
MANAGEMENT GUIDE

TigerSwitch™ 10/100/1000

26-Port Gigabit Managed Switch
50-Port Gigabit Managed Switch

SMC8126L2

SMC8150L2


Summary of Contents for 8126L2


Page 3: ...20 Mason Irvine CA 92618 Phone 949 679 8000 TigerSwitch 10 100 1000 Management Guide From SMC s Tiger line of feature rich workgroup LAN solutions September 2007 Pub 149100036100A E092007 AP R01 ...

Page 4: ...ted by implication or otherwise under any patent or patent rights of SMC SMC reserves the right to change specifications at any time without notice Copyright 2007 by SMC Networks Inc 20 Mason Irvine CA 92618 All rights reserved Printed in Taiwan Trademarks SMC is a registered trademark and EZ Switch TigerStack and TigerSwitch are trademarks of SMC Networks Inc Other product and company names are t...

Page 5: ...n 1 and 2c clients 2 6 Trap Receivers 2 7 Configuring Access for SNMP Version 3 Clients 2 8 Saving Configuration Settings 2 8 Managing System Files 2 9 Chapter 3 Configuring the Switch 3 1 Using the Web Interface 3 1 Navigating the Web Browser Interface 3 2 Home Page 3 2 Configuration Options 3 3 Panel Display 3 3 Main Menu 3 4 Basic Configuration 3 10 Displaying System Information 3 10 Displaying...

Page 6: ...ID 3 36 Specifying a Remote Engine ID 3 37 Configuring SNMPv3 Users 3 37 Configuring Remote SNMPv3 Users 3 40 Configuring SNMPv3 Groups 3 41 Setting SNMPv3 Views 3 45 User Authentication 3 46 Configuring User Accounts 3 46 Configuring Local Remote Logon Authentication 3 48 Configuring HTTPS 3 52 Replacing the Default Secure site Certificate 3 53 Configuring the Secure Shell 3 54 Configuring the SS...

Page 7: ...le 3 100 Changing the Aging Time 3 102 Spanning Tree Algorithm Configuration 3 102 Displaying Global Settings 3 105 Configuring Global Settings 3 107 Displaying Interface Settings 3 111 Configuring Interface Settings 3 114 Configuring Multiple Spanning Trees 3 116 Displaying Interface Settings for MSTP 3 118 Configuring Interface Settings for MSTP 3 120 VLAN Configuration 3 122 IEEE 802 1Q VLANs 3...

Page 8: ...3 162 Configuring IGMP Snooping and Query Parameters 3 163 Enabling IGMP Immediate Leave 3 164 Displaying Interfaces Attached to a Multicast Router 3 165 Specifying Static Interfaces for a Multicast Router 3 166 Displaying Port Members of Multicast Services 3 167 Assigning Ports to Multicast Services 3 168 IGMP Filtering and Throttling 3 169 Enabling IGMP Filtering and Throttling 3 170 Configuring...

Page 9: ...mmand Line Interface 4 1 Using the Command Line Interface 4 1 Accessing the CLI 4 1 Console Connection 4 1 Telnet Connection 4 2 Entering Commands 4 3 Keywords and Arguments 4 3 Minimum Abbreviation 4 3 Command Completion 4 3 Getting Help on Commands 4 3 Showing Commands 4 4 Partial Keyword Lookup 4 5 Negating the Effect of Commands 4 5 Using Command History 4 5 Understanding Command Modes 4 5 Exe...

Page 10: ...ent 4 28 Web Server Commands 4 29 ip http port 4 29 ip http server 4 30 ip http secure server 4 30 ip http secure port 4 31 Telnet Server Commands 4 32 ip telnet port 4 32 ip telnet server 4 33 Secure Shell Commands 4 33 ip ssh server 4 35 ip ssh timeout 4 36 ip ssh authentication retries 4 37 ip ssh server key size 4 37 delete public key 4 38 ip ssh crypto host key generate 4 38 ip ssh crypto zer...

Page 11: ...ock timezone 4 56 calendar set 4 56 show calendar 4 57 System Status Commands 4 57 show startup config 4 57 show running config 4 59 show system 4 61 show users 4 61 show version 4 62 Frame Size Commands 4 63 jumbo frame 4 63 Flash File Commands 4 64 copy 4 64 delete 4 67 dir 4 68 whichboot 4 69 boot system 4 69 Authentication Commands 4 70 Authentication Sequence 4 70 authentication login 4 71 au...

Page 12: ...timeout tx period 4 85 show dot1x 4 86 Access Control List Commands 4 89 IP ACLs 4 90 access list ip 4 90 permit deny Standard ACL 4 91 permit deny Extended ACL 4 91 show ip access list 4 93 ip access group 4 93 show ip access group 4 94 MAC ACLs 4 95 access list mac 4 95 permit deny MAC ACL 4 96 show mac access list 4 97 mac access group 4 98 show mac access group 4 98 ACL Information 4 99 show a...

Page 13: ...r Port Commands 4 127 port monitor 4 127 show port monitor 4 128 Rate Limit Commands 4 129 rate limit 4 129 Link Aggregation Commands 4 130 channel group 4 131 lacp 4 132 lacp system priority 4 133 lacp admin key Ethernet Interface 4 134 lacp admin key Port Channel 4 135 lacp port priority 4 136 show lacp 4 136 Address Table Commands 4 140 mac address table static 4 140 clear mac address table dyn...

Page 14: ...160 show spanning tree mst configuration 4 162 VLAN Commands 4 163 GVRP and Bridge Extension Commands 4 163 bridge ext gvrp 4 164 show bridge ext 4 164 switchport gvrp 4 165 show gvrp configuration 4 165 garp timer 4 166 show garp timer 4 166 Editing VLAN Groups 4 167 vlan database 4 167 vlan 4 168 Configuring VLAN Interfaces 4 169 interface vlan 4 169 switchport mode 4 170 switchport acceptable f...

Page 15: ...queue bandwidth 4 188 show queue cos map 4 189 Priority Commands Layer 3 and 4 4 189 map ip dscp Global Configuration 4 189 map ip dscp Interface Configuration 4 190 show map ip dscp 4 191 Quality of Service Commands 4 192 class map 4 194 match 4 194 policy map 4 195 class 4 196 set 4 197 police 4 198 service policy 4 199 show class map 4 199 show policy map 4 200 show policy map interface 4 200 E...

Page 16: ...mp profile 4 216 show ip igmp throttle interface 4 216 Multicast VLAN Registration Commands 4 217 mvr Global Configuration 4 218 mvr Interface Configuration 4 219 show mvr 4 221 IP Interface Commands 4 223 ip address 4 223 ip default gateway 4 224 ip dhcp restart 4 225 show ip interface 4 225 show ip redirects 4 226 ping 4 226 IP Source Guard Commands 4 227 ip source guard 4 227 ip source guard bi...

Page 17: ...luster 4 241 show cluster members 4 241 show cluster candidates 4 242 Appendix A Software Specifications A 1 Software Features A 1 Management Features A 2 Standards A 2 Management Information Bases A 3 Appendix B Troubleshooting B 1 Problems Accessing the Management Interface B 1 Using System Logs B 2 Glossary Index ...


Page 19: ...mmand Line Processing 4 8 Table 4 4 Command Groups 4 9 Table 4 5 Line Commands 4 10 Table 4 6 General Commands 4 19 Table 4 7 System Management Commands 4 24 Table 4 8 Device Designation Commands 4 24 Table 4 9 User Access Commands 4 25 Table 4 10 Default Login Settings 4 26 Table 4 11 IP Filter Commands 4 27 Table 4 12 Web Server Commands 4 29 Table 4 13 HTTPS System Support 4 31 Table 4 14 Telne...

Page 20: ...able 4 47 show lacp counters display description 4 137 Table 4 48 show lacp internal display description 4 138 Table 4 49 show lacp neighbors display description 4 139 Table 4 50 show lacp sysid display description 4 139 Table 4 51 Address Table Commands 4 140 Table 4 52 Spanning Tree Commands 4 144 Table 4 53 VLANs 4 163 Table 4 54 GVRP and Bridge Extension Commands 4 163 Table 4 55 Editing VLAN ...

Page 21: ...VLAN Registration Commands 4 217 Table 4 73 show mvr display description 4 221 Table 4 74 show mvr interface display description 4 222 Table 4 75 show mvr members display description 4 222 Table 4 76 IP Interface Commands 4 223 Table 4 77 IP Source Guard Commands 4 227 Table 4 78 DHCP Snooping Commands 4 231 Table 4 79 Switch Cluster Commands 4 237 Table B 1 Troubleshooting Chart B 1 ...


Page 23: ... 3 20 Renumbering the System 3 30 Figure 3 21 Resetting the System 3 30 Figure 3 22 SNTP Configuration 3 31 Figure 3 23 Setting the System Clock 3 32 Figure 3 24 Configuring SNMP Community Strings 3 34 Figure 3 25 Configuring IP Trap Managers 3 35 Figure 3 26 Enabling SNMP Agent Status 3 35 Figure 3 27 Setting an Engine ID 3 36 Figure 3 28 Setting a Remote Engine ID 3 37 Figure 3 29 Configuring SN...

Page 24: ...dress Aging Time 3 102 Figure 3 64 Displaying Spanning Tree Information 3 106 Figure 3 65 Configuring Spanning Tree 3 110 Figure 3 66 Displaying Spanning Tree Port Information 3 113 Figure 3 67 Configuring Spanning Tree per Port 3 115 Figure 3 68 Configuring Multiple Spanning Trees 3 117 Figure 3 69 Displaying MSTP Interface Settings 3 119 Figure 3 70 Displaying MSTP Interface Settings 3 122 Figur...

Page 25: ...105 IGMP Profile Configuration 3 173 Figure 3 106 MVR Global Configuration 3 176 Figure 3 107 MVR Port Information 3 177 Figure 3 108 MVR Group IP Information 3 178 Figure 3 109 MVR Port Configuration 3 180 Figure 3 110 MVR Group Member Configuration 3 181 Figure 3 111 DNS General Configuration 3 182 Figure 3 112 DNS Static Host Table 3 184 Figure 3 113 DNS Cache 3 185 Figure 3 114 DHCP Snooping C...


Page 27: ...Option 82 relay information Port Configuration Speed duplex mode and flow control Rate Limiting Input rate and output limiting per port Port Mirroring One or more ports mirrored to a single analysis port Port Trunking Supports up to 32 trunks using either static or dynamic trunking LACP Broadcast Storm Control Supported Static Address Up to 8K MAC addresses in the forwarding table IEEE 802 1D Bridg...

Page 28: ...xtensible Authentication Protocol over LANs EAPOL to request user credentials from the 802 1X client and then verifies the client s right to access the network via an authentication server Other authentication options include HTTPS for secure management access via the web SSH for secure management access over a Telnet equivalent connection IP address filtering for SNMP web Telnet management access...

Page 29: ... address will be ignored and will not be written to the address table Static addresses can be used to provide network security by restricting access for a known host to a specific port IEEE 802 1D Bridge The switch supports IEEE 802 1D transparent bridging The address table facilitates data switching by learning addresses and then filtering or forwarding traffic based on this information The addre...

Page 30: ...nnection Provide data security by restricting all traffic to the originating VLAN Use private VLANs to restrict traffic to pass only between data ports and the uplink ports thereby isolating adjacent ports within the same VLAN and allowing you to limit the total number of VLANs that need to be configured Use protocol VLANs to restrict traffic to specified interfaces based on protocol type Traffic ...

Page 31: ... required priority level for the designated VLAN The switch uses IGMP Snooping and Query to manage multicast group registration It also supports Multicast VLAN Registration MVR which allows common multicast traffic such as television channels to be transmitted across a single network wide multicast VLAN shared by hosts residing in other standard or private VLAN groups while preserving security and...

Page 32: ...ication Privileged Exec Level Username admin Password admin Normal Exec Level Username guest Password guest Enable Privileged Exec from Normal Exec Level Password super RADIUS Authentication Disabled TACACS Authentication Disabled 802 1X Port Authentication Disabled HTTPS Enabled SSH Disabled Port Security Disabled IP Filtering Disabled Web Management HTTP Server Enabled HTTP Port Number 80 HTTP S...

Page 33: ...ng Time 300 seconds Virtual LANs Default VLAN 1 PVID 1 Acceptable Frame Type All Ingress Filtering Enabled Switchport Mode Egress Mode Hybrid tagged untagged frames GVRP global Disabled GVRP port interface Disabled Traffic Prioritization Ingress Port Priority 0 Weighted Round Robin Queue 0 1 2 3 Weight 1 2 4 8 IP DSCP Priority Disabled IP Settings IP Address DHCP assigned otherwise 192 168 1 1 Sub...

Page 34: ...ash Levels 0 3 SMTP Email Alerts Event Handler Enabled but no server defined SNTP Clock Synchronization Disabled DHCP Snooping Status Disabled IP Source Guard Status Disabled all ports Switch Clustering Status Enabled Commander Disabled Table 1 2 System Defaults Continued Function Parameter Default ...

Page 35: ...e RS 232 serial console port on the switch or remotely by a Telnet connection over the network The switch s management agent also supports SNMP Simple Network Management Protocol This SNMP agent permits the switch to be managed from any system in the network using network management software such as HP OpenView The switch s web interface CLI configuration program and SNMP agent allow you to perfor...

Page 36: ...serial port on a terminal or a PC running terminal emulation software and tighten the captive retaining screws on the RS 232 connector 2 Connect the other end of the cable to the RS 232 serial port on the switch 3 Make sure the terminal emulation software is set as follows Select the appropriate serial port COM port 1 or COM port 2 Set the baud rate to 9600 bps Set the data format to 8 data bits 1...

Page 37: ... basic configuration functions To access the full range of SNMP management functions you must use SNMP based network management software Basic Configuration Console Connection The CLI program provides two different command levels normal access level Normal Exec and privileged access level Privileged Exec The commands available at the Normal Exec level are a limited subset of those available at the...

Page 38: ...n for the stack to obtain management access through the network This can be done in either of the following ways Manual You have to input the information including IP address and subnet mask If your management station is not in the same IP subnet as the stack s master unit you will also need to specify the default gateway router Dynamic The switch sends IP configuration requests to BOOTP or DHCP a...

Page 39: ... therefore need to use the ip dhcp restart command to start broadcasting service requests Requests will be sent periodically in an effort to obtain IP configuration information BOOTP and DHCP values can include the IP address subnet mask and default gateway If the bootp or dhcp option is saved to the startup config file step 6 then the switch will start broadcasting service requests as soon as it ...

Page 40: ... clients To provide management access for version 1 or 2c clients you must specify a community string The switch provides a default MIB View i e an SNMPv3 construct for the default public community string that provides read access to the entire MIB tree and a default view for the private community string that provides read write access to the entire MIB tree However you may assign new views to ver...

Page 41: ...are no community strings then SNMP management access from SNMP v1 and v2c clients is disabled Trap Receivers You can also specify SNMP stations that are to receive traps from the switch To configure a trap receiver use the snmp server host command From the Privileged Exec level global configuration mode prompt type snmp server host host address community string version 1 2c 3 auth noauth priv wher...

Page 42: ...twork Management Protocol on page 3 33 or refer to the specific CLI commands for SNMP starting on page 4 100 Saving Configuration Settings Configuration commands only modify the running configuration file and are not saved when the switch is rebooted To save all your configuration changes in nonvolatile storage you must copy the running configuration file to the start up configuration file using t...

Page 43: ...d after boot up also known as run time code This code runs the switch operations and provides the CLI and web management interfaces See Managing Firmware on page 3 17 for more information Diagnostic Code Software that is run during system boot up also known as POST Power On Self Test Due to the size limit of the flash memory the switch supports only two operation code files However you can have as...


Page 45: ... user names and passwords using an out of band serial connection Access to the web agent is controlled by the same user names and passwords as the onboard configuration program See Setting Passwords on page 2 4 3 After you enter a user name and password you will have access to the system configuration program Notes 1 You are allowed three attempts to enter the correct password on the third failed ...

Page 46: ...ith the switch s web agent the home page is displayed as shown below The home page displays the Main Menu on the left side of the screen and System Information on the right side The Main Menu links are used to navigate to other menus and display configuration parameters and statistics Figure 3 1 Home Page Note The examples in this chapter are based on the SMC8126L2 Other than the number of fixed p...

Page 47: ...very visit to the page 2 When using Internet Explorer 5 0 you may have to manually refresh the screen after making configuration changes by pressing the browser s refresh button Panel Display The web agent displays an image of the switch s ports The Mode can be set to display different information for the ports including Active i e up or down Duplex i e half or full duplex or Flow Control i e with...

Page 48: ...llows the transfer and copying of files 3 17 Delete Allows deletion of files from the flash memory 3 18 Set Start Up Sets the startup file 3 18 Line 3 21 Console Sets console port connection parameters 3 21 Telnet Sets Telnet connection parameters 3 23 Log 3 25 Logs Stores and displays error messages 3 25 System Logs Sends error messages to a logging process 3 26 Remote Logs Configures the logging of...

Page 49: ...reach and maximum allowed MAC addresses 3 59 802 1X Port authentication 3 60 Information Displays global configuration settings 3 62 Configuration Configures the global configuration setting 3 62 Port Configuration Sets parameters for individual ports 3 63 Statistics Displays protocol statistics for the selected port 3 66 ACL 3 67 Configuration Configures packet filtering based on IP or MAC addres...

Page 50: ...ort statistics 3 95 Address Table 3 99 Static Addresses Displays entries for interface address or VLAN 3 99 Dynamic Addresses Displays or edits static entries in the Address Table 3 100 Address Aging Sets timeout for dynamically learned entries 3 102 Spanning Tree 3 102 STA 3 102 Information Displays STA values used for the bridge 3 105 Configuration Configures global bridge settings for STA and R...

Page 51: ...k Configuration Adds trunks to a QinQ tunnel 3 138 Private VLAN 3 141 Status Enables or disables the private VLAN 3 141 Link Status Configures the private VLAN 3 141 Protocol VLAN 3 142 Configuration Configures protocol VLANs 3 142 Port Configuration Configures protocol VLAN port type and associated protocol VLANs 3 143 Priority 3 144 Default Port Priority Sets the default priority for each port 3...

Page 52: ...er Port Configuration Assigns ports that are attached to a neighboring multicast router 3 166 IP Multicast Registration Table Displays all multicast groups active on this switch including multicast IP addresses and VLAN ID 3 167 IGMP Member Port Table Indicates multicast addresses associated with the selected VLAN 3 168 IGMP Filter Profile Configuration Configures IGMP filter profile controlled gr...

Page 53: ...87 VLAN Configuration Enables DHCP Snooping for a VLAN 3 188 Information Option Configuration Enables DHCP Snooping Information Option 3 188 Port Configuration Selects the DHCP Snooping Information Option policy 3 189 Binding Information Displays the DHCP Snooping binding information 3 190 IP Source Guard 3 191 Port Configuration Enables IP source guard and selects filter type per port 3 191 Stati...

Page 54: ...his switch Web server Shows if management access via HTTP is enabled Web server port Shows the TCP port number used by the web interface Web secure server Shows if management access via HTTPS is enabled Web secure server port Shows the TCP port used by the HTTPS interface Telnet server Shows if management access via Telnet is enabled Telnet port Shows the TCP port used by the Telnet interface Jumb...

Page 55: ...f Test POST and boot code Operation Code Version Version number of runtime code Role Shows that this switch is operating as Master or Slave Console config hostname R D 5 4 25 Console config snmp server location WC 9 4 103 Console config snmp server contact Ted 4 103 Console config exit Console show system 4 61 System description TigerSwitch 10 100 1000 26 50 PORT MANAGED SWITCH System OID string 1...

Page 56: ...lowing command to display version information Console show version 4 62 Unit 1 Serial number Hardware version EPLD Version 4 04 Number of ports 26 Main power status Up Redundant power status Not present Agent master Unit ID 1 Loader version 0 0 0 5 Boot ROM version 0 0 0 8 Operation code version 0 0 1 2 Console ...

Page 57: ...tic filtering for unicast and multicast addresses Refer to Setting Static Addresses on page 3 99 VLAN Learning This switch uses Shared VLAN Learning SVL where all VLANs share the same address table Configurable PVID Tagging This switch allows you to override the default Port VLAN ID PVID used in frame tags and egress status VLAN Tagged or Untagged on each port Refer to VLAN Configuration on page 3...

Page 58: ... has been assigned an IP address IP Address Mode Specifies whether IP functionality is enabled via manual configuration Static Dynamic Host Configuration Protocol DHCP or Boot Protocol BOOTP If DHCP BOOTP is enabled IP will not function until a reply has been received from the server Requests will be broadcast periodically by the switch for an IP address DHCP BOOTP values can include the IP addres...

Page 59: ...o Static enter the IP address subnet mask and gateway then click Apply Figure 3 6 Manual IP Configuration CLI Specify the management interface IP address and default gateway Console config Console config interface vlan 1 4 116 Console config if ip address 192 168 1 1 255 255 255 0 4 223 Console config if exit Console config ip default gateway 0 0 0 0 4 224 Console config ...

