255 255 255 count The number of contiguous MVR group addresses Range 1 255 vlan id MVR VLAN ID Range 1 4094 Default Setting MVR is disabled No MVR group address is defined The default number of contiguous addresses is 0 MVR VLAN ID is 1 Command Mode Global Configuration Command Usage Use the mvr group command to statically configure all multicast ...

Page 695: ... no form to restore the default settings Syntax no mvr type receiver source immediate group ip address receiver Configures the interface as a subscriber port that can receive multicast data source Configure the interface as an uplink port that can send and receive multicast data for the configured multicast groups immediate Configures the switch to immediately remove an interface from a multicast ...

Page 696: ...sing the group keyword The IP address range from 224 0 0 0 to 239 255 255 255 is used for multicast streams MVR group addresses cannot fall within the reserved IP multicast address range of 224 0 0 x Immediate leave applies only to receiver ports When enabled the receiver port is immediately removed from the multicast group identified in the leave message When immediate leave is disabled the switc...

Page 697: ...roups assigned to the MVR VLAN using the members keyword Syntax show mvr interface interface members ip address interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 port channel channel id Range 1 32 ip address IP address for an MVR multicast group Range 224 0 1 0 239 255 255 255 Default Setting Displays global configuration settings for MVR when no keywords are used Co...

Page 698: ... vlan 1 MVR Max Multicast Groups 255 MVR Current multicast groups 10 Console Table 33 6 show mvr display description Field Description MVR Status Shows if MVR is globally enabled on the switch MVR running status Indicates whether or not all necessary conditions in the MVR environment are satisfied Running status is true as long as MVR Status is enabled and the specified MVR VLAN exists MVR multica...

Page 699: ...TIVE DOWN Disable Console Table 33 7 show mvr interface display description Field Description Port Shows interfaces attached to the MVR Type Shows the MVR port type Status Shows the MVR status and interface status MVR status for source ports is ACTIVE if MVR is globally enabled on the switch MVR status for receiver ports is ACTIVE only if there are subscribers receiving multicast traffic from one ...

Page 700: ...NACTIVE None 225 0 0 9 INACTIVE None 225 0 0 10 INACTIVE None Console Table 33 8 show mvr members display description Field Description MVR Group IP Multicast groups assigned to the MVR VLAN Status Shows whether or not the there are active subscribers for this multicast group Note that this field will also display INACTIVE if MVR is globally disabled Members Shows the interfaces with subscribers f...

Page 701: ...ookup command Table 34 1 DNS Commands Command Function Mode Page ip host Creates a static host name to address mapping GC 34 2 clear host Deletes entries from the host name to address table PE 34 3 ip domain name Defines a default domain name for incomplete host names GC 34 4 ip domain list Defines a list of default domain names for incomplete host names GC 34 5 ip name server Specifies the addres...

Page 702: ...resses Default Setting No static entries Command Mode Global Configuration Command Usage Servers or other network devices may support one or more connections via multiple IP addresses If more than one IP address is associated with a host name using this command a DNS client can try each address in succession until it establishes a connection with the target device show dns cache Displays entries i...

Page 703: ... of the host Range 1 64 characters Removes all entries Default Setting None Command Mode Privileged Exec Example This example clears all static entries from the DNS table Console config ip host rd5 192 168 1 55 10 1 0 55 Console config end Console show hosts Hostname rd5 Inet address 10 1 0 55 192 168 1 55 Alias Console Console config clear host Console config ...

Page 704: ...ame name no ip domain name name Name of the host Do not include the initial dot that separates the host name from the domain name Range 1 64 characters Default Setting None Command Mode Global Configuration Example Related Commands ip domain list 34 5 ip name server 34 6 ip domain lookup 34 7 Console config ip domain name sample com Console config end Console show dns Domain Lookup Status DNS disa...

Page 705: ...st name from the domain name Range 1 64 characters Default Setting None Command Mode Global Configuration Command Usage Domain names are added to the end of the list one at a time When an incomplete host name is received by the DNS service on this switch it will work through the domain list appending each domain name in the list to the host name and checking with the specified name servers for a m...

Page 706: ...address6 server address1 IP address of domain name server server address2 server address6 IP address of additional domain name servers Default Setting None Command Mode Global Configuration Command Usage The listed name servers are queried in the specified sequence until a response is received or the end of the list is reached with no response Console config ip domain list sample com jp Console co...

Page 707: ...tax no ip domain lookup Default Setting Disabled Command Mode Global Configuration Command Usage At least one name server must be specified before you can enable DNS If all name servers are deleted DNS will automatically be disabled Console config ip domain server 192 168 1 55 10 1 0 55 Console config end Console show dns Domain Lookup Status DNS disabled Default Domain Name sample com Domain Name...