Page 60: ...connection and enter show ip interface to determine the new switch address CLI Specify the management interface and set the IP address mode to DHCP or BOOTP and then enter the ip dhcp restart command Renewing DHCP DHCP may lease addresses to clients indefinitely or for a specific period of time If the address expires or the switch is moved to another network segment you will lose management access...

Page 61: ...server or copy files to and from switch units in a stack By saving runtime code to a file on a TFTP server that file can later be downloaded to the switch to restore operation You can also set the switch to use new firmware without overwriting the previous version You must specify the method of file transfer along with the file type and file names as required Command Attributes File Transfer Metho...

Page 62: ...ownload the file using a different name from the current runtime code file and then set the new file as the startup file Web Click System File Management Copy Operation Select tftp to file as the file transfer method enter the IP address of the TFTP server set the file type to opcode enter the file name of the software to download select a file on the switch to overwrite or specify a new file name...

Page 63: ... options file to file Copies a file within the switch directory assigning it a new name file to running config Copies a file in the switch to the running configuration file to startup config Copies a file in the switch to the startup configuration file to tftp Copies a file from the switch to a TFTP server running config to file Copies the running configuration to a file running config to startup ...

Page 64: ...h memory space Downloading Configuration Settings from a Server You can download the configuration file under a new file name and then set it as the startup file or you can specify the current startup configuration file as the destination file to directly replace it Note that the file Factory_Default_Config cfg can be copied to the TFTP server but cannot be used as the destination on the switch We...

Page 65: ...onfigured via the web or CLI interface Command Attributes Login Timeout Sets the interval that the system waits for a user to log into the CLI If a login attempt is not detected within the timeout interval the connection is terminated for the session Range 0 300 seconds Default 0 seconds Exec Timeout Sets the interval that the system waits until user input is detected If user input is not detected...

Page 66: ...Specify Even Odd or None Default None Speed Sets the terminal line s baud rate for transmit to terminal and receive from terminal Set the speed to match the baud rate of the device connected to the serial port Range 9600 19200 38400 baud or Auto Default Auto Stop Bits Sets the number of the stop bits transmitted per byte Range 1 2 Default 1 stop bit Password1 Specifies a password for the line conn...

Page 67: ...s Default 300 seconds Exec Timeout Sets the interval that the system waits until user input is detected If user input is not detected within the timeout interval the current session is terminated Range 0 65535 seconds Default 600 seconds Password Threshold Sets the password intrusion threshold which limits the number of failed logon attempts When the logon attempt threshold is reached the Console ...

Page 68: ...e with password protection the system prompts for the password If you enter the correct password the system shows a prompt Default No password Login2 Enables password checking at login You can select authentication by a single global password as configured for the Password parameter or by passwords set up for specific user name accounts Default Local Web Click System Line Telnet Specify the connec...

Page 69: ... The switch can store up to 2048 log entries in temporary random access memory RAM i e memory flushed on power reset and up to 4096 entries in permanent flash memory Web Click System Log Logs Figure 3 16 Displaying Logs Console config line vty 4 11 Console config line login local 4 11 Console config line password 0 secret 4 12 Console config line timeout login response 300 4 13 Console config line...

Page 70: ...ed level For example if level 3 is specified all messages from level 0 to level 3 will be logged to flash Range 0 7 Default 3 RAM Level Limits log messages saved to the switch s temporary RAM memory for all levels up to the specified level For example if level 7 is specified all messages from level 0 to level 7 will be logged to RAM Range 0 7 Default 6 Note The Flash Level must be equal to or less...

Page 71: ...cility types specified by values of 16 to 23 The facility type is used by the syslog server to dispatch log messages to an appropriate service The attribute specifies the facility type tag sent in syslog messages See RFC 3164 This type has no effect on the kind of messages reported by the switch However it may be used by the syslog server to process messages such as sorting or storing messages in ...

Page 72: ...s between servers The messages can be retrieved using POP or IMAP clients Command Attributes Admin Status Enables disables the SMTP function Default Enabled Email Source Address This command specifies SMTP servers email addresses that can send alert messages Console config logging host 192 168 1 15 4 45 Console config logging facility 23 4 45 Console config logging trap 4 4 46 Console config end C...

Page 73: ...n or free memory error resource exhausted Level 2 Alert Sends urgent notification that immediate action must be taken Level 1 Emergency Sends an emergency notification that the system is now unusable Level 0 SMTP Server List Specifies a list of recipient SMTP servers SMTP Server Specifies a new SMTP server address to add to the SMTP Server List Email Destination Address List Specifies a list of re...

Page 74: ...ll always run the Power On Self Test Resetting the System Web Click System Reset Click the Reset button to reboot the switch When prompted confirm that you want to reset the switch Figure 3 21 Resetting the System CLI Use the reload command to restart the switch When prompted confirm that you want to reset the switch Note When restarting the system it will always run the Power On Self Test Console re...

Page 75: ...p to three time server IP addresses The switch will attempt to poll each server in the configured sequence Configuring SNTP You can configure the switch to send time synchronization requests to time servers Command Attributes SNTP Client Configures the switch to operate as an SNTP client This requires at least one time server to be specified in the SNTP Server field Default Disabled SNTP Poll Inte...

Page 76: ...12 The number of hours before after UTC Minutes 0 59 The number of minutes before after UTC Direction Configures the time zone to be before east or after west UTC Web Select SNTP Clock Time Zone Set the offset for your time zone relative to the UTC and click Apply Figure 3 23 Setting the System Clock CLI This example shows how to set the time zone for the system clock Console config sntp server 10...

Page 77: ...must first submit a valid community string for authentication The options for configuring community strings trap functions and restricting access to clients with specified IP addresses are described in the following sections Setting Community Access Strings You may configure up to five community strings authorized for management access All community strings used for IP Trap Managers should be list...

Page 78: ... switch Command Attributes Trap Manager Capability This switch supports up to five trap managers Current Displays a list of the trap managers currently configured Trap Manager IP Address IP address of the host the targeted recipient Trap Manager Community String Community string sent with the notification operation Range 1 32 characters case sensitive Trap UDP Port Sets the UDP port number Default...

Page 79: ... Figure 3 25 Configuring IP Trap Managers CLI This example adds a trap manager and enables both authentication and link up link down traps Enabling SNMP Agent Status Enables SNMPv3 service for all management clients i e versions 1 2c 3 Command Attributes SNMP Agent Status Check the box to enable or disable the SNMP Agent Web Click SNMP Agent Status Figure 3 26 Enabling SNMP Agent Status Console co...

Page 80: ...ith user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets A local engine ID is automatically generated that is unique to the switch This is referred to as the default engine ID If the local engine ID is deleted or changed all SNMP users will be cleared You will need to reconfigure all existing users A new engine ID can be specified by entering 5 to 32 octets...

Page 81: ...e specified a trailing zero is added to the value to fill the octet For example entering the value 123456789 results in an engine ID of 1234567890 Web Click SNMP SNMPv3 Remote Engine ID Figure 3 28 Setting a Remote Engine ID CLI This example specifies a remote SNMPv3 engine ID Configuring SNMPv3 Users Each SNMPv3 user is defined by a unique name Users must be configured with a specific security le...

Page 82: ...y available for the SNMPv3 security model AuthPriv SNMP communications use both authentication and encryption only available for the SNMPv3 security model Authentication The method used for user authentication Options MD5 SHA Default MD5 Authentication Password A minimum of eight plain text characters is required Privacy The encryption algorithm used for data privacy only 56 bit DES is currently av...

Page 83: ...ned group of a user click Change Group in the Actions column of the users table and select the new group Figure 3 29 Configuring SNMPv3 Users CLI Use the snmp server user command to configure a new user name and assign it to a group Console config snmp server user chris group r d v3 auth md5 greenpeacepriv des56 einstien 4 113 Console config exit Console show snmp user 4 113 EngineId 8301000003000...

Page 84: ...t the remote engine identifier must be specified before you configure a remote user. (See "Specifying a Remote Engine ID" on page 44.) Model: The user security model; SNMP v1, v2c or v3. Level: The security level used for the user. noAuthNoPriv: There is no authentication or encryption used in SNMP communications. (This is the default for SNMPv3.) AuthNoPriv: SNMP communications use authentication, but the data is n...

Page 85: ...SNMP communications use both authentication and encryption only available for the SNMPv3 security model Read View The configured view for read access Range 1 64 characters Write View The configured view for write access Range 1 64 characters Notify View The configured view for notifications Range 1 64 characters Console config snmp server user mark group r d remote 192 168 1 19 v3 auth md5 greenpe...

Page 86: ...y the included value of ifOperStatus. linkUp (1.3.6.1.6.3.1.1.5.4): A linkUp trap signifies that the SNMP entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links left the down state and transitioned into some other state (but not into the notPresent state). This other state is indicated by the included value of ifOperStatus. authenticationFailure 1 3 6 1...

Page 87: ...thPsePortPower MaintenanceStatus Notification 1 3 6 1 4 1 202 20 68 2 1 0 1 This notification indicates a Port Change Status and is sent on every status change pethMainPower UsageOnNotification 1 3 6 1 4 1 202 20 68 2 1 0 1 This notification indicates PSE Threshold usage indication is on the power usage is above the threshold pethMainPower UsageOffNotification 1 3 6 1 4 1 202 20 68 2 1 0 1 This no...

Page 88: ... Delete Figure 3 31 Configuring SNMPv3 Groups CLI Use the snmp server group command to configure a new group specifying the security model and level and restricting MIB access to defined read and write views Console config snmp server group secure users v3 priv read defaultview write defaultview notify defaultview4 116 Console config exit Console show snmp group4 118 Group Name secure users Securi...

Page 89: ...in the MIB tree. Wild cards can be used to mask a specific portion of the OID string. Type: Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view. Web: Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New View page, define a name and specify OID subtrees in the switch MIB to be included or excluded in the view. Click Back to save the...

Page 90: ...uring User Accounts: The guest only has read access for most configuration parameters. However, the administrator has write access for all parameters governing the onboard agent. You should therefore assign a new administrator password as soon as possible, and store it in a safe place. The default guest name is "guest" with the password "guest". The default administrator name is "admin" with the password "admin...

Page 91: ...moves an account from the list. Web: Click Security, User Accounts. To configure a new user account, specify a user name, select the user's access level, then enter a password and confirm it. Click Add to save the new user account and add it to the Account List. To change the password for a specific user, enter the user name and new password, confirm the password by entering it again, then click Apply. Figure ...

Page 92: ...he packet. Command Usage: By default, management access is always checked against the authentication database stored on the local switch. If a remote authentication server is used, you must specify the authentication sequence and the corresponding parameters for the remote authentication protocol. Local and remote logon authentication control management access via the console port, web browser, or Telnet ...

Page 93: ...on server used for authentication messages. (Range: 1-65535; Default: 1812) Secret Text String: Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 20 characters) Number of Server Transmits: Number of times the switch tries to authenticate logon access via the authentication server. (Range: 1-30; Default: 2) Timeout for a reply: The number of seconds th...

Page 94: ...tication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS authentication if selected, and click Apply. Figure 3-34 Authentication Settings ...

Page 95: ...emote RADIUS server configuration Global settings Communication key with RADIUS server Server port number 181 Retransmit times 5 Request timeout 10 Server 1 Server IP address 192 168 1 25 Communication key with RADIUS server Server port number 1812 Retransmit times 2 Request timeout 5 Console configure Console config authentication login tacacs 4 71 Console config tacacs server host 10 20 30 40 4 ...

Page 96: ...d decrypting data. The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 5.x or above and Netscape Navigator 6.2 or above. The following web browsers and operating systems currently support HTTPS. To specify a secure-site certificate, see "Replacing the Default Secure-site Certificate" on page 3-53. Command Attributes: HTTPS Stat...

Page 97: ...from a recognized certification authority. Caution: For maximum security, we recommend you obtain a unique Secure Sockets Layer certificate at the earliest opportunity. This is because the default certificate for the switch is not unique to the hardware you have purchased. When you have obtained these, place them on your TFTP server, and use the following command at the switch's command-line interface to...

Page 98: ...word authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS remote authentication server, as specified on the Authentication Settings page (3-48). If public key authentication is specified by the client, then you must configure authentication keys on both the client and the switch as described in the following section. Note that rega...

Page 99: ...e SSH server on the switch. 6. Challenge-Response Authentication: When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can access. The following exchanges take place during this process: a. The client sends its public key to the sw...

Page 100: ... 120 seconds; Default: 120 seconds. SSH Authentication Retries: Specifies the number of authentication attempts that a client is allowed before authentication fails and the client has to restart the authentication process. (Range: 1-5 times; Default: 3) SSH Server-Key Size: Specifies the SSH server key size. (Range: 512-896 bits; Default: 768) The server key is a private key that is never shared outside the switch...

Page 101: ... (Version 1), DSA (Version 2), Both; Default: RSA. The SSH server uses RSA or DSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption. Save Host-Key from Memory to Flash: Saves the host key from RAM (i.e., volatile memory) to flash memory. Otherwise, the host key pair is stored to RAM by ...

Page 102: ...8320102524878965977592168322225584652387791546479807396314033 86925793105105765212243052807865885485789272602937866089236841423275912127 60325919683697053439336438445223335188287173896894511729290510813919642025 190932104328579045764891 DSA ssh dss AAAAB3NzaC1kc3MAAACBAN6zwIqCqDb3869jYVXlME1sHL0EcE Re6hlasfEthIwmj hLY4O0jqJZpcEQUgCfYlum0Y2uoLka Py9ieGWQ8f2gobUZKIICuKg6vjO9XTs7XKc05xfzkBi KviDa 2Or...

Page 103: ... port will stop learning. The MAC addresses already in the address table will be retained and will not age out. Any other device that attempts to use the port will be prevented from accessing the switch. Command Usage: A secure port has the following restrictions: It cannot use port monitoring. It cannot be a multi-VLAN port. It cannot be used as a member of a static or dynamic trunk. It should not be con...

Page 104: ...k resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data. The IEEE 802.1X (dot1X) standard defines a port-based access control procedure that prevents unauthorized access to a network by requiring users to first submit credentials for au...

Page 105: ... network. Otherwise, network access is denied and the port remains blocked. The operation of 802.1X on the switch requires the following: The switch must have an IP address assigned. RADIUS authentication must be enabled on the switch and the IP address of the RADIUS server specified. 802.1X must be enabled globally for the switch. Each switch port that will be used must be set to dot1X "Auto" mode. Each cl...

Page 106: ...lobal setting for 802 1X Default Disabled Web Select Security 802 1X Configuration Enable 802 1X globally for the switch and click Apply Figure 3 40 802 1X Global Configuration CLI This example enables 802 1X globally for the switch Console show dot1x 4 86 Global 802 1X Parameters system auth control enable 802 1X Port Summary Port Name Status Operation Mode Mode Authorized 1 1 disabled Single Hos...

Page 107: ...Unauthorized: Forces the port to deny access to all clients, either dot1x-aware or otherwise. Re-authen: Sets the client to be re-authenticated after the interval specified by the Re-authentication Period. Re-authentication can be used to detect if a new device is plugged into a switch port. (Default: Disabled) Max-Req: Sets the maximum number of times the switch port will retransmit an EAP request packet t...

Page 108: ...Figure 3-41 802.1X Port Configuration ...

Page 109: ... 1X Parameters system auth control enable 802 1X Port Summary Port Name Status Operation Mode Mode Authorized 1 1 disabled Single Host ForceAuthorized n a 1 2 enabled Single Host auto yes 1 26 disabled Single Host ForceAuthorized n a 802 1X Port Details 802 1X is disabled on port 1 1 802 1X is enabled on port 1 2 reauth enabled Enable reauth period 1800 quiet period 30 tx period 40 supplicant time...

Page 110: ...es of any type that have been received by this Authenticator. Rx EAP Resp/Id: The number of EAP Resp/Id frames that have been received by this Authenticator. Rx EAP Resp/Oth: The number of valid EAP Response frames (other than Resp/Id frames) that have been received by this Authenticator. Rx EAP LenError: The number of EAPOL frames that have been received by this Authenticator in which the Packet Body Len...

Page 111: ...ket is accepted. Command Usage: The following restrictions apply to ACLs: Each ACL can have up to 32 rules. The maximum number of ACLs is also 32. The maximum number of rules that can be bound to the ports is 96 for each of the following list types: MAC ACLs, IP ACLs (including Standard and Extended ACLs). When an ACL is bound to an interface as an egress filter, all entries in the ACL must be deny rules. Oth...

Page 112: ...sed on the source IP address. Extended: IP ACL mode that filters packets based on source or destination IP address, as well as protocol type and protocol port number. MAC: MAC ACL mode that filters packets based on the source or destination MAC address and the Ethernet frame type (RFC 1060). Web: Select Security, ACL, Configuration. Enter an ACL name in the Name field, select the list type (IP Standard, IP Exten...

Page 113: ... for each IP packet entering the port s to which this ACL has been assigned Web Specify the action i e Permit or Deny Select the address type Any Host or IP If you select Host enter a specific address If you select IP enter a subnet address and the mask for an address range Then click Add Figure 3 44 Configuring Standard IP ACLs CLI This example configures one permit rule for the specific address ...

Page 114: ...hat specifies flag bits in byte 14 of the TCP header. (Range: 0-63) Control Code Bit Mask: Decimal number representing the code bits to match. The control bitmask is a decimal number (for an equivalent binary bit mask) that is applied to the control code. Enter a decimal number, where the equivalent binary bit "1" means to match a bit and "0" means to ignore a bit. The following bits may be specified: 1 (fin): Finis...

Page 115: ...d i e the rule 10 7 1 0 255 255 255 0 equals the masked address 10 7 1 2 255 255 255 0 the packet passes through 2 Allow TCP packets from class C addresses 192 168 1 0 to any destination address when set for destination TCP port 80 i e HTTP Console config ext acl permit 10 7 1 1 255 255 255 0 any 4 91 Console config ext acl permit tcp 192 168 1 0 255 255 255 0 any destination port 80 Console confi...

Page 116: ...found in RFC 1060 A few of the more common types include 0800 IP 0806 ARP 8137 IPX Ethernet Type Bitmask Protocol bitmask Range 600 fff hex Packet Format This attribute includes the following packet types Any Any Ethernet packet type Untagged eth2 Untagged Ethernet II packets Untagged 802 3 Untagged Ethernet 802 3 packets Tagged 802 3 Tagged Ethernet 802 3 packets Tagged 802 3 Tagged Ethernet 802 ...

Page 117: ...ge: This switch supports ACLs for ingress filtering only. Command Attributes: Port: Fixed port or SFP module. (Range: 1-26/50) IP: Specifies the IP ACL to bind to a port. MAC: Specifies the MAC ACL to bind to a port. IN: ACL for ingress packets. Web: Click Security, ACL, Port Binding. Click Edit to open the configuration page for the ACL type. Mark the Enable field for the port you want to bind to an ACL for ingress...

Page 118: ...face on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager. IP addresses can be configured for SNMP, web, and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges. When entering addresses for the same group ...

Page 119: ...address(es) for the SNMP group. Telnet IP Filter: Configures IP address(es) for the Telnet group. IP Filter List: IP addresses which are allowed management access to this interface. Start IP Address: A single IP address, or the starting address of a range. End IP Address: The end address of a range. Add/Remove Filtering Entry: Adds/removes an IP address from the list. Web: Click Security, IP Filter. Enter the IP add...

Page 120: ...l Status: Indicates the type of flow control currently in use (IEEE 802.3x, Back-Pressure or None). Autonegotiation: Shows if auto-negotiation is enabled or disabled. Media Type: Media type used for the combo ports 21-24 (SMC8126L2) or 45-48 (SMC8150L2). (Options: Copper-Forced, SFP-Forced, or SFP-Preferred-Auto; Default: SFP-Preferred-Auto) Trunk Member: Shows if port is a trunk member. Creation: Shows if a trunk i...

Page 121: ...e capabilities to be advertised for a port during auto-negotiation. (To access this item on the web, see 3-78.) The following capabilities are supported: 10half: Supports 10 Mbps half-duplex operation. 10full: Supports 10 Mbps full-duplex operation. 100half: Supports 100 Mbps half-duplex operation. 100full: Supports 100 Mbps full-duplex operation. 1000full: Supports 1000 Mbps full-duplex operation. Sym: Transmits ...

Page 122: ...k Configuration page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control. Command Attributes: Name: Allows you to label an interface. (Range: 1-64 characters) Admin: Allows you to manually disable an interface. You can disable an interface due to abnormal behavior (e.g., excessive collisions), and then reenable it...

Page 123: ...0full: Supports 100 Mbps full-duplex operation. 1000full (Combo ports only): Supports 1000 Mbps full-duplex operation. Default: Autonegotiation enabled. Advertised capabilities for 100BASE-TX: 10half, 10full, 100half, 100full; 1000BASE-T: 10half, 10full, 100half, 100full, 1000full; 1000BASE-SX/LX/ZX: 1000full. Media Type: Media type used for the combo ports 21-24 (SMC8126L2) or 45-48 (SMC8150L2). (Options: Copper-Forced, SFP ...