Page 708: ... Privileged Exec Example Note that a host name will be displayed as an alias if it is mapped to the same address es as a previously configured entry Console config ip domain lookup Console config end Console show dns Domain Lookup Status DNS enabled Default Domain Name sample com Domain Name List sample com jp sample com uk Name Server List 192 168 1 55 10 1 0 55 Console show hosts Hostname rd5 In...

Page 709: ...55 Console Console show dns cache NO FLAG TYPE IP TTL DOMAIN 2 4 CNAME 66 218 71 84 298 www yahoo akadns net 3 4 CNAME 66 218 71 83 298 www yahoo akadns net 4 4 CNAME 66 218 71 81 298 www yahoo akadns net 5 4 CNAME 66 218 71 80 298 www yahoo akadns net 6 4 CNAME 66 218 71 89 298 www yahoo akadns net 7 4 CNAME 66 218 71 86 298 www yahoo akadns net 8 4 ALIAS POINTER TO 7 298 www yahoo com Console Ta...

Page 710: ... for the owner and ALIAS which specifies multiple domain names which are mapped to the same IP address as an existing entry IP The IP address associated with this record TTL The time to live reported by the name server DOMAIN The domain name associated with this record Console clear dns cache Console show dns cache NO FLAG TYPE IP TTL DOMAIN Console Table 34 2 show dns cache display description Fi...

Page 711: ...on This section describes commands used to configure an IP address for the switch Table 35 1 Basic IP Configuration Commands Command Function Mode Page ip address Sets the IP address for the current interface IC 35 2 ip default gateway Defines the default gateway through which this router can reach other subnetworks GC 35 3 ip dhcp restart Submits a BOOTP or DHCP client request PE 35 4 show ip int...

Page 712: ...o gain management access over the network or to connect the switch to existing IP subnets You can manually configure a specific IP address or direct the device to obtain an address from a BOOTP or DHCP server Valid IP addresses consist of four numbers 0 to 255 separated by periods Anything outside this format will not be accepted by the configuration program If you select the bootp or dhcp option ...

Page 713: ...and Example In the following example the device is assigned an address in VLAN 1 Related Commands ip dhcp restart 35 4 ip default gateway This command specifies the IP default gateway for destinations not found in the local routing tables Use the no form to remove a default gateway Syntax ip default gateway gateway no ip default gateway gateway IP address of the default gateway Default Setting No ...

Page 714: ... BOOTP or DHCP client request Default Setting None Command Mode Privileged Exec Command Usage This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address command DHCP requires the server to reassign the client s last address if available If the BOOTP or DHCP server has been moved to a different domain the network portion of the...

Page 715: ...e Command Mode Normal Exec Privileged Exec Example Related Commands show ip redirects 35 5 show ip redirects This command shows the IP default gateway configured for this device Default Setting None Command Mode Privileged Exec Console config interface vlan 1 Console config if ip address dhcp Console config if end Console ip dhcp restart Console show ip interface Console Console show ip interface ...

Page 716: ... shows each cache entry including the corresponding IP address MAC address type static dynamic other and VLAN interface Note that entry type other indicates local addresses for this switch Example This example displays all entries in the ARP cache Console show ip redirects ip default gateway 10 1 0 254 Console Console show arp IP Address MAC Address Type Interface 192 168 0 1 00 0f 3d 12 40 e1 dyn...

Page 717: ...ting This command has no default for the host Command Mode Normal Exec Privileged Exec Command Usage Use the ping command to see if another site on the network can be reached The following are some results of the ping command Normal response The normal response occurs in one to ten seconds depending on network traffic Destination does not respond If the host does not respond a timeout appears in t...

Page 718: ...9 by 5 32 byte payload ICMP packets timeout is 5 seconds response time 10 ms response time 10 ms response time 10 ms response time 10 ms response time 0 ms Ping statistics for 10 1 0 9 5 packets transmitted 5 packets received 100 0 packets lost 0 Approximate round trip times Minimum 0 ms Maximum 10 ms Average 8 ms Console ...

Page 719: ...SECTION IV APPENDICES This section provides additional information on the following topics Software Specifications A 1 Troubleshooting B 1 Glossary Index ...

Page 720: ...APPENDICES ...

Page 721: ...es 4 masks DHCP Client DNS Proxy Port Configuration 100BASE BX 100 Mbps at full duplex 100BASE TX 10 100 Mbps at half full duplex 1000BASE T 10 100 Mbps at half full duplex 1000 Mbps at full duplex 1000BASE SX LX ZX BX 1000 Mbps at full duplex SFP Flow Control Full Duplex IEEE 802 3x Half Duplex Back pressure Broadcast Storm Control Traffic throttled above a critical threshold Port Mirroring Singl...