Page 124: ... standby mode. Should one link in the trunk fail, one of the standby ports will automatically be activated to replace it. Command Usage: Besides balancing the load across each port in the trunk, the other ports provide redundancy by taking over the load if a port in the trunk fails. However, before making any physical connections between devices, use the web interface or CLI to specify the trunk on the de...

Page 125: ...the static trunks on this switch are Cisco EtherChannel compatible. To avoid creating a loop in the network, be sure you add a static trunk via the configuration interface before connecting the ports, and also disconnect the ports before removing a static trunk via the configuration interface. Command Attributes: Member List (Current): Shows configured trunks (Trunk ID, Unit, Port). New: Includes entry fields f...

Page 126: ... of an LACP trunk must be configured for full duplex and auto negotiation Trunks dynamically established through LACP will also be shown in the Member List on the Trunk Membership menu see 3 81 Console config interface port channel 2 4 116 Console config if exit Console config interface ethernet 1 1 4 116 Console config if channel group 2 4 131 Console config if exit Console config interface ether...

Page 127: ...w: Includes entry fields for creating new trunks. Port: Port identifier. (Range: 1-26/50) Web: Click Port, LACP, Configuration. Select any of the switch ports from the scroll-down port list and click Add. After you have completed adding ports to the member list, click Apply. Figure 3-52 LACP Trunk Configuration ...

Page 128: ...ibutes: Set Port Actor: This menu sets the local side of an aggregate link; i.e., the ports on this switch. Port: Port number. (Range: 1-26/50) System Priority: LACP system priority is used to determine link aggregation group (LAG) membership, and to identify this device to other switches during LAG negotiations. (Range: 0-65535; Default: 32768) Ports must be configured with the same system priority to join the same L...

Page 129: ...hed device. The command attributes have the same meaning as those used for the port actor. However, configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner. Web: Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Ac...

Page 130: ...onsole show lacp sysid 4 136 Port Channel System Priority System MAC Address 1 3 00 12 CF 31 31 31 2 32768 00 12 CF 31 31 31 3 32768 00 12 CF 31 31 31 4 32768 00 12 CF 31 31 31 Console show lacp 1 internal 4 136 Port channel 1 Oper Key 120 Admin Key 0 Eth 1 1 LACPDUs Internal 30 sec LACP System Priority 3 LACP Port Priority 128 Admin Key 120 Oper Key 120 Admin State defaulted aggregation long time...

Page 131: ... value but contain an unknown PDU or 2 are addressed to the Slow Protocols group MAC Address but do not carry the Slow Protocols Ethernet Type Marker Illegal Pkts Number of frames that carry the Slow Protocols Ethernet Type value but contain a badly formed PDU or an illegal value of Protocol Subtype Console show lacp counters 4 136 Port channel 1 Eth 1 1 LACPDUs Sent 91 LACPDUs Receive 43 Marker S...

Page 132: ...information administratively configured for the partner. Distributing: If false, distribution of outgoing frames on this link is disabled; i.e., distribution is currently disabled and is not expected to be enabled in the absence of administrative changes or changes in received protocol information. Collecting: Collection of incoming frames on this link is enabled; i.e., collection is currently enabled and is...

Page 133: ... LACP configuration settings and operational state for the local side of port channel 1 Console show lacp 1 internal 4 136 Port channel 1 Oper Key 120 Admin Key 0 Eth 1 1 LACPDUs Internal 30 sec LACP System Priority 3 LACP Port Priority 128 Admin Key 120 Oper Key 120 Admin State defaulted aggregation long timeout LACP activity Oper State distributing collecting synchronization aggregation long tim...

Page 134: ...signed by the LACP protocol. Partner Admin Port Number: Current administrative value of the port number for the protocol Partner. Partner Oper Port Number: Operational port number assigned to this aggregation port by the port's protocol partner. Port Admin Priority: Current administrative value of the port priority for the protocol partner. Port Oper Priority: Priority value assigned to this aggregation p...

Page 135: ...Control is enabled by default. Broadcast control does not affect IP multicast traffic. Command Attributes: Port: Port number. Type: Indicates the port type (100BASE-TX, 1000BASE-T, or SFP). Protect Status: Shows whether or not broadcast storm control has been enabled. (Default: Enabled) Threshold: Threshold as percentage of port bandwidth. (Options: 500-262143 packets per second; Default: 500 pps) Trunk: Shows if a port ...

Page 136: ...122 Console config if exit Console config interface ethernet 1 2 Console config if switchport broadcast packet rate 500 4 122 Console config if end Console show interfaces switchport ethernet 1 2 4 125 Information of Eth 1 2 Broadcast threshold Enabled 500 packets second LACP status Disabled Ingress Rate Limit Disabled 100000 Kbits per second Egress Rate Limit Disabled 100000 Kbits per second VLAN...

Page 137: ...Attributes: Mirror Sessions: Displays a list of current mirror sessions. Source Port: The port whose traffic will be monitored. (Range: 1-26/50) Type: Allows you to select which traffic to mirror to the target port, Rx (receive) or Tx (transmit). (Default: Rx) Target Port: The port that will mirror the traffic on the source port. (Range: 1-26/50) Web: Click Port, Mirror Port Configuration. Specify the source port, the traff...

Page 138: ...c rate will be monitored by the hardware to verify conformity. Non-conforming traffic is dropped, conforming traffic is forwarded without any changes. Rate Limit Configuration: Use the rate limit configuration pages to apply rate limiting. Command Usage: Input and output rate limits can be enabled or disabled for individual interfaces. Command Attributes: Port/Trunk: Displays the port/trunk number. Input Ou...

Page 139: ...mber of octets received on the interface, including framing characters. Received Unicast Packets: The number of subnetwork-unicast packets delivered to a higher-layer protocol. Received Multicast Packets: The number of packets, delivered by this sub-layer to a higher (sub-)layer, which were addressed to a multicast address at this sub-layer. Received Broadcast Packets: The number of packets delivered by thi...

Page 140: ...ude frames received with frame-too-long or frame-too-short error. Excessive Collisions: A count of frames for which transmission on a particular interface fails due to excessive collisions. This counter does not increment when the interface is operating in full-duplex mode. Single Collision Frames: The number of successfully transmitted frames for which transmission is inhibited by exactly one collisio...

Page 141: ...he number of CRC/alignment errors (FCS or alignment errors). Undersize Frames: The total number of frames received that were less than 64 octets long (excluding framing bits, but including FCS octets) and were otherwise well formed. Oversize Frames: The total number of frames received that were longer than 1518 octets (excluding framing bits, but including FCS octets) and were otherwise well formed. Fragments ...

Page 142: ...Web: Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen. Figure 3-60 Port Statistics ...

Page 143: ...ddress of a device mapped to this interface VLAN ID of configured VLAN 1 4094 Console show interfaces counters ethernet 1 13 4 124 Ethernet 1 13 Iftable stats Octets input 868453 Octets output 3492122 Unicast input 7315 Unitcast output 6658 Discard input 0 Discard output 0 Error input 0 Error output 0 Unknown protos input 0 QLen output 0 Extended iftable stats Multi cast input 0 Multi cast output ...

Page 144: ... for inbound traffic is found in the database, the packets intended for that address are forwarded directly to the associated port. Otherwise, the traffic is flooded to all ports. Command Attributes: Interface: Indicates a port or trunk. MAC Address: Physical address associated with this interface. VLAN: ID of configured VLAN (1-4094). Address Table Sort Key: You can sort the information displayed based on MAC ...

Page 145: ...e method of sorting the displayed addresses and then click Query Figure 3 62 Configuring a Dynamic Address Table CLI This example also displays the address table entries for port 1 Console show mac address table interface ethernet 1 1 4 141 Interface Mac Address Vlan Type Eth 1 1 00 12 CF 48 82 93 1 Delete on reset Eth 1 1 00 12 CF 94 34 DE 2 Learned Console ...

Page 146: ... backup links which automatically take over when a primary link goes down. The spanning tree algorithms supported by this switch include these versions: STP: Spanning Tree Protocol (IEEE 802.1D). RSTP: Rapid Spanning Tree Protocol (IEEE 802.1w). MSTP: Multiple Spanning Tree Protocol (IEEE 802.1s). Note: MSTP is not supported in the current software. STP uses a distributed algorithm to select a bridging device (STP...

Page 147: ...ds or more for STP) by reducing the number of state changes before active ports start learning, predefining an alternate route that can be used when a node or port fails, and retaining the forwarding database for ports insensitive to changes in the tree structure when reconfiguration occurs. MSTP: When using STP or RSTP, it may be difficult to maintain a stable path between all VLAN members. Frequent cha...

Page 148: ...nd acts as a virtual bridge node for communications with STP or RSTP nodes in the global network. MSTP connects all bridges and LAN segments with a single Common and Internal Spanning Tree (CIST). The CIST is formed as a result of the running spanning tree algorithm between switches that support the STP, RSTP, MSTP protocols. Once you specify the VLANs to include in a Multiple Spanning Tree Instance (MSTI...

Page 149: ... before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a discarding state; otherwise, temporary data loops might result. Designated Root: The priority and MAC address ...

Page 150: ...ports in this section means "interfaces," which includes both ports and trunks.) Root Forward Delay: The maximum time (in seconds) this device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting infor...

Page 151: ...ically adjusting the type of protocol messages the RSTP node transmits, as described below: STP Mode: If the switch receives an 802.1D BPDU (i.e., STP BPDU) after a port's migration delay timer expires, the switch assumes it is connected to an 802.1D bridge and starts using only 802.1D BPDUs. RSTP Mode: If RSTP is using 802.1D BPDUs on a port and receives an RSTP BPDU after the migration delay expires, RSTP ...

Page 152: ...ort, and designated port. The device with the highest priority becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device. (Note that lower numeric values indicate higher priority.) Default: 32768. Range: 0-61440, in steps of 4096. Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344 ...

Page 153: ...s: The path cost method is used to determine the range of values that can be assigned to each interface. Long: Specifies 32-bit based values that range from 1-200,000,000. (This is the default.) Short: Specifies 16-bit based values that range from 1-65535. Transmission Limit: The maximum transmission rate for BPDUs is specified by setting the minimum interval between the transmission of consecutive protocol...

Page 154: ...onfigures the STA and RSTP parameters Console config spanning tree 4 145 Console config spanning tree mode rstp 4 145 Console config spanning tree priority 45056 4 148 Console config spanning tree hello time 5 4 147 Console config spanning tree max age 38 4 147 Console config spanning tree forward time 20 4 146 Console config spanning tree pathcost method long 4 149 Console config spanning tree tr...

Page 155: ...e Learning state to the Forwarding state. Designated Cost: The cost for a packet to travel from this port to the root in the current Spanning Tree configuration. The slower the media, the higher the cost. Designated Bridge: The bridge priority and MAC address of the device through which this port must communicate to reach the root of the Spanning Tree. Designated Port: The port priority and number of the ...

Page 156: ... Tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Algorithm is detecting network loops. Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enabled. Designated root: The priority and MAC address of the device in the Spanning Tree that this switch has accepted as the root device. Fast forwarding: This fie...

Page 157: ...uto The switch automatically determines if the interface is attached to a point to point link or to shared media Web Click Spanning Tree STA Port Information or STA Trunk Information Figure 3 66 Displaying Spanning Tree Port Information CLI This example shows the STA attributes for port 5 Console show spanning tree ethernet 1 5 4 160 Eth 1 5 information Admin status enabled Role disable State disc...

Page 158: ...tes if a port is a member of a trunk. (STA Port Configuration only) The following interface attributes can be configured: Spanning Tree: Enables/disables STA on this interface. (Default: Enabled) Priority: Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch are the same, the port with the highest priority (i.e., lowest value) will be configured as an a...

Page 159: ...tree to initiate reconfiguration when the interface changes state, and also overcomes other STA-related timeout problems. However, remember that Edge Port should only be enabled for ports connected to an end-node device. (Default: Disabled) Migration: If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface t...

Page 160: ...o note that RSTP treats each MSTI region as a single node, connecting all regions to the Common Spanning Tree. To use multiple spanning trees: 1. Set the spanning tree type to MSTP (STA Configuration, page 3-102). 2. Enter the spanning tree priority for the selected MST instance (MSTP VLAN Configuration). 3. Add the VLANs that will share this MSTI (MSTP VLAN Configuration). Note: All VLANs are automatically added ...

Page 161: ...ply To add the VLAN members to an MSTI instance enter the instance identifier the VLAN identifier and click Add Figure 3 68 Configuring Multiple Spanning Trees CLI This example sets the priority for MSTI 1 and adds VLANs 1 5 to this MSTI Console config spanning tree mst configuration Console config mst mst 1 priority 4096 Console config mstp mst 1 vlan 1 5 Console config mst ...

Page 162: ...figuration 2 Priority 4096 Bridge Hello Time sec 2 Bridge Max Age sec 20 Bridge Forward Delay sec 15 Root Hello Time sec 2 Root Max Age sec 20 Root Forward Delay sec 15 Max hops 20 Remaining hops 20 Designated Root 4096 2 0000E9313131 Current root port 0 Current root cost 0 Number of topology changes 0 Last topology changes time sec 646 Transmission limit 3 Path Cost Method long Eth 1 7 informatio...

Page 163: ...ee Algorithm Configuration 3 119 3 Web Click Spanning Tree MSTP Port or Trunk Information Select the required MST instance to display the current spanning tree values Figure 3 69 Displaying MSTP Interface Settings ...

Page 164: ...formation Spanning tree mode MSTP Spanning tree enable disable enable Instance 0 Vlans configuration 1 4094 Priority 32768 Bridge Hello Time sec 2 Bridge Max Age sec 20 Bridge Forward Delay sec 15 Root Hello Time sec 2 Root Max Age sec 20 Root Forward Delay sec 15 Max hops 20 Remaining hops 20 Designated Root 32768 0 0000ABCD0000 Current root port 1 Current root cost 200000 Number of topology chan...

Page 165: ...lue will be configured as an active link in the Spanning Tree This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops Where more than one port is assigned the highest priority the port with lowest numeric identifier will be enabled Default 128 Range 0 240 in steps of 16 MST Path Cost This parameter is used by the MSTP to determine t...

Page 166: ...802 1Q VLAN is a group of ports that can be located anywhere in the network but communicate as though they belong to the same physical segment VLANs help to simplify network management by allowing you to move devices to a new VLAN without having to change any physical connections VLANs can be easily organized to reflect departmental groups such as Marketing or R D usage groups such as e mail or mu...

Page 167: ...o participate in one or more VLANs but none of the intermediate network devices nor the host at the other end of the connection supports VLANs then you should add this port to the VLAN as an untagged port Note VLAN tagged frames can pass through VLAN aware or VLAN unaware network interconnection devices but the VLAN tags should be stripped off before passing it on to any end node host that does no...

Page 168: ...pports GVRP it will also place the receiving port in the specified VLANs and pass the message on to all other ports VLAN requirements are propagated in this way throughout the network This allows GVRP compliant devices to be automatically configured for VLAN groups based solely on endstation requests To implement GVRP in a network first add the host devices to the required VLANs using the operatin...

Page 169: ...ding the frame When the switch receives a tagged frame it will pass this frame onto the VLAN s indicated by the frame tag However when this switch receives an untagged frame from a VLAN unaware device it first decides where to forward the frame and then inserts a VLAN tag reflecting the ingress port s default VID Enabling or Disabling GVRP Global Setting GARP VLAN Registration Protocol GVRP define...

Page 170: ...g Current VLANs The VLAN Current Table shows the current port members of each VLAN and whether or not the port supports VLAN tagging Ports assigned to a large VLAN group that crosses several switches should use VLAN tagging However if you just want to create a small port based VLAN for one or two switches you can disable tagging Command Attributes Web VLAN ID ID of configured VLAN 1 4094 Up Time a...

Page 171: ... Select any ID from the scroll down list Figure 3 73 Displaying Current VLANs Command Attributes CLI VLAN ID of configured VLAN 1 4094 no leading zeroes Type Shows how this VLAN was added to the switch Dynamic Automatically learned via GVRP Static Added as a static entry Name Name of the VLAN 1 to 32 characters Status Shows if this VLAN is enabled or disabled Active VLAN is operational Suspend VLA...

Page 172: ...94 no leading zeroes VLAN Name Name of the VLAN 1 to 32 characters Status Web Enables or disables the specified VLAN Enabled VLAN is operational Disabled VLAN is suspended i e does not pass packets State CLI Enables or disables the specified VLAN Active VLAN is operational Suspend VLAN is suspended i e does not pass packets Add Adds a new VLAN group to the current list Remove Removes a VLAN group ...

Page 173: ...ding it to a VLAN via the GVRP protocol Notes 1 You can also use the VLAN Static Membership by Port page to configure VLAN groups based on the port index page 3 131 However note that this configuration page can only add ports to a VLAN as tagged members Console config vlan database 4 167 Console config vlan vlan 2 name R D media ethernet state active 4 168 Console config vlan end Console show vlan...

Page 174: ...Interface is a member of the VLAN All packets transmitted by the port will be untagged that is not carry a tag and therefore not carry VLAN or CoS information Note that an interface can only have one untagged VLAN which must be the same as the Port VID See Configuring VLAN Behavior for Interfaces on page 3 132 for configuring PVID Forbidden Interface is forbidden from automatically joining the VLA...

Page 175: ...ormation for the interface Select a VLAN ID and then click Add to add the interface as a tagged member or click Remove to remove the interface After configuring VLAN membership for each interface click Apply Figure 3 76 VLAN Static Membership by Port CLI This example adds Port 3 to VLAN 1 as a tagged port and removes Port 3 from VLAN 2 Console config interface ethernet 1 1 4 116 Console config if ...

Page 176: ...ged or untagged member Acceptable Frame Type Sets the interface to accept all frame types including tagged or untagged frames or only tagged frames When set to receive all frame types any received frames that are untagged are assigned to the default VLAN Options All Tagged Default All Ingress Filtering Determines how to process frames tagged for VLANs for which the ingress port is not a member Ing...

Page 177: ...A service provider s customers may have specific requirements for their internal VLAN IDs and number of VLANs supported VLAN ranges required by different customers in the same service provider network might easily overlap and traffic passing through the infrastructure might be mixed Assigning a unique range of VLAN IDs to each customer would restrict customer configurations require intensive proce...

Page 178: ... the outer tag is stripped for packet processing When the packet exits another trunk port on the same core switch the same SPVLAN tag is again added to the packet When a packet enters the trunk port on the service provider s egress switch the outer tag is again stripped for packet processing However the SPVLAN tag is not added when it is sent out the tunnel access port on the edge switch into the ...

Page 179: ...ups are successful the ingress process writes the packet to memory Then the egress process transmits the packet Packets entering a QinQ uplink port are processed in the following manner 1 If incoming packets are untagged the PVID VLAN native tag is added 2 If the ether type of an incoming packet single or double tagged is not equal to the TPID of the uplink port the VLAN tag is determined to be a ...

Page 180: ...tead use VLAN 1 as a management VLAN instead of a data VLAN in the service provider network There are some inherent incompatibilities between Layer 2 and Layer 3 switching Tunnel ports do not support IP Access Control Lists Layer 3 Quality of Service QoS and other QoS features containing Layer 3 information are not supported on tunnel ports Spanning tree bridge protocol data unit BPDU filtering is...

Page 181: ...unneling mode which is used for passing Layer 2 traffic across a service provider s metropolitan area network Command Attributes 802 1Q Tunnel Sets the switch to QinQ mode and allows the QinQ tunnel port to be configured The default is for the switch to function in normal mode 802 1Q Ethernet Type The Tag Protocol Identifier TPID specifies the ethertype of incoming packets on a tunnel port Range h...

Page 182: ...o the VLAN contained in the tag following the ethertype field as they would be with a standard 802 1Q trunk Frames arriving on the port containing any other ethertype are looked upon as untagged frames and assigned to the native VLAN of that port All members of a VLAN should be set to the same ethertype Command Attributes Mode Set the VLAN membership mode of the port Default Normal Normal The port...

Page 183: ...e provider network Web Click VLAN 802 1Q VLAN Tunnel Configuration or Tunnel Trunk Configuration Set the mode for a tunnel access port to 802 1Q Tunnel and a tunnel uplink port to 802 1Q Tunnel Uplink Set the TPID of the ports if the client is using a non standard ethertype to identify 802 1Q tagged frames Click Apply Figure 3 79 Tunnel Port Configuration ...

Page 184: ...t1q tunnel 52 16 Current double tagged status of the system is Enabled The dot1q tunnel mode of the set interface 1 1 is Access mode TPID is 0x9100 The dot1q tunnel mode of the set interface 1 2 is Uplink mode TPID is 0x8100 The dot1q tunnel mode of the set interface 1 3 is Normal mode TPID is 0x8100 The dot1q tunnel mode of the set interface 1 4 is Normal mode TPID is 0x8100 The dot1q tunnel mode...

Page 185: ...nd from uplink ports Note that private VLANs and normal VLANs can exist simultaneously within the same switch Enabling Private VLANs Use the Private VLAN Status page to enable disable the Private VLAN function Web Click VLAN Private VLAN Status Select Enable or Disable from the scroll down box and click Apply Figure 3 80 Private VLAN Status CLI This example enables private VLANs Console config pvl...

Page 186: ...and port 5 and 6 as downlinks Protocol VLANs You can configure VLAN behavior to support multiple protocols to allow traffic to pass through different VLANS When a packet is received at a port its VLAN membership is determined by the protocol type of the packet Protocol VLAN Group Configuration Command Attributes Protocol Group ID Protocol Group ID assigned to the Protocol VLAN Group Range 1 214748...

Page 187: ...iguration Configuring Protocol VLAN Interfaces Use the Protocol VLAN Port Configuration menu to set the protocol VLAN settings per port Command Attributes Interface Port or Trunk identifier Protocol Group ID Protocol Group ID assigned to the Protocol VLAN Group Range 1 2147483647 VLAN ID VLAN to which matching protocol traffic is forwarded Range 1 4094 Web Click VLAN Protocol VLAN Port Configurat...

Page 188: ...rity and then sorted into the appropriate priority queue at the output port Command Usage This switch provides four priority queues for each port It uses Weighted Round Robin to prevent head of queue blockage The default priority applies for an untagged frame received on a port set to accept all frame types i e receives both untagged and tagged frames This priority does not apply to IEEE 802 1Q VL...

Page 189: ...ls are assigned according to recommendations in the IEEE 802 1p standard as shown in the following table Console config interface ethernet 1 3 4 116 Console config if switchport priority default 5 4 185 Console config if end Console show interfaces switchport ethernet 1 3 4 125 Information of Eth 1 3 Broadcast threshold Enabled 500 packets second LACP status Disabled Ingress rate limit enable K bi...

Page 190: ...Output queue buffer Range 0 3 where 3 is the highest CoS priority queue Web Click Priority Traffic Classes Select a port or trunk for the current mapping of CoS values to output queues to be displayed Assign priorities to the traffic classes i e output queues then click Apply Figure 3 85 Traffic Classes Table 3 12 CoS Priority Levels Priority Level Traffic Type 1 Background 2 Spare 0 default Best ...

Page 191: ...each queue that determines the percentage of service time the switch services each queue before moving on to the next queue This prevents the head of line blocking that can occur with strict priority queuing Command Attributes WRR Weighted Round Robin shares bandwidth at the egress ports by using scheduling weights 1 2 4 8 for queues 0 through 3 respectively This is the default selection Strict Se...

Page 192: ...and thereby to the corresponding traffic priorities This weight sets the frequency at which each queue will be polled for service and subsequently affects the response time for software applications assigned a specific priority value Command Attributes Interface Select port or trunk as an interface WRR Setting Table11 Displays a list of weights for each traffic class i e queue Weight Value Set a n...

Page 193: ...d the traffic then sent to the corresponding output queue Because different priority information may be contained in the traffic this switch maps priority values to the output queues in the following manner The precedence for priority mapping is IP Port Priority IP Precedence or DSCP Priority and then Default Port Priority IP Precedence and DSCP Priority cannot both be enabled Enabling one of thes...

Page 194: ... IP Precedence values are mapped one to one to Class of Service values i e Precedence value 0 maps to CoS value 0 and so forth Bits 6 and 7 are used for network control and the other bits for various application types ToS bits are defined in the following table Command Attributes IP Precedence Priority Table Shows the IP Precedence to CoS map Class of Service Value Maps a CoS value to the selected...

Page 195: ...n port 1 and then displays the IP Precedence settings Note Mapping specific values for IP Precedence is implemented as an interface configuration command but any changes will apply to all the interfaces on the switch Console config map ip precedence 4 204 Console config interface ethernet 1 1 4 131 Console config if map ip precedence 1 cos 0 4 206 Console config if end Console show map ip preceden...

Page 196: ...the DSCP values that are not specified are mapped to CoS value 0 Command Attributes DSCP Priority Table Shows the DSCP Priority to CoS map Class of Service Value Maps a CoS value to the selected DSCP Priority value Note that 0 represents low priority and 7 represents high priority Note IP DSCP settings apply to all interfaces Web Click Priority IP DSCP Priority Select an entry from the DSCP table e...

Page 197: ...FTP 21 Telnet 23 and POP3 110 Command Attributes IP Port Priority Status Enables or disables the IP port priority IP Port Priority Table Shows the IP port to CoS map IP Port Number TCP UDP Set a new IP port number Class of Service Value Sets a CoS value for a new IP port Note that 0 represents low priority and 7 represents high priority Web Click Priority IP Port Priority Status Set IP Port Priorit...

Page 198: ... configure Quality of Service QoS classification criteria and service policies Differentiated Services DiffServ provides policy based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per hop basis Each packet is classified upon entry into the network based on access lists IP Precedence DSCP values or VLAN lists Using access lists...

Page 199: ...unction cannot be enabled at the same time Thus if the user has already enabled the IP source guard function it needs to be disabled first in order for the QoS function to work and vice versa Configuring Quality of Service Parameters To create a service policy for a specific category of ingress traffic follow these steps 1 Use the Class Map to designate a class name for a specific category of traf...

Page 200: ... Class Opens the Class Configuration page Enter a class name and description on this page and click Add to open the Match Class Settings page Enter the criteria used to classify ingress traffic on this page Remove Class Removes the selected class Class Configuration Class Name Name of the class map Range 1 16 characters Type Only one match command is permitted per class map so the match any field ...

Page 201: ...ules to change the rules of an existing class Figure 3 94 Configuring Class Maps CLI This example creates a class map called rd class and sets it to match packets marked for DSCP service value 3 Console config class map rd_class match any 4 198 Console config cmap match ip dscp 3 4 199 Console config cmap ...

Page 202: ...L Also note that the maximum number of classes that can be applied to a policy map is 16 Policing is based on a token bucket where bucket depth i e the maximum burst before the bucket overflows is specified by the Burst field and the average rate at which tokens are removed from the bucket is specified by the Rate option After using the policy map to define packet classification service tagging and band...

Page 203: ...ap Action Configures the service provided to ingress traffic by setting a CoS DSCP or IP Precedence value in a matching packet as specified in Match Class Settings on 3 155 Range CoS 0 7 DSCP 0 63 IP Precedence 0 7 DSCP 0 63 Meter Check this to define the maximum throughput burst rate and the action that results from a policy violation Rate kbps Rate in kilobits per second Range 1 100000 kbps or m...

Page 204: ...ng Policy Maps CLI This example creates a policy map called rd policy sets the average bandwidth to 1 Mbps the burst rate to 1522 bps and the response to reduce the DSCP value for violating packets to 0 Console config policy map rd_policy 3 4 200 Console config pmap class rd_class 3 4 200 Console config pmap c set ip dscp 4 4 201 Console config pmap c police 100000 1522 exceed action set ip dscp ...

Page 205: ...o an egress queue Command Attributes Ports Specifies a port Ingress Applies the rule to ingress traffic Enabled Check this to enable a policy map on the specified port Policy Map Select the appropriate policy map from the scroll down box Web Click QoS DiffServ Service Policy Settings Check Enabled and choose a Policy Map for a port from the scroll down box then click Apply Figure 3 96 Service Poli...

Page 206: ...This procedure is called multicast filtering The purpose of IP multicast filtering is to optimize a switched network s performance so multicast packets will only be forwarded to those ports containing multicast group hosts or multicast routers switches instead of flooding traffic to all ports in the subnet VLAN Layer 2 IGMP Snooping and Query IGMP Snooping and Query If multicast routing is not sup...

Page 207: ...rotocol such as DVMRP or PIM to support IP multicasting across the Internet Command Attributes IGMP Status When enabled the switch will monitor network traffic to determine which hosts want to receive multicast traffic This is also referred to as IGMP Snooping Default Enabled Act as IGMP Querier When enabled the switch can serve as the Querier which is responsible for asking hosts if they want to ...

Page 208: ...try for that multicast group unless a multicast router was learned on the port IGMP immediate leave improves bandwidth management for all hosts in a switched network Console config ip igmp snooping 4 202 Console config ip igmp snooping querier 4 206 Console config ip igmp snooping query count 10 4 206 Console config ip igmp snooping query interval 100 4 207 Console config ip igmp snooping query ma...

Page 209: ...overed by the switch or statically assigned to an interface on the switch You can use the Multicast Router Port Information page to display the ports on this switch attached to a neighboring multicast router switch for each VLAN ID Command Attributes VLAN ID ID of configured VLAN 1 4094 Multicast Router List Multicast routers dynamically discovered by this switch or those that are statically assig...

Page 210: ...e if the IGMP querier is a known multicast router switch connected over the network to an interface port or trunk on your switch you can manually configure the interface and a specified VLAN to join all the current multicast groups supported by the attached router This can ensure that multicast traffic is passed to all the appropriate interfaces within the switch Command Attributes Interface Activ...

Page 211: ... within VLAN 1 Displaying Port Members of Multicast Services You can display the port members associated with a specified VLAN and multicast service Command Attributes VLAN ID Selects the VLAN for which to display port members Multicast IP Address The IP address for a specific multicast service Multicast Group Port List Shows the interfaces that have already been assigned to the selected VLAN to p...

Page 212: ...cations that require tighter control you may need to statically configure a multicast service on the switch First add all the ports attached to participating hosts to a common VLAN and then assign the multicast service to that VLAN group Command Usage Static multicast addresses are never aged out When a multicast address is assigned to an interface in a specific VLAN the corresponding traffic can ...

Page 213: ...ulticast groups a port can join IGMP filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port An IGMP filter profile can contain one or more or a range of multicast addresses but only one profile can be assigned to a port When enabled IGMP join reports received on the port are checked against the filter profile If a requeste...

Page 214: ...globally for the switch Default Disabled IGMP Profile Creates IGMP profile numbers Range 1 4294967295 Web Click IGMP Snooping IGMP Filter Configuration Create a profile number by entering the number in text box and clicking Add Enable the IGMP filter status then click Apply Figure 3 103 Enabling IGMP Filtering and Throttling CLI This example enables IGMP filtering and creates a profile number then...

Page 215: ...ons either deny or replace If the action is set to deny any new IGMP join reports will be dropped If the action is set to replace the switch randomly removes an existing group and replaces it with the new multicast group Command Attributes Profile Selects an existing profile number to assign to an interface Max Multicast Groups Sets the maximum number of multicast groups an interface can join at t...

Page 216: ...st groups to filter and set the access mode Command Usage Each profile has only one access mode either permit or deny When the access mode is set to permit IGMP join reports are processed when a multicast group falls within the controlled range When the access mode is set to Console config interface ethernet 1 1 Console config if ip igmp filter 19 4 223 Console config if ip igmp max groups 10 4 22...

Page 217: ...ticast group range by entering a start and end IP address Specify a single multicast group by entering the same IP address for the start and end of the range Click the Add button to add a range to the current list Current Multicast Address Range List Lists multicast groups currently included in the profile Select an entry and click the Remove button to delete it from the list Web Click IGMP Snoopi...

Page 218: ...n tree for a normal multicast VLAN This makes it possible to support common multicast services over a wide part of the network without having to use any multicast routing protocol MVR maintains the user isolation and data security provided by VLAN segregation by passing only multicast traffic into other VLANs to which the subscribers belong Even though common multicast streams are passed onto diff...

Page 219: ...g or disabling MVR for the switch selecting the VLAN that will serve as the sole channel for common multicast streams supported by the service provider and assigning the multicast group address for each of these services to the MVR VLAN Command Attributes MVR Status When MVR is enabled on the switch any multicast data associated with an MVR group is sent from all designated source ports and to all...

Page 220: ...he MVR VLAN Field Attributes Type Shows the MVR port type Oper Status Shows the link status MVR Status Shows the MVR status MVR status for source ports is ACTIVE if MVR is globally enabled on the switch MVR status for receiver ports is ACTIVE only if there are subscribers receiving multicast traffic from one of the MVR groups or a multicast group has been statically assigned to an interface Immedi...

Page 221: ...formation Figure 3 107 MVR Port Information CLI This example shows information about interfaces attached to the MVR VLAN Console show mvr interface 4 221 Port Type Status Immediate Leave eth1 1 SOURCE ACTIVE UP Disable eth1 2 RECEIVER ACTIVE UP Disable Console ...

Page 222: ...ded through the MVR VLAN Web Click MVR Group IP Information Figure 3 108 MVR Group IP Information CLI The following example shows information about the interfaces associated with multicast groups assigned to the MVR VLAN Console show mvr interface 4 221 MVR Group IP Status Members 225 0 0 1 ACTIVE eth1 1 d eth1 2 s 225 0 0 2 INACTIVE None 225 0 0 3 INACTIVE None 225 0 0 4 INACTIVE None 225 0 0 5 ...

Page 223: ...tified in the leave message When immediate leave is disabled the switch follows the standard rules by sending a group specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list Using immediate leave can speed up leave latency but should only be enabled on a port attached to...

Page 224: ...menu see Configuring Global MVR Settings on page 3 175 The IP address range from 224 0 0 0 to 239 255 255 255 is used for multicast streams MVR group addresses cannot fall within the reserved IP multicast address range of 224 0 0 x Command Attributes Interface Indicates a port or trunk Member Shows the IP addresses for MVR multicast groups which have been statically assigned to the selected interf...

Page 225: ...resolve host names into IP addresses by forwarding DNS queries to the switch and waiting for a response You can manually configure entries in the DNS table used for mapping domain names to IP addresses configure default domain names or specify one or more name servers to use for domain name to address translation Configuring General DNS Service Parameters Command Usage To enable DNS service on thi...

Page 226: ...n Lookup Status Enables DNS host name to address translation Default Domain Name14 Defines the default domain name appended to incomplete host names Range 1 64 alphanumeric characters Domain Name List Defines a list of domain names that can be appended to incomplete host names Range 1 64 alphanumeric characters 1 5 names Name Server List Specifies the address of one or more domain name servers to ...

Page 227: ...tatic table or via information returned from a name server a DNS client can try each address in succession until it establishes a connection with the target device Field Attributes Host Name Name of a host device that is mapped to one or more IP addresses Range 1 64 characters IP Address Internet address es associated with a host name Range 1 8 addresses Alias Displays the host names that are mapp...

Page 228: ...ply Figure 3 112 DNS Static Host Table CLI This example maps two addresses to a host name and then configures an alias host name for the same addresses Console config ip host rd5 192 168 1 55 10 1 0 55 4 233 Console config ip host rd6 10 1 0 55 Console show hosts 4 237 Hostname rd5 Inet address 10 1 0 55 192 168 1 55 Alias 1 rd6 Console ...

Page 229: ...ays 4 indicating a cache entry and therefore unreliable Type This field includes CNAME which specifies the canonical or primary name for the owner and ALIAS which specifies multiple domain names which are mapped to the same IP address as an existing entry IP The IP address associated with this record TTL The time to live reported by the name server Domain The domain name associated with this recor...

Page 230: ... If the received packet is a DHCP ACK message a dynamic DHCP snooping entry is also added to the binding table If DHCP snooping is enabled globally and also enabled on the VLAN where the DHCP packet is received but the port is not trusted it is processed as follows If the DHCP packet is a reply packet from a DHCP server including OFFER ACK or NAK messages the packet is dropped If the DHCP packet i...

Page 231: ...te that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server Also when the switch sends out DHCP client packets for itself no filtering takes place However when the switch receives any messages from a DHCP server any packets received from untrusted ports are dropped DHCP Snooping Configuration Command Attributes DHCP Snooping St...

Page 232: ...Option 82 it allows compatible DHCP servers to use the information when assigning IP addresses or to set other services or policies for clients When the DHCP Snooping Information Option is enabled clients can be identified by the switch port to which they are connected rather than just their MAC address DHCP client server exchange messages are then forwarded directly between the server and client ...

Page 233: ...b Click DHCP Snooping Information Option Configuration Figure 3 116 DHCP Snooping Information Option Configuration CLI This example enables DHCP Snooping Information Option and sets the policy as replace DHCP Snooping Port Configuration Configures switch ports as trusted or untrusted An untrusted interface is an interface that is configured to receive messages from outside the network or firewall ...

Page 234: ... binding information Command Attributes No Entry number for DHCP snooping binding information Unit Stack unit Port Port number VLAN ID ID of a configured VLAN Range 1 4094 MAC Address A valid unicast MAC address IP Address A valid unicast IP address IP Address Type Indicates an IPv4 address type Lease Time Seconds The time after which an entry is removed from the table Console config interface eth...

Page 235: ... QoS function cannot be enabled at the same time Thus if the user has already enabled the IP source guard function it needs to be disabled first in order for the QoS function to work and vice versa IP Source Guard Port Configuration IP Source Guard is used to filter traffic on an unsecure port which receives messages from outside the network or firewall and therefore may be subject to traffic atta...

Page 236: ...3 119 IP Source Guard Port Configuration CLI This example shows how to enable IP source guard on port 5 Static IP Source Guard Binding Configuration Adds static addresses to the source guard binding table Table entries include a MAC address IP address lease time entry type Static Dynamic VLAN identifier and port identifier All static entries are configured with an infinite lease time which is in...

Page 237: ... This example shows how to configure a static source guard binding on port 5 Dynamic IP Source Guard Binding Information Displays the source guard binding table for a selected interface Command Attributes Query by Select an interface to display the source guard binding Options Port VLAN MAC Address or IP Address Dynamic Binding Table Counts Displays the number of IP addresses in the source guard b...

Page 238: ...witch type as long as they are connected to the same local network A switch cluster has a Commander unit that is used to manage all other Member switches in the cluster The management station can use both the web interface and Telnet to communicate directly with the Commander through its IP address and the Commander manages Member switches using cluster internal IP addresses There can be up to 1...

Page 239: ...e network IP subnet Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander Command Attributes Cluster Status Enables or disables clustering on the switch Cluster Commander Enables or disables the switch as a cluster Commander Role Indicates the current role of the switch in the cluster either Commander Member ...

Page 240: ...l Cluster Member Configuration Adds Candidate switches to the cluster as Members Command Attributes Member ID Specify a Member ID number for the selected Candidate switch Range 1 16 MAC Address Select a discovered switch MAC address from the Candidate Table or enter a specific MAC address of a known switch Console config cluster 4 238 Console config cluster commander 4 239 Console config cluster ip...

Page 241: ...ormation Command Attributes Member ID The ID number of the Member switch Range 1 16 Role Indicates the current status of the switch in the cluster IP Address The internal cluster IP address assigned to the Member switch MAC Address The MAC address of the Member switch Description The system description string of the Member switch Web Click Cluster Member Information Figure 3 125 Cluster Member Inf...

Page 242: ...scription The system description string of the Candidate switch Web Click Cluster Candidate Information Figure 3 126 Cluster Candidate Information CLI This example shows information about cluster Candidate switches Vty 0 sh cluster members 4 241 Cluster Members ID 1 Role Active member IP Address 10 254 254 2 MAC Address 00 12 cf 23 49 c0 Description TigerSwitch 10 100 1000 SPORT MANAGE Vty 0 Vty 0...

Page 243: ...console prompt enter the user name and password The default user names are admin and guest with corresponding passwords of admin and guest When the administrator user name and password is entered the CLI displays the Console prompt and enters privileged access mode i e Privileged Exec But when the guest user name and password is entered the CLI displays the Console prompt and enters normal access ...

Page 244: ...ated network then you can use any IP address that matches the network segment to which you are attached After you configure the switch with an IP address you can open a Telnet session by performing these steps 1 From the remote host enter the Telnet command and the IP address of the device you want to access 2 At the prompt enter the user name and system password The CLI will display the Vty n pro...

Page 245: ...how startup config To enter commands that require parameters enter the required parameters after the command keyword For example to set a password for the administrator enter Console config username admin password 0 smith Minimum Abbreviation The CLI will accept a minimum number of characters that uniquely identify a command For example the command configure can be entered as con If an entry is am...

Page 246: ...tion lacp LACP statistics line TTY line information log Login records logging Login setting mac address table Configuration of the address table management Management IP filter map Maps priority port Port characteristics public key Public key information queue Priority queue information radius server RADIUS server information running config Information on the running configuration snmp Simple Netw...

Page 247: ...ntered You can scroll back through the history of commands by pressing the up arrow key Any command displayed in the history list can be executed again or first modified and then executed Using the show history command displays a longer list of recently executed commands Understanding Command Modes The command set is divided into Exec and Configuration classes Exec commands generally display infor...

Page 248: ...ing the enable command followed by the privileged level password super page 4 26 To enter Privileged Exec mode enter the following user names and passwords Table 4 1 Command Modes Class Mode Exec Normal Privileged Configuration Global Access Control List Class Map Interface Line Multiple Spanning Tree Policy Map VLAN Database You must be in Privileged Exec mode to access the Global configuration m...

Page 249: ...obal Configuration mode enter the command configure in Privileged Exec mode The system prompt will change to Console config which gives you access privilege to all Global Configuration commands To enter the other modes at the configuration prompt type one of the following commands Use the exit or end command to return to the Privileged Exec mode For example you can use the following commands to en...

Page 250: ... line Ctrl B Shifts cursor to the left one character Ctrl C Terminates the current task and displays the command prompt Ctrl E Shifts cursor to end of command line Ctrl F Shifts cursor to the right one character Ctrl K Deletes all characters from the cursor to the end of the line Ctrl L Repeats current command line on a new line Ctrl N Enters the next command line in the history buffer Ctrl P Ente...

Page 251: ...irrors data to another port for analysis without affecting the data passing through or the performance of the monitored port 4 127 Rate Limiting Controls the maximum rate for traffic transmitted or received on a port 4 129 Link Aggregation Statically groups multiple ports into a single logical trunk configures Link Aggregation Control Protocol for port trunks 4 130 Address Table Configures the add...

Page 252: ... login LC 4 11 password Specifies a password on a line LC 4 12 timeout login response Sets the interval that the system waits for a user to log into the CLI LC 4 13 exec timeout Sets the interval that the command interpreter waits until user input is detected LC 4 13 password thresh Sets the password intrusion threshold which limits the number of failed logon attempts LC 4 14 silent time Sets the ...

Page 253: ...erial communication parameters e g databits do not affect Telnet connections Example To enter console line mode enter the following command Related Commands show line 4 18 show users 4 61 login This command enables password checking at login Use the no form to disable password checking and allow connections without a password Syntax login local no login local Selects local password checking Authen...

Page 254: ...rvers Example Related Commands username 4 25 password 4 12 password This command specifies the password for a line Use the no form to remove the password Syntax password 0 7 password no password 0 7 0 means plain password 7 means encrypted password password Character string that specifies the line password Maximum length 8 characters plain text 32 encrypted case sensitive Default Setting No passwo...

Page 255: ...bled 0 seconds Telnet 600 seconds Command Mode Line Configuration Command Usage If a login attempt is not detected within the timeout interval the connection is terminated for the session This command applies to both the local console and Telnet connections The timeout for Telnet cannot be disabled Using the command without specifying a timeout restores the default setting Example To set the timeo...

Page 256: ...r Telnet cannot be disabled Using the command without specifying a timeout restores the default setting Example To set the timeout to two minutes enter this command Related Commands silent time 4 15 timeout login response 4 13 password thresh This command sets the password intrusion threshold which limits the number of failed logon attempts Use the no form to remove the threshold value Syntax pass...

Page 257: ...gement console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password thresh command Use the no form to remove the silent time value Syntax silent time seconds no silent time seconds The number of seconds to disable console response Range 0 65535 0 no silent time Default Setting The default value is no silent time Command Mode Line Configuration E...

Page 258: ...r character If no parity is required specify 8 data bits per character Example To specify 7 data bits enter this command Related Commands parity 4 16 parity This command defines the generation of a parity bit Use the no form to restore the default setting Syntax parity none even odd no parity none No parity even Even parity odd Odd parity Default Setting No parity Command Mode Line Configuration C...

Page 259: ...sage Set the speed to match the baud rate of the device connected to the serial port Some baud rates available on devices connected to the port might not be supported The system indicates if the speed you selected is not supported Example To specify 57600 bps enter this command stopbits This command sets the number of the stop bits transmitted per byte Use the no form to restore the default settin...

Page 260: ...ifier 0 will disconnect the console connection Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection Example Related Commands show ssh 4 40 show users 4 61 show line This command displays the terminal line s parameters Syntax show line console vty console Console terminal line vty Virtual terminal for remote console access i e Telnet Default Setting Sho...

Page 261: ...isabled Login timeout Disabled Silent time Disabled Baudrate 9600 Databits 8 Parity none Stopbits 1 VTY configuration Password threshold 3 times Interactive timeout 600 sec Login timeout 300 sec console Table 4 6 General Commands Command Function Mode Page enable Activates privileged mode NE 4 19 disable Returns to normal mode from privileged mode PE 4 20 configure Activates global configuration m...

Page 262: ...4 20 enable password 4 26 disable This command returns to Normal Exec mode from privileged mode In normal access mode you can only display basic information on the switch s configuration or Ethernet statistics To gain access to all commands you must use the privileged mode See Understanding Command Modes on page 4 5 Default Setting None Command Mode Privileged Exec Command Usage The character is a...

Page 263: ...ne Command Mode Privileged Exec Example Related Commands end 4 22 show history This command shows the contents of the command history buffer Default Setting None Command Mode Normal Exec Privileged Exec Command Usage The history buffer size is fixed at 10 Execution commands and 10 Configuration commands Example In this example the show history command lists the contents of the command history buff...

Page 264: ...so retain all configuration information stored in non volatile memory by the copy running config startup config command Default Setting None Command Mode Privileged Exec Command Usage This command resets the entire system Example This example shows how to reset the switch end This command returns to Privileged Exec mode Default Setting None Command Mode Global Configuration Interface Configuration...

Page 265: ...on mode and then quit the CLI session quit This command exits the configuration program Default Setting None Command Mode Normal Exec Privileged Exec Command Usage The quit and exit commands can both exit the configuration program Example This example shows how to quit a CLI session Console config exit Console exit Press ENTER to start session User Access Verification Username Console quit Press E...

Page 266: ... basic user names and passwords for management access 4 25 IP Filter Configures IP addresses that are allowed management access 4 27 Web Server Enables management access via a web browser 4 29 Telnet Server Enables management access via Telnet 4 32 Secure Shell Provides secure replacement for Telnet 4 33 Event Logging Controls logging of error messages 4 43 Time System Clock Sets the system clock ...

Page 267: ...ication via a remote authentication server page 4 70 and host access authentication for specific ports page 4 81 username This command adds named users requires authentication at login specifies or changes a user s password or specifies that no password is required or specifies or changes a user s access level Use the no form to remove a user name Syntax username name access level level nopassword p...

Page 268: ...r encrypted when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server There is no need for you to manually configure encrypted passwords Example This example shows how to set the access level and password for a user enable password After initially logging onto the system you should set the Privileged Exec password Remember to record it i...

Page 269: ...no need for you to manually configure encrypted passwords Example Related Commands enable 4 19 authentication enable 4 72 IP Filter Commands management This command specifies the client IP addresses that are allowed management access to the switch through various protocols Use the no form to restore the default setting Syntax no management all client http client snmp client telnet client start add...

Page 270: ...n entering addresses for different groups the switch will accept overlapping address ranges You cannot delete an individual address from a specified range You must delete the entire range and reenter the addresses You can delete an address range just by specifying the start address or by specifying both the start address and end address Example This example restricts management access to the indic...

Page 271: ...ress End IP address 1 192 168 1 19 192 168 1 19 2 192 168 1 25 192 168 1 30 SNMP Client Start IP address End IP address 1 192 168 1 19 192 168 1 19 2 192 168 1 25 192 168 1 30 TELNET Client Start IP address End IP address 1 192 168 1 19 192 168 1 19 2 192 168 1 25 192 168 1 30 Console Table 4 12 Web Server Commands Command Function Mode Page ip http port Specifies the port to be used by the web br...

Page 272: ...TPS over the Secure Socket Layer SSL providing secure access i e an encrypted connection to the switch s web interface Use the no form to disable this function Syntax no ip http secure server Default Setting Enabled Command Mode Global Configuration Command Usage Both HTTP and HTTPS service can be enabled independently on the switch However you cannot configure the HTTP and HTTPS servers to use th...

Page 273: ... on page 3 53 Also refer to the copy command on page 4 64 Example Related Commands ip http secure port 4 31 copy tftp https certificate 4 64 ip http secure port This command specifies the UDP port number used for HTTPS connection to the switch s web interface Use the no form to restore the default port Syntax ip http secure port port_number no ip http secure port port_number The UDP port used for ...

Page 274: ...o use the default port Syntax ip telnet port port number no ip telnet port port number The TCP port to be used by the browser interface Range 1 65535 Default Setting 23 Command Mode Global Configuration Example Related Commands ip telnet server 4 33 Console config ip http secure port 1000 Console config Table 4 14 Telnet Server Commands Command Function Mode Page ip telnet port Specifies the port ...

Page 275: ... a secure replacement for Telnet When a client contacts the switch via the SSH protocol the switch uses a public key that the client must match along with a local user name and password for access authentication SSH also encrypts all data transfers passing between the switch and SSH enabled management station clients and ensures that data traveling over the network arrives unaltered This section d...

Page 276: ... 3 Import Client s Public Key to the Switch Use the copy tftp public key command to copy a file containing the public key for...

Page 277: ...in access The following exchanges take place during this process a The client sends its public key to the switch b The switch compares the client s public key to those stored in memory c If a match is found the switch uses the public key to encrypt a random sequence of bytes and sends this string to the client d The client uses its private key to decrypt the bytes and sends the decrypted bytes bac...

Page 278: ...the default setting Syntax ip ssh timeout seconds no ip ssh timeout seconds The timeout for client response during SSH negotiation Range 1 120 Default Setting 10 seconds Command Mode Global Configuration Command Usage The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase Once an SSH session has been established the timeout for user ...

Page 279: ...figuration Example Related Commands show ip ssh 4 40 ip ssh server key size This command sets the SSH server key size Use the no form to restore the default setting Syntax ip ssh server key size key size no ip ssh server key size key size The size of server key Range 512 896 bits Default Setting 768 bits Command Mode Global Configuration Command Usage The server key is a private key that is never ...

Page 280: ... rsa RSA Version 1 key type Default Setting Generates both the DSA and RSA key pairs Command Mode Privileged Exec Command Usage This command stores the host key pair in memory i e RAM Use the ip ssh save host key command to save the host key pair to flash memory Some SSH client programs automatically add the public key to the known hosts file as part of the configuration process Otherwise you must...

Page 281: ...rs the host key from volatile memory RAM Use the no ip ssh save host key command to clear the host key from flash memory The SSH server must be disabled before you can execute this command Example Related Commands ip ssh crypto host key generate 4 38 ip ssh save host key 4 39 no ip ssh server 4 35 ip ssh save host key This command saves the host key from RAM to flash memory Syntax ip ssh save host key...

Page 282: ...ey dsa Console Console show ip ssh SSH Enabled version 1 99 Negotiation timeout 120 secs Authentication retries 3 Server key size 768 bits Console Console show ssh Connection Version State Username Encryption 0 2 0 Session Started admin ctos aes128 cbc hmac md5 stoc aes128 cbc hmac md5 Console Table 4 16 show ssh display description Field Description Session The session number Range 0 3 Version Th...

Page 283: ...used by SSH is based on the Digital Signature Standard DSS and the last string is the encoded modulus Encryption The encryption method is automatically negotiated between the client and server Options for SSHv1 5 include DES 3DES Options for SSHv2 0 can include different algorithms for the client to server ctos and server to client stoc aes128 cbc hmac sha1 aes192 cbc hmac sha1 aes256 cbc hmac sha...

Page 285: ...istory 4 44 clear logging 4 46 Table 4 17 Event Logging Commands Command Function Mode Page logging on Controls logging of error messages GC 4 43 logging history Limits syslog messages saved to switch memory based on severity GC 4 44 logging host Adds a syslog server host IP address that will receive logging messages GC 4 45 logging facility Sets the facility type for remote logging of syslog mess...

Page 286: ...Mode Global Configuration Command Usage The message level specified for flash memory must be a higher priority i e numerically lower than that specified for RAM Example Table 4 18 Logging Levels Level Severity Name Description 7 debugging Debugging messages 6 informational Informational messages only 5 notifications Normal but significant condition such as cold start 4 warnings Warning conditions ...

Page 287: ...sets the facility type for remote logging of syslog messages Use the no form to return the type to the default Syntax no logging facility type type A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service Range 16 23 Default Setting 23 Command Mode Global Configuration Command Usage The command specifies the facility type tag sent in syslog ...

Page 288: ...g Enabled Level 6 0 Command Mode Global Configuration Command Usage Using this command with a specified level enables remote logging and sets the minimum severity level to be saved Using this command without a specified level also enables remote logging but restores the minimum severity level to the default Example clear logging This command clears messages from the log buffer Syntax clear logging...

Page 289: ... Default Setting None Command Mode Privileged Exec Example The following example shows that system logging is enabled the message level for flash memory is errors i e default level 3 0 the message level for RAM is informational i e default level 6 0 Console show logging flash Syslog logging Enabled History logging in FLASH level errors Console show logging ram Syslog logging Enabled History loggin...

Page 290: ...how logging trap Syslog logging Enable REMOTELOG status disable REMOTELOG facility type local use 7 REMOTELOG level type Debugging messages REMOTELOG server IP address 1 2 3 4 REMOTELOG server IP address 0 0 0 0 REMOTELOG server IP address 0 0 0 0 REMOTELOG server IP address 0 0 0 0 REMOTELOG server IP address 0 0 0 0 Console Table 4 20 show logging trap display description Field Description Syslo...

Page 291: ...01 01 STA root change notification level 6 module 6 function 1 and event no 1 3 00 00 54 2001 01 01 STA root change notification level 6 module 6 function 1 and event no 1 2 00 00 50 2001 01 01 STA topology change notification level 6 module 6 function 1 and event no 1 1 00 00 48 2001 01 01 VLAN 1 link up notification level 6 module 6 function 1 and event no 1 Console Table 4 21 SMTP Alert Command...

Page 292: ...e process at a periodic interval A trap will be triggered if the switch cannot successfully open a connection Example logging sendmail level This command sets the severity threshold used to trigger alert messages Syntax logging sendmail level level level One of the system message levels page 4 44 Messages sent include the selected level down to level 0 Range 0 7 Default 7 Default Setting Level 7 C...

Page 293: ...or the switch Example This example will set the source email john acme com logging sendmail destination email This command specifies the email recipients of alert messages Use the no form to remove a recipient Syntax no logging sendmail destination email email address email address The source email address used in alert messages Range 1 41 characters Default Setting None Command Mode Global Config...

Page 294: ...figuration Example show logging sendmail This command displays the settings for the SMTP event handler Command Mode Normal Exec Privileged Exec Example Console config logging sendmail Console config Console show logging sendmail SMTP servers 1 192 168 1 200 SMTP minimum severity level 4 SMTP destination email addresses 1 geoff acme com SMTP source email address john acme com SMTP status Enabled Co...

Page 295: ...rom time servers is used to record accurate dates and times for log events Without SNTP the switch only records the time starting from the factory default set at the last bootup i e 00 00 00 Jan 1 2001 This command enables client time requests to time servers specified via the sntp servers command It issues time synchronization requests based on the interval set via the sntp poll command Table 4 2...

Page 296: ... time servers from which the switch will poll for time updates when set to SNTP client mode The client will poll the time servers in the order specified until a response is received It issues time synchronization requests based on the interval set via the sntp poll command Example Related Commands sntp client 4 53 sntp poll 4 55 show sntp 4 55 Console config sntp server 10 1 0 19 Console config sn...

Page 297: ... sntp This command displays the current time and configuration settings for the SNTP client and indicates whether or not the local time has been properly updated Command Mode Normal Exec Privileged Exec Command Usage This command displays the current time the poll interval used for sending time synchronization requests and the current SNTP mode i e unicast Example Console config sntp poll 60 Conso...

Page 298: ...eenwich Mean Time or GMT based on the earth s prime meridian zero degrees longitude To display a time corresponding to your local time you must indicate the number of hours and minutes your time zone is east before or west after of UTC Example Related Commands show sntp 4 55 calendar set This command sets the system clock It may be used if there is no time server on your network or if you have not...

Page 299: ... None Command Mode Privileged Exec Console calendar set 15 12 34 1 April 2004 Console Console show calendar 15 12 43 April 1 2004 Console Table 4 23 System Status Commands Command Function Mode Page show startup config Displays the contents of the configuration file stored in flash memory that is used to start up the system PE 4 57 show running config Displays the configuration data currently in u...

Page 300: ...onfiguration settings for each interface IP address configured for the switch Spanning tree settings Any configured settings for the console port and Telnet Example Console show startup config building startup config please wait username admin access level 15 username admin password 0 admin username guest access level 0 username guest password 0 guest enable password level 15 0 super snmp server c...

Page 301: ...ory This command displays settings for key command modes Each mode group is separated by symbols and includes the configuration mode command and corresponding commands This command displays the following information MAC address for each switch in the stack SNTP server settings Local time zone SNMP community strings Users names access levels and encrypted passwords Event log settings VLAN database ...

Page 302: ...server community private rw SNMP server community public ro username admin access level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca logging history ram 6 logging history flash 3 vlan database vlan 1 name DefaultVlan media ethernet st...

Page 303: ...IP address of Telnet client Default Setting None Command Mode Normal Exec Privileged Exec Console show system System Description TigerSwitch 10 100 1000 26 50 PORT MANAGED SWITCH System OID String 1 3 6 1 4 1 202 20 68 System Information System Up Time 0 days 0 hours 1 minutes and 32 18 seconds System Name NONE System Location NONE System Contact NONE MAC Address Unit1 00 00 35 28 10 03 Web Server...

Page 304: ...d Exec Command Usage See Displaying Switch Hardware Software Versions on page 3 11 for detailed information on the items displayed by this command Console show users Username accounts Username Privilege Public Key admin 15 None guest 0 None steve 15 RSA Online users Line Username Idle time h m s Remote IP addr 0 console admin 0 14 14 1 VTY 0 admin 0 00 00 192 168 1 19 2 SSH 1 steve 0 00 06 192 168...

Page 305: ...the source and destination end nodes such as a computer or server must support this feature Also when the connection is operating at full duplex all switches in the network between the two end nodes must be able to accept the extended frame size And for half duplex connections all devices in the collision domain would need to support jumbo frames Console show version Unit1 Serial number S416000937...

Page 306: ...e quality of the network connection Syntax copy file file running config startup config tftp unit copy running config file startup config tftp copy startup config file running config tftp copy tftp file running config startup config https certificate public key copy unit file file Keyword that allows you to copy to from a file running config Keyword that allows you to copy to from the current runn...

Page 307: ...only two operation code files The maximum number of user defined configuration files depends on available memory You can use Factory_Default_Config cfg as the source to copy from the factory default configuration file but you cannot use it as the destination To replace the startup configuration you must use startup config as the destination Use the copy file unit command to copy a local file to an...

Page 308: ...ce file name startup TFTP server ip address 10 1 0 99 Destination file name startup 01 TFTP completed Success Console Console copy running config file destination file name startup Write to FLASH Programming Write to FLASH finish Success Console Console copy tftp startup config TFTP server ip address 10 1 0 99 Source configuration file name startup 01 Startup configuration file name startup Write ...

Page 309: ...ivileged Exec Command Usage If the file type is used for system startup then this file cannot be deleted Factory_Default_Config cfg cannot be deleted A colon is required after the specified unit number Example This example shows how to delete the test2 cfg configuration file from flash memory for unit 1 Related Commands dir 4 68 delete public key 4 38 Console copy tftp public key TFTP server IP ad...

Page 310: ...ommand dir without any parameters the system displays all files A colon is required after the specified unit number File information is shown below Example The following example shows how to display all file information Table 4 26 File Directory Information Column Heading Description file name The name of the file file type File types Boot Rom Operation Code and Config file startup Shows if this f...

Page 311: ...tem This command specifies the image used to start up the system Syntax boot system unit boot rom config opcode filename The type of file or image to set as a default includes boot rom Boot ROM config Configuration file opcode Run time operation code filename Name of the configuration file or code image unit Specifies the unit number Always unit 1 The colon is required Default Setting None Command...

Page 312: ...t system config startup Console config Table 4 27 Authentication Commands Command Group Function Page Authentication Sequence Defines logon authentication method and precedence 4 70 RADIUS Client Configures settings for authentication via a RADIUS server 4 73 TACACS Client Configures settings for authentication via a TACACS server 4 77 Port Security Configures secure addresses for a port 4 79 Port...

Page 313: ...he server while TACACS encrypts the entire body of the packet RADIUS and TACACS logon authentication assigns a specific privilege level for each user name and password pair The user name password and privilege level must be configured on the authentication server You can specify three authentication methods in a single command to indicate the authentication sequence For example if you enter authen...

Page 314: ...and mode to Privileged Exec command mode with the enable command see page 4 19 Use the no form to restore the default Syntax authentication enable local radius tacacs no authentication enable local Use local password only radius Use RADIUS server password only tacacs Use TACACS server password Default Setting Local Command Mode Global Configuration ...

Page 315: ... If the TACACS server is not available the local user name and password is checked Example Related Commands enable password sets the password for changing command modes 4 26 RADIUS Client Remote Authentication Dial in User Service RADIUS is a logon authentication protocol that uses software running on a central server to control access to RADIUS aware devices on the network An authentication serve...

Page 316: ...ssages Range 1 65535 timeout Number of seconds the switch waits for a reply before resending a request Range 1 65535 retransmit Number of times the switch will try to authenticate logon access via the RADIUS server Range 1 30 key Encryption key used to authenticate logon access for client Do not use blank spaces in the string Maximum length 20 characters Default Setting auth port 1812 timeout 5 se...

Page 317: ... Setting None Command Mode Global Configuration Example radius server retransmit This command sets the number of retries Use the no form to restore the default Syntax radius server retransmit number_of_retries no radius server retransmit number_of_retries Number of times the switch will try to authenticate logon access via the RADIUS server Range 1 30 Default Setting 2 Command Mode Global Configur...