Page 722: ...Up to 255 groups port based protocol based or tagged 802 1Q GVRP for automatic VLAN learning private VLANs Class of Service Supports eight levels of priority and Weighted Round Robin Queueing which can be configured by VLAN tag or port Layer 3 4 priority mapping IP Port IP Precedence IP DSCP Quality of Service DiffServ supports class maps policy maps and service policies Multicast Filtering IGMP S...

Page 723: ...ts RMON Groups 1 2 3 9 Statistics History Alarm Event Standards IEEE 802 1D Spanning Tree Protocol and traffic priorities IEEE 802 1p Priority tags IEEE 802 1Q VLAN IEEE 802 1v Protocol based VLANs IEEE 802 1w Rapid Spanning Tree Protocol IEEE 802 1X Port Authentication IEEE 802 3 2005 Ethernet Fast Ethernet Gigabit Ethernet Link Aggregation Control Protocol LACP Full duplex flow control ISO IEC 8...

Page 724: ...Resolver MIB RFC 1612 Differentiated Services MIB RFC 3289 Entity MIB RFC 2737 Ether like MIB RFC 2665 Extended Bridge MIB RFC 2674 Extensible SNMP Agents MIB RFC 2742 Forwarding Table MIB RFC 2096 IGMP MIB RFC 2933 Interface Group MIB RFC 2233 Interfaces Evolution MIB RFC 2863 IP MIB RFC 2011 IP Multicasting related MIBs MAU MIB RFC 3636 MIB II RFC 1213 Port Access Entity MIB IEEE 802 1X Port Acc...

Page 725: ...p RFC 2021 partial implementation SNMPv2 IP MIB RFC 2011 SNMP Framework MIB RFC 3411 SNMP MPD MIB RFC 3412 SNMP Target MIB SNMP Notification MIB RFC 3413 SNMP User Based SM MIB RFC 3414 SNMP View Based ACM MIB RFC 3415 SNMP Community MIB RFC 3584 TACACS Authentication Client MIB TCP MIB RFC 2012 Trap RFC 1215 UDP MIB RFC 2013 ...

Page 726: ...SOFTWARE SPECIFICATIONS A 6 ...

Page 727: ...ed the VLAN interface through which the management station is connected with a valid IP address subnet mask and default gateway Be sure the management station has an IP address in the same subnet as the switch s IP interface to which it is connected If you are trying to connect to the switch via the IP address for a tagged VLAN group your management station and the ports connecting intermediate sw...

Page 728: ...et up an account on the switch for each SSH user including user name authentication level and password Be sure you have imported the client s public key to the switch if public key authentication is used Cannot access the on board configuration program via a serial port connection Be sure you have set the terminal emulator program to VT100 compatible 8 data bits 1 stop bit no parity and the baud r...

Page 729: ...r messages reported to include all categories 3 Designate the SNMP host that is to receive the error messages 4 Repeat the sequence of commands or other actions that lead up to the error 5 Make a list of the commands or circumstances that led to the fault Also make a list of any error messages displayed 6 Contact your distributor s service engineer For example Console config logging on Console con...

Page 730: ...TROUBLESHOOTING B 4 ...

Page 731: ... of lower level queues Priority may be set according to the port default the packet s priority bit in the VLAN tag TCP UDP port number IP Precedence bit or DSCP priority bit Differentiated Services DiffServ DiffServ provides quality of service on large networks by employing a well defined set of building blocks from which a variety of aggregate forwarding behaviors may be built Each packet carries...

Page 732: ...ghts for any device that is plugged into the switch A user name and password is requested by the switch and then passed to an authentication server e g RADIUS for verification EAPOL is implemented as part of the IEEE 802 1X Port Authentication standard GARP VLAN Registration Protocol GVRP Defines a way for switches to exchange VLAN information in order to register necessary VLAN members on ports a...

Page 733: ...me tags which carry VLAN information It allows switches to assign endstations to different virtual LANs and defines a standard way for VLANs to communicate across switched networks IEEE 802 1p An IEEE standard for providing quality of service QoS in Ethernet networks The standard uses packet tags that define up to eight traffic classes and allows switches to transmit packets based on the tagged pr...

Page 734: ...report on the IP multicast groups they wish to join or to which they already belong The elected querier will be the device with the lowest IP address in the subnetwork Internet Group Management Protocol IGMP A protocol through which hosts can register with their local router for multicast services If there is more than one multicast switch router on a given subnetwork one of the devices is made th...

Page 735: ...hardware interface for network devices and passes on traffic based on MAC addresses Link Aggregation See Port Trunk Link Aggregation Control Protocol LACP Allows ports to automatically negotiate a trunked link with LACP configured ports on another device Management Information Base MIB An acronym for Management Information Base It is a set of database objects that contains information about a spec...