Page 318: ...ult Setting 5 Command Mode Global Configuration Example show radius server This command displays the current settings for the RADIUS server Default Setting None Command Mode Privileged Exec Example Console config radius server timeout 10 Console config Console show radius server Remote RADIUS server configuration Global settings Communication key with RADIUS server Server port number 1812 Retransm...

Page 319: ... tacacs server host host_ip_address IP address of a TACACS server Default Setting 10 11 12 13 Command Mode Global Configuration Example tacacs server port This command specifies the TACACS server network port Use the no form to restore the default Syntax tacacs server port port_number no tacacs server port port_number TACACS server TCP port used for authentication messages Range 1 65535 Default Se...

Page 320: ...k spaces in the string Maximum length 20 characters Default Setting None Command Mode Global Configuration Example show tacacs server This command displays the current settings for the TACACS server Default Setting None Command Mode Privileged Exec Example Console config tacacs server port 181 Console config Console config tacacs server key green Console config Console show tacacs server Remote TA...

Page 321: ...e the no form without any keywords to disable port security Use the no form with the appropriate keyword to restore the default settings for a response to security violation or for the maximum number of allowed addresses Syntax port security action shutdown trap trap and shutdown max mac count address count no port security action max mac count action Response to take when port security is violate...

Page 322: ...set the maximum number of addresses to the default You can also manually add secure addresses with the mac address table static command A secure port has the following restrictions Cannot use port monitoring Cannot be a multi VLAN port Cannot be connected to a network interconnection device Cannot be a trunk port If a port is disabled due to a security violation it must be manually re enabled usin...

Page 323: ...2 dot1x max req Sets the maximum number of times that the switch retransmits an EAP request identity packet to the client before it times out the authentication session IC 4 82 dot1x port control Sets dot1x mode for a port interface IC 4 82 dot1x operation mode Allows single or multiple hosts on a dot1x port IC 4 83 dot1x re authenticate Forces re authentication on specific ports PE 4 84 dot1x re...

Page 324: ...nd Mode Interface Configuration Example dot1x port control This command sets the dot1x mode on a port interface Use the no form to restore the default Syntax dot1x port control auto force authorized force unauthorized no dot1x port control auto Requires a dot1x aware connected client to be authorized by the RADIUS server Clients that are not dot1x aware will be denied access force authorized Confi...

Page 325: ... Keyword for the maximum number of hosts count The maximum number of hosts that can connect to a port Range 1 1024 Default 5 Default Single host Command Mode Interface Configuration Command Usage The max count parameter specified by this command is only effective if the dot1x mode is set to auto by the dot1x port control command page 4 82 In multi host mode only one host connected to a port needs ...

Page 326: ...e the no form to disable re authentication Syntax no dot1x re authentication Command Mode Interface Configuration Example dot1x timeout quiet period This command sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client Use the no form to reset the default Syntax dot1x timeout quiet period seconds no dot1x timeout quiet period se...

Page 327: ...ple dot1x timeout tx period This command sets the time that an interface on the switch waits during an authentication session before re transmitting an EAP packet Use the no form to reset to the default value Syntax dot1x timeout tx period seconds no dot1x timeout tx period seconds The number of seconds Range 1 65535 Default 30 seconds Command Mode Interface Configuration Console config interface ...

Page 328: ...sage This command displays the following information Global 802 1X Parameters Shows whether or not 802 1X port authentication is globally enabled on the switch 802 1X Port Summary Displays the port access control parameters for each interface including the following items Status Administrative state for port access control Operation Mode Dot1x port control operation mode page 4 83 Mode Dot1x port ...

Page 329: ...gle or multiple hosts clients can connect to an 802 1X authorized port Max Count The maximum number of hosts allowed to access this port page 4 83 Port control Shows the dot1x mode on a port as auto force authorized or force unauthorized page 4 82 Supplicant MAC address of authorized client Current Identifier The integer 0 255 used by the Authenticator to identify the current authentication sessio...

Page 330: ...s disabled on port 1 1 802 1X is enabled on port 1 2 reauth enabled Enable reauth period 1800 quiet period 30 tx period 40 supplicant timeout 30 server timeout 10 reauth max 2 max req 5 Status Authorized Operation mode Single Host Max count 5 Port control Auto Supplicant 00 12 cf 49 5e dc Current Identifier 3 Authenticator State Machine State Authenticated Reauth Count 0 Backend State Machine Stat...

Page 331: ...ed on the source IP address Extended IP ACL mode EXT ACL filters packets based on source or destination IP address as well as protocol type and protocol port number The following restrictions apply to ACLs Each ACL can have up to 96 rules However due to resource restrictions the average number of rules bound to the ports should not exceed 20 This switch supports ACLs for ingress filtering only You ca...

Page 332: ...ny command to add new rules to the bottom of the list To create an ACL you must add at least one rule to the list To remove a rule use the no permit or no deny command followed by the exact text of a previously configured rule An ACL can contain up to 96 rules Example Table 4 34 IP ACLs Command Function Mode Page access list ip Creates an IP ACL and enters configuration mode GC 4 90 permit deny Fi...

Page 333: ...ontaining four integers from 0 to 255 each separated by a period The binary mask uses 1 bits to indicate match and 0 bits to indicate ignore The bitmask is bitwise ANDed with the specified source IP address and then compared with the address for each IP packet entering the port s to which this ACL has been assigned Example This example configures one permit rule for the specific address 10 1 1 21 ...

Page 334: ...5 end Upper bound of the protocol port range Range 0 65535 Default Setting None Command Mode Extended ACL Command Usage All new rules are appended to the end of the list Address bitmasks are similar to a subnet mask containing four integers from 0 to 255 each separated by a period The binary mask uses 1 bits to indicate match and 0 bits to indicate ignore The bitmask is bitwise ANDed with the spec...

Page 335: ...ngth 16 characters Command Mode Privileged Exec Example Related Commands permit deny 4 91 ip access group 4 93 ip access group This command binds a port to an IP ACL Use the no form to remove the port Syntax no ip access group acl_name in acl_name Name of the ACL Maximum length 16 characters in Indicates that this list applies to ingress packets Default Setting None Command Mode Interface Configur...

Page 336: ...re a mask for an ACL rule before you can bind it to a port Example Related Commands show ip access list 4 93 show ip access group This command shows the ports assigned to IP ACLs Command Mode Privileged Exec Example Related Commands ip access group 4 93 Console config int eth 1 25 Console config if ip access group david in Console config if Console show ip access group Interface ethernet 1 25 IP a...

Page 337: ...the permit or deny command to add new rules to the bottom of the list To create an ACL you must add at least one rule to the list To remove a rule use the no permit or no deny command followed by the exact text of a previously configured rule An ACL can contain up to 32 rules Example Related Commands permit deny 4 96 mac access group 4 98 show mac access list 4 97 Table 4 35 MAC ACL Commands Comma...

Page 338: ...ination address bitmask ethertype protocol protocol bitmask no permit deny tagged 802 3 any host source source address bitmask any host destination destination address bitmask vid vid vid bitmask no permit deny untagged 802 3 any host source source address bitmask any host destination destination address bitmask tagged eth2 Tagged Ethernet II packets untagged eth2 Untagged Ethernet II packets tagg...

Page 339: ...rom any source MAC address to the destination address 00 e0 29 94 34 de where the Ethernet type is 0800 Related Commands access list mac 4 95 show mac access list This command displays the rules for configured MAC ACLs Syntax show mac access list acl_name acl_name Name of the ACL Maximum length 16 characters Command Mode Privileged Exec Example Related Commands permit deny 4 96 mac access group 4 ...

Page 340: ... A port can only be bound to one ACL If a port is already bound to an ACL and you bind it to a different ACL the switch will replace the old binding with the new one Example Related Commands show mac access list 4 97 show mac access group This command shows the ports assigned to MAC ACLs Command Mode Privileged Exec Example Related Commands mac access group 4 98 Console config interface ethernet 1...

Page 341: ...ble 4 36 ACL Information Command Function Mode Page show access list Show all ACLs and associated rules PE 4 99 show access group Shows the ACLs assigned to each port PE 4 99 Console show access list IP standard access list david permit host 10 1 1 21 permit 168 92 16 0 255 255 240 0 IP extended access list bob permit 10 7 1 1 255 255 255 0 any permit 192 168 1 0 255 255 255 0 any destination port...

Page 342: ...ds Command Function Mode Page snmp server Enables the SNMP agent GC 4 101 show snmp Displays the status of SNMP communications NE PE 4 101 snmp server community Sets up the community access string to permit access to SNMP commands GC 4 102 snmp server contact Sets the system contact string GC 4 103 snmp server location Sets the system location string GC 4 103 snmp server host Specifies the recipie...

Page 343: ...onfiguration Example show snmp This command can be used to check the status of SNMP communications Default Setting None Command Mode Normal Exec Privileged Exec Command Usage This command provides information on the community access strings counter information for SNMP input and output protocol data units and whether or not SNMP logging has been enabled with the snmp server enable traps command Co...

Page 344: ...ent stations are able to both retrieve and modify MIB objects Default Setting public Read only access Authorized management stations are only able to retrieve MIB objects Console show snmp SNMP Agent enabled SNMP traps Authentication enable Link up down enable SNMP communities 1 private and the privilege is read write 2 public and the privilege is read only 0 SNMP packets input 0 Bad SNMP version ...

Page 345: ...hat describes the system contact information Maximum length 255 characters Default Setting None Command Mode Global Configuration Example Related Commands snmp server location 4 103 snmp server location This command sets the system location string Use the no form to remove the location string Syntax snmp server location text no snmp server location text String that describes the system location Ma...

Page 346: ...e 0 255 Default 3 seconds The number of seconds to wait for an acknowledgment before resending an inform message Range 0 2147483647 centiseconds Default 1500 centiseconds community string Password like community string sent with the notification operation to SNMP V1 and V2c hosts Although you can set this string using the snmp server host command by itself we recommend that you define this string ...

Page 347: ...ure that critical information is received by the host However note that informs consume more system resources because they must be kept in memory until a response is received Informs also add to network traffic You should consider these effects when deciding whether to issue notifications as traps or informs To send an inform to an SNMPv2c host complete these steps 1 Enable the SNMP agent page 4 10...

Page 348: ...uthentication Keyword to issue authentication failure notifications link up down Keyword to issue link up or link down notifications Default Setting Issue authentication and link up down traps Command Mode Global Configuration Command Usage If you do not enter an snmp server enable traps command no notifications controlled by this command are sent In order to configure this device to send SNMP not...

Page 349: ...ent SNMP agent that resides either on this switch or on a remote device This engine protects against message replay delay and redirection The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets A remote engine ID is required when using SNMPv3 informs See snmp server host on page 4 104 The remote engine ID is used ...

Page 350: ...e shows the default engine ID Console config snmp server engine id local 12345abcdef Console config snmp server engineID remote 54321fedcba Console config Console show snmp engine id Local SNMP engineID 8000002a8000000000e8666672 Local SNMP engineBoots 1 Remote SNMP engineID IP address 80000000030004e2b316c54321 192 168 1 19 Console Table 4 38 show snmp engine id display description Field Descript...

Page 351: ... access to the entire MIB tree Command Mode Global Configuration Command Usage Views are used in the snmp server group command to restrict user access to specified portions of the MIB tree The predefined view defaultview includes access to the entire MIB tree Examples This view includes MIB 2 This view includes the MIB 2 interfaces table ifDescr The wild card is used to select all the index values...

Page 352: ...e Simple Network Management Protocol on page 5 1 for further information about these authentication and encryption options readview Defines the view for read access 1 64 characters writeview Defines the view for write access 1 64 characters notifyview Defines the view for notifications 1 64 characters Console show snmp view View Name mib 2 Subtree OID 1 2 2 3 6 2 1 View Type included Storage Type ...

Page 353: ...ithm is used as specified in the snmp server user command When privacy is selected the DES 56 bit algorithm is used for data encryption For additional information on the notification messages supported by this switch see Supported Notification Messages on page 5 13 Also note that the authentication link up and link down messages are legacy traps and must therefore be enabled in conjunction with th...

Page 354: ...us active Group Name public Security Model v1 Read View defaultview Write View none Notify View none Storage Type volatile Row Status active Group Name public Security Model v2c Read View defaultview Write View none Notify View none Storage Type volatile Row Status active Group Name private Security Model v1 Read View defaultview Write View defaultview Notify View none Storage Type volatile Row St...

Page 355: ...v1 v2c v3 Use SNMP version 1 2c or 3 encrypted Accepts the password as encrypted input auth Uses SNMPv3 with authentication md5 sha Uses MD5 or SHA authentication auth password Authentication password Enter as plain text if the encrypted option is not used Otherwise enter an encrypted password A minimum of eight characters is required priv des56 Uses SNMPv3 with privacy with DES56 encryption priv ...

Page 356: ...s for the remote device where the user resides The remote agent s SNMP engine ID is used to compute authentication privacy digests from the user s password If the remote engine ID is not first configured the snmp server user command specifying a remote user will fail SNMP passwords are localized using the engine ID of the authoritative agent For informs the authoritative SNMP agent is the remote a...

Page 357: ...me mark Authentication Protocol mdt Privacy Protocol des56 Storage Type nonvolatile Row Status active Console Table 4 41 show snmp user display description Field Description EngineId String identifying the engine ID User Name Name of user connecting to the SNMP agent Authentication Protocol The authentication protocol used with SNMPv3 Privacy Protocol The privacy protocol used with SNMPv3 Storage ...

Page 358: ...scription Adds a description to an interface configuration IC 4 117 speed duplex Configures the speed and duplex operation of a given interface when autonegotiation is disabled IC 4 117 negotiation Enables autonegotiation of a given interface IC 4 118 capabilities Advertises the capabilities of a given interface for use in autonegotiation IC 4 119 flowcontrol Enables flow control on a given interf...

Page 359: ...e following example adds a description to port 24 speed duplex This command configures the speed and duplex mode of a given interface when autonegotiation is disabled Use the no form to restore the default Syntax speed duplex 1000full 100full 100half 10full 10half no speed duplex 1000full Forces 1000 Mbps full duplex operation 100full Forces 100 Mbps full duplex operation 100half Forces 100 Mbps h...

Page 360: ...o negotiation the required mode must be specified in the capabilities list for an interface Example The following example configures port 5 to 100 Mbps half duplex operation Related Commands negotiation 4 118 capabilities 4 119 negotiation This command enables autonegotiation for a given interface Use the no form to disable autonegotiation Syntax no negotiation Default Setting Enabled Command Mode...

Page 361: ...ull Supports 10 Mbps full duplex operation 10half Supports 10 Mbps half duplex operation flowcontrol Supports flow control symmetric Gigabit only When specified the port transmits and receives pause frames when not specified the port will auto negotiate to determine the sender and receiver for asymmetric pause frames The current switch ASIC only supports symmetric pause frames Default Setting 100B...

Page 362: ... 802 3x for full duplex operation To force flow control on or off with the flowcontrol or no flowcontrol command use the no negotiation command to disable auto negotiation on the selected interface When using the negotiation command to enable auto negotiation the optimal settings will be determined by the capabilities command To enable flow control under auto negotiation flowcontrol must be includ...

Page 363: ...mand Mode Interface Configuration Ethernet Port Channel Command Usage This command allows you to disable a port due to abnormal behavior e g excessive collisions and then reenable it after the problem has been resolved You may also want to disable a port for security reasons Example The following example disables port 5 Console config interface ethernet 1 5 Console config if flowcontrol Console co...

Page 364: ...pecified threshold packets above that threshold are dropped This command can enable or disable broadcast storm control for the selected interface However the specified threshold value applies to all ports on the switch Example The following shows how to configure broadcast storm control at 500 packets per second clear counters This command clears statistics on an interface Syntax clear counters in...

Page 365: ...s statistics on port 5 show interfaces status This command displays the status for an interface Syntax show interfaces status interface interface ethernet unit port unit Stack unit Always unit 1 port Port number Range 1 26 50 port channel channel id Range 1 32 vlan vlan id Range 1 4094 Default Setting Shows the status for all interfaces Command Mode Normal Exec Privileged Exec Command Usage If no ...

Page 366: ...f the items displayed by this command see Showing Port Statistics on page 3 95 Console show interfaces status ethernet 1 5 Information of Eth 1 5 Basic information Port type 100TX Mac address 00 12 CF 12 34 61 Configuration Name Port admin Up Speed duplex Auto Capabilities 10half 10full 100half 100full Broadcast storm Enabled Broadcast storm limit 500 packets second Flow control Disabled Lacp Disa...

Page 367: ...tput 0 Error input 0 Error output 0 Unknown protos input 0 QLen output 0 Extended iftable stats Multi cast input 0 Multi cast output 3064 Broadcast input 262 Broadcast output 1 Ether like stats Alignment errors 0 FCS errors 0 Single Collision frames 0 Multiple collision frames 0 SQE Test errors 0 Deferred transmissions 0 Late collisions 0 Excessive collisions 0 Internal mac transmit errors 0 Inter...

Page 368: ...nd the current rate limit page 4 129 Egress rate limit Shows if egress rate limiting is enabled and the current rate limit page 4 129 VLAN membership mode Indicates membership mode as Trunk or Hybrid page 4 170 Ingress rule Shows if ingress filtering is enabled or disabled page 4 171 Note Ingress filtering is always enabled Acceptable frame type Shows if acceptable VLAN frames include all types or...

Page 369: ...mand Usage You can mirror traffic from any source port to a destination port for real time analysis You can then attach a logic analyzer or RMON probe to the destination port and study the traffic crossing the source port in a completely unobtrusive manner The destination port is set by specifying an Ethernet interface The mirror port and monitor port speeds should match otherwise traffic may be d...

Page 370: ...s Command Mode Privileged Exec Command Usage This command displays the currently configured source port destination port and mirror mode i e RX TX Example The following shows mirroring configured from port 6 to port 11 Console config interface ethernet 1 11 Console config if port monitor ethernet 1 6 rx Console config if Console config interface ethernet 1 11 Console config if port monitor etherne...

Page 371: ...affic is dropped conforming traffic is forwarded without any changes rate limit Use this command to define the rate limit level for a specific interface Use this command without specifying a rate to restore the default rate limit level Use the no form to restore the default status of disabled Syntax rate limit input output rate no rate limit input output input Input rate limit output Output rate l...

Page 372: ...perating at full duplex Table 4 46 Link Aggregation Commands Command Function Mode Page Manual Configuration Commands interface port channel Configures a trunk and enters interface configuration mode for the trunk GC 4 116 channel group Adds a port to a trunk IC Ethernet 4 131 Dynamic Configuration Command lacp Configures LACP for the current interface IC Ethernet 4 132 lacp system priority Config...

Page 373: ...ity Ports must have the same port admin key Ethernet Interface If the port channel admin key lacp admin key Port Channel is not set when a channel group is formed i e it has the null value of 0 this key is set to the same value as the port admin key lacp admin key Ethernet Interface used by the interfaces that joined the group However if the port channel admin key is set then the port admin key mu...

Page 374: ...ull duplex and auto negotiation A trunk formed with another switch using LACP will automatically be assigned the next available port channel ID If the target switch has also enabled LACP on the connected ports the trunk will be activated automatically If more than eight ports attached to the same target switch have LACP enabled the additional ports will be placed in standby mode and will only be e...

Page 375: ...bership and to identify this device to other switches during LAG negotiations Range 0 65535 Default Setting 32768 Console config interface ethernet 1 11 Console config if lacp Console config if exit Console config interface ethernet 1 12 Console config if lacp Console config if exit Console config interface ethernet 1 13 Console config if lacp Console config if exit Console config exit Console sho...

Page 376: ...key Use the no form to restore the default setting Syntax lacp actor partner admin key key no lacp actor partner admin key actor The local side of an aggregate link partner The remote side of an aggregate link key The port admin key must be set to the same value for ports that belong to the same link aggregation group LAG Range 0 65535 Default Setting 0 Command Mode Interface Configuration Ethernet C...

Page 377: ... during local LACP setup on this switch Range 0 65535 Default Setting 0 Command Mode Interface Configuration Port Channel Command Usage Ports are only allowed to join the same LAG if 1 the LACP system priority matches 2 the LACP port admin key matches and 3 the LACP port channel key matches if configured If the port channel admin key lacp admin key Port Channel is not set when a channel group is f...

Page 378: ...th the lowest physical port number will be selected as the backup port Once the remote side of a link has been established LACP operational settings are already in use on that side Configuring LACP settings for the partner only applies to its administrative state not its operational state and will only take effect the next time an aggregate link is established with the partner Example show lacp Th...

Page 379: ...er of valid Marker PDUs received by this channel group LACPDUs Unknown Pkts Number of frames received that either 1 Carry the Slow Protocols Ethernet Type value but contain an unknown PDU or 2 are addressed to the Slow Protocols group MAC Address but do not carry the Slow Protocols Ethernet Type LACPDUs Illegal Pkts Number of frames that carry the Slow Protocols Ethernet Type value but contain a b...

Page 380: ...lection of incoming frames on this link is enabled i e collection is currently enabled and is not expected to be disabled in the absence of administrative changes or changes in received protocol information Synchronization The System considers this link to be IN_SYNC i e it has been allocated to the correct Link Aggregation Group the group has been associated with a compatible Aggregator and the i...

Page 381: ...he partner Admin Key Current administrative value of the Key for the protocol partner Oper Key Current operational value of the Key for the protocol partner Admin State Administrative values of the partner s state parameters See preceding table Oper State Operational values of the partner s state parameters See preceding table Console show lacp sysid Port Channel System Priority System MAC Address...

Page 382: ...mber Range 1 26 50 port channel channel id Range 1 32 vlan id VLAN ID Range 1 4094 action delete on reset Assignment lasts until the switch is reset permanent Assignment is permanent Default Setting No static addresses are defined The default mode is permanent Command Mode Global Configuration Table 4 51 Address Table Commands Command Function Mode Page mac address table static Maps a static addre...

Page 383: ...his command Example clear mac address table dynamic This command removes any learned entries from the forwarding database and clears the transmit and receive counts for any static or system configured entries Default Setting None Command Mode Privileged Exec Example show mac address table This command shows classes of entries in the bridge forwarding database Syntax show mac address table address ...

Page 384: ...it 0 means to match a bit and 1 means to ignore a bit For example a mask of 00 00 00 00 00 00 means an exact match and a mask of FF FF FF FF FF FF means any The maximum number of address entries is 8191 Example mac address table aging time This command sets the aging time for entries in the address table Use the no form to restore the default aging time Syntax mac address table aging time seconds ...

Page 385: ...ing time This command shows the aging time for entries in the address table Default Setting None Command Mode Privileged Exec Example Console config mac address table aging time 100 Console config Console show mac address table aging time Aging time 100 sec Console ...

Page 386: ...ing tree instance MST 4 151 name Configures the name for the multiple spanning tree MST 4 152 revision Configures the revision number for the multiple spanning tree MST 4 153 max hops Configures the maximum number of hops allowed in the region before a BPDU is discarded MST 4 153 spanning tree spanning disabled Disables spanning tree for an interface IC 4 154 spanning tree cost Configures the span...

Page 387: ... between any two stations on the network and provide backup links which automatically take over when a primary link goes down Example This example shows how to enable the Spanning Tree Algorithm for the switch spanning tree mode This command selects the spanning tree mode for this switch Use the no form to restore the default Note MSTP is not supported in the current software Syntax spanning tree ...

Page 388: ...d begins using RSTP BPDUs on that port Multiple Spanning Tree Protocol To allow multiple spanning trees to operate over the network you must configure a related set of bridges with the same MSTP configuration allowing them to participate in a specific set of spanning tree instances A spanning tree instance can exist only on bridges that have compatible VLAN instance assignments Be careful when swi...

Page 389: ...nning tree hello time This command configures the spanning tree bridge hello time globally for this switch Use the no form to restore the default Syntax spanning tree hello time time no spanning tree hello time time Time in seconds Range 1 10 seconds The maximum value is the lower of 10 or max age 2 1 Default Setting 2 seconds Command Mode Global Configuration Command Usage This command sets the t...

Page 390: ...pt for designated ports should receive configuration messages at regular intervals Any port that ages out STA information provided in the last configuration message becomes the designated port for the attached LAN If it is a root port a new root port is selected from among the device ports attached to the network Example Related Commands spanning tree forward time 4 146 spanning tree hello time 4 ...

Page 391: ...st method long short no spanning tree pathcost method long Specifies 32 bit based values that range from 1 200 000 000 This method is based on the IEEE 802 1w Rapid Spanning Tree Protocol short Specifies 16 bit based values that range from 1 65535 This method is based on the IEEE 802 1 Spanning Tree Protocol Default Setting Long method Command Mode Global Configuration Command Usage The path cost ...

Page 392: ...obal Configuration Command Usage This command limits the maximum transmission rate for BPDUs Example spanning tree mst configuration This command changes to Multiple Spanning Tree MST configuration mode Default Setting No VLANs are mapped to any MST instance The region name is set to the switch's MAC address Command Mode Global Configuration Example Related Commands mst vlan 4 151 mst priority 4 151 ...

Page 393: ...ed to the Internal Spanning Tree MSTI 0 that connects all bridges and LANs within the MST region This switch supports up to 58 instances You should try to group VLANs which cover the same general area of your network However remember that you must configure all bridges within the same MSTI Region page 4 152 with the same set of instances and the same instance on each bridge with the same set of VL...

Page 394: ...ecifying a priority of 16384 Example name This command configures the name for the multiple spanning tree region in which this switch is located Use the no form to clear the name Syntax name name name Name of the spanning tree Default Setting Switch s MAC address Command Mode MST Configuration Command Usage The MST region name and revision number page 4 153 are used to designate a unique MST regio...

Page 395: ... in the same region must be configured with the same MST instances Example Related Commands name 4 152 max hops This command configures the maximum number of hops in the region before a BPDU is discarded Use the no form to restore the default Syntax max hops hop number hop number Maximum hop number for multiple spanning tree Range 1 40 Default Setting 20 Command Mode MST Configuration Command Usag...

Page 396: ... command configures the spanning tree path cost for the specified interface Use the no form to restore the default Syntax spanning tree cost cost no spanning tree cost cost The path cost for the port Range 0 for auto configuration or 1 200 000 000 The recommended range is Ethernet 200 000 20 000 000 Fast Ethernet 20 000 2 000 000 Gigabit Ethernet 2 000 200 000 10 Gigabit Ethernet 200 20 000 Defaul...

Page 397: ...command configures the priority for the specified interface Use the no form to restore the default Syntax spanning tree port priority priority no spanning tree port priority priority The priority for a port Range 0 240 in steps of 16 Default Setting 128 Command Mode Interface Configuration Ethernet Port Channel Command Usage This command defines the priority for the use of a port in the Spanning T...

Page 398: ...rvers, retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to initiate reconfiguration when the interface changes state, and also overcomes other STA-related timeout problems. However, remember that Edge Port should only be enabled for ports connected to an end-node device. This ...

Page 399: ...mmand may be removed for future software versions Example Related Commands spanning tree edge port 4 156 spanning tree link type This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree Use the no form to restore the default Syntax spanning tree link type auto point to point shared no spanning tree link type auto Automatically derived from the duplex mode setting po...

Page 400: ...peed and duplex mode used on each port and configures the path cost according to the values shown below Path cost 0 is used to indicate auto configuration mode Ethernet half duplex 2 000 000 full duplex 1 000 000 trunk 500 000 Fast Ethernet half duplex 200 000 full duplex 100 000 trunk 50 000 Gigabit Ethernet full duplex 10 000 trunk 5 000 10 Gigabit Ethernet full duplex 1000 trunk 500 Command Mod...

Page 401: ...d Mode Interface Configuration Ethernet Port Channel Command Usage This command defines the priority for the use of an interface in the multiple spanning tree If the path cost for all interfaces on a switch are the same the interface with the highest priority that is lowest value will be configured as an active link in the spanning tree Where more than one interface is assigned the highest priorit...

Page 402: ...ompatible mode However you can also use the spanning tree protocol migration command at any time to manually re check the appropriate BPDU format to send on the selected interfaces i e RSTP or STP compatible Example show spanning tree This command shows the configuration for the common spanning tree CST or for an instance within the multiple spanning tree MST Syntax show spanning tree interface ms...

Page 403: ... items displayed under Spanning tree information see Configuring Global Settings on page 3 128 For a description of the items displayed for specific interfaces see Displaying Interface Settings on page 3 132 Example Console show spanning tree Spanning tree information Spanning tree mode MSTP Spanning tree enable disable enable Instance 0 Vlans configuration 1 4094 Priority 32768 Bridge Hello Time ...

Page 404: ...nal oper path cost 10000 Internal oper path cost 10000 Priority 128 Designated cost 200000 Designated port 128 24 Designated root 32768 0 0000ABCD0000 Designated bridge 32768 0 0030F1552000 Fast forwarding disable Forward transitions 1 Admin edge port enable Oper edge port disable Admin Link type auto Oper Link type point to point Spanning Tree Status enable Console show spanning tree mst configur...

Page 405: ...the configuration for bridge extension MIB 4 163 Editing VLAN Groups Sets up VLAN groups including name VID and state 4 167 Configuring VLAN Interfaces Configures VLAN interface parameters including ingress and egress tagging mode ingress filtering PVID and GVRP 4 169 Displaying VLAN Information Displays VLAN groups status port members and MAC addresses 4 175 Configuring Private VLANs Configures p...

Page 406: ...ocal switch Example show bridge ext This command shows the configuration for bridge extension commands Default Setting None Command Mode Privileged Exec Command Usage See Displaying Basic VLAN Information on page 3 126 and Displaying Bridge Extension Capabilities on page 3 13 for a description of the displayed items Example Console config bridge ext gvrp Console config Console show bridge ext Max ...

Page 407: ... is enabled Syntax show gvrp configuration interface interface ethernet unit port unit Stack unit Always unit 1 port Port number Range 1 26 50 port channel channel id Range 1 32 Default Setting Shows both global and interface specific configuration Command Mode Normal Exec Privileged Exec Example Console config interface ethernet 1 6 Console config if switchport gvrp Console config if Console show...

Page 408: ...VRP and GMRP to register or deregister client attributes for client services within a bridged LAN The default values for the GARP timers are independent of the media access method or data rate These values should not be changed unless you are experiencing difficulties with GMRP or GVRP registration deregistration Timer values are applied to GVRP for all the ports on all VLANs Timer values must mee...

Page 409: ... vlan database This command enters VLAN database mode All commands in this mode will take effect immediately Default Setting None Command Mode Global Configuration Console show garp timer ethernet 1 1 Eth 1 1 GARP timer status Join timer 100 centiseconds Leave timer 60 centiseconds Leaveall timer 1000 centiseconds Console Table 4 55 Editing VLAN Groups Command Function Mode Page vlan database Ente...

Page 410: ...s or delete a VLAN Syntax vlan vlan id name vlan name media ethernet state active suspend no vlan vlan id name state vlan id ID of configured VLAN Range 1 4094 no leading zeroes name Keyword to be followed by the VLAN name vlan name ASCII string from 1 to 32 characters media ethernet Ethernet media type state Keyword to be followed by the VLAN state active VLAN is operational suspend VLAN is suspe...

Page 411: ...n Table 4 56 Configuring VLAN Interfaces Command Function Mode Page interface vlan Enters interface configuration mode for a specified VLAN GC 4 169 switchport mode Configures VLAN membership mode for an interface IC 4 170 switchport acceptable frame types Configures frame types to be accepted by an interface IC 4 171 switchport ingress filtering Enables ingress filtering on an interface IC 4 171 ...

Page 412: ...e port s default VLAN i e associated with the PVID are also transmitted as tagged frames hybrid Specifies a hybrid VLAN interface The port may transmit tagged or untagged frames private vlan For an explanation of this command see switchport mode private vlan on page 4 182 Default Setting All ports are in hybrid mode with the PVID set to VLAN 1 Command Mode Interface Configuration Ethernet Port Cha...

Page 413: ...e default VLAN. Example: The following example shows how to restrict the traffic received on port 1 to tagged frames. Related Commands: switchport mode (4-170). switchport ingress filtering: This command enables ingress filtering for an interface. Note: Although the ingress filtering command is available, the switch has ingress filtering permanently set to enable. Therefore, trying to disable the filtering wit...

Page 414: ...ive vlan vlan id no switchport native vlan vlan id Default VLAN ID for a port Range 1 4094 no leading zeroes Default Setting VLAN 1 Command Mode Interface Configuration Ethernet Port Channel Command Usage Setting the native VLAN for a port can only be performed when the port is a member of the VLAN and the VLAN is untagged The no switchport native vlan command will set the native VLAN of the port ...

Page 415: ...gged Command Mode Interface Configuration Ethernet Port Channel Command Usage A port or a trunk with switchport mode set to hybrid must be assigned to a VLAN as untagged If a trunk has switchport mode set to trunk i e 1Q Trunk then you can only assign an interface to VLAN groups as a tagged member Frames are always tagged within the switch The tagged untagged parameter used when adding a VLAN to a...

Page 416: ... designate a range of IDs Do not enter leading zeros Range 1 4094 Default Setting No VLANs are included in the forbidden list Command Mode Interface Configuration Ethernet Port Channel Command Usage This command prevents a VLAN from being automatically added to the specified interface via GVRP If a VLAN has been added to the set of allowed VLANs for an interface then you cannot add it to the set o...

Page 417: ...LANs Command Mode Normal Exec Privileged Exec Example The following example shows how to display information for VLAN 1 Table 4 57 Show VLAN Commands Command Function Mode Page show vlan Shows VLAN information NE PE 4 175 show interfaces status vlan Displays status for the specified VLAN interface NE PE 4 123 show interfaces switchport Displays the administrative and operational status of an inter...

Page 418: ...fy 802 1Q tagged frames The standard ethertype value is 0x8100 See switchport dot1q tunnel tpid page 4 178 5 Configure the QinQ tunnel access port to join the SPVLAN as an untagged member switchport allowed vlan page 4 173 6 Configure the SPVLAN ID as the native VID on the QinQ tunnel access port switchport native vlan page 4 172 7 Configure the QinQ tunnel uplink port to dot1Q tunnel uplink mode ...

Page 419: ... tunnel mode access uplink no switchport dot1q tunnel mode access Sets the port as an 802 1Q tunnel access port uplink Sets the port as an 802 1Q tunnel uplink port Default Setting Disabled Command Mode Interface Configuration Ethernet Port Channel Command Usage Use the dot1q tunnel system tunnel control command to set the switch to QinQ mode before entering this command Example Related Commands s...

Page 420: ...ed interface This feature allows the switch to interoperate with third party switches that do not use the standard 0x8100 ethertype to identify 802 1Q tagged frames For example 0x1234 is set as the custom 802 1Q ethertype on a trunk port incoming frames containing that ethertype are assigned to the VLAN contained in the tag following the ethertype field as they would be with a standard 802 1Q trun...

Page 421: ...nfig if end Console show dot1q tunnel Current double tagged status of the system is Enabled The dot1q tunnel mode of the set interface 1 1 is Access mode TPID is 0x8100 The dot1q tunnel mode of the set interface 1 2 is Uplink mode TPID is 0x8100 The dot1q tunnel mode of the set interface 1 3 is Normal mode TPID is 0x8100 The dot1q tunnel mode of the set interface 1 4 is Normal mode TPID is 0x8100 ...

Page 422: ...imultaneously within the same switch Entering the pvlan command without any parameters enables the private VLAN Entering no pvlan disables the private VLAN Example This example enables the private VLAN and then sets port 12 as the uplink and ports 5 8 as the downlinks show pvlan This command displays the configured private VLAN Command Mode Privileged Exec Example Console config pvlan Console conf...

Page 423: ... the protocols you want to assign to a VLAN using the protocol vlan protocol group command (General Configuration mode). 3. Then map the protocol for each interface to the appropriate VLAN using the protocol vlan protocol group command (Interface Configuration mode). protocol vlan protocol group (Configuring Groups): This command creates a protocol group or adds specific protocols to a group. Use the no fo...

Page 424: ...7 vlan id VLAN to which matching protocol traffic is forwarded Range 1 4094 Default Setting No protocol groups are mapped for any interface Command Mode Interface Configuration Ethernet Port Channel Command Usage When creating a protocol based VLAN only assign interfaces via this command If you assign interfaces using any of the other VLAN commands such as vlan on page 4 168 these interfaces will ...

Page 425: ...All protocol groups are displayed Command Mode Privileged Exec Example This shows protocol group 1 configured for IP over Ethernet show interfaces protocol vlan protocol group This command shows the mapping from protocol groups to VLANs for the selected interfaces Syntax show interfaces protocol vlan protocol group interface interface ethernet unit port unit Stack unit Range 1 8 port Port number R...

Page 426: ...lan ID Eth 1 1 1 vlan2 Console Table 4 61 Priority Commands Command Groups Function Page Priority Layer 2 Configures default priority for untagged frames sets queue weights and maps class of service tags to hardware queues 4 184 Priority Layer 3 and 4 Maps IP DSCP tags to class of service values 4 189 Table 4 62 Priority Commands Layer 2 Command Function Mode Page queue mode Sets the queue mode to...

Page 427: ...in a higher priority queue to be processed before lower priority queues are serviced or use Weighted Round Robin WRR queuing that specifies a relative weight of each queue WRR uses a predefined relative weight for each queue that determines the percentage of service time the switch services each queue before moving on to the next queue This prevents the head of line blocking that can occur with st...

Page 428: ...d with the input port s default ingress user priority and then placed in the appropriate priority queue at the output port The default priority for all ingress ports is zero Therefore any inbound frames that do not have priority tags will be placed in queue 0 of the output port Note that if the output port is an untagged member of the associated VLAN these frames are stripped of all VLAN tags prio...

Page 429: ...are 0 to 3 where 3 is the highest priority queue cos1 cosn The CoS values that are mapped to the queue ID It is a space separated list of numbers The CoS value is a number from 0 to 7 where 7 is the highest priority Default Setting This switch supports Class of Service by using four priority queues with Weighted Round Robin queuing for each port Eight separate traffic classes are defined in IEEE 8...

Page 430: ... Exec Example show queue bandwidth This command displays the weighted round robin WRR bandwidth allocation for the four priority queues Default Setting None Command Mode Privileged Exec Console config interface ethernet 1 1 Console config if queue cos map 0 0 Console config if queue cos map 1 1 Console config if queue cos map 2 2 Console config if exit Console show queue cos map ethernet 1 1 Infor...

Page 431: ...figuration This command enables IP DSCP mapping i e Differentiated Services Code Point mapping Use the no form to disable IP DSCP mapping Console show queue bandwidth Queue ID Weight 0 1 1 2 2 4 3 8 Console Console show queue cos map ethernet 1 1 Information of Eth 1 1 Traffic Class 0 1 2 3 4 5 6 7 Priority Queue 1 0 0 1 2 2 3 3 Console Table 4 64 Priority Commands Layer 3 and 4 Command Function M...

Page 432: ...fferentiated Services Code Point priority Use the no form to restore the default table Syntax map ip dscp dscp value cos cos value no map ip dscp dscp value 8 bit DSCP value Range 0 63 cos value Class of Service value Range 0 7 Default Setting The DSCP default values are defined in the following table Note that all the DSCP values that are not specified are mapped to CoS value 0 Console config map...

Page 433: ... the four hardware priority queues This command sets the IP DSCP priority for all interfaces Example The following example shows how to map IP DSCP value 1 to CoS value 0 show map ip dscp This command shows the IP DSCP priority map Syntax show map ip dscp interface interface ethernet unit port unit Stack unit Always unit 1 port Port number Range 1 26 50 port channel channel id Range 1 32 Default S...

Page 434: ...VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet. Note: Due to a chip limitation, IP source guard and Quality of Service (only for IP-related QoS functions) cannot be enabled at the same time. Thus, if the user has already enabled the IP source guard function, it needs to be disabled first in order for the QoS function to work, and v...

Page 435: ...tes 1 You can configure up to 16 rules per Class Map You can also include multiple classes in a Policy Map 2 You should create a Class Map page 4 194 before creating a Policy Map page 4 195 Otherwise you will not be able to specify a Class Map with the class command page 4 196 after entering Policy Map Configuration mode Table 4 66 Quality of Service Commands Command Function Mode Page class map C...

Page 436: ...mmands are permitted per class map. The class map is used with a policy map (page 4-195) to create a service policy (page 4-199) for a specific interface that defines packet classification, service tagging, and bandwidth policing. Example: This example creates a class map called rd_class and sets it to match packets marked for DSCP service value 3. Related Commands: show class map (4-199). match: This command defi...

Page 437: ...rked for IP Precedence service value 5. This example creates a class map called rd_class 3 and sets it to match packets marked for VLAN 1. policy map: This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map and return to Global configuration mode. Syntax: no policy map policy map name. policy map name: Nam...

Page 438: ...ification upon which a policy can act and enters Policy Map Class configuration mode Use the no form to delete a class map and return to Policy Map configuration mode Syntax no class class map name class map name Name of the class map Range 1 16 characters Default Setting None Command Mode Policy Map Configuration Command Usage Use the policy map command to specify a policy map and enter Policy Ma...

Page 439: ... new dscp New Differentiated Service Code Point DSCP value Range 0 63 new precedence New IP Precedence value Range 0 7 Default Setting None Command Mode Policy Map Class Configuration Example This example creates a policy called rd_policy uses the class command to specify the previously defined rd_class uses the set command to classify the service that incoming packets will receive and then uses t...

Page 440: ...ypes: MAC ACL, IP ACL (including Standard ACL and Extended ACL). Policing is based on a token bucket, where bucket depth (i.e., the maximum burst before the bucket overflows) is specified by the burst byte field, and the average rate at which tokens are removed from the bucket is specified by the rate bps option. Example: This example creates a policy called rd_policy, uses the class command to specify the previously...

Page 441: ...net Port Channel Command Usage You can only assign one policy map to an interface You must first define a class map then define a policy map and finally use the service policy command to bind the policy map to the required interface Example This example applies a service policy to an ingress interface show class map This command displays the QoS class maps which define matching criteria used for c...

Page 442: ... Privileged Exec Example show policy map interface This command displays the service policy assigned to the specified interface Syntax show policy map interface interface input interface ethernet unit port unit Stack unit Always unit 1 port Port number Range 1 26 50 port channel channel id Range 1 32 Console show class map Class Map match any rd_class 1 Match ip dscp 3 Class Map match any rd_class...

Page 443: ... 4 201 IGMP Query Configures IGMP query parameters for multicast filtering at Layer 2 4 206 Static Multicast Routing Configures static multicast router ports 4 209 IGMP Filtering and Throttling Configures IGMP filtering and throttling 4 211 Multicast VLAN Registration Configures a single network wide multicast VLAN shared by hosts residing in other standard or private VLAN groups preserving securi...

Page 444: ...m to remove the port Syntax no ip igmp snooping vlan vlan id static ip address interface vlan id VLAN ID Range 1 4094 ip address IP address for multicast group interface ethernet unit port unit Stack unit Always unit 1 port Port number Range 1 26 50 port channel channel id Range 1 32 Default Setting None Command Mode Global Configuration Example The following shows how to statically configure a mu...

Page 445: ...itch to use Version 1 Some commands are only enabled for IGMPv2 including ip igmp query max response time and ip igmp query timeout Example The following configures the switch to use IGMP Version 1 ip igmp snooping leave proxy This command enables IGMP leave proxy on the switch Use the no form to disable the feature Syntax no ip igmp snooping leave proxy Default Setting Disabled Command Mode Globa...

Page 446: ...ng table without first sending an IGMP group specific query to the interface Upon receiving a group specific IGMPv2 leave message the switch immediately removes the interface from the Layer 2 forwarding table entry for that multicast group unless a multicast router was learned on the port Example show ip igmp snooping This command shows the IGMP snooping configuration Default Setting None Command ...

Page 447: ...and Mode Privileged Exec Command Usage Member types displayed include IGMP or USER depending on selected options Example The following shows the multicast entries learned through IGMP snooping for VLAN 1 Console show ip igmp snooping Service status Enabled Querier status Enabled Leave proxy status Disabled Query count 10 Query interval 100 sec Query max response time 20 sec Router port expire time...

Page 448: ...ip igmp snooping query count count no ip igmp snooping query count count The maximum number of queries issued for which there has been no response before the switch takes action to drop a client from the multicast group Range 2 10 Table 4 69 IGMP Query Commands Layer 2 Command Function Mode Page ip igmp snooping querier Allows this device to act as the querier for IGMP snooping GC 4 206 ip igmp sn...

Page 449: ... have left the multicast group Example The following shows how to configure the query count to 10 Related Commands ip igmp snooping query max response time 4 208 ip igmp snooping query interval This command configures the query interval Use the no form to restore the default Syntax ip igmp snooping query interval seconds no ip igmp snooping query interval seconds The frequency at which the switch ...

Page 450: ...sponded a countdown timer is started using an initial value set by this command If the countdown finishes and the client still has not responded then that client is considered to have left the multicast group Example The following shows how to configure the maximum response time to 20 seconds Related Commands ip igmp snooping version 4 203 ip igmp snooping query max response time 4 208 ip igmp sno...

Page 451: ...e no form to remove the configuration Syntax no ip igmp snooping vlan vlan id mrouter interface vlan id VLAN ID Range 1 4094 interface ethernet unit port unit Stack unit Always unit 1 port Port number Range 1 26 50 port channel channel id Range 1 32 Default Setting No static multicast router ports are configured Command Mode Global Configuration Console config ip igmp snooping router port expire t...

Page 452: ...show ip igmp snooping mrouter This command displays information on statically configured and dynamically learned multicast router ports Syntax show ip igmp snooping mrouter vlan vlan id vlan id VLAN ID Range 1 4094 Default Setting Displays multicast router ports for all configured VLANs Command Mode Privileged Exec Command Usage Multicast router port types displayed include Static Example The foll...

Page 453: ...reports received on the port are checked against the filter profile. If a requested multicast group is permitted, the IGMP join report is forwarded as normal. If a requested multicast group is denied, the IGMP join report is dropped. IGMP filtering and throttling only applies to dynamically learned multicast groups; it does not apply to statically configured groups. Table 4-71: IGMP Filtering and Throttli...

Page 454: ...ion Command Usage A profile defines the multicast groups that a subscriber is permitted or denied to join The same profile can be applied to many interfaces but only one profile can be assigned to one interface Each profile has only one access mode either permit or deny Example permit deny This command sets the access mode for an IGMP filter profile Use the no form to delete a profile number Synta...

Page 455: ...for the end of a multicast group range Default Setting None Command Mode IGMP Profile Configuration Command Usage Enter this command multiple times to specify more than one multicast address or address range for a profile Example ip igmp filter Interface Configuration This command assigns an IGMP filtering profile to an interface on the switch Use the no form to remove a profile from an interface ...

Page 456: ...ups number The maximum number of multicast groups an interface can join at the same time Range 0 64 Default Setting 64 Command Mode Interface Configuration Command Usage IGMP throttling sets a maximum number of multicast groups that a port can join at the same time When the maximum number of groups is reached on a port the switch can take one of two actions either deny or replace If the action is ...

Page 457: ...place. If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group. Example. show ip igmp filter: This command displays the global and interface settings for IGMP filtering. Syntax: show ip igmp filter interface interface. interface: ethernet unit port. unit: Stack unit Range...

Page 458: ...terface This command displays the interface settings for IGMP throttling Syntax show ip igmp throttle interface interface interface ethernet unit port unit Stack unit Range 1 Console show ip igmp filter IGMP filter enabled Console show ip igmp filter interface ethernet 1 1 Ethernet 1 1 information IGMP Profile 19 Deny range 239 1 1 1 239 1 1 1 range 239 2 3 1 239 2 3 100 Console Console show ip igm...

Page 459: ...e for a normal multicast VLAN Also note that MVR maintains the user isolation and data security provided by VLAN segregation by passing only multicast traffic into other VLANs to which the subscribers belong Console show ip igmp throttle interface ethernet 1 1 Eth 1 1 Information Status TRUE Action Deny Max Multicast Groups 32 Current Multicast Groups 0 Console Table 4 72 Multicast VLAN Registrati...

Page 460: ...MVR group address is defined. The default number of contiguous addresses is 0. MVR VLAN ID is 1. Command Mode: Global Configuration. Command Usage: Use the mvr group command to statically configure all multicast group addresses that will join the MVR VLAN. Any multicast data associated with an MVR group is sent from all source ports, and to all receiver ports that have registered to receive data from that mult...

Page 461: ...r port that can receive multicast data source Configure the interface as an uplink port that can send and receive multicast data for the configured multicast groups immediate Configures the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group ip address Statically configures an interface to receive multicast traffic from the IP add...

Page 462: ...n immediate leave is disabled, the switch follows the standard rules by sending a group-specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list. Using immediate leave can speed up leave latency, but should only be enabled on a port attached to one multicast subscriber to av...

Page 463: ...splay the global settings for MVR Use the interface keyword to display information about interfaces attached to the MVR VLAN Or use the members keyword to display information about multicast groups assigned to the MVR VLAN Example The following shows the global MVR settings Console show mvr MVR Status enable MVR running status TRUE MVR multicast vlan 1 MVR Max Multicast Groups 255 MVR Current mult...

Page 464: ...iving multicast traffic from one of the MVR groups or a multicast group has been statically assigned to an interface Immediate Leave Shows if immediate leave is enabled or disabled Console show mvr members MVR Group IP Status Members 225 0 0 1 ACTIVE eth1 1 d eth1 2 s 225 0 0 2 INACTIVE None 225 0 0 3 INACTIVE None 225 0 0 4 INACTIVE None 225 0 0 5 INACTIVE None 225 0 0 6 INACTIVE None 225 0 0 7 I...

Page 465: ...s bootp Obtains IP address from BOOTP dhcp Obtains IP address from DHCP Default Setting DHCP Command Mode Interface Configuration VLAN Command Usage You must assign an IP address to this device to gain management access over the network You can manually configure a specific IP address or direct the device to obtain an address from a BOOTP or DHCP server Valid IP addresses consist of four numbers 0...

Page 466: ...original IP address and this becomes the new management VLAN Example In the following example the device is assigned an address in VLAN 1 Related Commands ip dhcp restart 4 225 ip default gateway This command establishes a static route between this switch and devices that exist on another network segment Use the no form to remove the static route Syntax ip default gateway gateway no ip default gat...

Page 467: ...o the client will be based on this new domain Example In the following example the device is reassigned the same address Related Commands ip address 4 223 show ip interface This command displays the settings of an IP interface Default Setting All interfaces Command Mode Privileged Exec Example Related Commands show ip redirects 4 226 Console config interface vlan 1 Console config if ip address dhc...

Page 468: ...count Number of packets to send Range 1 16 default 5 Default Setting This command has no default for the host Command Mode Normal Exec Privileged Exec Command Usage Use the ping command to see if another site on the network can be reached Following are some results of the ping command Normal response The normal response occurs in one to ten seconds depending on network traffic Destination does not...

Page 469: ... ip source guard: This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function. Console ping 10.1.0.9 Type ESC to abort PING to 10.1.0.9 by 5 32 byte payload ICMP packets timeout is 5 seconds response time 10 ms response time 10 ms response time 10 ms response time 10 ms response time ...

Page 470: ...d in the source guard binding table. Table entries include a MAC address, IP address, lease time, entry type (Static IP SG Binding, Dynamic DHCP Binding, Static DHCP Binding), VLAN identifier, and port identifier. Static addresses entered in the source guard binding table with the ip source guard binding command (page 4-229) are automatically configured with an infinite lease time. Dynamic entries learned via D...

Page 471: ...ss interface ethernet unit port no ip source guard binding mac address vlan vlan id mac address A valid unicast MAC address vlan id ID of a configured VLAN Range 1 4094 ip address A valid unicast IP address including classful types A B or C unit Stack unit Always unit 1 port Port number Range 1 28 Default Setting No configured entries Command Mode Global Configuration Command Usage Table entries i...

Page 472: ...e new entry will replace the old one and the entry type will be changed to static IP source guard binding Example This example configures a static source guard binding on port 5 Related Commands ip source guard 4 227 ip dhcp snooping 4 231 ip dhcp snooping vlan 4 233 show ip source guard This command shows whether source guard is enabled or disabled on each interface Command Mode Privileged Exec E...

Page 473: ...e show ip source guard binding MacAddress IpAddress Lease sec Type VLAN Interface 11 22 33 44 55 66 192 168 0 99 0 Static 1 Eth 1 5 Console Table 4 78 DHCP Snooping Commands Command Function Mode Page ip dhcp snooping Enables DHCP snooping globally GC 4 231 ip dhcp snooping vlan Enables DHCP snooping on the specified VLAN GC 4 233 ip dhcp snooping trust Configures the specified interface as truste...

Page 474: ...he DHCP packet is received but the port is not trusted it is processed as follows If the DHCP packet is a reply packet from a DHCP server including OFFER ACK or NAK messages the packet is dropped If the DHCP packet is from a client such as a DECLINE or RELEASE message the switch forwards the packet only if the corresponding entry is found in the binding table If the DHCP packet is from a client such...

Page 475: ...d Mode Global Configuration Command Usage When DHCP snooping is enabled globally using the ip dhcp snooping command page 4 231 and enabled on a VLAN with this command DHCP packet filtering will be performed on any untrusted ports within the VLAN as specified by the ip dhcp snooping trust command page 4 234 When DHCP snooping is globally disabled DHCP snooping can still be configured for specific ...

Page 476: ...ng enabled globally using the ip dhcp snooping command page 4 231 and enabled on a VLAN with this command DHCP packet filtering will be performed on any untrusted ports within the VLAN according to the default status or as specifically configured for an interface with the no ip dhcp snooping trust command When an untrusted port is changed to a trusted port all the dynamic DHCP snooping bindings as...

Page 477: ...ss verification Related Commands ip dhcp snooping 4 231 ip dhcp snooping vlan 4 233 ip dhcp snooping trust 4 234 ip dhcp snooping information option This command enables the DHCP Option 82 information relay for the switch Use the no form to disable this function Syntax no ip dhcp snooping information option Default Setting Disabled Command Mode Global Configuration Command Usage DHCP provides a re...

Page 478: ...n Syntax ip dhcp snooping information policy drop keep replace drop Discards the Option 82 information in a packet and then floods it to the entire VLAN keep Retains the client s DHCP information replace Overwrites the DHCP client packet information with the switch s relay information Default Setting replace Command Mode Global Configuration Command Usage When the switch receives DHCP packets from...

Page 479: ...he Commander through its IP address and the Commander manages Member switches using cluster internal IP addresses There can be up to 16 Member switches in one cluster Cluster switches are limited to within a single IP subnet Console show ip dhcp snooping Global DHCP Snooping status disable DHCP Snooping is configured on the following VLANs 1 Verify Source Mac Address enable Interface Trusted Eth ...

Page 480: ...etween Member switches and the Commander Switch clusters are limited to a single IP subnet Layer 2 domain A switch can only be a Member of one cluster Configured switch clusters are maintained across power resets and network changes Example cluster ip pool Sets the cluster IP address pool for Members GC 4 239 cluster member Sets Candidate switches as cluster members GC 4 240 rcommand Provides conf...

Page 481: ...m the Commander CLI prompt use the rcommand id command to connect to the Member switch Example cluster ip pool This command sets the cluster IP address pool Use the no form to reset to the default address Syntax cluster ip pool ip address no cluster ip pool ip address The base IP address for IP addresses assigned to cluster Members The IP address must start 10 x x x Default Setting 10 254 254 1 Co...

Page 482: ...MAC address of the Candidate switch member id The ID number to assign to the Member switch Range 1 16 Default Setting No Members Command Mode Global Configuration Command Usage The maximum number of cluster Members is 16 The maximum number of switch Candidates is 100 Example rcommand This command provides access to a cluster Member CLI for configuration Syntax rcommand id member id member id The I...

Page 483: ...s the current switch cluster members Command Mode Privileged Exec Example Vty 0 rcommand id 1 CLI session with the TigerSwitch 10 100 1000 is opened To end the CLI session enter Exit Vty 0 Console show cluster Role commander Interval heartbeat 30 Heartbeat loss count 3 Number of Members 1 Number of Candidates 2 Console Console show cluster members Cluster Members ID 1 Role Active member IP Address...

Page 484: ...ed Candidate switches in the network Command Mode Privileged Exec Example Console show cluster candidates Cluster Candidates Role Mac Description ACTIVE MEMBER 00 12 cf 23 49 c0 TigerSwitch 10 100 1000 SPORT MANAGE CANDIDATE 00 12 cf 0b 47 a0 TigerSwitch 10 100 1000 SPORT MANAGE Console ...

Page 485: ...e a critical threshold Port Mirroring Multiple source ports one destination port Rate Limits Input limit Output limit Port Trunking Static trunks Cisco EtherChannel compliant Dynamic trunks Link Aggregation Control Protocol Spanning Tree Algorithm Spanning Tree Protocol STP IEEE 802 1D Rapid Spanning Tree Protocol RSTP IEEE 802 1w Multiple Spanning Trees MSTP VLAN Support Up to 256 groups port bas...

Page 486: ...nagement RS 232 console port Software Loading TFTP in band or XModem out of band SNMP Management access via MIB database Trap management to specified hosts RMON Groups 1 2 3 9 Statistics History Alarm Event Standards IEEE 802 1D Spanning Tree Protocol and traffic priorities IEEE 802 1p Priority tags IEEE 802 1Q VLAN IEEE 802 1v Protocol based VLANs IEEE 802 1w Rapid Spanning Tree Protocol IEEE 802...

Page 487: ...roup MIB RFC 2233 Interfaces Evolution MIB RFC 2863 IP Multicasting related MIBs MAU MIB RFC 2668 MIB II RFC 1213 Port Access Entity MIB IEEE 802 1X Port Access Entity Equipment MIB Private MIB Quality of Service MIB RADIUS Authentication Client MIB RFC 2621 RMON MIB RFC 2819 RMON II Probe Configuration Group RFC 2021 partial implementation SNMPv2 IP MIB RFC 2011 SNMP Community MIB RFC 3584 SNMP F...

Page 489: ...d the maximum number of concurrent Telnet SSH sessions permitted Try connecting again at a later time Cannot connect using Secure Shell If you cannot connect using SSH you may have exceeded the maximum number of concurrent Telnet SSH sessions permitted Try connecting again at a later time Be sure the control parameters for the SSH server are properly configured on the switch and that the SSH clien...

Page 490: ...r messages reported to include all categories 3 Designate the SNMP host that is to receive the error messages 4 Repeat the sequence of commands or other actions that lead up to the error 5 Make a list of the commands or circumstances that led to the fault Also make a list of any error messages displayed 6 Contact your distributor s service engineer For example Console config logging on Console con...

Page 491: ... Point Service DSCP DSCP uses a six bit tag to provide for up to 64 different forwarding behaviors Based on network policies different kinds of traffic can be marked for different kinds of forwarding The DSCP bits are mapped to the Class of Service categories and then into the output queues Domain Name Service DNS A system used for translating host names for network nodes into IP addresses Dynamic...

Page 492: ...s comply with the IEEE 802 1p standard Group Attribute Registration Protocol GARP See Generic Attribute Registration Protocol IEEE 802 1D Specifies a general method for the operation of MAC bridges including the Spanning Tree Protocol IEEE 802 1Q VLAN Tagging Defines Ethernet frame tags which carry VLAN information It allows switches to assign endstations to different virtual LANs and defines a st...

Page 493: ...nt of the network from a station attached directly to the network IP Multicast Filtering A process whereby this switch can pass multicast traffic along to participating hosts Layer 2 Data Link layer in the ISO 7 Layer Data Communications Protocol This is related directly to the hardware interface for network devices and passes on traffic based on MAC addresses Link Aggregation See Port Trunk Link ...

Page 494: ...n the target port to be studied unobtrusively Port Trunk Defines a network link aggregation and trunking method which specifies how to create a single high speed logical link that combines several lower speed physical links Private VLANs Private VLANs provide port based security and isolation between ports within the assigned VLAN Data traffic on downlink ports can only be forwarded to and from ...

Page 495: ...the shortest available path maximizing the performance and efficiency of the network Telnet Defines a remote communication facility for interfacing to a terminal device over TCP IP Terminal Access Controller Access Control System Plus TACACS TACACS is a logon authentication protocol that uses software running on a central server to control access to TACACS compliant devices on the network Transmis...

Page 496: ...dless of their physical location or connection point in the network A VLAN serves as a logical workgroup with no physical barriers and allows users to share information and resources as though located on the same LAN XModem A protocol used to transfer files between devices Data is grouped in 128 byte blocks and error corrected ...

Page 497: ...4 189 queue mapping 3 145 4 187 queue mode 3 147 4 185 traffic class weights 3 148 4 186 D default gateway configuration 3 14 4 224 default priority ingress port 3 144 4 185 default settings system 1 6 DHCP 3 16 4 223 client 3 14 dynamic configuration 2 5 DHCP snooping global configuration 4 231 4 238 4 239 specifying trusted interfaces 4 234 verifying MAC addresses 4 235 4 236 VLAN configuration ...

Page 498: ... entries 4 229 setting filter criteria 4 227 J jumbo frame 4 63 L LACP local parameters 4 136 partner parameters 4 136 protocol message statistics 4 136 link type STA 3 113 3 115 3 117 3 119 3 122 4 157 logging syslog traps 4 46 to syslog servers 4 45 log in Web interface 3 2 logon authentication 3 46 4 70 RADIUS client 4 73 RADIUS server 4 73 TACACS client 3 48 4 77 TACACS server 3 48 4 77 logon ...

Page 499: ...the system 3 30 4 22 RSTP 3 102 4 145 global configuration 3 105 4 145 S secure shell 3 54 4 33 configuration 3 54 4 36 4 37 serial port configuring 4 10 show dot1q tunnel 4 178 Simple Network Management Protocol See SNMP SNMP 3 33 community string 3 33 3 37 3 40 3 41 3 45 4 102 enabling traps 3 34 4 106 filtering IP addresses 3 74 trap manager 3 34 4 104 software displaying version 3 11 4 62 down...

Page 500: ... B 1 trunk configuration 3 80 4 130 LACP 3 82 4 132 static 3 81 4 131 U upgrading software 3 18 user password 3 46 4 25 4 26 V VLANs 3 122 3 142 3 144 4 163 802 1Q tunnel mode 3 138 adding static members 3 129 3 131 4 173 creating 3 128 4 168 description 3 122 3 144 displaying basic information 3 126 4 164 displaying port members 3 126 4 175 egress mode 3 132 4 170 interface configuration 3 132 4 ...

Page 502: ...m DEUTSCH Technischer Support und weitere Information unter www smc com SPANISH En www smc com Ud podrá encontrar la información relativa a servicios de soporte técnico DUTCH Technische ondersteuningsinformatie beschikbaar op www smc com PORTUGUES Informações sobre Suporte Técnico em www smc com SWEDISH Information om Teknisk Support finns tillgängligt på www smc com INTERNET E mail address techsu...