Page 736: ...olation for subscribers residing in both the MVR VLAN and other standard or private VLAN groups Multiple Spanning Tree Protocol MSTP MSTP can provide an independent spanning tree for different VLANs It simplifies network management provides for even faster convergence than RSTP by limiting the size of each region and prevents VLAN members from being segmented from the rest of the group Network Tim...

Page 737: ...s Quality of Service QoS QoS refers to the capability of a network to provide better service to selected traffic flows using features such as data prioritization queuing congestion avoidance and traffic shaping These features effectively provide preferential treatment to specific flows either by raising the priority of one flow or limiting the priority of another flow Remote Authentication Dial in...

Page 738: ...ol SNMP The application protocol in the Internet suite of protocols which offers network management services Simple Network Time Protocol SNTP SNTP allows a device to set its internal clock based on periodic updates from a Network Time Protocol NTP server Updates can be requested from a specific NTP server or can be received via broadcasts sent by NTP servers Spanning Tree Algorithm STA A technolo...

Page 739: ... s rotation rate with highly accurate atomic time The UTC does not have daylight saving time User Datagram Protocol UDP UDP provides a datagram mode for packet switched communications It uses IP as the underlying transport mechanism to provide access to IP like services UDP packets are delivered just like IP packets connection less datagrams that may be discarded before reaching their targets UDP ...

Page 740: ...GLOSSARY Glossary 10 XModem A protocol used to transfer files between devices Data is grouped in 128 byte blocks and error corrected ...

Page 741: ...connections 2 2 CoS configuring 13 1 31 1 32 1 DSCP 13 12 31 14 IP port priority 13 14 31 11 IP precedence 13 10 31 13 layer 3 4 priorities 13 8 31 11 queue mapping 13 3 31 7 queue mode 13 6 31 3 setting static priority for VLANs 31 9 traffic class weights 13 7 31 6 D default gateway configuration 4 12 35 3 default priority ingress port 13 1 31 4 default settings system 1 8 DHCP 4 14 35 2 client 4...

Page 742: ...E 802 1D 11 1 29 4 IEEE 802 1s 29 4 IEEE 802 1w 11 1 29 4 IEEE 802 1X 6 19 21 34 IGMP groups displaying 15 9 33 8 Layer 2 15 2 33 2 query 15 2 33 9 query Layer 2 15 4 33 9 snooping 15 2 33 2 snooping configuring 15 4 33 2 snooping leave proxy 33 5 snooping setting immediate leave 33 6 snooping suppressing leave messages 33 5 ingress filtering 12 14 30 12 IP address BOOTP DHCP 4 14 35 2 35 4 settin...

Page 743: ...5 8 33 13 MVR assigning static multicast groups 15 20 setting interface type 15 17 33 17 setting multicast groups 15 14 33 16 specifying a VLAN 15 14 33 16 using immediate leave 15 17 33 17 P password line 19 26 passwords 2 5 administrator setting 6 1 21 2 path cost 11 5 11 15 method 11 10 29 9 STA 11 5 11 15 29 9 port authentication 6 19 21 34 port priority configuring 13 1 31 1 32 1 default ingr...

Page 744: ... 11 13 11 24 11 26 29 16 29 24 29 26 link type 11 16 11 19 29 21 path cost 11 5 11 15 29 16 path cost method 11 10 29 9 port priority 11 15 29 18 protocol migration 11 20 29 24 transmission limit 11 10 29 10 standards IEEE A 3 startup files creating 4 20 19 16 displaying 4 16 19 3 setting 4 16 19 22 static addresses setting 10 1 28 2 statistics port 9 28 24 14 STP 11 8 29 4 STP Also see STA switch...

Page 745: ...0 12 13 30 14 creating 12 8 30 8 description 12 1 displaying basic information 12 6 30 3 displaying port members 12 7 30 16 egress mode 12 15 30 10 interface configuration 12 14 30 11 30 15 private 12 25 30 17 protocol 12 27 30 19 W Web interface access requirements 3 1 configuration buttons 3 4 home page 3 3 menu list 3 5 panel display 3 4 ...

Page 746: ...INDEX Index 6 ...

Page 747: ......

Page 748: ... 38 01 58 Italy 39 0 335 5708602 Fax 39 02 739 14 17 Benelux 31 33 455 72 88 Fax 31 33 455 73 30 Central Europe 49 0 89 92861 0 Fax 49 0 89 92861 230 Nordic 46 0 868 70700 Fax 46 0 887 62 62 Eastern Europe 34 93 477 4920 Fax 34 93 477 3774 Sub Saharian Africa 216 712 36616 Fax 216 71751415 North West Africa 34 93 477 4920 Fax 34 93 477 3774 CIS 7 095 7893573 Fax 7 095 789 35 73 PRC 86 10 6235 4958...

Reviews:

No comments

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands