MANAGEMENT GUIDE

TigerSwitch™ 10/100/1000

L2-Lite SMB PoE Gigabit Switch

SMC8126PL2-F

Summary of Contents for 8126PL2-F

Page 3: ...20 Mason Irvine CA 92618 Phone 949 679 8000 TigerSwitch 10 100 1000 Management Guide From SMC s Tiger line of feature rich workgroup LAN solutions August 2009 Pub 149100000023A E082009 MW R01 ...

Page 4: ...e is granted by implication or otherwise under any patent or patent rights of SMC SMC reserves the right to change specifications at any time without notice Copyright 2009 by SMC Networks Inc 20 Mason Irvine CA 92618 All rights reserved Trademarks SMC is a registered trademark and EZ Switch TigerStack and TigerSwitch are trademarks of SMC Networks Inc Other product and company names are trademarks...

Page 5: ...ur attention to related features or instructions Caution Alerts you to a potential hazard that could cause loss of data or damage the system or equipment Warning Alerts you to a potential hazard that could cause personal injury Related Publications The following publication details the hardware features of the switch including the physical and performance related characteristics and how to install...

Page 7: ...on 1 and 2c clients 2 6 Trap Receivers 2 7 Configuring Access for SNMP Version 3 Clients 2 8 Managing System Files 2 8 Saving Configuration Settings 2 9 Chapter 3 Configuring the Switch 3 1 Using the Web Interface 3 1 Navigating the Web Browser Interface 3 2 Home Page 3 2 Configuration Options 3 3 Panel Display 3 3 Main Menu 3 4 Basic Configuration 3 11 Displaying System Information 3 11 Displayin...

Page 8: ...ccess 3 43 Setting the Local Engine ID 3 43 Specifying a Remote Engine ID 3 44 Configuring SNMPv3 Users 3 45 Configuring Remote SNMPv3 Users 3 47 Configuring SNMPv3 Groups 3 49 Setting SNMPv3 Views 3 52 User Authentication 3 54 Configuring User Accounts 3 54 Configuring Local Remote Logon Authentication 3 56 Configuring Encryption Keys 3 59 AAA Authorization and Accounting 3 61 Configuring AAA RAD...

Page 9: ... 3 103 DHCP Snooping Information Option Configuration 3 103 DHCP Snooping Port Configuration 3 105 DHCP Snooping Binding Information 3 106 IP Source Guard 3 107 Configuring Ports for IP Source Guard 3 107 Configuring Static Binding for IP Source Guard 3 109 Displaying Information for Dynamic IP Source Guard Bindings 3 111 Port Configuration 3 112 Displaying Connection Status 3 112 Configuring Inte...

Page 10: ... 3 169 Creating VLANs 3 170 Adding Static Members to VLANs VLAN Index 3 173 Adding Static Members to VLANs Port Index 3 175 Configuring VLAN Behavior for Interfaces 3 176 Configuring IEEE 802 1Q Tunneling 3 178 Enabling QinQ Tunneling on the Switch 3 181 Adding an Interface to a QinQ Tunnel 3 182 Configuring Private VLANs 3 184 Enabling Private VLANs 3 184 Configuring Uplink and Downlink Ports 3 1...

Page 11: ...ottling for Interfaces 3 221 Multicast VLAN Registration 3 223 Configuring Global MVR Settings 3 224 Displaying MVR Interface Status 3 226 Displaying Port Members of Multicast Groups 3 227 Configuring MVR Interface Status 3 228 Assigning Static Multicast Groups to Interfaces 3 230 Configuring Domain Name Service 3 231 Configuring General DNS Service Parameters 3 231 Configuring Static DNS Host to ...

Page 12: ...nd 4 14 exit 4 15 quit 4 15 System Management Commands 4 16 Device Designation Commands 4 16 hostname 4 16 System Status Commands 4 17 show startup config 4 17 show running config 4 18 show system 4 21 show users 4 21 show version 4 22 Frame Size Commands 4 23 jumbo frame 4 23 File Management Commands 4 24 copy 4 25 delete 4 28 dir 4 28 whichboot 4 29 boot system 4 30 Line Commands 4 31 line 4 31 ...

Page 13: ...ation email 4 49 logging sendmail 4 50 show logging sendmail 4 50 Time Commands 4 51 sntp client 4 51 sntp server 4 52 sntp poll 4 53 show sntp 4 53 clock timezone 4 54 calendar set 4 55 show calendar 4 55 Switch Cluster Commands 4 56 cluster 4 56 cluster commander 4 57 cluster ip pool 4 58 cluster member 4 58 rcommand 4 59 show cluster 4 59 show cluster members 4 60 show cluster candidates 4 60 S...

Page 14: ... RADIUS Client 4 83 radius server host 4 83 radius server port 4 84 radius server key 4 84 radius server retransmit 4 85 radius server timeout 4 85 show radius server 4 85 TACACS Client 4 86 tacacs server host 4 87 tacacs server port 4 87 tacacs server key 4 88 tacacs server retransmit 4 88 tacacs server timeout 4 89 show tacacs server 4 89 AAA Commands 4 90 aaa group server 4 90 server 4 91 aaa a...

Page 15: ...ystem auth control 4 112 dot1x default 4 113 dot1x max req 4 113 dot1x port control 4 113 dot1x operation mode 4 114 dot1x re authenticate 4 115 dot1x re authentication 4 115 dot1x timeout quiet period 4 116 dot1x timeout re authperiod 4 116 dot1x timeout tx period 4 117 dot1x timeout supp timeout 4 117 show dot1x 4 118 Management IP Filter Commands 4 121 management 4 121 show management 4 122 Gen...

Page 16: ...4 142 Access Control List Commands 4 143 IP ACLs 4 143 access list ip 4 144 permit deny Standard ACL 4 145 permit deny Extended ACL 4 146 show ip access list 4 148 ip access group 4 148 show ip access group 4 149 MAC ACLs 4 149 access list mac 4 150 permit deny MAC ACL 4 150 show mac access list 4 152 mac access group 4 152 show mac access group 4 153 ACL Information 4 154 show access list 4 154 s...

Page 17: ... mainpower maximum allocation 4 186 power inline compatible 4 187 power inline 4 188 power inline maximum allocation 4 189 power inline priority 4 189 power inline overload auto recover 4 190 show power inline status 4 191 show power mainpower 4 192 mac address table static 4 193 clear mac address table dynamic 4 194 show mac address table 4 194 mac address table aging time 4 195 show mac address ...

Page 18: ...xt 4 217 switchport gvrp 4 217 show gvrp configuration 4 218 garp timer 4 218 show garp timer 4 219 Editing VLAN Groups 4 220 vlan database 4 220 vlan 4 221 Configuring VLAN Interfaces 4 222 interface vlan 4 222 switchport mode 4 223 switchport acceptable frame types 4 224 switchport ingress filtering 4 224 switchport native vlan 4 225 switchport allowed vlan 4 226 switchport forbidden vlan 4 227 ...

Page 19: ...riority default 4 245 queue bandwidth 4 246 queue cos map 4 247 show queue mode 4 248 show queue bandwidth 4 249 show queue cos map 4 249 Priority Commands Layer 3 and 4 4 250 map ip port Global Configuration 4 250 map ip port Interface Configuration 4 251 map ip precedence Global Configuration 4 251 map ip precedence Interface Configuration 4 252 map ip dscp Global Configuration 4 252 map ip dscp...

Page 20: ...er 4 275 show ip igmp snooping mrouter 4 276 IGMP Filtering and Throttling Commands 4 277 ip igmp filter Global Configuration 4 277 ip igmp profile 4 278 permit deny 4 278 range 4 279 ip igmp filter Interface Configuration 4 279 ip igmp max groups 4 280 ip igmp max groups action 4 281 show ip igmp filter 4 281 show ip igmp profile 4 282 show ip igmp throttle interface 4 283 Multicast VLAN Registra...

Page 21: ...9 show ip redirects 4 300 ping 4 300 Appendix A Software Specifications A 1 Software Features A 1 Management Features A 2 Standards A 2 Management Information Bases A 3 Appendix B Troubleshooting B 1 Problems Accessing the Management Interface B 1 Using System Logs B 2 Glossary Index ...

Page 23: ...ng DSCP Priority Values 3 197 Table 4 1 Command Modes 4 6 Table 4 2 Configuration Modes 4 8 Table 4 3 Command Line Processing 4 9 Table 4 4 Command Groups 4 10 Table 4 5 General Commands 4 11 Table 4 6 System Management Commands 4 16 Table 4 7 Device Designation Commands 4 16 Table 4 8 System Status Commands 4 17 Table 4 9 Frame Size Commands 4 23 Table 4 10 Flash File Commands 4 24 Table 4 11 Fil...

Page 24: ... Table 4 46 MAC ACL Commands 4 149 Table 4 47 ACL Information 4 154 Table 4 48 Interface Commands 4 155 Table 4 49 Interfaces Switchport Statistics 4 166 Table 4 50 Link Aggregation Commands 4 167 Table 4 51 show lacp counters display description 4 174 Table 4 52 show lacp internal display description 4 175 Table 4 53 show lacp neighbors display description 4 176 Table 4 54 show lacp sysid display...

Page 25: ...ltering Commands 4 266 Table 4 84 IGMP Snooping Commands 4 266 Table 4 85 IGMP Query Commands Layer 2 4 271 Table 4 86 Static Multicast Routing Commands 4 275 Table 4 87 IGMP Filtering and Throttling Commands 4 277 Table 4 88 Multicast VLAN Registration Commands 4 284 Table 4 89 show mvr display description 4 288 Table 4 90 show mvr interface display description 4 288 Table 4 91 show mvr members d...

Page 27: ...ing the System 3 33 Figure 3 21 Resetting the System 3 34 Figure 3 22 SNTP Configuration 3 36 Figure 3 23 Setting the System Clock 3 37 Figure 3 24 Enabling SNMP Agent Status 3 39 Figure 3 25 Configuring SNMP Community Strings 3 40 Figure 3 26 Configuring IP Trap Managers 3 42 Figure 3 27 Setting an Engine ID 3 43 Figure 3 28 Setting a Remote Engine ID 3 44 Figure 3 29 Configuring SNMPv3 Users 3 4...

Page 28: ...ation Option Configuration 3 104 Figure 3 65 DHCP Snooping Port Configuration 3 106 Figure 3 66 DHCP Snooping Binding Information 3 107 Figure 3 67 IP Source Guard Port Configuration 3 109 Figure 3 68 Static IP Source Guard Binding Configuration 3 110 Figure 3 69 Dynamic IP Source Guard Binding Information 3 111 Figure 3 70 Displaying Port Trunk Information 3 112 Figure 3 71 Port Trunk Configurati...

Page 29: ...tion 3 186 Figure 3 108 Protocol VLAN Port Configuration 3 188 Figure 3 109 Port Priority Configuration 3 190 Figure 3 110 Traffic Classes 3 192 Figure 3 111 Queue Mode 3 193 Figure 3 112 Configuring Queue Scheduling 3 194 Figure 3 113 IP Precedence DSCP Priority Status 3 195 Figure 3 114 Mapping IP Precedence Priority Values 3 196 Figure 3 115 Mapping IP DSCP Priority Values 3 198 Figure 3 116 IP...

Page 30: ...General Configuration 3 232 Figure 3 136 DNS Static Host Table 3 234 Figure 3 137 DNS Cache 3 235 Figure 3 138 Cluster Member Choice 3 236 Figure 3 139 Cluster Configuration 3 237 Figure 3 140 Cluster Member Configuration 3 238 Figure 3 141 Cluster Member Information 3 239 Figure 3 142 Cluster Candidate Information 3 240 ...

Page 31: ...AC address filtering Private VLANs Network Access MAC Address Authentication DHCP Snooping with Option 82 relay information IP Source Guard Access Control Lists Supports up to 128 ACLs 96 MAC rules and 96 IP rules DHCP Client DNS Client and Proxy service Port Configuration Speed duplex mode and flow control Rate Limiting Input and output rate limiting per port Port Mirroring One or more port mirro...

Page 32: ...ver LANs EAPOL to request user credentials from the 802 1X client and then verifies the client s right to access the network via an authentication server Other authentication options include HTTPS for secure management access via the web SSH for secure management access over a Telnet equivalent connection SNMP Version 3 IP address filtering for SNMP web Telnet management access MAC address filteri...

Page 33: ...the throughput across any connection and provide redundancy by taking over the load if a port in the trunk should fail The switch supports up to 32 trunks Storm Control Broadcast multicast and unknown unicast storm suppression prevents traffic from overwhelming the network When enabled on a port the level of traffic passing through the port is restricted If traffic rises above a pre defined thresh...

Page 34: ... direct extension of RSTP It can provide an independent spanning tree for different VLANs It simplifies network management provides for even faster convergence than RSTP by limiting the size of each region and prevents VLAN members from being segmented from the rest of the group as sometimes occurs with IEEE 802 1D STP Virtual LANs The switch supports up to 256 VLANs A Virtual LAN is a collection ...

Page 35: ... VLAN lists Using access lists allows you select traffic based on Layer 2 Layer 3 or Layer 4 information contained in each packet Based on network policies different kinds of traffic can be marked for different kinds of forwarding Multicast Filtering Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfere with normal network traffic and to guarantee real tim...

Page 36: ...p bits 1 Parity none Local Console Timeout 0 disabled Authentication Privileged Exec Level Username admin Password admin Normal Exec Level Username guest Password guest Enable Privileged Exec from Normal Exec Level Password super RADIUS Authentication Disabled TACACS Authentication Disabled 802 1X Port Authentication Disabled MAC Authentication Disabled HTTPS Enabled SSH Disabled Port Security Dis...

Page 37: ...ports Multicast disabled Unknown Unicast disabled Rate Limit Broadcast 500 packets per second Spanning Tree Algorithm Status Enabled RSTP Defaults Based on RSTP standard Fast Forwarding Edge Port Disabled Address Table Aging Time 300 seconds Virtual LANs Default VLAN 1 PVID 1 Acceptable Frame Type All Ingress Filtering Enabled Switchport Mode Egress Mode Hybrid tagged untagged frames GVRP global D...

Page 38: ...uerier Enabled Multicast VLAN Registration Disabled System Log Status Enabled Messages Logged Levels 0 7 all Messages Logged to Flash Levels 0 3 SMTP Email Alerts Event Handler Enabled but no server defined SNTP Clock Synchronization Disabled DHCP Snooping Status Disabled IP Source Guard Status Disabled all ports Switch Clustering Status Enabled Commander Disabled Table 1 2 System Defaults Continu...

Page 39: ...RS 232 serial console port on the switch or remotely by a Telnet or Secure Shell SSH connection over the network The switch s management agent also supports SNMP Simple Network Management Protocol This SNMP agent permits the switch to be managed from any system in the network using network management software such as SMC s EliteView The switch s web interface CLI configuration program and SNMP age...

Page 40: ...rminal emulation software and tighten the captive retaining screws on the RS 232 connector 2 Connect the other end of the cable to the RS 232 serial port on the switch 3 Make sure the terminal emulation software is set as follows Select the appropriate serial port COM port 1 or COM port 2 Set to any of the following baud rates 9600 19200 38400 57600 115200 Note Set to 9600 baud if want to view all...

Page 41: ...provides access to basic configuration functions To access the full range of SNMP management functions you must use SNMP based network management software Basic Configuration Console Connection The CLI program provides two different command levels normal access level Normal Exec and privileged access level Privileged Exec The commands available at the Normal Exec level are a limited subset of thos...

Page 42: ...ation for the stack to obtain management access through the network This can be done in either of the following ways Manual You have to input the information including IP address and subnet mask If your management station is not in the same IP subnet as the stack s master unit you will also need to specify the default gateway router Dynamic The switch sends IP configuration requests to BOOTP or DH...

Page 43: ...d Requests will be sent periodically in an effort to obtain IP configuration information BOOTP and DHCP values can include the IP address subnet mask and default gateway If the DHCP BOOTP server is slow to respond you may need to use the ip dhcp restart command to re start broadcasting service requests If the bootp or dhcp option is saved to the startup config file step 6 then the switch will star...

Page 44: ...SNMP agent that supports SNMP version 1 2c and 3 clients To provide management access for version 1 or 2c clients you must specify a community string The switch provides a default MIB View i e an SNMPv3 construct for the default public community string that provides read access to the entire MIB tree and a default view for the private community string that provides read write access to the entire ...

Page 45: ... are no community strings then SNMP management access from SNMP v1 and v2c clients is disabled Trap Receivers You can also specify SNMP stations that are to receive traps from the switch To configure a trap receiver use the snmp server host command From the Privileged Exec level global configuration mode prompt type snmp server host host address community string version 1 2c 3 auth noauth priv whe...

Page 46: ...iles are Configuration This file type stores system configuration information and is created when configuration settings are saved Saved configuration files can be selected as a system start up file or can be uploaded via TFTP to a server for backup The file named Factory_Default_Config cfg contains all the system default settings and cannot be deleted from the system If the system is booted with ...

Page 47: ...he start up configuration file using the copy command New startup configuration files must have a name specified File names on the switch are case sensitive can be from 1 to 31 characters must not contain slashes or and the leading letter of the file name must not be a period Valid characters A Z a z 0 9 _ There can be more than one user defined configuration file saved in the switch s flash memor...

Page 49: ...age 2 4 2 Set user names and passwords using an out of band serial connection Access to the web agent is controlled by the same user names and passwords as the onboard configuration program See Setting Passwords on page 2 4 3 After you enter a user name and password you will have access to the system configuration program Notes 1 You are allowed three attempts to enter the correct password on the ...

Page 50: ...statistics The default user name and password for the administrator is admin Home Page When your web browser connects with the switch s web agent the home page is displayed as shown below The home page displays the Main Menu on the left side of the screen and System Information on the right side The Main Menu links are used to navigate to other menus and display configuration parameters and statis...

Page 51: ...r 7 x This option is available under Tools Internet Options General Browsing History Settings Temporary Internet Files 2 When using Internet Explorer 5 0 you may have to manually refresh the screen after making configuration changes by pressing the browser s refresh button Panel Display The web agent displays an image of the switch s ports The Mode can be set to display different information for t...

Page 52: ...ying files 3 20 Delete Allows deletion of files from the flash memory 3 20 Set Start Up Sets the startup file 3 20 Line 3 24 Console Sets console port connection parameters 3 24 Telnet Sets Telnet connection parameters 3 26 Log 3 28 Logs Stores and displays error messages 3 28 System Logs Sends error messages to a logging process 3 28 Remote Logs Configures the logging of messages to a remote logg...

Page 53: ...s accounting of requested services for billing or security purposes 3 63 Periodic Update Sets the interval at which accounting updates are sent to RADIUS AAA servers 3 65 802 1X Port Settings Applies the specified accounting method to an interface 3 66 Command Privileges Specifies a method name to apply to commands entered at specific CLI privilege levels 3 67 Exec Settings Specifies console or Te...

Page 54: ...ation Allows ports to dynamically join trunks 3 118 Aggregation Port Configures parameters for link aggregation group members 3 120 Port Counters Information Displays statistics for LACP protocol messages 3 122 Port Internal Information Displays settings and operational state for the local side 3 124 Port Neighbors Information Displays settings and operational state for the remote side 3 126 Port ...

Page 55: ...Protocol 3 158 VLAN Configuration Configures priority and VLANs for a spanning tree instance 3 158 Port Information Displays port settings for a specified MST instance 3 161 Trunk Information Displays trunk settings for a specified MST instance 3 161 Port Configuration Configures port settings for a specified MST instance 3 163 Trunk Configuration Configures trunk settings for a specified MST inst...

Page 56: ...ghted Round Robin 3 193 Queue Scheduling Configures Weighted Round Robin queueing 3 194 IP Precedence DSCP Priority Status Globally selects IP Precedence or DSCP Priority or disables both 3 195 IP Precedence Priority Sets IP Type of Service priority mapping the precedence tag to a class of service value 3 196 IP DSCP Priority Sets IP Differentiated Services Code Point priority mapping a DSCP tag t...

Page 57: ...24 Port Information Displays MVR interface type MVR operational and activity status and immediate leave status 3 226 Trunk Information Displays MVR interface type MVR operational and activity status and immediate leave status 3 226 Group IP Information Displays the ports attached to an MVR multicast stream 3 227 Port Configuration Configures MVR interface type and immediate leave status 3 228 Trun...

Page 58: ...e source guard binding table 3 109 Dynamic Information Displays the source guard binding table for a selected interface 3 111 Cluster 3 236 Configuration Globally enables clustering for the switch 3 236 Member Configuration Adds switch Members to the cluster 3 238 Member Information Displays cluster Member switch information 3 239 Candidate Information Displays network Candidate switch information...

Page 59: ...or the system System Up Time Length of time the management agent has been up These additional parameters are displayed for the CLI MAC Address The physical layer address for this switch Web Server Shows if management access via is enabled Web Server Port Shows the TCP port number used by the web interface Web Secure Server Shows if management access via HTTPS is enabled Web Secure Server Port Show...

Page 60: ...le config snmp server contact Ted 4 64 Console config exit Console show system 4 21 System Description SMC TigerSwitch 10 100 1000 PoE SMC8126PL2 F System OID String 1 3 6 1 4 1 202 20 74 System information System Up Time 0 days 2 hours 18 minutes and 36 38 seconds System Name NONE System Location NONE System Contact NONE MAC Address Unit1 00 D0 CB 6A 23 F3 Web Server Enabled Web Server Port 80 We...

Page 61: ...built in RJ 45 ports Hardware Version Hardware version of the main board Internal Power Status Displays the status of the internal power supply Management Software EPLD Version Version number of the Electronically Programmable Logic Device code Loader Version Version number of loader code Boot ROM Version Version of Power On Self Test POST and boot code Operation Code Version Version number of run...

Page 62: ...onsole show version 4 22 Unit 1 Unit 1 Serial Number MWOR0AA134A0009 Hardware Version R01 EPLD Version 0 00 Number of Ports 26 Main Power Status Up Redundant Power Status Not present Agent Master Unit ID 1 Loader Version 1 0 0 2 Boot ROM Version 1 0 0 2 Operation Code Version 1 0 0 10 Console ...

Page 63: ...ffic classes Refer to Class of Service Configuration on page 3 189 Static Entry Individual Port This switch allows static filtering for unicast and multicast addresses Refer to Setting Static Addresses on page 3 139 VLAN Learning This switch uses Independent VLAN Learning IVL where all VLANs share the same address table Configurable PVID Tagging This switch allows you to override the default Port ...

Page 64: ...ess IP Address Mode Specifies whether IP functionality is enabled via manual configuration Static Dynamic Host Configuration Protocol DHCP or Boot Protocol BOOTP If DHCP BOOTP is enabled IP will not function until a reply has been received from the server Requests will be broadcast periodically by the switch for an IP address DHCP BOOTP values can include the IP address subnet mask and default gat...

Page 65: ...o Static enter the IP address subnet mask and gateway then click Apply Figure 3 6 Manual IP Configuration CLI Specify the management interface IP address and default gateway Console config Console config interface vlan 1 4 155 Console config if ip address 192 168 1 1 255 255 255 0 4 297 Console config if exit Console config ip default gateway 0 0 0 0 4 298 Console config ...

Page 66: ...lso broadcast a request for IP configuration settings on each power reset Figure 3 7 DHCP IP Configuration Note If you lose your management connection use a console connection and enter show ip interface to determine the new switch address CLI Specify the management interface and set the IP address mode to DHCP or BOOTP and then enter the ip dhcp restart command Console config Console config inter...

Page 67: ... frames that run only up to 1 5 KB using jumbo frames significantly reduces the per packet overhead required to process protocol encapsulation fields Command Usage To use jumbo frames both the source and destination end nodes such as a computer or server must support this feature Also when the connection is operating at full duplex all switches in the network between the two end nodes must be able...

Page 68: ...ssigning it a new name file to tftp Copies a file from the switch to a TFTP server tftp to file Copies a file from a TFTP server to the switch TFTP Server IP Address The IP address of a TFTP server File Type Specify opcode operational code to copy firmware File Name The file name should not contain slashes or the leading letter of the file name should not be a period and the maximum length for fil...

Page 69: ... to start using the new operation code reboot the system via the System Reset menu Figure 3 9 Copy Firmware If you download to a new destination file go to the System File Set Start Up menu mark the operation code file used at startup and click Apply To start the new firmware reboot the system via the System Reset menu Figure 3 10 Setting the Startup Code To delete a file select System File Delete...

Page 70: ...ftp Copies the running configuration to a TFTP server startup config to file Copies the startup configuration to a file on the switch startup config to running config Copies the startup config to the running config startup config to tftp Copies the startup configuration to a TFTP server tftp to file Copies a file from a TFTP server to the switch tftp to running config Copies a file from a TFTP ser...

Page 71: ...tp to startup config or tftp to file and enter the IP address of the TFTP server Specify the name of the file to download and select a file on the switch to overwrite or specify a new file name then click Apply Figure 3 12 Downloading Configuration Settings for Startup If you download to a new file name using tftp to startup config or tftp to file the file is automatically set as the start up conf...

Page 72: ...Range 0 65535 seconds Default 600 seconds Password Threshold Sets the password intrusion threshold which limits the number of failed logon attempts When the logon attempt threshold is reached the system interface becomes silent for a specified amount of time set by the Silent Time parameter before allowing the next logon attempt Range 0 120 Default 3 attempts Silent Time Sets the amount of time th...

Page 73: ... for the line connection When a connection is started on a line with password protection the system prompts for the password If you enter the correct password the system shows a prompt Default No password Login1 Enables password checking at login You can select authentication by a single global password as configured for the Password parameter or by passwords set up for specific user name accounts...

Page 74: ...s the interval that the system waits until user input is detected If user input is not detected within the timeout interval the current session is terminated Range 0 65535 seconds Default 600 seconds Password Threshold Sets the password intrusion threshold which limits the number of failed logon attempts When the logon attempt threshold is reached the system interface becomes silent for a specifie...

Page 75: ... the connection parameters for Telnet access then click Apply Figure 3 15 Enabling Telnet CLI Enter Line Configuration mode for a virtual terminal then specify the connection parameters as required To display the current virtual terminal settings use the show line command from the Normal Exec level 2 CLI only Console config line vty 4 31 Console config line login local 4 32 Console config line pas...

Page 76: ... Enables disables the logging of debug or error messages to the logging process Default Enabled Flash Level Limits log messages saved to the switch s permanent flash memory for all levels up to the specified level For example if level 3 is specified all messages from level 0 to level 3 will be logged to flash Range 0 7 Default 3 RAM Level Limits log messages saved to the switch s temporary RAM mem...

Page 77: ...acility types specified by values of 16 to 23 The facility type is used by the syslog server to dispatch log messages to an appropriate service The attribute specifies the facility type tag sent in syslog messages See RFC 3164 This type has no effect on the kind of messages reported by the switch However it may be used by the syslog server to process messages such as sorting or storing messages in...

Page 78: ...he syslog server host IP address choose the facility type and set the logging trap Console config logging host 192 168 1 15 4 43 Console config logging facility 23 4 43 Console config logging trap 4 4 44 Console config end Console show logging trap 4 44 Syslog logging Enabled REMOTELOG status Enabled REMOTELOG facility type local use 7 REMOTELOG level type Warning conditions REMOTELOG server ip ad...

Page 79: ...he SMTP function Default Enabled Email Source Address Sets the email address used for the From field in alert messages You may use a symbolic email address that identifies the switch or the address of an administrator responsible for the switch Severity Sets the syslog severity threshold level see table on 3 28 used to trigger alert messages All events at this level or higher will be sent to the c...

Page 80: ...he list Email Destination Address This command specifies SMTP servers that may receive alert messages Web Click System Log SMTP Enable SMTP specify a source email address and select the minimum severity level To add an IP address to the SMTP Server List type the new IP address in the SMTP Server field and click Add To delete an IP address click the entry in the Server IP List and click Remove Spec...

Page 81: ...ber button to renumber the switch When prompted confirm that you want to renumber the switch Figure 3 20 Renumbering the System Console config logging sendmail host 192 168 1 4 4 47 Console config logging sendmail level 3 4 48 Console config logging sendmail source email big wheels matel com 4 49 Console config logging sendmail destination email chris matel com 4 49 Console config logging sendmail...

Page 82: ...confirm that you want to reset the switch Note When restarting the system it will always run the Power On Self Test It will also retain all configuration information stored in non volatile memory see Saving or Restoring Configuration Settings on page 3 22 Console reload 4 22 System will be restarted continue y n y Console config logging sendmail host 192 168 1 19 Console config logging sendmail le...

Page 83: ...d sequence Setting the Time Manually You can set the system time on the switch manually without using SNTP CLI This example sets the system clock time and then displays the current time and date Configuring SNTP You can configure the switch to send time synchronization requests to time servers Command Attributes SNTP Client Configures the switch to operate as an SNTP client This requires at least ...

Page 84: ... number of hours and minutes your time zone is east before or west after of UTC Command Attributes Current Time Displays the current time Name Assigns a name to the time zone Range 1 29 characters Hours 0 13 The number of hours before after UTC Minutes 0 59 The number of minutes before after UTC Direction Configures the time zone to be before east or after west UTC Console config sntp server 10 1 ...

Page 85: ...n agent. A defined set of variables, known as managed objects, is maintained by the SNMP agent and used to manage the device. These objects are defined in a Management Information Base (MIB) that provides a standard presentation of the information controlled by the agent. SNMP defines both the format of the MIB specifications and the protocol used to access this information over the network. The switch in...

Page 86: ...d from the system. You can then define customized groups and views for the SNMP clients that require access. Table 3-4 SNMPv3 Security Models and Levels. Columns: Model | Level | Group | Read View | Write View | Notify View | Security. Rows: v1 | noAuthNoPriv | public (read only) | defaultview | none | none | Community string only; v1 | noAuthNoPriv | private (read/write) | defaultview | defaultview | none | Community string only; v1 | noAuthNoPriv | user defin...

Page 87: ...P Trap Managers should be listed in this table. For security reasons, you should consider removing the default strings. Command Attributes: SNMP Community Capability: The switch supports up to five community strings. Current: Displays a list of the community strings currently configured. Community String: A community string that acts like a password and permits access to the SNMP protocol. Default strings: p...

Page 88: ...encryption options (authNoPriv or authPriv), the user name must first be defined in the SNMPv3 Users page (page 3-45). Otherwise, the authentication password and/or privacy password will not exist, and the switch will not authorize SNMP access for the host. However, if you specify a V3 host with the no authentication (noAuth) option, an SNMP user account will be automatically generated, and the switch will authorize...

Page 89: ...mmend that you define this string in the SNMP Community section at the top of the SNMP Configuration page (for Version 1 or 2c clients), or define a corresponding "User Name" in the SNMPv3 Users page (for Version 3 clients). (Range: 1-32 characters, case sensitive) Trap UDP Port: Specifies the UDP port number used by the trap manager. (Default: 162) Trap Version: Specifies whether to send notifications as SNMP v1, v...

Page 90: ...messages, specify the UDP port, trap version, trap security level (for v3 clients), trap inform settings (for v2c/v3 clients), and then click Add. Select the trap types required using the check boxes for Authentication and Link-up/down traps, and then click Apply. Figure 3-26 Configuring IP Trap Managers. CLI: This example adds a trap manager and enables both authentication and link-up, link-down traps. 3. These a...

Page 91: ...cts against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets. A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all SNMP users will be cleared. You will need t...

Page 92: ... therefore need to configure the remote agent's SNMP engine ID before you can send proxy requests or informs to it. (See "Specifying Trap Managers and Trap Types" on page 3-40 and "Configuring Remote SNMPv3 Users" on page 3-47.) A new engine ID can be specified by entering 10 to 64 hexadecimal characters. Web: Click SNMP, SNMPv3, Remote Engine ID. Figure 3-28 Setting a Remote Engine ID. CLI: This example specifi...

Page 93: ...ser. noAuthNoPriv: There is no authentication or encryption used in SNMP communications. (This is the default for SNMPv3.) AuthNoPriv: SNMP communications use authentication, but the data is not encrypted (only available for the SNMPv3 security model). AuthPriv: SNMP communications use both authentication and encryption (only available for the SNMPv3 security model). Authentication Protocol: The method used for u...

Page 94: ...roup of a user, click Change Group in the Actions column of the users table and select the new group. Figure 3-29 Configuring SNMPv3 Users. CLI: Use the snmp-server user command to configure a new user name and assign it to a group. Console(config)#snmp-server user chris group r&d v3 auth md5 greenpeace priv des56 einstien (4-74) Console(config)#exit Console#show snmp user (4-74) EngineId: 8301000003000035281...

Page 95: ...ier for the SNMP agent on the remote device where the remote user resides. Note that the remote engine identifier must be specified before you configure a remote user. (See "Specifying a Remote Engine ID" on page 3-44.) Remote IP: The Internet address of the remote device where the user resides. Security Model: The user security model; SNMP v1, v2c or v3. (Default: v3) Security Level: The security level used for t...

Page 96: ...click Delete. Figure 3-30 Configuring Remote SNMPv3 Users. CLI: Use the snmp-server user command to configure a new user name and assign it to a group. Console(config)#snmp-server user mark group r&d remote 192.168.1.19 v3 auth md5 greenpeace priv des56 einstien (4-74) Console(config)#exit Console#show snmp user (4-74) No user exist. SNMP remote user EngineId: 80000000030004e2b316c54321 User Name: mark Authent...

Page 97: ...view for write access. (Range: 1-64 characters) Notify View: The configured view for notifications. (Range: 1-64 characters) Table 3-5 Supported Notification Messages. Columns: Object Label | Object ID | Description. RFC 1493 Traps: newRoot | 1.3.6.1.2.1.17.0.1 | The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root e...

Page 98: ...SNMP trap that is generated when an alarm entry crosses its rising threshold and generates an event that is configured for sending SNMP traps. fallingAlarm | 1.3.6.1.2.1.16.0.2 | The SNMP trap that is generated when an alarm entry crosses its falling threshold and generates an event that is configured for sending SNMP traps. Private Traps: swPowerStatusChangeTrap | 1.3.6.1.4.1.202.20.74.2.1.0.1 | This trap ...

Page 99: ...ck Delete. Figure 3-31 Configuring SNMPv3 Groups. CLI: Use the snmp-server group command to configure a new group, specifying the security model and level, and restricting MIB access to defined read, write, and notify views. Console(config)#snmp-server group secure-users v3 priv read defaultview write defaultview notify defaultview (4-71) Console(config)#exit Console#show snmp group (4-73) Group Name: secure-use...

Page 100: ... MIB tree. Wild cards can be used to mask a specific portion of the OID string. Type: Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view. Web: Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New View page, define a name and specify OID subtrees in the switch MIB to be included or excluded in the view. Click Back to save the new v...

Page 101: ...erver view ifEntry.a 1.3.6.1.2.1.2.2.1.1 included (4-69) Console(config)#exit Console#show snmp view (4-71) View Name: ifEntry.a Subtree OID: 1.3.6.1.2.1.2.2.1.1 View Type: included Storage Type: nonvolatile Row Status: active View Name: readaccess Subtree OID: 1.3.6.1.2 View Type: included Storage Type: nonvolatile Row Status: active View Name: defaultview Subtree OID: 1 View Type: included Storage Type: nonvolatil...

Page 102: ...er Accounts. The guest only has read access for most configuration parameters. However, the administrator has write access for all parameters governing the onboard agent. You should therefore assign a new administrator password as soon as possible, and store it in a safe place. The default guest name is "guest" with the password "guest". The default administrator name is "admin" with the password "admin". Command...

Page 103: ...w user account and add it to the Account List. To change the password for a specific user, enter the user name and new password, confirm the password by entering it again, then click Apply. Figure 3-33 Access Levels. CLI: Assign a user name to access-level 15 (i.e., administrator), then specify the password. Console(config)#username bob access-level 15 (4-77) Console(config)#username bob password 0 smith Console(c...

Page 104: ...ed, you must specify the authentication sequence and the corresponding parameters for the remote authentication protocol. Local and remote logon authentication control management access via the console port, web browser, or Telnet. RADIUS and TACACS+ logon authentication assign a specific privilege level for each user name/password pair. The user name, password, and privilege level must be configured on th...

Page 105: ...65535; Default: 1812) Number of Server Transmits: Number of times the switch tries to authenticate logon access via the authentication server. (Range: 1-30; Default: 2) Timeout for a Reply: The number of seconds the switch waits for a reply from the RADIUS server before it resends the request. (Range: 1-65535; Default: 5) TACACS+ Settings: Global: Provides globally applicable TACACS+ settings. Server Index: Specifies th...

Page 106: ...tication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply. Figure 3-34 Authentication Settings ...

Page 107: ...84 Console(config)#radius-server retransmit 5 (4-85) Console(config)#radius-server timeout 10 (4-85) Console(config)#radius-server 1 host 192.168.1.25 (4-83) Console(config)#end Console#show radius-server (4-85) Global Settings: Communication Key with RADIUS Server: Auth-Port: 1812 Retransmit Times: 2 Request Timeout: 5 Server 1: Server IP Address: 192.168.1.25 Communication Key with RADIUS Server: Auth-Port: 181 Retr...

Page 108: ...ng: Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 48 characters) Confirm Secret Text String: Re-type the string entered in the previous field to ensure no errors were made. The switch will not change the encryption key if these two fields do not match. Change: Clicking this button adds or modifies the selected encryption key. Web: Click Se...

Page 109: ... switch supports the following AAA features: Accounting for IEEE 802.1X authenticated users that access the network through the switch. Accounting for users that access management interfaces on the switch through the console and Telnet. Accounting for commands that users enter at specific CLI privilege levels. Authorization of users that access management interfaces on the switch through the console a...

Page 110: ...e index for a RADIUS server, the server index must already be defined (see "Configuring Local/Remote Logon Authentication" on page 3-56). Web: Click Security, AAA, Radius Group Settings. Enter the RADIUS group name, followed by the number of the server, then click Add. Figure 3-36 AAA Radius Group Settings. CLI: Specify the group name for a list of RADIUS servers, and then specify the index number of a RADIUS serv...

Page 111: ...o add it to the group. Configuring AAA Accounting: AAA accounting is a feature that enables the accounting of requested services for billing or security purposes. Command Attributes: Method Name: Specifies an accounting method for service requests. The "default" methods are used for a requested service if no other methods have been defined. (Range: 1-255 characters) The method name is only used to describe th...

Page 112: ... to a server group configured on the RADIUS or TACACS+ Group Settings pages. Web: Click Security, AAA, Accounting, Settings. To configure a new accounting method, specify a method name and a group name, then click Add. Figure 3-38 AAA Accounting Settings. CLI: Specify the accounting method required, followed by the chosen parameters. Console(config)#aaa accounting dot1x tps start-stop group radius (4-92) Console(c...

Page 113: ...hich the local accounting service updates information to the accounting server. (Range: 1-2147483647 minutes; Default: Disabled) Web: Click Security, AAA, Accounting, Periodic Update. Enter the required update interval and click Apply. Figure 3-39 AAA Accounting Update. CLI: This example sets the periodic accounting update interval at 10 minutes. Console(config)#aaa accounting update periodic 10 (4-95) Console(conf...

Page 114: ...to apply to the interface. This method must be defined in the AAA Accounting Settings menu (page 3-62). (Range: 1-255 characters) Web: Click Security, AAA, Accounting, 802.1X Port Settings. Enter the required accounting method and click Apply. Figure 3-40 AAA Accounting 802.1X Port Settings. CLI: Specify the accounting method to apply to the selected interface. Console(config)#interface ethernet 1/2 Console(config-if)#a...

Page 115: ...ed at the specified CLI privilege level. Web: Click Security, AAA, Accounting, Command Privileges. Enter a defined method name for console and Telnet privilege levels. Click Apply. Figure 3-41 AAA Accounting Exec Command Privileges. CLI: Specify the accounting method to use for console and Telnet privilege levels. Console(config)#line console (4-31) Console(config-line)#accounting commands 15 tps-method (4-96) Con...

Page 116: ... user sessions. Command Attributes: AAA Accounting Summary: Accounting Type: Displays the accounting service. Method List: Displays the user-defined or default accounting method. Group List: Displays the accounting server group. Interface: Displays the port or trunk to which these rules apply. (This field is null if the accounting method and associated server group has not been assigned to an interface.) AAA Ac...

Page 117: ...User Authentication 3-69 3 Web: Click Security, AAA, Summary. Figure 3-43 AAA Accounting Summary ...

Page 118: ...cters) The group name "tacacs+" specifies all configured TACACS+ hosts (see "Configuring Local/Remote Logon Authentication" on page 3-56). Any other group name refers to a server group configured on the TACACS+ Group Settings page. Authorization is only supported for TACACS+ servers. Console#show accounting (4-98) Accounting Type: dot1x Method List: default Group List: radius Interface: Method List: tps-method Group L...

Page 119: ...oup. Authorization EXEC Settings: This feature specifies an authorization method name to apply to console and Telnet connections. Command Attributes: Method Name: Specifies a user-defined method name to apply to console and Telnet connections. Web: Click Security, AAA, Authorization, Exec Settings. Enter a defined method name for console and Telnet connections, and click Apply. Figure 3-45 AAA Authorization Ex...

Page 120: ...pplies. (This field is null if the authorization method and associated server group has not been assigned.) Web: Click Security, AAA, Authorization, Summary. Figure 3-46 AAA Authorization Summary. CLI: This example displays the configured authorization methods and the interfaces to which they are applied. Console(config)#line console (4-31) Console(config-line)#authorization exec tps-auth (4-98) Console(config-line...

Page 121: ...ection. The client and server generate session keys for encrypting and decrypting data. The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 5.x or above, Netscape 6.2 or above, and Mozilla Firefox 2.0.0.0 or above. The following web browsers and operating systems currently support HTTPS: To specify a secure-site certificate, s...

Page 122: ... obtain a unique certificate and a private key and password from a recognized certification authority. Caution: For maximum security, we recommend you obtain a unique Secure Sockets Layer certificate at the earliest opportunity. This is because the default certificate for the switch is not unique to the hardware you have purchased. When you have obtained these, place them on your TFTP server, and use the...

Page 123: ...ord authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified on the Authentication Settings page (page 3-56). If public key authentication is specified by the client, then you must configure authentication keys on both the client and the switch as described in the following section. Note that regar...

Page 124: ...ients: a. The client sends its password to the server. b. The switch compares the client's password to those stored in memory. c. If a match is found, the connection is allowed. Note: To use SSH with only password authentication, the host public key must still be given to the client, either during initial connection or manually entered into the known host file. However, you do not need to configure the client ...

Page 125: ...f Host-Key: The public key for the host. RSA (Version 1): The first field indicates the size of the host key (e.g., 1024), the second field is the encoded public exponent (e.g., 65537), and the last string is the encoded modulus. DSA (Version 2): The first field indicates that the encryption method used by SSH is based on the Digital Signature Standard (DSS). The last string is the encoded modulus. Host-Key Type: The key...

Page 127: ...se from a client during an authentication attempt. (Range: 1-120 seconds; Default: 120 seconds) SSH Authentication Retries: Specifies the number of authentication attempts that a client is allowed before authentication fails and the client has to restart the authentication process. (Range: 1-5 times; Default: 3) SSH Server-Key Size: Specifies the SSH server key size. (Range: 512-896 bits; Default: 768) The server key...

Page 128: ...APOL identity request. The client provides its identity (such as a user name) in an EAPOL response to the switch, which it forwards to the RADIUS server. The RADIUS server verifies the client identity and sends an access challenge back to the client. The EAP packet from the RADIUS server contains not only the challenge, but the authentication method to be used. The client can reject the authentication met...

Page 129: ... have an IP address assigned. RADIUS authentication must be enabled on the switch and the IP address of the RADIUS server specified. 802.1X must be enabled globally for the switch. Each switch port that will be used must be set to dot1X "Auto" mode. Each client that needs to be authenticated must have dot1X client software installed and properly configured. The RADIUS server and 802.1X client support EAP...

Page 130: ...ed) Web: Select Security, 802.1X, Configuration. Enable 802.1X globally for the switch, and click Apply. Figure 3-51 802.1X Global Configuration. CLI: This example enables 802.1X globally for the switch. Console#show dot1x (4-118) Global 802.1X Parameters: system-auth-control: enable 802.1X Port Summary: Port Name | Status | Operation Mode | Mode | Authorized: 1/1 | disabled | Single-Host | ForceAuthorized | n/a; 1/2 | disabled | Sin...

Page 131: ...e. This is the default setting. Force-Unauthorized: Forces the port to deny access to all clients, either dot1x-aware or otherwise. Re-authentication: Sets the client to be re-authenticated after the interval specified by the Re-authentication Period. Re-authentication can be used to detect if a new device is plugged into a switch port. (Default: Disabled) Max-Request: Sets the maximum number of times the swi...

Page 132: ...Configuring the Switch 3-84 3 Web: Click Security, 802.1X, Port Configuration. Modify the parameters required, and click Apply. Figure 3-52 802.1X Port Configuration ...

Page 133: ...control: Enabled 802.1X Port Summary: Port | Type | Operation Mode | Port Control | Authorized: Eth 1/1 | Disabled | Single-Host | ForceAuthorized | Yes; Eth 1/2 | Authenticator | Single-Host | Auto | No; Eth 1/26 | Disabled | Single-Host | ForceAuthorized | No. 802.1X Port Details: 802.1X is disabled on port 1/1. Authenticator Information: Reauthentication: Enabled Reauth Period: 1800 seconds Quiet Period: 30 seconds TX Period: 40 seconds S...

Page 134: ...es of any type that have been received by this Authenticator. Rx EAP Resp/Id: The number of EAP Resp/Id frames that have been received by this Authenticator. Rx EAP Resp/Oth: The number of valid EAP Response frames (other than Resp/Id frames) that have been received by this Authenticator. Rx EAP LenError: The number of EAPOL frames that have been received by this Authenticator in which the Packet Body Len...

Page 135: ...the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges. You cannot delete an individual address from a specified range. You must delete the entire range, and reenter the addresses. You can delete an address range just by specifying the start address, or by specifying both the start address and end address. Comm...

Page 136: ... the filter list. Figure 3-54 Creating an IP Filter List. CLI: This example allows SNMP access for a specific client. Console(config)#management snmp-client 10.1.2.3 (4-121) Console(config)#end Console#show management all-client Management IP Filter: HTTP-Client: Start IP address | End IP address. SNMP-Client: Start IP address | End IP address: 1. 10.1.2.3 | 10.1.2.3. TELNET-Client: Start IP address | End IP address. Cons...

Page 137: ...gned VLAN. See "Configuring Private VLANs" on page 3-184. Port Security: Configure secure addresses for individual ports. 802.1X: Use IEEE 802.1X port authentication to control access to specific ports. See "Configuring 802.1X Port Authentication" on page 3-80. Network Access: Configures MAC authentication and dynamic VLAN assignment. ACL: Access Control Lists provide packet filtering for IPv4 frames (based on a...

Page 138: ... MAC addresses, the selected port will stop learning. The MAC addresses already in the address table will be retained and will not age out. Any other device that attempts to use the port will be prevented from accessing the switch. Command Usage: A secure port has the following restrictions: It cannot be used as a member of a static or dynamic trunk. It should not be connected to a network interconnectio...

Page 139: ... list, add the required rules, and then bind the list to a specific port. Configuring Access Control Lists: An ACL is a sequential list of permit or deny conditions that apply to IP addresses, MAC addresses, or other more specific criteria. This switch tests ingress or egress packets against the conditions in an ACL one by one. A packet will be accepted as soon as it matches a permit rule, or dropped as so...

Page 140: ...permit all. Setting the ACL Name and Type: Use the ACL Configuration page to designate the name and type of an ACL. Command Attributes: Name: Name of the ACL. (Maximum length: 15 characters) Type: There are three filtering modes: Standard: IP ACL mode that filters packets based on the source IP address. Extended: IP ACL mode that filters packets based on source or destination IP address, as well as protocol type...

Page 141: ...te "match" and 0 bits to indicate "ignore". The mask is bitwise ANDed with the specified source IP address, and compared with the address for each IP packet entering the port(s) to which this ACL has been assigned. Web: Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select "Host", enter a specific address. If you select "IP", enter a subnet address and the mask for an address ...

Page 142: ...tocol number 0-255. (Options: TCP, UDP, Others; Default: TCP) Source/Destination Port: Source/destination port number for the specified protocol type. (Range: 0-65535) Source/Destination Port Bitmask: Decimal number representing the port bits to match. (Range: 0-65535) Control Code: Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63) Control Code Bit Mask: Decimal...

Page 143: ...packets if the source address is in subnet 10.7.1.x. For example, if the rule is matched, i.e., the rule (10.7.1.0 & 255.255.255.0) equals the masked address (10.7.1.2 & 255.255.255.0), the packet passes through. 2. Allow TCP packets from class C addresses 192.168.1.0 to any destination address when set for destination TCP port 80 (i.e., HTTP). 3. Permit all TCP packets from class C addresses 192.168.1.0 with the TCP c...

Page 144: ...ation MAC address. VID: VLAN ID. (Range: 1-4094) VID Mask: VLAN bitmask. (Range: 1-4094) Ethernet Type: This option can only be used to filter Ethernet II formatted packets. (Range: 600-fff hex) A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include 0800 (IP), 0806 (ARP), 8137 (IPX). Ethernet Type Bitmask: Protocol bitmask. (Range: 600-fff hex) Packet Format: This attribute...

Page 145: ...ress range. Set any other required criteria, such as VID, Ethernet type, or packet format. Then click Add. Figure 3-59 Configuring MAC ACLs. CLI: This example configures one permit rule for all source MAC addresses to communicate with all destination MAC addresses on VLAN 12, and another permit rule for source MAC address to communicate with all destination MAC addresses. Console(config-mac-acl)#permit any a...

Page 146: ...d one ACL to any port for ingress filtering. Command Attributes: Port: Fixed port or SFP module. (Range: 1-26/50) IP: Specifies the IP ACL to bind to a port. MAC: Specifies the MAC ACL to bind to a port. IN: ACL for ingress packets. OUT: ACL for egress packets. (Not supported) Web: Click Security, ACL, Port Binding. Click Edit to open the configuration page for the ACL type. Mark the Enable field for the port you want ...

Page 147: ...dresses for the same group (i.e., SNMP, web, or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges. You cannot delete an individual address from a specified range. You must delete the entire range, and reenter the addresses. You can delete an address range just by specifying the start address, or by spec...

Page 148: ...e the filter list. Figure 3-61 Creating an IP Filter List. CLI: This example allows SNMP access for a specific client. Console(config)#management snmp-client 10.1.2.3 (4-39) Console(config)#end Console#show management all-client Management IP Filter: HTTP-Client: Start IP address | End IP address. SNMP-Client: Start IP address | End IP address: 1. 10.1.2.3 | 10.1.2.3. TELNET-Client: Start IP address | End IP address. Cons...

Page 149: ...is 100 packets per second. Any DHCP packets in excess of this limit are dropped. When DHCP snooping is enabled, DHCP messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCP snooping. Filtering rules are implemented as follows: If the global DHCP snooping is disabled, all DHCP packets are forwarded. If DHCP snooping is enabled globally, and also enabled on the VLAN...

Page 150: ...self, no filtering takes place. However, when the switch receives any messages from a DHCP server, any packets received from untrusted ports are dropped. DHCP Snooping Configuration: Use the DHCP Snooping Configuration page to enable DHCP Snooping globally on the switch, or to configure MAC Address Verification. Command Attributes: DHCP Snooping Status: Enables DHCP snooping globally. (Default: Disabled) DHCP S...

Page 151: ...ooping Status: Enables or disables DHCP snooping for the selected VLAN. When DHCP snooping is enabled globally on the switch, and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN. Web: Click DHCP Snooping, VLAN Configuration. Figure 3-63 DHCP Snooping VLAN Configuration. CLI: This example first enables DHCP Snooping for VLAN 1. DHCP Snooping Inform...

Page 152: ...e DHCP packets from a client that already includes DHCP Option 82 information. The switch can be configured to set the action policy for these packets. The switch can either drop the DHCP packets, keep the existing information, or replace it with the switch's relay information. Command Attributes: DHCP Snooping Information Option Status: Enables or disables DHCP Option 82 information relay. (Default: Disabl...

Page 153: ...e VLAN. When an untrusted port is changed to a trusted port, all the dynamic DHCP snooping bindings associated with this port are removed. Set all ports connected to DHCP servers within the local network or firewall to trusted state. Set all other ports outside the local network or firewall to untrusted state. Command Attributes: Trust Status: Enables or disables port as trusted. (Default: Untrusted) Conso...

Page 154: ... snooping binding information. Unit: Stack unit. Port: Port number. VLAN ID: VLAN for which DHCP snooping has been enabled. MAC Address: Physical address associated with the entry. IP Address: IP address corresponding to the client. Console(config)#interface ethernet 1/5 Console(config-if)#ip dhcp snooping trust (4-134) Console#show ip dhcp snooping (4-138) Global DHCP Snooping status: disable DHCP Snooping Informa...

Page 155: ...vent traffic attacks caused when a host tries to use the IP address of a neighbor to access the network. This section describes commands used to configure IP Source Guard. Note: Due to a chip limitation, IP source guard and Quality of Service (for IP-related QoS) cannot be enabled at the same time. Configuring Ports for IP Source Guard: Use the IP Source Guard Port Configuration page to set the filtering ...

Page 156: ...ber, and source MAC address (for the SIP-MAC option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded. If DHCP snooping is enabled, IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the SIP-MAC option). If a matching entry is found in the binding table and the entry type is sta...

Page 157: ...ed with a value of zero in the table. Command Usage: Static addresses entered in the source guard binding table are automatically configured with an infinite lease time. Dynamic entries learned via DHCP snooping are configured by the DHCP server itself. Static bindings are processed as follows: If there is no entry with the same VLAN ID and MAC address, a new entry is added to the binding table using th...

Page 158: ...e table. Port: Switch port number. (Range: 1-26/50) VLAN ID: ID of a configured VLAN. (Range: 1-4094) MAC Address: A valid unicast MAC address. IP Address: A valid unicast IP address, including classful types A, B, or C. Web: Click IP Source Guard, Static Configuration. Select the VLAN and port to which the entry will be bound, enter the MAC address and associated IP address, then click Add. Figure 3-68 Static IP Source ...

Page 159: ...namic Binding Table Counts: Displays the number of IP addresses in the source-guard binding table. Current Dynamic Binding Table: Displays the IP addresses in the source-guard binding table. Web: Click IP Source Guard, Dynamic Information. Figure 3-69 Dynamic IP Source Guard Binding Information. CLI: This example shows how to configure a static source-guard binding on port 5. Console#show ip source-guard bi...

Page 160: ...atus: Indicates the type of flow control currently in use (IEEE 802.3x, Back-Pressure, or None). Autonegotiation: Shows if auto-negotiation is enabled or disabled. Media Type: Media type used for the combo ports 21-24. (Options: Copper-Forced, SFP-Forced, or SFP-Preferred-Auto; Default: SFP-Preferred-Auto) Trunk Member: Shows if port is a trunk member. Creation: Shows if a trunk is manually configured or dynamical...

Page 161: ...ed or disabled. Multicast Storm Limit: Shows the multicast storm threshold. (64-1,000,000 kilobits per second) Unknown Unicast Storm: Shows if unknown unicast storm control is enabled or disabled. Unknown Unicast Storm Limit: Shows the unknown unicast storm threshold. (64-1,000,000 kilobits per second) Flow Control: Shows if flow control is enabled or disabled. LACP: Shows if LACP is enabled or disabled. Port Se...

Page 162: ... connection over any 1000BASE-T port or trunk. If not used, the success of the link process cannot be guaranteed when connecting to other types of switches. Command Attributes: Name: Allows you to label an interface. (Range: 1-64 characters) Admin: Allows you to manually disable an interface. You can disable an interface due to abnormal behavior (e.g., excessive collisions), and then reenable it after the Console...

Page 163: ...Supports 100 Mbps half-duplex operation. 100full: Supports 100 Mbps full-duplex operation. 1000full (Combo ports only): Supports 1000 Mbps full-duplex operation. Default: Autonegotiation enabled. Advertised capabilities for 100BASE-TX: 10half, 10full, 100half, 100full; 1000BASE-T: 10half, 10full, 100half, 100full, 1000full; 1000BASE-SX/LX/ZX: 1000full. Media Type: Media type used for the combo ports 21-24. Copper-Forced ...

Page 164: ... standby mode Should one link in the trunk fail one of the standby ports will automatically be activated to replace it Command Usage Besides balancing the load across each port in the trunk the other ports provide redundancy by taking over the load if a port in the trunk fails However before making any physical connections between devices use the web interface or CLI to specify the trunk on the de...

Page 165: ...on the manufacturer s implementation However note that the static trunks on this switch are Cisco EtherChannel compatible To avoid creating a loop in the network be sure you add a static trunk via the configuration interface before connecting the ports and also disconnect the ports before removing a static trunk via the configuration interface Command Attributes Member List Current Shows configure...

Page 166: ... ends of an LACP trunk must be configured for full duplex and auto negotiation Trunks dynamically established through LACP will also be shown in the Member List on the Trunk Membership menu see 3 117 Console config interface port channel 2 4 155 Console config if exit Console config interface ethernet 1 1 4 155 Console config if channel group 2 4 168 Console config if exit Console config interface...

Page 167: ...w Includes entry fields for creating new trunks Port Port identifier Range 1 26 50 Web Click Port LACP Configuration Select any of the switch ports from the scroll down port list and click Add After you have completed adding ports to the member list click Apply Figure 3 73 LACP Trunk Configuration ...

Page 168: ... 171 Command Attributes Set Port Actor This menu sets the local side of an aggregate link i e the ports on this switch Port Port number Range 1 26 50 System Priority LACP system priority is used to determine link aggregation group LAG membership and to identify this device to other switches during LAG negotiations Range 0 65535 Default 32768 Ports must be configured with the same system priority t...

Page 169: ...ched device The command attributes have the same meaning as those used for the port actor However configuring LACP settings for the partner only applies to its administrative state not its operational state and will only take effect the next time an aggregate link is established with the partner Web Click Port LACP Aggregation Port Set the System Priority Admin Key and Port Priority for the Port A...

Page 170: ...Console show lacp sysid 4 174 Port Channel System Priority System MAC Address 1 3 00 12 CF 31 31 31 2 32768 00 12 CF 31 31 31 3 32768 00 12 CF 31 31 31 4 32768 00 12 CF 31 31 31 Console show lacp 1 internal 4 174 Port channel 1 Oper Key 120 Admin Key 0 Eth 1 1 LACPDUs Internal 30 sec LACP System Priority 3 LACP Port Priority 128 Admin Key 120 Oper Key 120 Admin State defaulted aggregation long tim...

Page 171: ...e value but contain an unknown PDU or 2 are addressed to the Slow Protocols group MAC Address but do not carry the Slow Protocols Ethernet Type Marker Illegal Pkts Number of frames that carry the Slow Protocols Ethernet Type value but contain a badly formed PDU or an illegal value of Protocol Subtype Console show lacp counters 4 174 Port channel 1 Eth 1 1 LACPDUs Sent 91 LACPDUs Receive 43 Marker ...

Page 172: ...information administratively configured for the partner Distributing If false distribution of outgoing frames on this link is disabled i e distribution is currently disabled and is not expected to be enabled in the absence of administrative changes or changes in received protocol information Collecting Collection of incoming frames on this link is enabled i e collection is currently enabled and is...

Page 173: ... LACP configuration settings and operational state for the local side of port channel 1 Console show lacp 1 internal 4 174 Port channel 1 Oper Key 120 Admin Key 0 Eth 1 1 LACPDUs Internal 30 sec LACP System Priority 3 LACP Port Priority 128 Admin Key 120 Oper Key 120 Admin State defaulted aggregation long timeout LACP activity Oper State distributing collecting synchronization aggregation long tim...

Page 174: ...ssigned by the LACP protocol Partner Admin Port Number Current administrative value of the port number for the protocol Partner Partner Oper Port Number Operational port number assigned to this aggregation port by the port s protocol partner Port Admin Priority Current administrative value of the port priority for the protocol partner Port Oper Priority Priority value assigned to this aggregation ...

Page 175: ...t Storm Control is enabled by default Broadcast control does not affect IP multicast traffic Command Attributes Port Port number Type Indicates the port type 1000BASE T or 1000BASE SFP Protect Status Enables or disables broadcast storm control Default Enabled Threshold Threshold level as a rate i e packets per second Range 500 262143 packets per second Default 500 pps Trunk Shows if a port is a tr...

Page 176: ...d should match or exceed source port speed otherwise traffic may be dropped from the monitor port All mirror sessions must share the same destination port When mirroring port traffic the target port must be included in the same VLAN as the source port when using MSTP see Spanning Tree Algorithm Configuration on page 3 142 Command Attributes Mirror Sessions Displays a list of current mirror session...

Page 177: ...ceed the acceptable amount of traffic are dropped Rate limiting can be applied to individual ports or trunks When an interface is configured with this feature the traffic rate will be monitored by the hardware to verify conformity Non conforming traffic is dropped conforming traffic is forwarded without any changes Rate Limit Configuration Use the rate limit configuration pages to apply rate limit...

Page 178: ...dentify potential problems with the switch such as a faulty port or unusually heavy loading RMON statistics provide access to a broad range of statistics including a total count of different frame types and sizes passing through each port All values displayed have been accumulated since the last system reboot and are shown as counts per second Statistics are refreshed every 60 seconds by default N...

Page 179: ...re discarded or not sent Transmit Broadcast Packets The total number of packets that higher level protocols requested be transmitted and which were addressed to a broadcast address at this sub layer including those that were discarded or not sent Transmit Discarded Packets The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their bein...

Page 180: ...ctets and had either an FCS or alignment error Received Bytes Total number of bytes of data received on the network This statistic can be used as a reasonable indication of Ethernet utilization Collisions The best estimate of the total number of collisions on this Ethernet segment Received Frames The total number of frames bad broadcast and multicast received Broadcast Frames The total number of g...

Page 181: ...ed and transmitted that were 64 octets in length excluding framing bits but including FCS octets 65 127 Byte Frames 128 255 Byte Frames 256 511 Byte Frames 512 1023 Byte Frames 1024 1518 Byte Frames 1519 1536 Byte Frames The total number of frames including bad packets received and transmitted where the number of octets fall within the specified range excluding framing bits but including FCS octet...

Page 182: ...itical high or low To control the power supply within the switch s budget ports set at critical or high priority have power enabled in preference to those ports set at low priority For example when a device is connected to a port set to critical priority the switch supplies the required Console show interfaces counters ethernet 1 13 4 164 Ethernet 1 13 Iftable stats Octets input 868453 Octets outp...

Page 183: ... service provided to the switch ports Mainpower Consumption The amount of power being consumed by PoE devices connected to the switch Thermal Temperature7 The internal temperature of the switch Software Version The version of software running on the PoE controller subsystem in the switch Web Click PoE Power Status Figure 3 82 Displaying the Global PoE Status CLI This example displays the current p...

Page 184: ...Use the power mainpower maximum allocation command to set the PoE power budget for the switch Displaying Port Power Status Use the Power Port Status page to display the current PoE power status for all ports Command Attributes Port The port number Admin Status The administrative status of PoE power on the port Mode The current operating status of PoE power on the port Power Allocation The configur...

Page 185: ...he port power priority settings are used to control the supplied power For example If a device is connected to a low priority port and causes the switch to exceed its budget port power is not turned on Console show power inline status 4 194 Unit 1 Compatible mode Enabled Max Used Overload Interface Admin Oper Power Power Priority Auto recover Eth 1 1 Enabled Off 15400 mW 0 mW Low Disabled Eth 1 2 ...

Page 186: ...cts an overload condition the PoE power is disabled and the port administrative status is set to disabled The user must manually re enable the port using a management interface Enabled When a port detects an overload condition the PoE power is disabled and the port administrative status is set to disabled The port is automatically re enabled when the overload condition is no longer detected on the...

Page 187: ...ss will be ignored and will not be written to the address table Command Attributes Static Address Counts8 The number of manually configured addresses Current Static Address Table Lists all the static addresses Interface Port or trunk associated with the device assigned a static address MAC Address Physical address of a device mapped to this interface VLAN ID of configured VLAN 1 4094 Web Click Add...

Page 188: ...nterface Indicates a port or trunk MAC Address Physical address associated with this interface VLAN ID of configured VLAN 1 4094 Address Table Sort Key You can sort the information displayed based on MAC address VLAN or interface port or trunk Dynamic Address Counts The number of addresses dynamically learned Current Dynamic Address Table Lists all the dynamic addresses Web Click Address Table Dyn...

Page 189: ...learned entry is discarded Range 10 630 seconds Default 300 seconds Web Click Address Table Address Aging Specify the new aging time click Apply Figure 3 88 Setting the Address Aging Time CLI This example sets the aging time to 300 seconds Console show mac address table interface ethernet 1 1 4 194 Interface Mac Address Vlan Type Eth 1 1 00 12 CF 48 82 93 1 Delete on reset Eth 1 1 00 12 CF 94 34 D...

Page 190: ... the lowest path cost when forwarding a packet from that LAN to the root device All ports connected to designated bridging devices are assigned as designated ports After determining the lowest cost spanning tree it enables all root ports and designated ports and disables all other ports Network packets are therefore only forwarded between root ports and designated ports eliminating any possible ne...

Page 191: ... then builds an Internal Spanning Tree IST for the Region containing all commonly configured MSTP bridges An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers including the Region Name Revision Level and Configuration Digest see Configuring Multiple Spanning Trees on page 3 158 An MST Region may contain multiple MSTP Instances An Internal Span...

Page 192: ...ssage becomes the designated port for the attached LAN If it is a root port a new root port is selected from among the device ports attached to the network References to ports in this section mean interfaces which includes both ports and trunks Hello Time Interval in seconds at which the root device transmits a configuration message Forward Delay The maximum time in seconds the root device will wa...

Page 193: ...designated ports should receive configuration messages at regular intervals If the root port ages out STA information provided in the last configuration message a new root port is selected from among the device ports attached to the network References to ports in this section mean interfaces which includes both ports and trunks Root Forward Delay The maximum time in seconds this device will wait ...

Page 194: ...e show spanning tree 4 213 Spanning tree information Spanning Tree Mode RSTP Spanning Tree Enabled Disabled Disabled Instance 0 VLANs Configuration 1 4094 Priority 32768 Bridge Hello Time sec 2 Bridge Max Age sec 20 Bridge Forward Delay sec 15 Root Hello Time sec 2 Root Max Age sec 20 Root Forward Delay sec 15 Max Hops 20 Remaining Hops 20 Designated Root 32768 00D0CB6A23F3 Current Root Port 0 Cur...

Page 195: ...Spanning Tree Protocol MSTP generates a unique spanning tree for each instance This provides multiple pathways across the network thereby balancing the traffic load preventing wide scale disruption when a bridge node in a single instance fails and allowing for faster convergence of a new topology for the failed instance To allow multiple spanning trees to operate over the network you must configur...

Page 196: ...gnated port for the attached LAN If it is a root port a new root port is selected from among the device ports attached to the network References to ports in this section mean interfaces which includes both ports and trunks Default 20 Minimum The higher of 6 or 2 x Hello Time 1 Maximum The lower of 40 or 2 x Forward Delay 1 Forward Delay The maximum time in seconds this device will wait before chan...

Page 197: ...h this switch can be assigned Configuration Digest An MD5 signature key that contains the VLAN ID to MST ID mapping table In other words this key is a mapping of all VLANs to the CIST Region Revision10 The revision for this MSTI Range 0 65535 Default 0 Region Name10 The name for this MSTI Maximum length 32 characters Maximum Hop Count The maximum number of hops allowed in the MST region before a B...

Page 198: ...Configuring the Switch 3 150 3 Web Click Spanning Tree STA Configuration Modify the required attributes and click Apply Figure 3 90 Configuring Spanning Tree ...

Page 199: ...here is no other STA device attached to this segment the port with the smaller ID forwards packets and the other is discarding All ports are discarding when the switch is booted then some of them change state to learning and then to forwarding Forward Transitions The number of times this port has transitioned from the Learning state to the Forwarding state Designated Cost The cost for a packet to ...

Page 200: ...n 3 154 Oper Edge Port This parameter is initialized to the setting for Admin Edge Port in STA Port Configuration on 3 154 i e true or false but will be set to false if a BPDU is received indicating that another bridge is attached to this port Port Role Roles are assigned according to whether the port is part of the active topology connecting the bridge to the root bridge i e root port connecting ...

Page 201: ... switch has accepted as the root device Fast forwarding This field provides the same information as Admin Edge port and is only included for backward compatibility with earlier products Admin Edge Port You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node Since end nodes cannot cause forwarding loops they can pass directly thr...

Page 202: ...nterface Settings for STA on 3 151 for additional information Discarding Port receives STA configuration messages but does not forward packets Learning Port has transmitted configuration messages for an interval set by the Forward Delay parameter without receiving contradictory information Port address table is cleared and the port begins learning addresses Forwarding Port forwards packets and con...

Page 203: ...st takes precedence over port priority Range 0 for auto configuration 1 65535 for the short path cost method11 1 200 000 000 for the long path cost method By default the system automatically detects the speed and duplex mode used on each port and configures the path cost according to the values shown below Path cost 0 is used to indicate auto configuration mode When the short path cost method is s...

Page 204: ...me flooding required to rebuild address tables during reconfiguration events does not cause the spanning tree to initiate reconfiguration when the interface changes state and also overcomes other STA related timeout problems However remember that Edge Port should only be enabled for ports connected to an end node device Default Disabled Migration If at any time the switch detects STP BPDUs includi...

Page 205: ...ly Figure 3 92 Configuring Spanning Tree per Port CLI This example sets STA attributes for port 7 Console config interface ethernet 1 7 4 155 Console config if spanning tree port priority 0 4 208 Console config if spanning tree cost 50 4 206 Console config if spanning tree link type auto 4 210 Console config if no spanning tree edge port 4 208 Console config if ...

Page 206: ... To use multiple spanning trees 1 Set the spanning tree type to MSTP STA Configuration 3 142 2 Enter the spanning tree priority for the selected MST instance MSTP VLAN Configuration 3 Add the VLANs that will share this MSTI MSTP VLAN Configuration Note All VLANs are automatically added to the IST Instance 0 To ensure that the MSTI maintains connectivity across the network you must configure a...

Page 207: ...d the VLAN members to an MSTI instance enter the instance identifier the VLAN identifier and click Add Figure 3 93 Configuring Multiple Spanning Trees CLI This example sets the priority for MSTI 1 and adds VLANs 1 5 to this MSTI Console config spanning tree mst configuration 4 202 Console config mst mst 1 priority 4096 4 203 Console config mstp mst 1 vlan 1 5 4 203 Console config mst ...

Page 208: ... Root 32768 1 0013F7123123 Current Root Port 0 Current Root Cost 0 Number of Topology Changes 1 Last Topology Change Time sec 5 Transmission Limit 3 Path Cost Method Long Eth 1 1 Information Admin Status Enabled Role Master State Forwarding External Admin Path Cost 100000 Internal Admin Path Cost 100000 External Oper Path Cost 100000 Internal Oper Path Cost 100000 Priority 128 Designated Cost 0 De...

Page 209: ...trunks in the selected MST instance Command Attributes MST Instance ID Instance identifier to configure Default 0 The other attributes are described under Displaying Interface Settings for STA on page 3 151 Web Click Spanning Tree MSTP Port or Trunk Information Select the required MST instance to display the current spanning tree values Figure 3 94 Displaying MSTP Interface Settings ...

Page 210: ... 20 Root Forward Delay sec 15 Max Hops 20 Remaining Hops 20 Designated Root 32768 0 0001ECF8D8C6 Current Root Port 1 Current Root Cost 100000 Number of Topology Changes 2 Last Topology Change Time sec 158 Transmission Limit 3 Path Cost Method Long Eth 1 1 Information Admin Status Enabled Role Root State Forwarding External Admin Path Cost 100000 Internal Admin Path Cost 100000 External Oper Path C...

Page 211: ... switch are the same the port with the highest priority i e lowest value will be configured as an active link in the Spanning Tree This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops Where more than one port is assigned the highest priority the port with lowest numeric identifier will be enabled Default 128 Range 0 240 in steps ...

Page 212: ...802 1Q VLAN is a group of ports that can be located anywhere in the network but communicate as though they belong to the same physical segment VLANs help to simplify network management by allowing you to move devices to a new VLAN without having to change any physical connections VLANs can be easily organized to reflect departmental groups such as Marketing or R D usage groups such as e mail or mu...

Page 213: ...ath that will carry this traffic to the same VLAN s either manually or dynamically using GVRP However if you want a port on this switch to participate in one or more VLANs but none of the intermediate network devices nor the host at the other end of the connection supports VLANs then you should add this port to the VLAN as an untagged port Note VLAN tagged frames can pass through VLAN aware or VLA...

Page 214: ...ssage to all other ports When the message arrives at another switch that supports GVRP it will also place the receiving port in the specified VLANs and pass the message on to all other ports VLAN requirements are propagated in this way throughout the network This allows GVRP compliant devices to be automatically configured for VLAN groups based solely on endstation requests To implement GVRP in a ...

Page 215: ...frame When the switch receives a tagged frame it will pass this frame onto the VLAN s indicated by the frame tag However when this switch receives an untagged frame from a VLAN unaware device it first decides where to forward the frame and then inserts a VLAN tag reflecting the ingress port s default VID Enabling or Disabling GVRP Global Setting GARP VLAN Registration Protocol GVRP defines a way f...

Page 216: ...itch Maximum Number of Supported VLANs Maximum number of VLANs that can be configured on this switch Web Click VLAN 802 1Q VLAN Basic Information Figure 3 97 Displaying Basic VLAN Information CLI Enter the following command 12 Web Only Console show bridge ext 4 217 Max Support VLAN Numbers 256 Max Support VLAN ID 4094 Extended Multicast Filtering Services No Static Entry Individual Port Yes VLAN L...

Page 217: ... VLAN 1 4094 Up Time at Creation Time this VLAN was created i e System Up Time Status Shows how this VLAN was added to the switch Dynamic GVRP Automatically learned via GVRP Permanent Added as a static entry Egress Ports Shows all the VLAN port members Untagged Ports Shows the untagged VLAN port members Web Click VLAN 802 1Q VLAN Current Table Select any ID from the scroll down list Figure 3 98 Di...

Page 218: ...y used for management on this system it is not added to the VLAN tag VLAN ID ID of configured VLAN 1 4094 no leading zeroes VLAN Name Name of the VLAN 1 to 32 characters Remote VLAN Reserves this VLAN for RSPAN see Configuring Rate Limits on page 3 129 Status Web Enables or disables the specified VLAN Enabled VLAN is operational Disabled VLAN is suspended i e does not pass packets State CLI Enable...

Page 219: ...ration 3 171 3 Web Click VLAN 802 1Q VLAN Static List To create a new VLAN enter the VLAN ID and VLAN name mark the Enable checkbox to activate the VLAN and then click Add Figure 3 99 Configuring a VLAN Static List ...

Page 220: ...1 9 S Eth1 10 S Eth1 11 S Eth1 12 S Eth1 13 S Eth1 14 S Eth1 15 S Eth1 16 S Eth1 17 S Eth1 18 S Eth1 19 S Eth1 20 S Eth1 21 S Eth1 22 S Eth1 23 S Eth1 24 S Eth1 25 S Eth1 26 S VLAN ID 2 Type Static Name R D Status Active Ports Port Channels VLAN ID 4093 Type Static Name Status Active Ports Port Channels Eth1 1 S Eth1 2 S Eth1 3 S Eth1 4 S Eth1 5 S Eth1 6 S Eth1 7 S Eth1 8 S Eth1 9 S Eth1 10 S Eth1...

Page 221: ...he VLAN 1 to 32 characters Status Enables or disables the specified VLAN Enable VLAN is operational Disable VLAN is suspended i e does not pass packets Port Port identifier Membership Type Select VLAN membership for each interface by marking the appropriate radio button for a port or trunk Tagged Interface is a member of the VLAN All packets transmitted by the port will be tagged that is carry a t...

Page 222: ...ck Apply Figure 3 100 Configuring a VLAN Static Table CLI The following example adds tagged and untagged ports to VLAN 2 Console config interface ethernet 1 1 4 155 Console config if switchport allowed vlan add 2 tagged 4 226 Console config if exit Console config interface ethernet 1 2 Console config if switchport allowed vlan add 2 untagged Console config if exit Console config interface ethernet...

Page 223: ...embership by Port Select an interface from the scroll down box Port or Trunk Click Query to display membership information for the interface Select a VLAN ID and then click Add to add the interface as a tagged member or click Remove to remove the interface After configuring VLAN membership for each interface click Apply Figure 3 101 VLAN Static Membership by Port CLI This example adds Port 3 to VL...

Page 224: ...including tagged or untagged frames or only tagged frames When set to receive all frame types any received frames that are untagged are assigned to the default VLAN Options All Tagged Default All Ingress Filtering Determines how to process frames tagged for VLANs for which the ingress port is not a member Default Disabled Ingress filtering only affects tagged frames If ingress filtering is disable...

Page 225: ...he port transmits tagged frames that identify the source VLAN Note that frames belonging to the port s default VLAN i e associated with the PVID are also transmitted as tagged frames Hybrid Specifies a hybrid VLAN interface The port may transmit tagged or untagged frames Also note that this is the only port type that can participate in RSPAN see Configuring Rate Limits on page 3 129 Trunk Member I...

Page 226: ...e provider s network even when they use the same customer specific VLAN IDs QinQ tunneling expands VLAN space by using a VLAN in VLAN hierarchy preserving the customer s original tagged packets and adding SPVLAN tags to each frame also called double tagging A port configured to support QinQ tunneling must be set to tunnel port mode The Service Provider VLAN SPVLAN ID for the specific customer must...

Page 227: ...LAN into the packet based on the default VLAN ID and Tag Protocol Identifier TPID that is the ether type of the tag This outer tag is used for learning and switching packets The priority of the inner tag is copied to the outer tag if it is a tagged or priority tagged packet 2 After successful source and destination lookup the ingress process sends the packet to the switching process with two tags ...

Page 228: ...nabled If ingress filtering is not enabled the packet will still be forwarded If the VLAN is not listed in the VLAN table the packet will be dropped 4 After successful source and destination lookup the packet is double tagged The switch uses the TPID of 0x8100 to indicate that an incoming packet is double tagged If the outer tag of an incoming double tagged packet is equal to the port TPID and the...

Page 229: ... to as an SPVLAN see Creating VLANs on page 3 170 4 Configure the QinQ tunnel access port to 802 1Q Tunnel mode see Adding an Interface to a QinQ Tunnel on page 3 182 5 Configure the QinQ tunnel access port to join the SPVLAN as an untagged member see Adding Static Members to VLANs VLAN Index on page 3 173 6 Configure the SPVLAN ID as the native VID on the QinQ tunnel access port see Configuring V...

Page 230: ... CLI This example sets the switch to operate in QinQ mode Adding an Interface to a QinQ Tunnel Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch Command Usage Use the VLAN Port Configuration or VLAN Trunk Configuration screen to set the access port on the edge switch to 802 1Q Tunnel mode Use the 802 1Q Tunnel Configuration screen to set the switch to QinQ mode b...

Page 231: ...tunneling QinQ for a client access port to segregate and preserve customer VLAN IDs for traffic crossing the service provider network 802 1Q Tunnel Uplink Configures IEEE 802 1Q tunneling QinQ for an uplink port to another device within the service provider network Trunk Member Shows if a port is a member of a trunk Web Click VLAN 802 1Q VLAN 802 1Q Tunnel Configuration or Tunnel Trunk Configurati...

Page 232: ... uplink ports Note that private VLANs and normal VLANs can exist simultaneously within the same switch Enabling Private VLANs Use the Private VLAN Status page to enable disable the Private VLAN function Web Click VLAN Private VLAN Status Select Enable or Disable from the scroll down box and click Apply Figure 3 105 Private VLAN Status CLI This example enables private VLANs Console config pvlan 4 1...

Page 233: ...e easily grouped into a common VLAN This may require non standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol This kind of configuration deprives users of the basic benefits of VLANs including security and easy accessibility To avoid these problems you can configure this switch with protocol based VLANs that divide the ...

Page 234: ...2147483647 Frame Type Choose either Ethernet RFC 1042 or LLC Other as the frame type used by this protocol Protocol Type Specifies the protocol type to match The available options are IP ARP RARP and user defined 0801 FFFF hexadecimal If LLC Other is chosen for the Frame Type the only available Protocol Type is IPX Raw Note Traffic which matches IP Protocol Ethernet Frames is mapped to the VLAN VL...

Page 235: ... the associated VLAN When a frame enters a port that has been assigned to a protocol VLAN it is processed in the following manner If the frame is tagged it will be processed according to the standard rules applied to tagged frames If the frame is untagged and the protocol type matches the frame is forwarded to the appropriate VLAN If the frame is untagged but the protocol type does not match the f...

Page 236: ... 3 108 Protocol VLAN Port Configuration CLI The following maps the traffic entering Port 1 which matches the protocol type specified in protocol group 2 to VLAN 2 Console config interface ethernet 1 1 4 155 Console config if protocol vlan protocol group 3 vlan 2 4 241 Console config if ...

Page 237: ...y the default port priority for each interface on the switch All untagged packets entering the switch are tagged with the specified default port priority and then sorted into the appropriate priority queue at the output port Command Usage This switch provides four priority queues for each port It uses Weighted Round Robin to prevent head of queue blockage The default priority applies for an untagg...

Page 238: ... interface ethernet 1 3 4 155 Console config if switchport priority default 5 4 245 Console config if end Console show interfaces switchport ethernet 1 3 4 165 Information of Eth 1 3 Broadcast Threshold Enabled 500 packets second Multicast Threshold Disabled Unknown Unicast Threshold Disabled LACP Status Disabled Ingress Rate Limit Disabled 1000 Mbits per second Egress Rate Limit Disabled 1000 Mbi...

Page 239: ...priority levels to the switch s output queues in any way that benefits application traffic for your own network Command Attributes Priority CoS value Range 0 7 where 7 is the highest priority Traffic Class15 Output queue buffer Range 0 3 where 3 is the highest CoS priority queue Note Mapping specific values for CoS priorities is implemented as an interface command but any changes will apply to the...

Page 240: ...to change the CoS assignments Mapping specific values for CoS priorities is implemented as an interface configuration command but any changes will apply to all interfaces on the switch Console config interface ethernet 1 1 4 155 Console config if queue cos map 0 0 4 247 Console config if queue cos map 1 1 Console config if queue cos map 2 2 Console config if end Console show queue cos map ethe...

Page 241: ...eue weighted 8 will be allowed to transmit up to 8 packets after which the next lower priority queue will be serviced according to its weighting This prevents the head of line blocking that can occur with strict priority queuing Command Attributes WRR Weighted Round Robin shares bandwidth at the egress ports by using scheduling weights with default values of 1 2 4 8 for queues 0 through 3 respect...

Page 242: ...d for service and subsequently affects the response time for software applications assigned a specific priority value Command Attributes Interface Selects a port or trunk as an interface WRR Setting Table16 Displays a list of weights for each traffic class i e queue Weight Value Set a new weight for the selected traffic class Range 1 15 Web Click Priority Queue Scheduling Select the required inter...

Page 243: ...o the output queues in the following manner The precedence for priority mapping is IP Port Priority IP Precedence or DSCP Priority and then Default Port Priority IP Precedence and DSCP Priority cannot both be enabled Enabling one of these priority types will automatically disable the other Selecting IP Precedence DSCP Priority The switch allows you to choose between using IP Precedence or DSCP pri...

Page 244: ...n types ToS bits are defined in the following table Command Attributes IP Precedence Priority Table Shows the IP Precedence to CoS map Class of Service Value Maps a CoS value to the selected IP Precedence value Note that 0 represents low priority and 7 represents high priority Web Click Priority IP Precedence Priority Select an entry from the IP Precedence Priority Table enter a value in the Class ...

Page 245: ...ces will not conflict with the DSCP mapping Based on network policies different kinds of traffic can be marked for different kinds of forwarding The DSCP default values are defined in the following table Note that all the DSCP values that are not specified are mapped to CoS value 0 Console config map ip precedence 4 251 Console config interface ethernet 1 1 4 155 Console config if map ip precedenc...

Page 246: ...P Priority Values CLI The following example globally enables DSCP Priority service on the switch maps DSCP value 0 to CoS value 1 on port 1 and then displays the DSCP Priority settings Mapping specific values for IP DSCP is implemented as an interface configuration command but any changes will apply to all interfaces on the switch Console config map ip dscp 4 252 Console config interface ether...

Page 247: ...e IP port to CoS map IP Port Number TCP UDP Set a new IP port number Class of Service Value Sets a CoS value for a new IP port Note that 0 represents low priority and 7 represents high priority Note Up to 8 entries can be specified IP Port Priority settings apply to all interfaces Web Click Priority IP Port Priority Status Set IP Port Priority Status to Enabled Figure 3 116 IP Port Priority Status ...

Page 248: ...tment to packets in the same class Class information can be assigned by end hosts or switches or routers along the path Priority can then be assigned based on a general policy or a detailed examination of the packet However note that detailed examination of packets should take place close to the network edge so that core switches and routers are not overloaded Switches and routers along the path c...

Page 249: ...Open the Class Map page and click Add Class When the Class Configuration page opens fill in the Class Name field and click Add When the Match Class Settings page opens specify type of traffic for this class based on an access list a DSCP or IP Precedence value or a VLAN and click the Add button next to the field for the selected traffic criteria You can specify up to 16 items to match when assigni...

Page 250: ...dd Adds the specified class Back Returns to previous page without making any changes Match Class Settings Class Name List of class maps ACL List Name of an access control list Any type of ACL can be specified including standard or extended IP ACLs and MAC ACLs Range 1 16 characters IP DSCP A DSCP value Range 0 63 IP Precedence An IP Precedence value Range 0 7 VLAN A VLAN Range 1 4094 Add Adds specifi...

Page 251: ...les to change the rules of an existing class Figure 3 118 Configuring Class Maps CLI This example creates a class map called rd_class and sets it to match packets marked for DSCP service value 3 Console config class map rd_class match any 4 258 Console config cmap match ip dscp 3 4 259 Console config cmap ...

Page 252: ...lso note that the maximum number of classes that can be applied to a policy map is 16 Policing is based on a token bucket where bucket depth i e the maximum burst before the bucket overflows is specified by the Burst field and the average rate at which tokens are removed from the bucket is specified by the Rate option After using the policy map to define packet classification service tagging and bandwid...

Page 253: ...ass map Action Configures the service provided to ingress traffic by setting a CoS DSCP or IP Precedence value in a matching packet as specified in Match Class Settings on 3 201 Range CoS 0 7 DSCP 0 63 IP Precedence 0 7 Meter Check this to define the maximum throughput burst rate and the action that results from a policy violation Rate kbps Rate in kilobits per second Range 1 100000 kbps or maximu...

Page 254: ...h 3 206 3 Web Click QoS DiffServ Policy Map to display the list of existing policy maps To add a new policy map click Add Policy To configure the policy rule settings click Edit Classes Figure 3 119 Configuring Policy Maps ...

Page 255: ... interface The current firmware does not allow you to bind a policy map to an egress queue Command Attributes Ports Specifies a port Ingress Applies the rule to ingress traffic Enabled Check this to enable a policy map on the specified port Policy Map Select the appropriate policy map from the scroll down box Web Click QoS DiffServ Service Policy Settings Check Enabled and choose a Policy Map for ...

Page 256: ...hat want to join a multicast group and set its filters accordingly If there is no multicast router attached to the local subnet multicast traffic and query messages may not be received by the switch In this case Layer 2 IGMP Query can be used to actively ask the attached hosts if they want to receive a specific multicast service IGMP Query thereby identifies the ports containing hosts requesting t...

Page 257: ... other available sources Notes 1 When the switch is configured to use IGMPv3 snooping the snooping version may be downgraded to version 2 or version 1 depending on the version of the IGMP query packets detected on each VLAN 2 IGMP snooping will not function unless a multicast router port is enabled on the switch This can be accomplished in one of two ways A static router port can be manually confi...

Page 258: ...these devices is elected querier and assumes the role of querying the LAN for group members It then propagates the service requests on to any upstream multicast switch router to ensure that it will continue to receive the multicast service Note Multicast routers use this information from IGMP snooping and query reports along with a multicast routing protocol such as DVMRP or PIM to support IP mult...

Page 259: ...P Report Delay Sets the time between receiving an IGMP Report for an IP multicast address on a port before the switch sends an IGMP Query out of that port and removes the entry from its list Range 5 25 seconds Default 10 IGMP Query Timeout The time the switch waits after the previous querier stops before it considers the router port i e the interface which had been receiving query packets to have ...

Page 260: ...ed to the interface Therefore immediate leave should only be enabled on an interface if it is connected to only one IGMP enabled device either a service host or a neighbor running IGMP snooping Immediate leave is only effective if IGMP snooping is enabled and IGMPv2 or IGMPv3 snooping is used Immediate leave does not apply to a port if the switch has learned that a multicast router is attached to ...

Page 261: ...Immediate Leave CLI This example enables IGMP immediate leave for VLAN 1 and then displays the current IGMP snooping status Console config interface vlan 1 Console config if ip igmp snooping immediate leave 4 269 Console config if end Console show ip igmp snooping 4 268 Service Status Enabled Querier Status Disabled Leave proxy status Enabled Query Count 2 Query Interval 125 sec Query Max Response...

Page 262: ...ched to a neighboring multicast router switch for each VLAN ID Command Attributes VLAN ID ID of configured VLAN 1 4094 Multicast Router List Multicast routers dynamically discovered by this switch or those that are statically assigned to an interface on this switch Web Click IGMP Snooping Multicast Router Port Information Select the required VLAN ID from the scroll down list to display the associa...

Page 263: ...or Trunk scroll down list VLAN ID Selects the VLAN to propagate all multicast traffic coming from the attached multicast router Port or Trunk Specifies the interface attached to a multicast router Web Click IGMP Snooping Static Multicast Router Port Configuration Specify the interfaces attached to a multicast router indicate the VLAN which will forward all the corresponding multicast traffic and t...

Page 264: ...cast service Web Click IGMP Snooping IP Multicast Registration Table Select a VLAN ID and the IP address for a multicast service from the scroll down lists The switch will display all the interfaces that are propagating this multicast service Figure 3 125 IP Multicast Registration Table CLI This example displays all the known multicast services supported on VLAN 1 along with the ports propagating ...

Page 265: ... interface in a specific VLAN the corresponding traffic can only be forwarded to ports within that VLAN Command Attributes Interface Activates the Port or Trunk scroll down list VLAN ID Selects the VLAN to propagate all multicast traffic coming from the attached multicast router switch Range 1 4094 Multicast IP The IP address for a specific multicast service Port or Trunk Specifies the interface a...

Page 266: ...ed as normal If a requested multicast group is denied the IGMP join report is dropped IGMP throttling sets a maximum number of multicast groups that a port can join at the same time When the maximum number of groups is reached on a port the switch can take one of two actions either deny or replace If the action is set to deny any new IGMP join reports will be dropped If the action is set to replac...

Page 267: ...Command Usage Each profile has only one access mode either permit or deny When the access mode is set to permit IGMP join reports are processed when a multicast group falls within the controlled range When the access mode is set to deny IGMP join reports are only processed when a multicast group is not in the controlled range Command Attributes Profile ID Selects an existing profile number to conf...

Page 268: ... start and end of the range Click the Add button to add a range to the current list Current Multicast Address Range List Lists multicast groups currently included in the profile Select an entry and click the Remove button to delete it from the list Web Click IGMP Snooping IGMP Filter Profile Configuration Select the profile number you want to configure then click Query to display the current setti...

Page 269: ...join reports will be dropped If the action is set to replace the switch randomly removes an existing group and replaces it with the new multicast group Command Attributes Profile Selects an existing profile number to assign to an interface Max Multicast Groups Sets the maximum number of multicast groups an interface can join at the same time Range 0 256 Default 256 Current Multicast Groups Display...

Page 270: ...rrent IGMP filtering and throttling settings for the interface are then displayed Console config interface ethernet 1 1 Console config if ip igmp filter 19 4 279 Console config if ip igmp max groups 10 4 280 Console config if ip igmp max groups action replace 4 281 Console config if end Console show ip igmp filter interface ethernet 1 1 4 281 Information of Eth 1 1 IGMP Profile 19 deny range 239 1...

Page 271: ...n though common multicast streams are passed onto different VLAN groups from the MVR VLAN users in different IEEE 802 1Q or private VLANs cannot exchange any information except through upper level routing services General Configuration Guidelines for MVR 1 Enable MVR globally on the switch select the MVR VLAN and add the multicast groups that will stream traffic to attached hosts see Configuring G...

Page 272: ...receive data from that multicast group Default Disabled MVR Running Status Indicates whether or not all necessary conditions in the MVR environment are satisfied Running status is true as long as MVR Status is enabled and the specified MVR VLAN exists MVR VLAN Identifier of the VLAN that serves as the channel for streaming multicast services using MVR MVR source ports should be configured as membe...

Page 273: ...at will stream traffic to attached hosts and then click Apply Figure 3 130 MVR Global Configuration CLI This example first enables IGMP snooping enables MVR globally and then configures a range of MVR group addresses Console config ip igmp snooping 4 267 Console config mvr 4 284 Console config mvr group 228 1 23 1 10 4 284 Console config ...

Page 274: ... if there are subscribers receiving multicast traffic from one of the MVR groups or a multicast group has been statically assigned to an interface Immediate Leave Shows if immediate leave is enabled or disabled Trunk Member17 Shows if port is a trunk member Web Click MVR Port or Trunk Information Figure 3 131 MVR Port Information CLI This example shows information about interfaces attached to the ...

Page 275: ...d through the MVR VLAN Web Click MVR Group IP Information Figure 3 132 MVR Group IP Information CLI The following example shows information about the interfaces associated with multicast groups assigned to the MVR VLAN Console show mvr interface 4 287 MVR Group IP Status Members 225 0 0 1 ACTIVE eth1 1 d eth1 2 s 225 0 0 2 INACTIVE None 225 0 0 3 INACTIVE None 225 0 0 4 INACTIVE None 225 0 0 5 IN...

Page 276: ...ch have been statically assigned see Assigning Static Multicast Groups to Interfaces on page 3 230 Immediate leave applies only to receiver ports When enabled the receiver port is immediately removed from the multicast group identified in the leave message When immediate leave is disabled the switch follows the standard rules by sending a group specific query to the receiver port and waiting for a...

Page 277: ...d as an MVR receiver Trunk18 Shows if port is a trunk member Web Click MVR Port or Trunk Configuration Figure 3 133 MVR Port Configuration CLI This example configures an MVR source port and receiver port and then enables immediate leave on the receiver port 18 Port Information only Console config interface ethernet 1 1 Console config if mvr type source 4 286 Console config if exit Console config i...

Page 278: ... of 224 0 0 x Command Attributes Interface Indicates a port or trunk Member Shows the IP addresses for MVR multicast groups which have been statically assigned to the selected interface Non Member Shows the IP addresses for all MVR multicast groups which have not been statically assigned to the selected interface Web Click MVR Group Member Configuration Select a port or trunk from the Interface fi...

Page 279: ...ential order If there is no domain list the default domain name is used If there is a domain list the default domain name is not used When an incomplete host name is received by the DNS service on this switch and a domain name list has been specified the switch will work through the domain list appending each domain name in the list to the host name and checking with the specified name servers for...

Page 280: ...d a domain list However remember that if a domain list is specified the default domain name is not used Console config ip domain name sample com 4 291 Console config ip domain list sample com uk 4 292 Console config ip domain list sample com jp Console config ip name server 192 168 1 55 10 1 0 55 4 293 Console config ip domain lookup 4 294 Console show dns 4 295 Domain Lookup Status DNS enabled De...

Page 281: ...sewhere on the network Servers or other network devices may support one or more connections via multiple IP addresses If more than one IP address is associated with a host name in the static table or via information returned from a name server a DNS client can try each address in succession until it establishes a connection with the target device Field Attributes Host Name Name of a host device th...

Page 282: ...ick Apply Figure 3 136 DNS Static Host Table CLI This example maps two addresses to a host name and then configures an alias host name for the same addresses Console config ip host rd5 192 168 1 55 10 1 0 55 4 290 Console config ip host rd6 10 1 0 55 Console show hosts 4 295 Hostname rd5 Inet address 10 1 0 55 192 168 1 55 Console ...

Page 283: ... an alias IP The IP address associated with this record TTL The time to live reported by the name server Domain The domain name associated with this record Web Select DNS Cache Figure 3 137 DNS Cache CLI This example displays all the resource records learned from the designated name servers Console show dns cache 4 296 NO FLAG TYPE DOMAIN TTL IP 0 4 Address www times com 198 199 239 136 200 1 4 Ad...

Page 284: ...rator through the management station There can be up to 100 candidates and 16 member switches in one cluster A switch can only be a member of one cluster After the Commander and Members have been configured any switch in the cluster can be managed from the web agent by choosing the desired Member ID from the Cluster drop down menu To connect to the Member switch from the Commander CLI prompt use t...

Page 285: ...rs The current number of Member switches in the cluster Number of Candidates The current number of Candidate switches discovered in the network that are available to become Members Web Click Cluster Configuration Figure 3 139 Cluster Configuration CLI This example first enables clustering on the switch sets the switch as the cluster Commander and then configures the cluster IP pool Console config ...

Page 286: ...ble or enter a specific MAC address of a known switch Web Click Cluster Member Configuration Figure 3 140 Cluster Member Configuration CLI This example creates a new cluster Member by specifying the Candidate switch MAC address and setting a Member ID Console config cluster member mac address 00 30 FC 12 34 56 id 1 4 58 Console config exit Console show cluster candidates 4 60 Cluster Candidates Ro...

Page 287: ...s The internal cluster IP address assigned to the Member switch MAC Address The MAC address of the Member switch Description The system description string of the Member switch Web Click Cluster Member Information Figure 3 141 Cluster Member Information CLI This example shows information about cluster Member switches Console show cluster members 4 60 Cluster Members ID 1 Role Active member IP Addre...

Page 288: ...the current status of Candidate switches in the network MAC Address The MAC address of the Candidate switch Description The system description string of the Candidate switch Web Click Cluster Candidate Information Figure 3 142 Cluster Candidate Information CLI This example shows information about cluster Candidate switches Console show cluster candidates 4 60 Cluster Candidates Role Mac Descriptio...

Page 289: ... the console prompt enter the user name and password The default user names are admin and guest with corresponding passwords of admin and guest When the administrator user name and password are entered the CLI displays the Console prompt and enters privileged access mode i e Privileged Exec But when the guest user name and password are entered the CLI displays the Console prompt and enters normal ac...

Page 290: ...n isolated network then you can use any IP address that matches the network segment to which you are attached After you configure the switch with an IP address you can open a Telnet session by performing these steps 1 From the remote host enter the Telnet command and the IP address of the device you want to access 2 At the prompt enter the user name and system password The CLI will display the Vty...

Page 291: ...how startup config To enter commands that require parameters enter the required parameters after the command keyword For example to set a password for the administrator enter Console config username admin password 0 smith Minimum Abbreviation The CLI will accept a minimum number of characters that uniquely identify a command For example the command configure can be entered as con If an entry is am...

Page 292: ...e TTY line information log Login records logging Login setting mac MAC access list mac address table Configuration of the address table management Management IP filter map Maps priority mvr Show mvr interface information network access Shows the entries of the secure port policy map Display policy maps port Port characteristics port channel Port Channel privilege Shows current privilege level prot...

Page 293: ...essages to a host server To disable logging specify the no logging command This guide describes the negation effect for all applicable commands Using Command History The CLI maintains a history of commands that have been entered You can scroll back through the history of commands by pressing the up arrow key Any command displayed in the history list can be executed again or first modified and then...

Page 294: ...Only a limited number of the commands are available in this mode You can access all commands only from the Privileged Exec command mode or administrator mode To access Privilege Exec mode open a new console session with the user name and password admin The system will now display the Console command prompt You can also enter Privileged Exec mode from within Normal Exec mode by entering the enable ...

Page 295: ...odify the port configuration such as speed duplex and negotiation Line Configuration These commands modify the console port and Telnet configuration and include commands such as parity and databits Multiple Spanning Tree Configuration These commands configure settings for the selected multiple spanning tree instance Policy Map Configuration Creates a DiffServ policy map for multiple interfaces Serv...

Page 296: ...ntrol List access list ip standard access list ip extended access list mac Console config std acl Console config ext acl Console config mac acl 4 143 4 146 4 150 Class Map class map Console config cmap 4 258 Interface interface ethernet port port channel id vlan id Console config if 4 155 MSTP spanning tree mst configuration Console config mstp 4 202 Policy Map policy map Console config pmap 4 261...

Page 297: ...ine Ctrl B Shifts cursor to the left one character Ctrl C Terminates the current task and displays the command prompt Ctrl E Shifts cursor to end of command line Ctrl F Shifts cursor to the right one character Ctrl K Deletes all characters from the cursor to the end of the line Ctrl L Repeats current command line on a new line Ctrl N Enters the next command line in the history buffer Ctrl P Enters...

Page 298: ...s or Ethernet type 4 143 Interface Configures the connection parameters for all Ethernet ports aggregated links and VLANs 4 155 Link Aggregation Statically groups multiple ports into a single logical trunk configures Link Aggregation Control Protocol for port trunks 4 167 Mirror Port Mirrors data to another port for analysis without affecting the data passing through or the performance of the moni...

Page 299: ...nding Command Modes on page 4 6 Syntax enable level level Privilege level to log into the device The device has two predefined privilege levels 0 Normal Exec 15 Privileged Exec Enter level 15 to access Privileged Exec mode Default Setting Level 15 Table 4 5 General Commands Command Function Mode Page enable Activates privileged mode NE 4 11 disable Returns to normal mode from privileged mode PE 4 ...

Page 300: ...gain access to all commands you must use the privileged mode See Understanding Command Modes on page 4 6 Command Mode Privileged Exec Command Usage The character is appended to the end of the prompt to indicate that the system is in normal access mode Example Related Commands enable 4 11 configure This command activates Global Configuration mode You must enter this mode to modify any settings on t...

Page 301: ...xec Mode and commands from the Configuration command history buffer when you are in any of the configuration modes In this example the 2 command repeats the second command in the Execution history buffer config reload This command restarts the system Note When the system is restarted it will always run the Power On Self Test It will also retain all configuration information stored in non volatile ...

Page 302: ...store the default prompt Syntax prompt string no prompt string Any alphanumeric string to use for the CLI prompt Maximum length 255 characters Default Setting Console Command Mode Global Configuration Example end This command returns to Privileged Exec mode Command Mode Global Configuration Interface Configuration Line Configuration VLAN Database Configuration and Multiple Spanning Tree Configurat...

Page 303: ... then quit the CLI session quit This command exits the configuration program Default Setting None Command Mode Normal Exec Privileged Exec Command Usage The quit and exit commands can both exit the configuration program Example This example shows how to quit a CLI session Console config exit Console exit Press ENTER to start session User Access Verification Username Console quit Press ENTER to sta...

Page 304: ...s Displays system configuration active managers and version information 4 17 Frame Size Enables support for jumbo frames 4 23 File Management Manages code image or switch configuration files 4 24 Line Sets communication parameters for the serial port including baud rate and console time out 4 31 Event Logging Controls logging of error messages 4 40 SMTP Alerts Configures SMTP email alerts 4 47 Tim...

Page 305: ... server settings Local time zone SNMP community strings Users names and access levels VLAN database VLAN ID name and state VLAN configuration settings for each interface Multiple spanning tree instances name and interfaces Interface settings IP address configured for the switch Any configured settings for the console port and Telnet Console config hostname RD 1 Console config Table 4 8 System Stat...

Page 306: ...T Greenwich Mean Time Dublin Edinburgh Lisbon London snmp server community public ro snmp server community private rw username admin access level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca vlan database VLAN 1 name DefaultVlan media...

Page 307: ...rated by symbols and includes the configuration mode command and corresponding commands This command displays the following information Switch s MAC address SNTP server settings Time zone SNMP community strings Users names and access levels VLAN database VLAN ID name and state VLAN configuration settings for each interface Multiple spanning tree instances name and interfaces Interface settings IP ...

Page 308: ...MP server community public ro username admin access level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca VLAN database VLAN 1 name DefaultVlan media ethernet state active VLAN 4093 media ethernet state active spanning tree MST configura...

Page 309: ...eged Exec Command Usage The session used to execute this command is indicated by a symbol next to the Line i e session index number Console show system System Description SMC TigerSwitch 10 100 1000 PoE SMC8126PL2 F System OID String 1 3 6 1 4 1 202 20 74 System Information System Up Time 0 days 0 hours 1 minutes and 32 18 seconds System Name NONE System Location NONE System Contact NONE MAC Addre...

Page 310: ... Key admin 15 None guest 0 None steve 15 RSA Online users Line Username Idle time h m s Remote IP addr 0 console admin 0 14 14 1 VTY 0 admin 0 00 00 192 168 1 19 2 SSH 1 steve 0 00 06 192 168 1 19 Web online users Line Remote IP addr Username Idle time h m s 1 HTTP 192 168 1 19 admin 0 00 00 Console Console show version Unit1 Serial Number MWOR0AA134A0009 Hardware Version R01 EPLD Version 0 00 Num...

Page 311: ...jumbo frames both the source and destination end nodes such as a computer or server must support this feature Also when the connection is operating at full duplex all switches in the network between the two end nodes must be able to accept the extended frame size And for half duplex connections all devices in the collision domain would need to support jumbo frames Enabling jumbo frames will limit ...

Page 312: ... settings can be uploaded and downloaded to and from a TFTP server The configuration file can be later downloaded to restore switch settings The configuration file can be downloaded under a new file name and then set as the startup file or the current startup configuration file can be specified as the destination file to directly replace it Note that the file Factory_Default_Config cfg can be cop...

Page 313: ...nitialization tftp Keyword that allows you to copy to from a TFTP server https certificate Copies an HTTPS certificate from a TFTP server to the switch public key Keyword that allows you to copy a SSH key from a TFTP server Secure Shell Commands on page 4 103 Default Setting None Command Mode Privileged Exec Command Usage The system prompts for data required to complete the copy command The desti...

Page 314: ...er The following example shows how to upload the configuration settings to a file on the TFTP server The following example shows how to copy the running configuration to a startup file Console copy tftp file TFTP server ip address 10 1 0 19 Choose file type 1 config 2 opcode 1 2 2 Source file name ES4526RO PoE FLF 17V01 BIX Destination file name V1002 Write to FLASH Programming Write to FLASH fini...

Page 315: ...rtup config TFTP server ip address 10 1 0 99 Source configuration file name startup 01 Startup configuration file name startup Write to FLASH Programming Write to FLASH finish Success Console Console copy tftp https certificate TFTP server ip address 10 1 0 19 Source certificate file name SS certificate Source private file name SS private Private password Success Console reload System will be rest...

Page 316: ...ration file from flash memory Related Commands dir 4 28 delete public key 4 107 dir This command displays a list of files in flash memory Syntax dir boot rom config opcode filename The type of file or image to display includes boot rom Boot ROM or diagnostic image file config Switch configuration file opcode Run time operation code image file filename Name of the configuration file or code image D...

Page 317: ...ing Description File name The name of the file File type File types Boot Rom Operation Code and Config file Startup Shows if this file is used when the system is started Size The length of the file in bytes Console dir File name File type Startup Size byte Unit1 SMC8126PL2 F bix Boot Rom Image Y 1881576 ES4526RO PoE FLF 17V01 Operation Code Y 3877488 Factory_Default_Config cfg Config File N 455 se...

Page 318: ... Configuration file opcode Run time operation code filename Name of the configuration file or code image The colon is required Default Setting None Command Mode Global Configuration Command Usage A colon is required after the specified unit number and file type If the file contains an error it cannot be set as the default file Example Related Commands dir 4 28 whichboot 4 29 Console config boot sy...

Page 319: ...password Specifies a password on a line LC 4 33 timeout login response Sets the interval that the system waits for a user to log into the CLI LC 4 34 exec timeout Sets the interval that the command interpreter waits until user input is detected LC 4 34 password thresh Sets the password intrusion threshold which limits the number of failed logon attempts LC 4 35 silent time Sets the amount of time ...

Page 320: ...Usage There are three authentication modes provided by the switch itself at login login selects authentication by a single global password as specified by the password line configuration command When using this method the management interface starts in Normal Exec NE mode login local selects authentication via the user name and password specified by the username command i e default setting When us...

Page 321: ...he system prompts for the password If you enter the correct password the system shows a prompt You can use the password thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state The encrypted password is required for compatibility with legacy password settings i e plain text or encryp...

Page 322: ...nection is terminated for the session This command applies to both the local console and Telnet connections The timeout for Telnet cannot be disabled Using the command without specifying a timeout restores the default setting Example To set the timeout to two minutes enter this command Related Commands silent time 4 36 exec timeout 4 14 exec timeout This command sets the interval that the system w...

Page 323: ...tempts Use the no form to remove the threshold value Syntax password thresh threshold no password thresh threshold The number of allowed password attempts Range 1 120 0 no threshold Default Setting The default value is three attempts Command Mode Line Configuration Command Usage When the logon attempt threshold is reached the system interface becomes silent for a specified amount of time before al...

Page 324: ...sole response Range 0 65535 0 no silent time Default Setting The default value is no silent time Command Mode Line Configuration Example To set the silent time to 60 seconds enter this command Related Commands password thresh 4 35 databits This command sets the number of data bits per character that are interpreted and generated by the console port Use the no form to restore the default value Synt...

Page 325: ...ands parity 4 37 parity This command defines the generation of a parity bit Use the no form to restore the default setting Syntax parity none even odd no parity none No parity even Even parity odd Odd parity Default Setting No parity Command Mode Line Configuration Command Usage Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting Exa...

Page 326: ...d to the serial port Some baud rates available on devices connected to the port might not be supported The system indicates if the speed you selected is not supported If you select the auto option the switch will automatically detect the baud rate configured on the attached terminal and adjust the speed accordingly Example To specify 57600 bps enter this command stopbits This command sets the numb...

Page 327: ...tifier 0 will disconnect the console connection Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection Example Related Commands show ssh 4 110 show users 4 21 show line This command displays the terminal line s parameters Syntax show line console vty console Console terminal line vty Virtual terminal for remote console access i e Telnet Default Setting S...

Page 328: ...ent Logging Commands Command Function Mode Page logging on Controls logging of error messages GC 4 41 logging history Limits syslog messages saved to switch memory based on severity GC 4 42 logging host Adds a syslog server host IP address that will receive logging messages GC 4 43 logging facility Sets the facility type for remote logging of syslog messages GC 4 43 logging trap Limits syslog mess...

Page 329: ...on Command Usage The logging process controls error messages saved to switch memory or sent to remote syslog servers You can use the logging history command to control the type of error messages that are stored in memory You can use the logging trap command to control the type of error messages that are sent to specified syslog servers Example Related Commands logging history 4 42 logging trap 4 4...

Page 330: ...Mode Global Configuration Command Usage The message level specified for flash memory must be a higher priority i e numerically lower than that specified for RAM Example Table 4 14 Logging Levels Level Severity Name Description 7 debugging Debugging messages 6 informational Informational messages only 5 notifications Normal but significant condition such as cold start 4 warnings Warning conditions ...

Page 331: ...the facility type for remote logging of syslog messages Use the no form to return the type to the default Syntax no logging facility type type A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service Range 16 23 Default Setting 23 Command Mode Global Configuration Command Usage The command specifies the facility type tag sent in syslog messa...

Page 332: ...Setting Enabled Level 7 0 Command Mode Global Configuration Command Usage Using this command with a specified level enables remote logging and sets the minimum severity level to be saved Using this command without a specified level also enables remote logging but restores the minimum severity level to the default Example clear log This command clears messages from the log buffer Syntax clear log f...

Page 333: ... Default Setting None Command Mode Privileged Exec Example The following example shows that system logging is enabled the message level for flash memory is errors i e default level 3 0 the message level for RAM is informational i e default level 7 0 Console show logging flash Syslog logging Enabled History logging in FLASH level errors Console show logging ram Syslog logging Enabled History loggin...

Page 334: ...nable REMOTELOG Status disable REMOTELOG Facility Type local use 7 REMOTELOG Level Type Debugging messages REMOTELOG Server IP Address 1 2 3 4 REMOTELOG Server IP Address 0 0 0 0 REMOTELOG Server IP Address 0 0 0 0 REMOTELOG Server IP Address 0 0 0 0 REMOTELOG Server IP Address 0 0 0 0 Console Table 4 16 show logging trap display description Field Description Syslog logging Shows if system logging...

Page 335: ...01 01 STA root change notification level 6 module 6 function 1 and event no 1 3 00 00 54 2001 01 01 STA root change notification level 6 module 6 function 1 and event no 1 2 00 00 50 2001 01 01 STA topology change notification level 6 module 6 function 1 and event no 1 1 00 00 48 2001 01 01 VLAN 1 link up notification level 6 module 6 function 1 and event no 1 Console Table 4 17 SMTP Alert Command...

Page 336: ...e process at a periodic interval A trap will be triggered if the switch cannot successfully open a connection Example logging sendmail level This command sets the severity threshold used to trigger alert messages Syntax logging sendmail level level level One of the system message levels page 4 42 Messages sent include the selected level down to level 0 Range 0 7 Default 7 Default Setting Level 7 C...

Page 337: ...or the switch Example This example will set the source email john acme com logging sendmail destination email This command specifies the email recipients of alert messages Use the no form to remove a recipient Syntax no logging sendmail destination email email address email address The source email address used in alert messages Range 1 41 characters Default Setting None Command Mode Global Config...

Page 338: ...figuration Example show logging sendmail This command displays the settings for the SMTP event handler Command Mode Normal Exec Privileged Exec Example Console config logging sendmail Console config Console show logging sendmail SMTP servers 1 192 168 1 200 SMTP minimum severity level 4 SMTP destination email addresses 1 geoff acme com SMTP source email address john acme com SMTP status Enabled Co...

Page 339: ...ed to record accurate dates and times for log events Without SNTP the switch only records the time starting from the factory default set at the last bootup i e 00 00 00 Jan 1 2001 This command enables client time requests to time servers specified via the sntp servers command It issues time synchronization requests based on the interval set via the sntp poll command Table 4 18 Time Commands Comman...

Page 340: ... time servers from which the switch will poll for time updates when set to SNTP client mode The client will poll the time servers in the order specified until a response is received It issues time synchronization requests based on the interval set via the sntp poll command Example Related Commands sntp client 4 51 sntp poll 4 53 show sntp 4 53 Console config sntp server 10 1 0 19 Console config sn...

Page 341: ... sntp This command displays the current time and configuration settings for the SNTP client and indicates whether or not the local time has been properly updated Command Mode Normal Exec Privileged Exec Command Usage This command displays the current time the poll interval used for sending time synchronization requests and the current SNTP mode i e unicast Example Console config sntp poll 60 Conso...

Page 342: ...e local time zone before east of UTC after utc Sets the local time zone after west of UTC Default Setting None Command Mode Global Configuration Command Usage This command sets the local time zone relative to the Coordinated Universal Time UTC formerly Greenwich Mean Time or GMT based on the earth s prime meridian zero degrees longitude To display a time corresponding to your local time you must i...

Page 343: ... 0 59 sec Second Range 0 59 day Day of month Range 1 31 month january february march april may june july august september october november december year Year 4 digit Range 2001 2100 Default Setting None Command Mode Privileged Exec Example This example shows how to set the system clock to 15 12 34 April 1st 2004 show calendar This command displays the system clock Default Setting None Command Mode...

Page 344: ...lected by the administrator through the management station Note Cluster Member switches can be managed either through a Telnet connection to the Commander or through a web management connection to the Commander When using a console connection from the Commander CLI prompt use the rcommand see page 4 59 to connect to the Member switch cluster This command enables clustering on the switch Use the no...

Page 345: ... are maintained across power resets and network changes Example cluster commander This command enables the switch as a cluster Commander Use the no form to disable the switch as cluster Commander Syntax no cluster commander Default Setting Disabled Command Mode Global Configuration Command Usage Once a switch has been configured to be a cluster Commander it automatically discovers other cluster en...

Page 346: ...1 and 16 Set a Cluster IP Pool that does not conflict with addresses in the network IP subnet Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander You cannot change the cluster IP pool when the switch is currently in Commander mode Commander mode must first be disabled Example cluster member This command con...

Page 347: ...mander switch Managing cluster Members using the local console CLI on the Commander is not supported There is no need to enter the username and password for access to the Member switch CLI Example show cluster This command shows the switch clustering configuration Command Mode Privileged Exec Example Console config cluster member mac address 00 12 34 56 78 9a id 5 Console config Console rcommand i...

Page 348: ...rk Command Mode Privileged Exec Example Console show cluster members Cluster Members ID 1 Role Active member IP Address 10 254 254 2 MAC Address 00 12 cf 23 49 c0 Description TigerSwitch 10 100 1000 SPORT MANAGE Console Console show cluster candidates Cluster Candidates Role Mac Description ACTIVE MEMBER 00 12 cf 23 49 c0 TigerSwitch 10 100 1000 SPORT MANAGE CANDIDATE 00 12 cf 0b 47 a0 TigerSwitch...

Page 349: ...General SNMP Commands snmp server Enables the SNMP agent GC 4 62 show snmp Displays the status of SNMP communications NE PE 4 62 snmp server community Sets up the community access string to permit access to SNMP commands GC 4 63 snmp server contact Sets the system contact string GC 4 64 snmp server location Sets the system location string GC 4 64 SNMP Target Host Commands snmp server host Specifie...

Page 350: ...al Configuration Example show snmp This command can be used to check the status of SNMP communications Default Setting None Command Mode Normal Exec Privileged Exec Command Usage This command provides information on the community access strings counter information for SNMP input and output protocol data units and whether or not SNMP logging has been enabled with the snmp server enable traps comman...

Page 351: ...cts Default Setting public Read only access Authorized management stations are only able to retrieve MIB objects private Read write access Authorized management stations are able to both retrieve and modify MIB objects Console show snmp SNMP Agent enabled SNMP traps Authentication enable Link up down enable SNMP communities 1 private and the privilege is read write 2 public and the privilege is re...

Page 352: ...haracters Default Setting None Command Mode Global Configuration Example Related Commands snmp server location 4 64 snmp server location This command sets the system location string Use the no form to remove the location string Syntax snmp server location text no snmp server location text String that describes the system location Maximum length 255 characters Default Setting None Command Mode Glob...

Page 353: ...t for an acknowledgment before resending an inform message Range 0 2147483647 centiseconds Default 1500 centiseconds community string Password like community string sent with the notification operation to SNMP V1 and V2c hosts Although you can set this string using the snmp server host command by itself we recommend that you define this string using the snmp server community command prior to using...

Page 354: ...sider these effects when deciding whether to issue notifications as traps or informs To send an inform to an SNMPv2c host complete these steps 1 Enable the SNMP agent page 4 62 2 Allow the switch to send SNMP traps i e notifications page 4 67 3 Specify the target host that will receive inform messages with the snmp server host command as described in this section 4 Create a view with the required n...

Page 355: ...fications controlled by this command are sent In order to configure this device to send SNMP notifications you must enter at least one snmp server enable traps command If you enter the command with no keywords both authentication and link up down notifications are enabled If you enter the command with a keyword only the notification type related to that keyword is enabled The snmp server enable tr...

Page 356: ...ge replay delay and redirection The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets A remote engine ID is required when using SNMPv3 informs See snmp server host on page 4 65 The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host ...

Page 357: ...OID string Refer to the examples included Defines an included view excluded Defines an excluded view Default Setting defaultview includes access to the entire MIB tree Command Mode Global Configuration Console show snmp engine id Local SNMP EngineID 8000002a8000000000e8666672 Local SNMP Engine Boots 1 Remote SNMP EngineID IP Address 80000000030004e2b316c54321 192 168 1 19 Console Table 4 21 show s...

Page 358: ...IB 2 This view includes the MIB 2 interfaces table ifDescr The wild card is used to select all the index values in this table This view includes the MIB 2 interfaces table and the mask selects all index entries Console config snmp server view mib 2 1 3 6 1 2 1 included Console config Console config snmp server view ifEntry 2 1 3 6 1 2 1 2 2 1 2 included Console config Console config snmp server vi...

Page 359: ...ple Network Management Protocol on page 3 37 for further information about these authentication and encryption options readview Defines the view for read access 1 64 characters writeview Defines the view for write access 1 64 characters notifyview Defines the view for notifications 1 64 characters Console show snmp view View Name mib 2 Subtree OID 1 2 2 3 6 2 1 View Type included Storage Type perm...

Page 360: ...lgorithm is used as specified in the snmp server user command When privacy is selected the DES 56 bit algorithm is used for data encryption For additional information on the notification messages supported by this switch see Supported Notification Messages on page 3 49 Also note that the authentication link up and link down messages are legacy traps and must therefore be enabled in conjunction wit...

Page 361: ...tive Group Name public Security Model v1 Read View defaultview Write View none Notify View none Storage Type volatile Row Status active Group Name public Security Model v2c Read View defaultview Write View none Notify View none Storage Type volatile Row Status active Group Name private Security Model v1 Read View defaultview Write View defaultview Notify View none Storage Type volatile Row Status ...

Page 362: ... 1 2c or 3 encrypted Accepts the password as encrypted input auth Uses SNMPv3 with authentication md5 sha Uses MD5 or SHA authentication auth password Authentication password Enter as plain text if the encrypted option is not used Otherwise enter an encrypted password A minimum of eight characters is required priv des56 Uses SNMPv3 with privacy with DES56 encryption priv password Privacy password ...

Page 363: ...e user will fail SNMP passwords are localized using the engine ID of the authoritative agent For informs the authoritative SNMP agent is the remote agent You therefore need to configure the remote agent s SNMP engine ID before you can send proxy requests or informs to it Example show snmp user This command shows information on SNMP users Command Mode Privileged Exec Example Console config snmp ser...

Page 364: ... user associated with an SNMP engine on a remote device Table 4 25 Authentication Commands Command Group Function Page User Accounts Configures the basic user names and passwords for management access 4 77 Authentication Sequence Defines logon authentication method and precedence 4 80 RADIUS Client Configures settings for authentication via a RADIUS server 4 83 TACACS Client Configures settings fo...

Page 365: ...ivilege levels 0 Normal Exec 15 Privileged Exec nopassword No password is required for this user to log in 0 7 0 means plain password 7 means encrypted password password password The authentication password for the user Maximum length 8 characters plain text 32 encrypted case sensitive Default Setting The default access level is Normal Exec The factory defaults for the user names and passwords are...

Page 366: ...el from the Normal Exec level Use the no form to reset the default password Syntax enable password level level 0 7 password no enable password level level level level Level 15 for Privileged Exec Levels 0 14 are not used 0 7 0 means plain password 7 means encrypted password password password for this privilege level Maximum length 8 characters plain text 32 encrypted case sensitive Default Setting...

Page 367: ...Manager 15 Privileged Exec Range 0 15 command Specifies any command contained within the specified mode Default Setting Privilege level 0 provides access to a limited number of the commands which display the current status of the switch as well as several database clear and reset functions Level 8 provides access to all display status and configuration commands except for those controlling various...

Page 368: ...level for all commands modified by the privilege command Command Mode Privileged Exec Example This example shows the privilege level for any command modified by the privilege command Authentication Sequence Three authentication methods can be specified to authenticate users logging into the system for management access The commands in this section can be used to define the authentication method an...

Page 369: ...he server while TACACS encrypts the entire body of the packet RADIUS and TACACS logon authentication assigns a specific privilege level for each user name and password pair The user name password and privilege level must be configured on the authentication server You can specify three authentication methods in a single command to indicate the authentication sequence For example if you enter authen...

Page 370: ...ssword in the access request packet from the client to the server while TACACS encrypts the entire body of the packet RADIUS and TACACS logon authentication assigns a specific privilege level for each user name and password pair The user name password and privilege level must be configured on the authentication server You can specify three authentication methods in a single command to indicate the...

Page 371: ...the retransmit period expires host ip address IP address of server auth port RADIUS server UDP port used for authentication messages Range 1 65535 timeout Number of seconds the switch waits for a reply before resending a request Range 1 65535 retransmit Number of times the switch will try to authenticate logon access via the RADIUS server Range 1 30 key Encryption key used to authenticate logon ac...

Page 372: ... key This command sets the RADIUS encryption key Use the no form to restore the default Syntax radius server key key string no radius server key key string Encryption key used to authenticate logon access for client Do not use blank spaces in the string Maximum length 48 characters Default Setting None Command Mode Global Configuration Example Console config radius server 1 host 192 168 1 20 auth ...

Page 373: ...s command sets the interval between transmitting authentication requests to the RADIUS server Use the no form to restore the default Syntax radius server timeout number of seconds no radius server timeout number of seconds Number of seconds the switch waits for a reply before resending a request Range 1 65535 Default Setting 5 Command Mode Global Configuration Example show radius server This comma...

Page 374: ...cation Key with RADIUS Server Auth Port 1812 Retransmit Times 2 Request Timeout 5 Sever 1 Server IP Address 192 168 1 1 Communication Key with RADIUS Server Auth Port 1812 Retransmit Times 2 Request Timeout 5 Radius server group Group Name Member Index radius 1 Console Table 4 30 TACACS Commands Command Function Mode Page tacacs server host Specifies the TACACS server GC 4 87 tacacs server port Sp...

Page 375: ...540 seconds retransmit Number of times the switch will resend an authentication request to the TACACS server Range 1 30 key Encryption key used to authenticate logon access for client Do not use blank spaces in the string Maximum length 48 characters Default Setting port 49 timeout 5 seconds retransmit 2 Command Mode Global Configuration Example tacacs server port This command specifies the TACACS...

Page 376: ...ommand Mode Global Configuration Example tacacs server retransmit This command sets the number of retries Use the no form to restore the default Syntax tacacs server retransmit number_of_retries no tacacs server retransmit number_of_retries Number of times the switch will try to authenticate logon access via the TACACS server Range 1 30 Default Setting 2 Command Mode Global Configuration Example C...

Page 377: ...and Mode Global Configuration Example show tacacs server This command displays the current settings for the TACACS server Default Setting None Command Mode Privileged Exec Example Console config tacacs server timeout 10 Console config Console show tacacs server Remote TACACS server configuration Global Settings Communication Key with TACACS Server Server Port Number 49 Retransmit Times 2 Request T...

Page 378: ...up server Groups security servers into defined lists GC 4 90 server Configures the IP address of a server in a group list SG 4 91 aaa accounting dot1x Enables accounting of 802 1X services GC 4 92 aaa accounting exec Enables accounting of Exec services GC 4 93 aaa accounting commands Enables accounting of Exec mode commands GC 4 94 aaa accounting update Enables periodic updates to be sent to the ...

Page 379: ...etting None Command Mode Server Group Configuration Command Usage When specifying the index for a RADIUS server that server index must already be defined by the radius server host command see page 4 83 When specifying the index for a TACACS server that server index must already be defined by the tacacs server host command see page 4 87 Example Console config aaa group server radius tps Console con...

Page 380: ...o use radius Specifies all RADIUS hosts configured with the radius server host command described on page 4 83 tacacs Specifies all TACACS hosts configured with the tacacs server host command described on page 4 87 server group Specifies the name of a server group configured with the aaa group server command described on 4 90 Range 1 255 characters Default Setting Accounting is not enabled No servers...

Page 381: ...th the radius server host command described on page 4 83 tacacs Specifies all TACACS hosts configured with the tacacs server host command described on page 4 87 server group Specifies the name of a server group configured with the aaa group server command described on 4 90 Range 1 255 characters Default Setting Accounting is not enabled No servers are specified Command Mode Global Configuration Com...

Page 382: ...g point group Specifies the server group to use tacacs Specifies all TACACS hosts configured with the tacacs server host command described on page 4 87 server group Specifies the name of a server group configured with the aaa group server command described on 4 90 Range 1 255 characters Default Setting Accounting is not enabled No servers are specified Command Mode Global Configuration Command Usag...

Page 383: ...accounting records for all users on the system Using the command without specifying an interim interval enables updates but does not change the current interval setting Example accounting dot1x This command applies an accounting method for 802 1X service requests on an interface Use the no form to disable accounting on the interface Syntax accounting dot1x default list name no accounting dot1x def...

Page 384: ... accounting method to entered CLI commands Use the no form to disable accounting for entered CLI commands Syntax accounting commands level default list name no accounting commands level level The privilege level for executing commands Range 0 15 default Specifies the default method list created with the aaa accounting commands command page 4 94 list name Specifies a method list created with the aa...

Page 385: ...e 4 87 server group Specifies the name of a server group configured with the aaa group server command described on 4 90 Range 1 255 characters Default Setting Authorization is not enabled No servers are specified Command Mode Global Configuration Command Usage This command performs authorization to determine if a user is allowed to run an Exec shell AAA authentication must be enabled before author...

Page 386: ...ettings per function and per port Syntax show accounting commands level dot1x statistics username user name interface interface exec statistics statistics commands Displays command accounting information level Displays command accounting information for a specifiable command level dot1x Displays dot1x accounting information exec Displays Exec accounting records statistics Displays accounting recor...

Page 387: ...lt Setting 80 Command Mode Global Configuration Console show accounting Accounting type dot1x Method list default Group list radius Interface Method list tps Group list radius Interface eth 1 2 Accounting type Exec Method list default Group list radius Interface vty Console Table 4 32 Web Server Commands Command Function Mode Page ip http port Specifies the port to be used by the web browser inter...

Page 388: ...TTPS over the Secure Socket Layer SSL providing secure access i e an encrypted connection to the switch s web interface Use the no form to disable this function Syntax no ip http secure server Default Setting Enabled Command Mode Global Configuration Command Usage Both HTTP and HTTPS service can be enabled independently on the switch However you cannot configure the HTTP and HTTPS servers to use t...

Page 389: ...ure site Certificate on page 3 74 Also refer to the copy command on page 4 25 Example Related Commands ip http secure port 4 101 copy tftp https certificate 4 25 ip http secure port This command specifies the UDP port number used for HTTPS connection to the switch s web interface Use the no form to restore the default port Syntax ip http secure port port_number no ip http secure port port_number T...

Page 390: ...by the Telnet interface Use the no form without the port keyword to disable this function Use the no form with the port keyword to use the default port Syntax ip telnet server port port number no telnet server port port The TCP port used by the Telnet interface port number The TCP port number to be used by the browser interface Range 1 65535 Default Setting Server Enabled Server Port 23 Command Mo...

Page 391: ... to create a host public private key pair 2 Provide Host Public Key to Clients Many SSH client programs automatically import the host public key during the initial connection setup with the switch Table 4 35 SSH Commands Command Function Mode Page ip ssh server Enables the SSH server on the switch GC 4 105 ip ssh timeout Specifies the authentication timeout for the SSH server GC 4 106 ip ssh authe...

Page 392: ...1781943722884025331159521348610229029789827213532671 31629432532818915045306393916643 steve 192 168 1 19 4 Set the Optional Parameters Set other optional parameters including the authentication timeout the number of retries and the server key size 5 Enable SSH Service Use the ip ssh server command to enable the SSH server on the switch 6 Authentication One of the following authentication methods i...

Page 393: ...ther the supplied key is acceptable for authentication and if so it then checks whether the signature is correct If both checks succeed the client is authenticated Note The SSH server supports up to four client sessions The maximum number of client sessions includes both current Telnet sessions and SSH sessions ip ssh server This command enables the Secure Shell SSH server on this switch Use the n...

Page 394: ... wait for a response from the client during the SSH negotiation phase Once an SSH session has been established the timeout for user input is controlled by the exec timeout command for vty sessions Example Related Commands exec timeout 4 34 show ip ssh 4 109 ip ssh authentication retries This command configures the number of times the SSH server attempts to reauthenticate a user Use the no form to ...

Page 395: ...Configuration Command Usage The server key is a private key that is never shared outside the switch The host key is shared with the SSH client and is fixed at 1024 bits Example delete public key This command deletes the specified user s public key Syntax delete public key username dsa rsa username Name of an SSH user Range 1 8 characters dsa DSA public key type rsa RSA public key type Default Sett...

Page 396: ... key command to save the host key pair to flash memory Some SSH client programs automatically add the public key to the known hosts file as part of the configuration process Otherwise you must manually create a known hosts file and place the host public key in it The SSH server uses this host key to negotiate a session key and encryption method with the client trying to connect to it Example Relat...

Page 397: ...y generate 4 108 ip ssh save host key 4 109 no ip ssh server 4 105 ip ssh save host key This command saves the host key from RAM to flash memory Syntax ip ssh save host key dsa rsa dsa DSA key type rsa RSA key type Default Setting Saves both the DSA and RSA key Command Mode Privileged Exec Example Related Commands ip ssh crypto host key generate 4 108 show ip ssh This command displays the connection s...

Page 398: ...hentication Started, Session Started. Username: The user name of the client. Encryption: The encryption method is automatically negotiated between the client and server. Options for SSHv1.5 include: DES, 3DES. Options for SSHv2.0 can include different algorithms for the client-to-server (ctos) and server-to-client (stoc): aes128-cbc-hmac-sha1, aes192-cbc-hmac-sha1, aes256-cbc-hmac-sha1, 3des-cbc-hmac-sha1, blowfish...

Page 399: ...ing is the encoded modulus Example Console show public key host Host RSA 1024 35 1568499540186766925933394677505461732531367489083654725415020245593199868 5443583616519999233297817660658309586108259132128902337654680172627257141 3428762941301196195566782595664104869574278881462065194174677298486546861 5717739390164779355942303577413098022737087794545240839717526463580581767 16709574804776117 DSA s...

Page 400: ...imes that the switch retransmits an EAP request/identity packet to the client before it times out the authentication session (IC, 4-113). dot1x port-control: Sets dot1x mode for a port interface (IC, 4-113). dot1x operation-mode: Allows single or multiple hosts on a dot1x port (IC, 4-114). dot1x re-authenticate: Forces re-authentication on specific ports (PE, 4-115). dot1x re-authentication: Enables re authenticatio...

Page 401: ...and Mode: Interface Configuration. Example. dot1x port-control: This command sets the dot1x mode on a port interface. Use the no form to restore the default. Syntax: dot1x port-control {auto | force-authorized | force-unauthorized}; no dot1x port-control. auto: Requires a dot1x-aware connected client to be authorized by the RADIUS server. Clients that are not dot1x-aware will be denied access. force-authorized: Conf...

Page 402: ...Keyword for the maximum number of hosts. count: The maximum number of hosts that can connect to a port (Range: 1-1024; Default: 5). Default: Single-host. Command Mode: Interface Configuration. Command Usage: The max-count parameter specified by this command is only effective if the dot1x mode is set to "auto" by the dot1x port-control command (page 4-113). In multi-host mode, only one host connected to a port needs ...

Page 403: ...dot1x re-authentication: This command enables periodic re-authentication globally for all ports. Use the no form to disable re-authentication. Syntax: [no] dot1x re-authentication. Command Mode: Interface Configuration. Command Usage: The re-authentication process verifies the connected client's user ID and password on the RADIUS server. During re-authentication, the client remains connected to the network and t...

Page 404: ...onds (Range: 1-65535). Default: 60 seconds. Command Mode: Interface Configuration. Example. dot1x timeout re-authperiod: This command sets the time period after which a connected client must be re-authenticated. Syntax: dot1x timeout re-authperiod seconds; no dot1x timeout re-authperiod. seconds: The number of seconds (Range: 1-65535). Default: 3600 seconds. Command Mode: Interface Configuration. Example: Console config ...

Page 405: ...e no form to reset to the default value. Syntax: dot1x timeout supp-timeout seconds; no dot1x timeout supp-timeout. seconds: The number of seconds (Range: 1-65535). Default: 30 seconds. Command Mode: Interface Configuration. Command Usage: This command sets the timeout for EAP request frames other than EAP request/identity frames. If dot1x authentication is enabled on a port, the switch will initiate authenticati...

Page 406: ... port access control. Operation Mode: Dot1x port control operation mode (page 4-114). Mode: Dot1x port control mode (page 4-113). Authorized: Authorization status (yes or n/a: not authorized). 802.1X Port Details: Displays the port access control parameters for each interface, including the following items: reauth-enabled: Periodic re-authentication (page 4-115). reauth-period: Time after which a connected client must ...

Page 407: ...rent Identifier: The integer (0-255) used by the Authenticator to identify the current authentication session. Authenticator State Machine. State: Current state (including initialize, disconnected, connecting, authenticating, authenticated, aborting, held, force_authorized, force_unauthorized). Reauth Count: Number of times connecting state is re-entered. Backend State Machine. State: Current state (including request, r...

Page 408: ...Port Details 802 1X is disabled on port 1 1 802 1X is enabled on port 1 2 reauth enabled Enable reauth period 1800 quiet period 30 tx period 40 supplicant timeout 30 server timeout 10 reauth max 2 max req 5 Status Authorized Operation mode Single Host Max count 5 Port control Auto Supplicant 00 12 cf 49 5e dc Current Identifier 3 Authenticator State Machine State Authenticated Reauth Count 0 Backe...

Page 409: ...gement interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager. IP address can be configured for SNMP, web and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges. When entering addresses for the...

Page 410: ...nmp-client: Adds IP address(es) to the SNMP group. telnet-client: Adds IP address(es) to the Telnet group. Command Mode: Privileged Exec. Example: Console(config)#management all-client 192.168.1.19 Console(config)#management all-client 192.168.1.25 192.168.1.30 Console(config)# Console#show management all-client Management IP Filter HTTP Client Start IP address End IP address 1 192.168.1.19 192.168.1.19 2 192 ...

Page 411: ...Private VLANs: Configures private VLANs, including uplink and downlink ports (4-233). Port Security: Configures secure addresses for a port (4-124). (The priority of execution for these filtering commands is Port Security, Port Authentication, Network Access, Access Control Lists, DHCP Snooping, and then IP Source Guard.) Port Authentication: Configures host authentication on specific ports using 802.1X (4-112). Netwo...

Page 412: ...e the no form without any keywords to disable port security. Use the no form with the appropriate keyword to restore the default settings for a response to security violation or for the maximum number of allowed addresses. Syntax: port security [action {shutdown | trap | trap-and-shutdown} | max-mac-count address-count]; no port security [action | max-mac-count]. action: Response to take when port security is violate...

Page 413: ... command to set the maximum number of addresses allowed on a port. You can also manually add secure addresses with the mac-address-table static command. A secure port has the following restrictions: Cannot be connected to a network interconnection device. Cannot be a trunk port. If a port is disabled due to a security violation, it must be manually re-enabled using the no shutdown command. Example: The fo...

Page 414: ...ax: network-access max-mac-count count; no network-access max-mac-count. count: The maximum number of authenticated MAC addresses allowed (Range: 1 to 2048; 0 for unlimited). Default Setting: 2048. Command Mode: Interface Configuration. Table 4-41 Network Access (Command, Function, Mode, Page): network-access max-mac-count: Sets a maximum number for authenticated MAC addresses on an interface (IC, 4-126). network-access ...

Page 415: ... format XX-XX-XX-XX-XX-XX (all in upper case). Authenticated MAC addresses are stored as dynamic entries in the switch's secure MAC address table and are removed when the aging time expires. The maximum number of secure MAC addresses supported for the switch system is 1024. Configured static MAC addresses are added to the secure address table when seen on a switch port. Static addresses are treated as a...

Page 416: ...Command Usage: The reauthentication time is a global setting and applies to all ports. When the reauthentication time expires for a secure MAC address, it is reauthenticated with the RADIUS server. During the reauthentication process, traffic through the port remains unaffected. Example. mac-authentication intrusion-action: Use this command to configure the port response to a host MAC authentication failu...

Page 417: ...cated MAC addresses allowed (Range: 1-1024). Default Setting: 1024. Command Mode: Interface Configuration. Example. show network-access: Use this command to display the MAC authentication settings for port interfaces. Syntax: show network-access [interface interface]. interface: Specifies a port interface. ethernet unit/port. unit: Stack unit (Range: 1). port: Port number (Range: 1-26/50). Default Setting: Displays the settin...

Page 418: ...number (Range: 1-26/50). sort: Sorts displayed entries by either MAC address or interface. Default Setting: Displays all entries. Command Mode: Privileged Exec. Command Usage: When using a bit mask to filter displayed MAC addresses, a 1 means "care" and a 0 means "don't care". For example, a MAC of 00-00-01-02-03-04 and mask FF-FF-FF-00-00-00 would result in all MACs in the range 00-00-01-00-00-00 to 00-00-01-FF-FF...

Page 419: ...amic 00d06h34m20s Console# Table 4-42 DHCP Snooping Commands (Command, Function, Mode, Page): ip dhcp snooping: Enables DHCP snooping globally (GC, 4-132). ip dhcp snooping vlan: Enables DHCP snooping on the specified VLAN (GC, 4-133). ip dhcp snooping trust: Configures the specified interface as trusted (IC, 4-134). ip dhcp snooping verify mac-address: Verifies the client's hardware address stored in the DHCP packet ag...

Page 420: ... When DHCP snooping is enabled, the rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second. Any DHCP packets in excess of this limit are dropped. Filtering rules are implemented as follows: If the global DHCP snooping is disabled, all DHCP packets are forwarded. If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is re...

Page 421: ...st be configured as trusted (ip dhcp snooping trust, page 4-134). Note that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server. Also, when the switch sends out DHCP client packets for itself, no filtering takes place. However, when the switch receives any messages from a DHCP server, any packets received from untrusted ports are dropped...

Page 422: ...oping trust. Default Setting: All interfaces are untrusted. Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage: A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall. Set all ports connected to DHCP servers within the...

Page 423: ...net header. Use the no form to disable this function. Syntax: [no] ip dhcp snooping verify mac-address. Default Setting: Enabled. Command Mode: Global Configuration. Command Usage: If MAC address verification is enabled, and the source MAC address in the Ethernet header of the packet is not the same as the client's hardware address in the DHCP packet, the packet is dropped. Example: This example enables MAC address ...

Page 424: ... client or an intermediate relay agent that has used the information fields to describe itself can be identified in the DHCP request packets forwarded by the switch, and in reply packets sent back from the DHCP server, by the switch port to which they are connected rather than just their MAC address. DHCP client-server exchange messages are then forwarded directly between the server and client withou...

Page 425: ...e Option 82 information in the client's request with information about the relay agent itself, inserts the relay agent's address (when DHCP snooping is enabled), and forwards the packets to trusted ports. Default Setting: replace. Command Mode: Global Configuration. Command Usage: When the switch receives DHCP packets from clients that already include DHCP Option 82 information, the switch can be configured ...

Page 426: ...Example Console show ip dhcp snooping Global DHCP Snooping status disable DHCP Snooping Information Option Status disable DHCP Snooping Information Policy replace DHCP Snooping is configured on the following VLANs 1 Verify Source Mac Address enable Interface Trusted Eth 1 1 No Eth 1 2 No Eth 1 3 No Eth 1 4 No Eth 1 5 Yes Console show ip dhcp snooping binding MacAddress IpAddress Lease sec Type VLA...

Page 427: ... Setting: Disabled. Command Mode: Interface Configuration (Ethernet). Command Usage: Source guard is used to filter traffic on an insecure port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor. Setting source guard mode to "sip" or "sip-mac" enables this function on the selected port. Use th...

Page 428: ... snooping is disabled (see page 4-132), IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded. If the DHCP snooping is enabled, IP source guard will check the VLAN ID, source IP address, port number, and source MAC ...

Page 429: ...ich is indicated with a value of zero by the show ip source-guard command (page 4-142). When source guard is enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table with this command. Static bindings are processed as follows: If there is no entry with the same VLAN ID and MAC address, a new entry is added to binding ta...

Page 430: ...ource-guard binding [dhcp-snooping | static]. dhcp-snooping: Shows dynamic entries configured with DHCP Snooping commands (see page 4-131). static: Shows static entries configured with the ip source-guard binding command (see page 4-141). Command Mode: Privileged Exec. Example: Console#show ip source-guard Interface Filter type Eth 1/1 DISABLED Eth 1/2 DISABLED Eth 1/3 DISABLED Eth 1/4 DISABLED Eth 1/5 SIP Eth 1 ...

Page 431: ...le 4-44 Access Control Lists (Command Groups, Function, Page): IP ACLs: Configures ACLs based on IPv4 addresses, TCP/UDP port number, protocol type, and TCP control code (4-143). MAC ACLs: Configures ACLs based on hardware addresses, packet format, and Ethernet type (4-149). ACL Information: Displays ACLs and associated rules; shows ACLs assigned to each port (4-154). Table 4-45 IP ACLs (Command, Function, Mode, Page): access...

Page 432: ...acl-name: Name of the ACL (Maximum length: 16 characters, no spaces). Default Setting: None. Command Mode: Global Configuration. Command Usage: When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list. To remove a rule, use the no permit or no deny command follo...

Page 433: ...les are appended to the end of the list. Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate "match" and 0 bits to indicate "ignore". The bitmask is bitwise ANDed with the specified source IP address, and then compared with the address for each IP packet entering the port(s) to which this ACL has been assig...

Page 434: ...rt sport bitmask destination port dport port bitmask control flag control flags flag bitmask. protocol-number: A specific protocol number (Range: 0-255). source: Source IP address. destination: Destination IP address. address-bitmask: Decimal number representing the address bits to match. host: Keyword followed by a specific IP address. precedence: IP precedence level (Range: 0-7). tos: Type of Service level (Range: 0 ...

Page 435: ... syn: Synchronize. 4 (rst): Reset. 8 (psh): Push. 16 (ack): Acknowledgement. 32 (urg): Urgent pointer. For example, use the code value and mask below to catch packets with the following flags set: SYN flag valid, use "control-code 2 2". Both SYN and ACK valid, use "control-code 18 18". SYN valid and ACK invalid, use "control-code 2 18". Example: This example accepts any incoming packets if the source address is within subnet 10.7...

Page 436: ...4-148). ip access-group: This command binds a port to an IP ACL. Use the no form to remove the port. Syntax: [no] ip access-group acl-name in. acl-name: Name of the ACL (Maximum length: 16 characters, no spaces). in: Indicates that this list applies to ingress packets. Default Setting: None. Command Mode: Interface Configuration (Ethernet). Command Usage: A port can only be bound to one ACL. If a port is already bound to ...

Page 437: ... the access list to one or more ports. Console(config)#int eth 1/25 Console(config-if)#ip access-group david in Console(config-if)# Console#show ip access-group Interface ethernet 1/25 IP access-list david in Console# Table 4-46 MAC ACL Commands (Command, Function, Mode, Page): access-list mac: Creates a MAC ACL and enters configuration mode (GC, 4-150). permit, deny: Filters packets matching a specified source and ...

Page 438: ...previously configured rule. An ACL can contain up to 32 rules. Example. Related Commands: permit, deny (4-150), mac access-group (4-152), show mac access-list (4-152). permit, deny (MAC ACL): This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule. Syntax: [no] {permit | deny} ...

Page 439: ...Ethernet 802.3 packets. any: Any MAC source or destination address. host: A specific MAC address. source: Source MAC address. destination: Destination MAC address range with bitmask. address-bitmask: Bitmask for MAC address (in hexadecimal format). vid: VLAN ID (Range: 1-4094). vid-bitmask: VLAN bitmask (Range: 1-4094). protocol: A specific Ethernet protocol number (Range: 600-fff hex). protocol-bitmask: Protocol bitmask (Ra...

Page 440: ... access-group: This command binds a port to a MAC ACL. Use the no form to remove the port. Syntax: mac access-group acl-name in. acl-name: Name of the ACL (Maximum length: 16 characters). in: Indicates that this list applies to ingress packets. Default Setting: None. Command Mode: Interface Configuration (Ethernet). Command Usage: A port can only be bound to one ACL. If a port is already bound to an ACL and you bind ...

Page 441: ...p: This command shows the ports assigned to MAC ACLs. Command Mode: Privileged Exec. Example. Related Commands: mac access-group (4-152). Console(config)#interface ethernet 1/2 Console(config-if)#mac access-group jerry in Console(config-if)# Console#show mac access-group Interface ethernet 1/5 MAC access-list M5 in Console# ...

Page 442: ...gned to each port (PE, 4-154). Console#show access-list IP standard access-list david: permit host 10.1.1.21 permit 168.92.16.0 255.255.240.0 IP extended access-list bob: permit 10.7.1.1 255.255.255.0 any permit 192.168.1.0 255.255.255.0 any destination-port 80 80 permit 192.168.1.0 255.255.255.0 any protocol tcp control-code 2 2 IP access-list jerry: permit any host 00-30-29-94-34-de ethertype 800 800 I...

Page 443: ... to an interface configuration (IC, 4-156). speed-duplex: Configures the speed and duplex operation of a given interface when autonegotiation is disabled (IC, 4-156). negotiation: Enables autonegotiation of a given interface (IC, 4-157). capabilities: Advertises the capabilities of a given interface for use in autonegotiation (IC, 4-158). flowcontrol: Enables flow control on a given interface (IC, 4-159). media-type: Forc...

Page 444: ...The following example adds a description to port 24. speed-duplex: This command configures the speed and duplex mode of a given interface when autonegotiation is disabled. Use the no form to restore the default. Syntax: speed-duplex {1000full | 100full | 100half | 10full | 10half}; no speed-duplex. 1000full: Forces 1000 Mbps full-duplex operation. 100full: Forces 100 Mbps full-duplex operation. 100half: Forces 100 Mbps...

Page 445: ...mmand, use the no negotiation command to disable auto-negotiation on the selected interface. When using the negotiation command to enable auto-negotiation, the optimal settings will be determined by the capabilities command. To set the speed/duplex mode under auto-negotiation, the required mode must be specified in the capabilities list for an interface. Example: The following example configures port 5 t...

Page 446: ...hout parameters to restore the default values. Syntax: [no] capabilities {1000full | 100full | 100half | 10full | 10half | flowcontrol | symmetric}. 1000full: Supports 1000 Mbps full-duplex operation. 100full: Supports 100 Mbps full-duplex operation. 100half: Supports 100 Mbps half-duplex operation. 10full: Supports 10 Mbps full-duplex operation. 10half: Supports 10 Mbps half-duplex operation. flowcontrol: Supports flow contro...

Page 447: ...rt Channel. Command Usage: Flow control can eliminate frame loss by "blocking" traffic from end stations or segments connected directly to the switch when its buffers fill. When enabled, back pressure is used for half-duplex operation and IEEE 802.3-2005 (formerly IEEE 802.3x) for full-duplex operation. To force flow control on or off (with the flowcontrol or no flowcontrol command), use the no negotiation co...

Page 448: ...ode. copper-forced: Always uses the built-in RJ-45 port. sfp-forced: Always uses the SFP port (even if module not installed). sfp-preferred-auto: Uses SFP port if both combination types are functioning and the SFP port has a valid link. Default Setting: sfp-preferred-auto. Command Mode: Interface Configuration (Ethernet, Ports 21-24/45-48). Example: This forces the switch to use the built-in RJ-45 port for the com...

Page 449: ...st packet-rate rate; no switchport {broadcast | multicast | unicast}. broadcast: Specifies storm control for broadcast traffic. multicast: Specifies storm control for multicast traffic. unicast: Specifies storm control for unknown unicast traffic. rate: Threshold level as a rate, i.e., kilobits per second (Range: 500-262143). Default Setting: Broadcast Storm Control: Enabled, packet-rate limit: 500 pps. Multicast Storm Cont...

Page 450: ...Command Mode: Privileged Exec. Command Usage: Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session. However, if you log out and back into the management interface, the statistics displayed will show the absolute value accumulated since the last power reset. Example: The following example clears statistics on ...

Page 451: ...ee Displaying Connection Status on page 3 112 Example Console show interfaces status ethernet 1 5 Information of Eth 1 5 Basic information Port Type 1000T Mac Address 00 13 F7 12 31 28 Configuration Port Admin Up Speed duplex Auto Capabilities 10half 10full 100half 100full 1000full Broadcast Storm Enabled Broadcast Storm Limit 500 packets second Multicast Storm Disabled Multicast Storm Limit 26214...

Page 452: ...onsole show interfaces status vlan 1 Information of VLAN 1 MAC Address 00 12 CF 12 34 56 Console Console show interfaces counters ethernet 1 7 Ethernet 1 7 Iftable stats Octets input 30658 Octets output 196550 Unicast input 6 Unicast output 5 Discard input 0 Discard output 0 Error input 0 Error output 0 Unknown protos input 0 QLen output 0 Extended iftable stats Multi cast input 0 Multi cast outpu...

Page 453: ...oadcast pkts 263 Multi cast pkts 3064 Undersize pkts 0 Oversize pkts 0 Fragments 0 Jabbers 0 CRC align errors 0 Collisions 0 Packet size 64 octets 3150 Packet size 65 to 127 octets 139 Packet size 128 to 255 octets 49 Packet size 256 to 511 octets 0 Packet size 512 to 1023 octets 0 Packet size 1024 to 1518 octets 0 Console Console show interfaces switchport ethernet 1 24 Broadcast Threshold Enable...

Page 454: ...Hybrid (page 4-223). Ingress Rule: Shows if ingress filtering is enabled or disabled (page 4-224). Note: Ingress filtering is always enabled. Acceptable Frame Type: Shows if acceptable VLAN frames include all types or tagged frames only (page 4-224). Native VLAN: Indicates the default Port VLAN ID (page 4-225). Priority for untagged traffic: Indicates the default priority for untagged frames (page 4-244). GVRP Status ...

Page 455: ...onfigured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings. All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN via the specified port-channel. STP, VLAN, and IGMP settings can only be made for the entire trunk via the specified port-channel. Table 4-50 Link Aggregation Command...

Page 456: ...d to join a channel group. If a link goes down, LACP port priority is used to select the backup link. channel-group: This command adds a port to a trunk. Use the no form to remove a port from a trunk. Syntax: channel-group channel-id; no channel-group. channel-id: Trunk index (Range: 1-32). Default Setting: The current port will be added to this trunk. Command Mode: Interface Configuration (Ethernet). Command Usage: W...

Page 457: ...nds of an LACP trunk must be configured for full duplex and auto-negotiation. A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID. If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically. If more than eight ports attached to the same target switch have LACP enabled, the additional ports will...

Page 458: ...p and to identify this device to other switches during LAG negotiations (Range: 0-65535). Default Setting: 32768. Console(config)#interface ethernet 1/11 Console(config-if)#lacp Console(config-if)#exit Console(config)#interface ethernet 1/12 Console(config-if)#lacp Console(config-if)#exit Console(config)#interface ethernet 1/13 Console(config-if)#lacp Console(config-if)#exit Console(config)#exit Console#show inte...

Page 459: ...n key. Use the no form to restore the default setting. Syntax: lacp {actor | partner} admin-key key; no lacp {actor | partner} admin-key. actor: The local side of an aggregate link. partner: The remote side of an aggregate link. key: The port admin key must be set to the same value for ports that belong to the same link aggregation group (LAG) (Range: 0-65535). Default Setting: 0. Command Mode: Interface Configuration (Ethernet...

Page 460: ...during local LACP setup on this switch (Range: 0-65535). Default Setting: 0. Command Mode: Interface Configuration (Port Channel). Command Usage: Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured). If the port channel admin key (lacp admin key, Port Channel) is not set when a channel group is fo...

Page 461: ...icates a higher effective priority. If an active port link goes down, the backup port with the highest priority is selected to replace the downed link. However, if two or more ports have the same LACP port priority, the port with the lowest physical port number will be selected as the backup port. Once the remote side of a link has been established, LACP operational settings are already in use on that si...

Page 462: ...r Sent: 0, Marker Received: 0, LACPDUs Unknown Pkts: 0, LACPDUs Illegal Pkts: 0. Table 4-51 show lacp counters, display description (Field, Description): LACPDUs Sent: Number of valid LACPDUs transmitted from this channel group. LACPDUs Received: Number of valid LACPDUs received on this channel group. Marker Sent: Number of valid Marker PDUs transmitted from this channel group. Marker Received: Number of valid Marker...

Page 463: ...state. Defaulted: The actor's receive machine is using defaulted operational partner information, administratively configured for the partner. Distributing: If false, distribution of outgoing frames on this link is disabled; i.e., distribution is currently disabled and is not expected to be enabled in the absence of administrative changes or changes in received protocol information. Collecting: Collection of...

Page 464: ...signed by the user. Partner Oper System ID: LAG partner's system ID assigned by the LACP protocol. Partner Admin Port Number: Current administrative value of the port number for the protocol Partner. Partner Oper Port Number: Operational port number assigned to this aggregation port by the port's protocol partner. Port Admin Priority: Current administrative value of the port priority for the protocol part...

Page 465: ...0-12-CF-8F-2C-A7 4 32768 00-12-CF-8F-2C-A7 Console# Table 4-54 show lacp sysid, display description (Field, Description): Channel group: A link aggregation group configured on this switch. System Priority: LACP system priority for this channel group. System MAC Address: System MAC address. The LACP system priority and system MAC address are concatenated to form the LAG system ID ...

Page 466: ...traffic from any source port to a destination port for real-time analysis. You can then attach a logic analyzer or RMON probe to the destination port and study the traffic crossing the source port in a completely unobtrusive manner. Set the destination port by specifying an Ethernet interface with the interface configuration command, and then use the port monitor command to specify the source of the ...

Page 467: ...mmand Mode: Privileged Exec. Command Usage: This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX). Example: The following shows mirroring configured from port 6 to port 11. Console(config)#interface ethernet 1/11 Console(config-if)#port monitor ethernet 1/6 rx Console(config-if)# Console(config)#interface ethernet 1/11 Console(config-if)#port monitor ethernet 1 ...

Page 468: ...ort can only be configured as one type of RSPAN interface: source, destination, or uplink. Also note that the source port and destination port cannot be configured on the same switch. Local/Remote Mirror: The destination of a local mirror session (created with the port monitor command) cannot be used as the destination for RSPAN traffic. Only two mirror sessions are allowed. Both sessions can be allocate...

Page 469: ...type to be mirrored remotely. Use the no form to disable RSPAN on the specified port, or with a traffic type keyword to disable mirroring for the specified type. Syntax: [no] rspan session session-id source interface interface-list [rx | tx | both]. session-id: A number identifying this RSPAN session (Range: 1-2). Only two mirror sessions are allowed, including both local and remote mirroring. If local mirroring is e...

Page 470: ...ilable for RSPAN. interface: ethernet unit/port. unit: Stack unit (Range: 1). port: Port number (Range: 1-26/50). tagged: Traffic exiting the destination port carries the RSPAN VLAN tag. untagged: Traffic exiting the destination port is untagged. Default Setting: Traffic exiting the destination port is untagged. Command Mode: Global Configuration. Command Usage: Only one destination port can be configured on the same s...

Page 471: ...motely mirrored traffic. intermediate: Specifies this device as an intermediate switch, transparently passing mirrored traffic from one or more sources to one or more destinations. destination: Specifies this device as a switch configured with a destination port which is to receive mirrored traffic for this session. uplink: A port configured to receive or transmit remotely mirrored traffic. interface: ethe...

Page 472: ...irroring. If local mirroring is enabled with the port monitor command (page 4-178), then there is only one session available for RSPAN. Command Mode: Global Configuration. Command Usage: The no rspan session command must be used to disable an RSPAN VLAN before it can be deleted from the VLAN database (see the vlan command, page 4-221). Example. show rspan: Use this command to display the configuration settings...

Page 473: ...forwarded without any changes. rate-limit: Use this command to define the rate limit level for a specific interface. Use this command without specifying a rate to restore the default rate limit level. Use the no form to restore the default status of disabled. Syntax: rate-limit {input | output} [rate]; no rate-limit {input | output}. input: Input rate limit. output: Output rate limit. rate: Maximum value in Mbps (Range: 1...

Page 474: ... all switch ports. Use the no form to restore the default setting. Syntax: power mainpower maximum allocation watts unit unit. watts: The power budget for the switch (Range: 37-375 watts). unit: Specifies the stack unit (Range: 1). Console(config)#interface ethernet 1/1 Console(config-if)#rate-limit input 1000 Console(config-if)# Table 4-58 PoE Commands (Command Group, Function, Mode, Page): power mainpower maximum alloc...

Page 475: ...r inline compatible Default Setting Disabled Command Mode Global Configuration Command Usage The switch automatically detects attached PoE devices by periodically transmitting test voltages over the RJ 45 ports When an 802 3af compatible device is plugged into one of these ports the powered device reflects the test voltage back to the switch which may then turn on the power to this device When the...

Page 476: ...the port providing that the power demanded does not exceed the switch's power budget Example Console config power inline compatible Console config end Console show power inline status Unit 1 Compatible mode Enabled Max Used Overload Interface Admin Oper Power Power Priority Auto recover Eth 1 1 Enabled Off 15400 mW 0 mW Low Disabled Eth 1 2 Enabled Off 15400 mW 0 mW Low Disabled Eth 1 3 Enabled Off 15...

Page 477: ...han the maximum power allocated to the port no power is supplied to the device i e port power remains off The switch supports a maximum output power of up to 31 W on Ports 1 4 only Otherwise the switch can support up to a maximum of 7 5 W on 24 ports simultaneously Example power inline priority This command sets the power priority for specific ports Use the no form to restore the default setting S...

Page 478: ...ad automatic recovery for specific ports Use the no form to disable the feature for the port Syntax no power inline overload auto recover Default Setting Disabled Command Mode Interface Configuration Command Usage Disabled When a port detects an overload condition the PoE power is disabled and the port administrative status is set to disabled The user must manually re enable the port using a manag...

Page 479: ...sabled Eth 1 5 Enabled Off 15400 mW 0 mW Low Disabled Eth 1 6 Enabled Off 15400 mW 0 mW Low Disabled Eth 1 7 Enabled Off 15400 mW 0 mW Low Disabled Eth 1 23 Enabled Off 15400 mW 0 mW Low Disabled Eth 1 24 Enabled Off 15400 mW 0 mW Low Disabled Console Table 4 59 show power inline status parameters Parameter Description Admin The power mode set on the port see power inline on page 4 188 Oper The cu...

Page 480: ...ower mainpower maximum allocation on page 4 186 System Operation Status The current operating power status displays on or off Mainpower Consumption The current power consumption on the switch in watts Software Version The version of software running on the PoE controller subsystem in the switch This software can be updated using the copy file controller command see page 4 24 Table 4 61 Address Tab...

Page 481: ...The default mode is permanent Command Mode Global Configuration Command Usage The static address for a host device can be assigned to a specific port within a specific VLAN Use this command to add static addresses to the MAC Address Table Static addresses have the following characteristics Static addresses will not be removed from the address table when a given interface link is down Static addres...

Page 482: ...ce ethernet unit port unit Stack unit Range 1 port Port number Range 1 26 50 port channel channel id Range 1 32 vlan id VLAN ID Range 1 4094 sort Sort by address vlan or interface Default Setting None Command Mode Privileged Exec Command Usage The MAC Address Table contains the MAC addresses associated with each interface Note that the Type field may include the following types Learned Dynamic add...

Page 483: ... seconds Aging time Range 10 30000 seconds 0 to disable aging Default Setting 300 seconds Command Mode Global Configuration Command Usage The aging time is used to age out dynamically learned forwarding information Example show mac address table aging time This command shows the aging time for entries in the address table Default Setting None Command Mode Privileged Exec Example Console show mac a...

Page 484: ...ing tree instance MST 4 203 name Configures the name for the multiple spanning tree MST 4 204 revision Configures the revision number for the multiple spanning tree MST 4 205 max hops Configures the maximum number of hops allowed in the region before a BPDU is discarded MST 4 205 spanning tree spanning disabled Disables spanning tree for an interface IC 4 206 spanning tree cost Configures the span...

Page 485: ... in your network to ensure that only one route exists between any two stations on the network and provide backup links which automatically take over when a primary link goes down Example This example shows how to enable the Spanning Tree Algorithm for the switch spanning tree mode This command selects the spanning tree mode for this switch Use the no form to restore the default Note MSTP is not su...

Page 486: ...TP BPDU after the migration delay expires RSTP restarts the migration delay timer and begins using RSTP BPDUs on that port Multiple Spanning Tree Protocol To allow multiple spanning trees to operate over the network you must configure a related set of bridges with the same MSTP configuration allowing them to participate in a specific set of spanning tree instances A spanning tree instance can exis...

Page 487: ... loops might result Example spanning tree hello time This command configures the spanning tree bridge hello time globally for this switch Use the no form to restore the default Syntax spanning tree hello time time no spanning tree hello time time Time in seconds Range 1 10 seconds The maximum value is the lower of 10 or max age 2 1 Default Setting 2 seconds Command Mode Global Configuration Comman...

Page 488: ...pt for designated ports should receive configuration messages at regular intervals Any port that ages out STA information provided in the last configuration message becomes the designated port for the attached LAN If it is a root port a new root port is selected from among the device ports attached to the network Example Related Commands spanning tree forward time 4 198 spanning tree hello time 4 ...

Page 489: ...st method long short no spanning tree pathcost method long Specifies 32 bit based values that range from 1 200 000 000 This method is based on the IEEE 802 1w Rapid Spanning Tree Protocol short Specifies 16 bit based values that range from 1 65535 This method is based on the IEEE 802 1 Spanning Tree Protocol Default Setting Long method Command Mode Global Configuration Command Usage The path cost ...

Page 490: ...obal Configuration Command Usage This command limits the maximum transmission rate for BPDUs Example spanning tree mst configuration This command changes to Multiple Spanning Tree MST configuration mode Default Setting No VLANs are mapped to any MST instance The region name is set to the switch's MAC address Command Mode Global Configuration Example Related Commands mst vlan 4 203 mst priority 4 203 ...

Page 491: ...ed to the Internal Spanning Tree MSTI 0 that connects all bridges and LANs within the MST region This switch supports up to 58 instances You should try to group VLANs which cover the same general area of your network However remember that you must configure all bridges within the same MSTI Region page 4 204 with the same set of instances and the same instance on each bridge with the same set of VL...

Page 492: ...ecifying a priority of 16384 Example name This command configures the name for the multiple spanning tree region in which this switch is located Use the no form to clear the name Syntax name name name Name of the spanning tree Default Setting Switch s MAC address Command Mode MST Configuration Command Usage The MST region name and revision number page 4 205 are used to designate a unique MST regio...

Page 493: ...red with the same MST instances Example Related Commands name 4 204 max hops This command configures the maximum number of hops in the region before a BPDU is discarded Use the no form to restore the default Syntax max hops hop number hop number Maximum hop number for multiple spanning tree Range 1 40 Default Setting 20 Command Mode MST Configuration Command Usage An MSTI region is treated as a si...

Page 494: ...s command configures the spanning tree path cost for the specified interface Use the no form to restore the default Syntax spanning tree cost cost no spanning tree cost cost The path cost for the port Range 1 200 000 000 Range 0 for auto configuration 1 65535 for short path cost method 1 200 000 000 for long path cost method Console config mstp max hops 30 Console config mstp Console config inte...

Page 495: ...higher values assigned to ports with slower media Path cost takes precedence over port priority When the spanning tree pathcost method page 4 201 is set to short the maximum value for path cost is 65 535 Example Table 4 64 Recommended STA Path Cost Port Type Link Type IEEE 802 1D 1998 IEEE 802 1w 2001 Ethernet Half Duplex Full Duplex Trunk 100 95 90 2 000 000 1 999 999 1 000 000 Fast Ethernet Half...

Page 496: ...ve link in the spanning tree Where more than one port is assigned the highest priority the port with lowest numeric identifier will be enabled Example Related Commands spanning tree cost 4 206 spanning tree edge port This command specifies an interface as an edge port Use the no form to restore the default Syntax no spanning tree edge port Default Setting Disabled Command Mode Interface Configurat...

Page 497: ...command is used to enable disable the fast spanning tree mode for the selected port In this mode ports skip the Discarding and Learning states and proceed straight to Forwarding Since end nodes cannot cause forwarding loops they can be passed through the spanning tree state changes more quickly than allowed by standard convergence time Fast forwarding can achieve quicker convergence for end node w...

Page 498: ...el Command Usage Specify a point to point link if the interface can only be connected to exactly one other bridge or a shared link if it can be connected to two or more bridges When automatic detection is selected the switch derives the link type from the duplex mode A full duplex interface is considered a point to point link while a half duplex interface is assumed to be on a shared link RSTP onl...

Page 499: ...to configuration mode Ethernet half duplex 2 000 000 full duplex 1 000 000 trunk 500 000 Fast Ethernet half duplex 200 000 full duplex 100 000 trunk 50 000 Gigabit Ethernet full duplex 10 000 trunk 5 000 10 Gigabit Ethernet full duplex 1000 trunk 500 Command Mode Interface Configuration Ethernet Port Channel Command Usage Each spanning tree instance is associated with a unique set of VLAN IDs This...

Page 500: ...e multiple spanning tree If the path cost for all interfaces on a switch are the same the interface with the highest priority that is lowest value will be configured as an active link in the spanning tree Where more than one interface is assigned the highest priority the interface with lowest numeric identifier will be enabled Example Related Commands spanning tree mst cost 4 211 spanning tree pro...

Page 501: ...nge 1 32 instance id Instance identifier of the multiple spanning tree Range 0 4094 no leading zeroes Default Setting None Command Mode Privileged Exec Command Usage Use the show spanning tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree CST and for every interface in the tree Use the show spanning tree interface command to displ...

Page 502: ...t 1 Current Root Cost 100000 Number of Topology Changes 9 Last Topology Change Time sec 1553 Transmission Limit 3 Path Cost Method Long Eth 1 1 information Admin Status Enabled Role Root State Forwarding External Admin Path Cost 100000 Internal Admin Path Cost 100000 External Oper Path Cost 100000 Internal Oper Path Cost 100000 Priority 128 Designated Cost 0 Designated Port 128 13 Designated Root ...

Page 503: ...vel 0 Instance Vlans 1 2 Console Table 4 66 VLANs Command Groups Function Page GVRP and Bridge Extension Configures GVRP settings that permit automatic VLAN learning shows the configuration for bridge extension MIB 4 216 Editing VLAN Groups Sets up VLAN groups including name VID and state 4 220 Configuring VLAN Interfaces Configures VLAN interface parameters including ingress and egress tagging mo...

Page 504: ...to exchange VLAN information in order to register VLAN members on ports across the network This function should be enabled to permit automatic VLAN registration and to support VLANs which extend beyond the local switch Example Table 4 67 GVRP and Bridge Extension Commands Command Function Mode Page bridge ext gvrp Enables GVRP globally for the switch GC 4 216 show bridge ext Shows the global bridg...

Page 505: ...command enables GVRP for a port Use the no form to disable it Syntax no switchport gvrp Default Setting Disabled Command Mode Interface Configuration Ethernet Port Channel Example Console show bridge ext Max Support VLAN Numbers 256 Max Support VLAN ID 4094 Extended Multicast Filtering Services No Static Entry Individual Port Yes VLAN Learning IVL Configurable PVID Tagging Yes Local VLAN Capable N...

Page 506: ...command sets the values for the join leave and leaveall timers Use the no form to restore the timers default values Syntax garp timer join leave leaveall timer value no garp timer join leave leaveall join leave leaveall Which timer to set timer value Value of timer Ranges join 20 1000 centiseconds leave 60 3000 centiseconds leaveall 500 18000 centiseconds Default Setting join 20 centiseconds leave...

Page 507: ...Set GVRP timers on all Layer 2 devices connected in the same network to the same values Otherwise GVRP may not operate successfully Example Related Commands show garp timer 4 219 show garp timer This command shows the GARP timers for the selected interface Syntax show garp timer interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 26 50 port channel channel id Ra...

Page 508: ...N settings by entering the show vlan command Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN The results of these commands are written to the running configuration file and you can display this file by entering the show running config command Example Related Commands show vlan 4 228 Table 4 68 Editing VLAN Groups Command Function Mode Page...

Page 509: ... traffic from remote switches The VLAN used for RSPAN cannot include VLAN 1 the switch's default VLAN nor VLAN 4093 the VLAN used for switch clustering For more information on configuring RSPAN through the CLI see RSPAN Mirroring Commands on page 4 180 Default Setting By default only VLAN 1 exists and is active Command Mode VLAN Database Configuration Command Usage no vlan vlan id deletes the VLAN ...

Page 510: ...s interface configuration mode for a specified VLAN GC 4 222 switchport mode Configures VLAN membership mode for an interface IC 4 223 switchport acceptable frame types Configures frame types to be accepted by an interface IC 4 224 switchport ingress filtering Enables ingress filtering on an interface IC 4 224 switchport native vlan Configures the PVID native VLAN of an interface IC 4 225 switchpo...

Page 511: ...es belonging to the port s default VLAN i e associated with the PVID are also transmitted as tagged frames hybrid Specifies a hybrid VLAN interface The port may transmit tagged or untagged frames private vlan For an explanation of this command see switchport mode private vlan on page 4 238 Default Setting All ports are in hybrid mode with the PVID set to VLAN 1 Command Mode Interface Configuration...

Page 512: ... Command Usage When set to receive all frame types any received frames that are untagged are assigned to the default VLAN Example The following example shows how to restrict the traffic received on port 1 to tagged frames Related Commands switchport mode 4 223 switchport ingress filtering This command enables ingress filtering for an interface Syntax no switchport ingress filtering Default Setting...

Page 513: ...yntax switchport native vlan vlan id no switchport native vlan vlan id Default VLAN ID for a port Range 1 4094 no leading zeroes Default Setting VLAN 1 Command Mode Interface Configuration Ethernet Port Channel Command Usage If an interface is not a member of VLAN 1 and you assign its PVID to this VLAN the interface will automatically be added to VLAN 1 as an untagged member For all other VLANs an...

Page 514: ...witchport mode set to trunk i e 1Q Trunk then you can only assign an interface to VLAN groups as a tagged member Frames are always tagged within the switch The tagged untagged parameter used when adding a VLAN to an interface tells the switch whether to keep or remove the tag from a frame on egress If none of the intermediate network devices nor the host at the other end of the connection supports...

Page 515: ...esignate a range of IDs Do not enter leading zeros Range 1 4094 Default Setting No VLANs are included in the forbidden list Command Mode Interface Configuration Ethernet Port Channel Command Usage This command prevents a VLAN from being automatically added to the specified interface via GVRP If a VLAN has been added to the set of allowed VLANs for an interface then you cannot add it to the set of ...

Page 516: ...Command Mode Normal Exec Privileged Exec Example The following example shows how to display information for VLAN 1 Table 4 70 Show VLAN Commands Command Function Mode Page show vlan Shows VLAN information NE PE 4 228 show interfaces status vlan Displays status for the specified VLAN interface NE PE 4 163 show interfaces switchport Displays the administrative and operational status of an interface ...

Page 517: ...nfigure the QinQ tunnel access port to join the SPVLAN as an untagged member switchport allowed vlan page 4 226 6 Configure the SPVLAN ID as the native VID on the QinQ tunnel access port switchport native vlan page 4 225 7 Configure the QinQ tunnel uplink port to dot1Q tunnel uplink mode switchport dot1q tunnel mode page 4 230 8 Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged ...

Page 518: ...how dot1q tunnel 4 232 show interfaces switchport 4 165 switchport dot1q tunnel mode This command configures an interface as a QinQ tunnel port Use the no form to disable QinQ on the interface Syntax switchport dot1q tunnel mode access uplink no switchport dot1q tunnel mode access Sets the port as an 802 1Q tunnel access port uplink Sets the port as an 802 1Q tunnel uplink port Default Setting Dis...

Page 519: ...tion This identifier is used to select a nonstandard 2 byte ethertype to identify 802 1Q tagged frames The standard ethertype value is 0x8100 Range 0800 FFFF hexadecimal Default Setting 0x8100 Command Mode Interface Configuration Ethernet Port Channel Command Usage Use the switchport dot1q tunnel tpid command to set a custom 802 1Q ethertype value on the selected interface This feature allows the ...

Page 520: ...sole config dot1q tunnel system tunnel control Console config interface ethernet 1 1 Console config if switchport dot1q tunnel mode access Console config if interface ethernet 1 2 Console config if switchport dot1q tunnel mode uplink Console config if end Console show dot1q tunnel Current double tagged status of the system is Enabled The dot1q tunnel mode of the set interface 1 1 is Access mode TP...

Page 521: ...feature Syntax no pvlan Default Setting Disabled Command Mode Global Configuration Command Usage When traffic segmentation is enabled the forwarding state for the uplink and downlink ports is shown below When traffic segmentation is disabled all ports operate in normal forwarding mode based on the settings specified by other functions such as VLANs and spanning tree protocol Table 4 72 Traffic Seg...

Page 522: ...consecutive list of interfaces or a comma between non consecutive interfaces ethernet unit port unit Stack unit Range 1 port Port number Range 1 26 50 port channel channel id Range 1 32 Default Setting None Command Mode Global Configuration Command Usage A port cannot be configured in both an uplink and downlink list If a downlink port is not configured the assigned uplink ports will operate as no...

Page 523: ...and multiple community VLANs can be associated with each primary VLAN Note that private VLANs and normal VLANs can exist simultaneously within the same switch This section describes commands used to configure private VLANs Console show pvlan Private VLAN status Enabled Up link port Ethernet 1 12 Down link port Ethernet 1 5 Ethernet 1 6 Ethernet 1 7 Ethernet 1 8 Console Table 4 74 Private VLAN Comm...

Page 524: ...private VLAN Use the no form to remove the specified private VLAN Syntax private vlan vlan id community primary no private vlan vlan id vlan id ID of private VLAN Range 1 4094 no leading zeroes community A VLAN in which traffic is restricted to host members in the same VLAN and to promiscuous ports in the associate primary VLAN primary A VLAN which can contain one or more community VLANs and serve...

Page 525: ...econdary vlan id ID of secondary i e community VLAN Range 1 4094 no leading zeroes Default Setting None Command Mode VLAN Configuration Command Usage Secondary VLANs provide security for group members The associated primary VLAN provides a common interface for access to other network resources within the primary VLAN e g servers configured with promiscuous ports and to resources outside of the pri...

Page 526: ...ort to a primary VLAN use the switchport private vlan mapping command To assign a host port to a community VLAN use the private vlan host association command Example switchport private vlan host association Use this command to associate an interface with a secondary VLAN Use the no form to remove this association Syntax switchport private vlan host association secondary vlan id no switchport priva...

Page 527: ... Ethernet Port Channel Command Usage Promiscuous ports assigned to a primary VLAN can communicate with any other promiscuous ports in the same VLAN and with the group members within any associated secondary VLANs Example show vlan private vlan Use this command to show the private VLAN configuration settings on this switch Syntax show vlan private vlan community primary community Displays all commu...

Page 528: ...ry we suggest configuring a separate VLAN for each major protocol running on your network Do not add port members at this time 2 Create a protocol group for each of the protocols you want to assign to a VLAN using the protocol vlan protocol group command General Configuration mode 3 Then map the protocol for each interface to the appropriate VLAN using the protocol vlan protocol group command Inte...

Page 529: ...tion for the llc_other frame type is ipx_raw The options for all other frames types include ip arp rarp and user defined 0801 FFFF hexadecimal Default Setting No protocol groups are configured Command Mode Global Configuration Example The following creates protocol group 1 and specifies Ethernet frames with IP and ARP protocol types protocol vlan protocol group Configuring Interfaces This command ...

Page 530: ...ccording to the standard rules applied to tagged frames If the frame is untagged and the protocol type matches the frame is forwarded to the appropriate VLAN If the frame is untagged but the protocol type does not match the frame is forwarded to the default VLAN for this interface Example The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol g...

Page 531: ...it Stack unit Range 1 port Port number Range 1 26 50 port channel channel id Range 1 32 Default Setting The mapping for all interfaces is displayed Command Mode Privileged Exec Example This shows that traffic entering Port 1 that matches the specifications for protocol group 1 will be mapped to VLAN 2 Console show protocol vlan protocol group ProtocolGroup ID Frame Type Protocol Type 1 ethernet 08...

Page 532: ... for untagged frames sets queue weights and maps class of service tags to hardware queues 4 244 Priority Layer 3 and 4 Sets the default priority processing method CoS IP Precedence or DSCP and maps TCP ports IP precedence tags or IP DSCP tags to class of service values 4 250 Table 4 77 Priority Commands Layer 2 Command Function Mode Page queue mode Sets the queue mode to strict priority or Weighte...

Page 533: ...ority queues are serviced WRR uses a relative weight for each queue which determines the number of packets the switch transmits every time it services a queue before moving on to the next queue Thus a queue weighted 8 will be allowed to transmit up to 8 packets after which the next lower priority queue will be serviced according to its weighting This prevents the head of line blocking that can oc...

Page 534: ...s that do not have VLAN tags are tagged with the input port s default ingress user priority and then placed in the appropriate priority queue at the output port The default priority for all ingress ports is zero Therefore any inbound frames that do not have priority tags will be placed in queue 0 of the output port Note that if the output port is an untagged member of the associated VLAN these fra...

Page 535: ...is prevents the head of line blocking that can occur with strict priority queuing Example This example shows how to assign WRR weights to priority queues 0 2 Related Commands show queue bandwidth 4 249 queue cos map This command assigns class of service CoS values to the priority queues i e hardware output queues 0 3 Use the no form to set the CoS map to the default values Syntax queue cos map queue ...

Page 536: ...ress port Example The following example shows how to change the CoS assignments Related Commands show queue cos map 4 249 show queue mode This command shows the current queue mode Default Setting None Command Mode Privileged Exec Example Table 4 78 Default CoS Values to Egress Queues Queue 0 1 2 3 Priority 1 2 0 3 4 5 6 7 Console config interface ethernet 1 1 Console config if queue cos map 0 0 Co...

Page 537: ...ws the class of service priority map Syntax show queue cos map interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 26 50 port channel channel id Range 1 32 Default Setting None Command Mode Privileged Exec Example Console show queue bandwidth Queue ID Weight 0 1 1 2 2 4 3 8 Console Console show queue cos map ethernet 1 1 Information of Eth 1 1 Traffic Class 0 1 ...

Page 538: ...ort mapping globally Table 4 79 Priority Commands Layer 3 and 4 Command Function Mode Page map ip port Enables TCP UDP class of service mapping GC 4 250 map ip port Maps TCP UDP socket to a class of service IC 4 251 map ip precedence Enables IP precedence class of service mapping GC 4 251 map ip precedence Maps IP precedence value to a class of service IC 4 252 map ip dscp Enables IP DSCP class of...

Page 539: ...hport priority This command sets the IP port priority for all interfaces Example The following example shows how to map HTTP traffic to CoS value 0 map ip precedence Global Configuration This command enables IP precedence mapping i e IP Type of Service Use the no form to disable IP precedence mapping Syntax no map ip precedence Default Setting Disabled Command Mode Global Configuration Command Usa...

Page 540: ...edence or IP DSCP and default switchport priority IP Precedence values are mapped to default Class of Service values on a one to one basis according to recommendations in the IEEE 802 1p standard and then subsequently mapped to the eight hardware priority queues This command sets the IP Precedence for all interfaces Example The following example shows how to map IP precedence value 1 to CoS value ...

Page 541: ...ty Use the no form to restore the default table Syntax map ip dscp dscp value cos cos value no map ip dscp dscp value 8 bit DSCP value Range 0 63 cos value Class of Service value Range 0 7 Default Setting The DSCP default values are defined in the following table Note that all the DSCP values that are not specified are mapped to CoS value 0 Command Mode Interface Configuration Ethernet Port Channe...

Page 542: ...alue 1 to CoS value 0 show map ip port This command shows the IP port priority map Syntax show map ip port interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 26 50 port channel channel id Range 1 32 Command Mode Privileged Exec Example The following shows that HTTP traffic has been mapped to CoS value 0 Related Commands map ip port Global Configuration 4 250 ma...

Page 543: ...ip precedence Global Configuration 4 251 map ip precedence Interface Configuration 4 252 show map ip dscp This command shows the IP DSCP priority map Syntax show map ip dscp interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 26 50 port channel channel id Range 1 32 Default Setting None Console show map ip precedence ethernet 1 5 Precedence mapping status disabl...

Page 544: ...lated Commands map ip dscp Global Configuration 4 252 map ip dscp Interface Configuration 4 253 Console show map ip dscp ethernet 1 1 DSCP mapping status disabled Port DSCP COS Eth 1 1 0 0 Eth 1 1 1 0 Eth 1 1 2 0 Eth 1 1 3 0 Eth 1 1 61 0 Eth 1 1 62 0 Eth 1 1 63 0 Console ...

Page 545: ...ass configuration mode A policy map can contain multiple class statements Table 4 82 Quality of Service Commands Command Function Mode Page class map Creates a class map for a type of traffic GC 4 258 match Defines the criteria used to classify traffic CM 4 259 rename Redefines the name of a class map CM 4 260 description Specifies the description of a class map CM 4 260 policy map Creates a polic...

Page 546: ...figuration mode Use the no form to delete a class map and return to Global configuration mode Syntax no class map class map name match any match any Match any condition within a class map class map name Name of the class map Range 1 16 characters Default Setting None Command Mode Global Configuration Command Usage First enter this command to designate a class map and enter the Class Map configurat...

Page 547: ... Map configuration mode Then use the match command to specify the fields within ingress packets that must match to qualify for this class map Only one match command can be entered per class map Example This example creates a class map called rd_class 1 and sets it to match packets marked for DSCP service value 3 This example creates a class map called rd_class 2 and sets it to match packets marked f...

Page 548: ...ion This command specifies the description of a class map or policy map Syntax description string string Description of the class map or policy map Range 1 64 characters Command Mode Class Map Configuration Policy Map Configuration Example Console config class map rd class 1 Console config cmap rename rd class 9 Console config cmap Console config class map rd_class 1 Console config cmap descriptio...

Page 549: ...te a Class Map page 4 261 before assigning it to a Policy Map Example This example creates a policy called rd_policy uses the class command to specify the previously defined rd_class uses the set command to classify the service that incoming packets will receive and then uses the police command to limit the average bandwidth to 100 000 Kbps the burst rate to 1522 bytes and configure the response t...

Page 550: ...s the police command to limit the average bandwidth to 100 000 Kbps the burst rate to 1522 bytes and configure the response to drop any violating packets set This command services IP traffic by setting a CoS DSCP or IP Precedence value in a matching packet as specified by the match command on page 4 259 Use the no form to remove the traffic classification Syntax no set cos new cos ip dscp new dscp...

Page 551: ...list types MAC ACL IP ACL including Standard ACL and Extended ACL Policing is based on a token bucket where bucket depth i e the maximum burst before the bucket overflows is specified by the burst byte field and the average rate tokens are removed from the bucket is specified by the rate bps option Example This example creates a policy called rd_policy uses the class command to specify the prev...

Page 552: ...t Port Channel Command Usage You can only assign one policy map to an interface You must first define a class map then define a policy map and finally use the service policy command to bind the policy map to the required interface Example This example applies a service policy to an ingress interface show class map This command displays the QoS class maps which define matching criteria used for cla...

Page 553: ... Mode Privileged Exec Example show policy map interface This command displays the service policy assigned to the specified interface Syntax show policy map interface interface input interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 26 50 port channel channel id Range 1 32 Console show class map Class Map match any rd_class 1 Match ip dscp 3 Class Map match any rd_class ...

Page 554: ...splays the multicast service and group members 4 266 IGMP Query Configures IGMP query parameters for multicast filtering at Layer 2 4 271 Static Multicast Routing Configures static multicast router ports 4 275 IGMP Filtering and Throttling Configures IGMP filtering and throttling 4 277 Multicast VLAN Registration Configures a single network wide multicast VLAN shared by hosts residing in other sta...

Page 555: ...no form to remove the port Syntax no ip igmp snooping vlan vlan id static ip address interface vlan id VLAN ID Range 1 4094 ip address IP address for multicast group interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 26 50 port channel channel id Range 1 32 Default Setting None Command Mode Global Configuration Example The following shows how to statically configure a mu...

Page 556: ...lso have to configure this switch to use Version 1 Some commands are only enabled for IGMPv2 and or v3 including ip igmp snooping querier ip igmp snooping query max response time ip igmp snooping query interval and ip igmp snooping immediate leave Example The following configures the switch to use IGMP Version 1 ip igmp snooping leave proxy This command enables IGMP leave proxy on the switch Use t...

Page 557: ...nd immediately deletes a member port of a multicast service if a leave packet is received at that port and immediate leave is enabled for the parent VLAN Use the no form to restore the default Syntax no ip igmp snooping immediate leave Default Setting Disabled Command Mode Interface Configuration VLAN Command Usage If immediate leave is not used a multicast router or querier will send a group spec...

Page 558: ...wn multicast addresses Syntax show mac address table multicast vlan vlan id user igmp snooping vlan id VLAN ID 1 to 4094 user Display only the user configured multicast entries igmp snooping Display only entries learned through IGMP snooping Default Setting None Console config interface vlan 1 Console config if ip igmp snooping immediate leave Console config if Console show ip igmp snooping Servic...

Page 559: ...no ip igmp snooping querier Default Setting Enabled Command Mode Global Configuration Console show mac address table multicast vlan 1 igmp snooping VLAN M cast IP addr Member ports Type 1 224 1 2 3 Eth1 11 IGMP Console Table 4 85 IGMP Query Commands Layer 2 Command Function Mode Page ip igmp snooping querier Allows this device to act as the querier for IGMP snooping GC 4 271 ip igmp snooping query...

Page 560: ... client from the multicast group Range 2 10 Default Setting 2 times Command Mode Global Configuration Command Usage The query count defines how long the querier waits for a response from a multicast client before taking action If a querier has sent a number of queries defined by this command but a client has not responded a countdown timer is started using the time defined by ip igmp snooping quer...

Page 561: ... ip igmp snooping query max response time seconds no ip igmp snooping query max response time seconds The report delay advertised in IGMP queries Range 5 25 Default Setting 10 seconds Command Mode Global Configuration Command Usage The switch must be using IGMPv2 v3 snooping for this command to take effect This command defines the time after a query during which a response is expected from a multi...

Page 562: ...ime the switch waits after the previous querier stops before it considers the router port i e the interface which had been receiving query packets to have expired Range 300 500 Default Setting 300 seconds Command Mode Global Configuration Command Usage The switch must use IGMPv2 v3 snooping for this command to take effect Example The following shows how to configure the default timeout to 300 seco...

Page 563: ...nfigured Command Mode Global Configuration Command Usage Depending on your network connections IGMP snooping may not always be able to locate the IGMP querier Therefore if the IGMP querier is a known multicast router switch connected over the network to an interface port or trunk on your router you can manually configure that interface to join all the current multicast groups Example The following...

Page 564: ... vlan id vlan id VLAN ID Range 1 4094 Default Setting Displays multicast router ports for all configured VLANs Command Mode Privileged Exec Command Usage Multicast router port types displayed include Static Example The following shows that port 11 in VLAN 1 is attached to a multicast router Console show ip igmp snooping mrouter vlan 1 VLAN M cast Router Ports Type 1 Eth 1 11 Static 2 Eth 1 12 Stat...

Page 565: ...reports received on the port are checked against the filter profile If a requested multicast group is permitted the IGMP join report is forwarded as normal If a requested multicast group is denied the IGMP join report is dropped IGMP filtering and throttling only applies to dynamically learned multicast groups it does not apply to statically configured groups Table 4 87 IGMP Filtering and Throttli...

Page 566: ...ion Command Usage A profile defines the multicast groups that a subscriber is permitted or denied to join The same profile can be applied to many interfaces but only one profile can be assigned to one interface Each profile has only one access mode either permit or deny Example permit deny This command sets the access mode for an IGMP filter profile Use the no form to delete a profile number Synta...

Page 567: ...for the end of a multicast group range Default Setting None Command Mode IGMP Profile Configuration Command Usage Enter this command multiple times to specify more than one multicast address or address range for a profile Example ip igmp filter Interface Configuration This command assigns an IGMP filtering profile to an interface on the switch Use the no form to remove a profile from an interface ...

Page 568: ...ups number The maximum number of multicast groups an interface can join at the same time Range 0 64 Default Setting 64 Command Mode Interface Configuration Command Usage IGMP throttling sets a maximum number of multicast groups that a port can join at the same time When the maximum number of groups is reached on a port the switch can take one of two actions either deny or replace If the action is ...

Page 569: ...lace If the action is set to deny any new IGMP join reports will be dropped If the action is set to replace the switch randomly removes an existing group and replaces it with the new multicast group Example show ip igmp filter This command displays the global and interface settings for IGMP filtering Syntax show ip igmp filter interface interface interface ethernet unit port unit Stack unit Range ...

Page 570: ...nge 1 4294967295 Default Setting None Command Mode Privileged Exec Example Console show ip igmp filter IGMP filter enabled Console show ip igmp filter interface ethernet 1 1 Ethernet 1 1 information IGMP Profile 19 Deny range 239 1 1 1 239 1 1 1 range 239 2 3 1 239 2 3 100 Console Console show ip igmp profile IGMP Profile 19 IGMP Profile 50 Console show ip igmp profile 19 IGMP Profile 19 Deny rang...

Page 571: ... unit port unit Stack unit Range 1 port Port number Range 1 26 50 port channel channel id Range 1 32 Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays all interfaces Example Console show ip igmp throttle interface ethernet 1 1 Eth 1 1 Information Status TRUE Action Deny Max Multicast Groups 32 Current Multicast Groups 0 Cons...

Page 572: ...ith the group keyword to remove a specific address or range of addresses Or use the no form with the vlan keyword to restore the default MVR VLAN Syntax no mvr group ip address count vlan vlan id group Defines a multicast service sent to all attached subscribers ip address IP address for an MVR multicast group Range 224 0 1 0 239 255 255 255 count The number of contiguous MVR group addresses Range 1 ...

Page 573: ...d as members of the MVR VLAN using the switchport allowed vlan command page 4 226 and switchport native vlan command page 4 225 but MVR receiver ports should not be statically configured as members of this VLAN IGMP snooping must be enabled to allow a subscriber to dynamically join or leave an MVR group see ip igmp snooping on page 4 267 Note that only IGMP version 2 or 3 hosts can issue multica...

Page 574: ... No receiver port is a member of any configured multicast group Command Mode Interface Configuration Ethernet Port Channel Command Usage A port which is not configured as an MVR receiver or source port can use IGMP snooping to join or leave multicast groups using the standard rules for multicast filtering Receiver ports can belong to different VLANs but should not be configured as a member of the ...

Page 575: ...2 or 3 hosts can issue multicast join or leave messages Example The following configures one source port and several receiver ports on the switch enables immediate leave on one of the receiver ports and statically assigns a multicast group to another receiver port show mvr This command shows information about the global MVR configuration settings when entered without any keywords the interfaces at...

Page 576: ...10 Console Table 4 89 show mvr display description Field Description MVR Status Shows if MVR is globally enabled on the switch MVR running status Indicates whether or not all necessary conditions in the MVR environment are satisfied MVR multicast vlan Shows the VLAN used to transport all MVR multicast traffic MVR Max Multicast Groups Shows the maximum number of multicast groups which can be assigned ...

Page 577: ...25 0 0 2 INACTIVE None 225 0 0 3 INACTIVE None 225 0 0 4 INACTIVE None 225 0 0 5 INACTIVE None 225 0 0 6 INACTIVE None 225 0 0 7 INACTIVE None 225 0 0 8 INACTIVE None 225 0 0 9 INACTIVE None 225 0 0 10 INACTIVE None Console Table 4 91 show mvr members display description Field Description MVR Group IP Multicast groups assigned to the MVR VLAN Status Shows whether or not there are active subscr...

Page 578: ...s1 Corresponding IP address address2 address8 Additional corresponding IP addresses Default Setting No static entries Command Mode Global Configuration Table 4 92 DNS Commands Command Function Mode Page ip host Creates a static host name to address mapping GC 4 290 clear host Deletes entries from the host name to address table PE 4 291 ip domain name Defines a default domain name for incomplete ho...

Page 579: ...s all entries Default Setting None Command Mode Privileged Exec Example This example clears all static entries from the DNS table ip domain name This command defines the default domain name appended to incomplete host names i e host names passed from a client that are not formatted with dotted notation Use the no form to remove the current domain name Syntax ip domain name name no ip domain name n...

Page 580: ...he domain name Range 1 64 characters Default Setting None Command Mode Global Configuration Command Usage Domain names are added to the end of the list one at a time When an incomplete host name is received by the DNS service on this switch it will work through the domain list appending each domain name in the list to the host name and checking with the specified name servers for a match If there ...

Page 581: ...r address6 server address1 IP address of domain name server server address2 server address6 IP address of additional domain name servers Default Setting None Command Mode Global Configuration Command Usage The listed name servers are queried in the specified sequence until a response is received or the end of the list is reached with no response Console config ip domain list sample com jp Console ...

Page 582: ...d before you can enable DNS If all name servers are deleted DNS will automatically be disabled Example This example enables DNS and then displays the configuration Console config ip domain server 192 168 1 55 10 1 0 55 Console config end Console show dns Domain Lookup Status DNS disabled Default Domain Name sample com Domain Name List sample com jp sample com uk Name Server List 192 168 1 55 10 1 ...

Page 583: ...d as an alias if it is mapped to the same address es as a previously configured entry show dns This command displays the configuration of the DNS service Command Mode Privileged Exec Example Console show hosts Hostname rd5 Inet address 10 1 0 55 192 168 1 55 Alias 1 rd6 Console Console show dns Domain Lookup Status DNS enabled Default Domain Name sample com Domain Name List sample com jp sample co...

Page 584: ...ME graphics8 nytimes com 19 POINTER TO 2 4 4 CNAME graphics478 nytimes com edgesui 19 POINTER TO 2 Console Table 4 93 show dns cache display description Field Description NO The entry number for each resource record FLAG The flag is always 4 indicating a cache entry and therefore unreliable TYPE This field includes ADDRESS which specifies the host address for the owner and CNAME which specifies an...

Page 585: ...s bootp Obtains IP address from BOOTP dhcp Obtains IP address from DHCP Default Setting DHCP Command Mode Interface Configuration VLAN Command Usage You must assign an IP address to this device to gain management access over the network You can manually configure a specific IP address or direct the device to obtain an address from a BOOTP or DHCP server Valid IP addresses consist of four numbers 0...

Page 586: ...w management VLAN Example In the following example the device is assigned an address in VLAN 1 Related Commands ip dhcp restart 4 299 ip default gateway This command establishes a static route between this switch and devices that exist on another network segment Use the no form to remove the static route Syntax ip default gateway gateway no ip default gateway gateway IP address of the default gate...

Page 587: ...e network portion of the address provided to the client will be based on this new domain Example In the following example the device is reassigned the same address Related Commands ip address 4 297 show ip interface This command displays the settings of an IP interface Default Setting All interfaces Command Mode Privileged Exec Example Console config interface vlan 1 Console config if ip address d...

Page 588: ...e switch adds header information count Number of packets to send Range 1 16 default 5 Default Setting This command has no default for the host Command Mode Normal Exec Privileged Exec Command Usage Use the ping command to see if another site on the network can be reached Following are some results of the ping command Normal response The normal response occurs in one to ten seconds depending on net...

Page 589: ...ING to 10 1 0 9 by 5 32 byte payload ICMP packets timeout is 5 seconds response time 10 ms response time 10 ms response time 10 ms response time 10 ms response time 10 ms Ping statistics for 10 1 0 9 5 packets transmitted 5 packets received 100 0 packets lost 0 Approximate round trip times Minimum 10 ms Maximum 20 ms Average 10 ms Console ...


Page 591: ...orm Control Broadcast multicast or unknown unicast traffic throttled above a critical threshold Port Mirroring Multiple source ports one destination port Rate Limits Input limit Output limit Port Trunking Static trunks Cisco EtherChannel compliant Dynamic trunks Link Aggregation Control Protocol Spanning Tree Algorithm Spanning Tree Protocol STP IEEE 802 1D 2004 Rapid Spanning Tree Protocol RSTP I...

Page 592: ...anager or Secure Shell Out of Band Management RS 232 console port Software Loading TFTP in band or XModem out of band SNMP Management access via MIB database Trap management to specified hosts RMON Groups 1 2 3 9 Statistics History Alarm Event Standards IEEE 802 1D 2004 Spanning Tree Algorithm and traffic priorities Spanning Tree Protocol Multiple Spanning Tree Protocol Rapid Spanning Tree Protoco...

Page 593: ...tensible SNMP Agents MIB RFC 2742 Forwarding Table MIB RFC 2096 IGMP MIB RFC 2933 Interface Group MIB RFC 2233 Interfaces Evolution MIB RFC 2863 IP Multicasting related MIBs MAU MIB RFC 2668 MIB II RFC 1213 Port Access Entity MIB IEEE 802 1X Port Access Entity Equipment MIB Private MIB QnQ Tunneling IEEE 802 1ad Provider Bridges Quality of Service MIB RADIUS Accounting Server MIB RFC 2621 RADIUS A...

Page 594: ...Software Specifications A 4 A SNMP View Based ACM MIB RFC 3415 TACACS Authentication Client MIB TCP MIB RFC 2013 Trap RFC 1215 UDP MIB RFC 2013 ...

Page 595: ...t Telnet SSH sessions permitted Try connecting again at a later time Cannot connect using Secure Shell If you cannot connect using SSH you may have exceeded the maximum number of concurrent Telnet SSH sessions permitted Try connecting again at a later time Be sure the control parameters for the SSH server are properly configured on the switch and that the SSH client software is properly configured...

Page 596: ...r messages reported to include all categories 3 Designate the SNMP host that is to receive the error messages 4 Repeat the sequence of commands or other actions that lead up to the error 5 Make a list of the commands or circumstances that led to the fault Also make a list of any error messages displayed 6 Contact your distributor s service engineer For example Console config logging on Console con...

Page 597: ...ploying a well defined set of building blocks from which a variety of aggregate forwarding behaviors may be built Each packet carries information DS byte used by each hop to give it a particular forwarding treatment or per hop behavior at each network node DiffServ allocates different levels of service to users on the network with mechanisms such as traffic meters shapers droppers packet markers a...

Page 598: ...witch can work automatically over a Spanning Tree network Generic Attribute Registration Protocol GARP GARP is a protocol that can be used by endstations and switches to register and propagate multicast group membership information in a switched environment so that multicast data frames are propagated only to those parts of a switched LAN containing registered endstations Formerly called Group Add...

Page 599: ... extensions for VLAN tagging IEEE 802 3x Defines Ethernet frame start stop requests and timers used for flow control on full duplex links Now incorporated in IEEE 802 3 2002 IGMP Query On each subnetwork one IGMP capable device will act as the querier that is the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong The elected querier wi...

Page 600: ...n Base MIB An acronym for Management Information Base It is a set of database objects that contains information about a specific device MD5 Message Digest Algorithm An algorithm that is used to create digital signatures It is intended for use with 32 bit machines and is safer than the MD4 algorithm which has been broken MD5 is a one way hash function meaning that it takes a message and converts it...

Page 601: ...rored to a monitor port for troubleshooting with a logic analyzer or RMON probe This allows data on the target port to be studied unobtrusively Port Trunk Defines a network link aggregation and trunking method which specifies how to create a single high speed logical link that combines several lower speed physical links Private VLANs Private VLANs provide port based security and isolation betwee...

Page 602: ...at operates over TCP port 25 Simple Network Management Protocol SNMP The application protocol in the Internet suite of protocols which offers network management services Simple Network Time Protocol SNTP SNTP allows a device to set its internal clock based on periodic updates from a Network Time Protocol NTP server Updates can be requested from a specific NTP server or can be received via broadcas...

Page 603: ...services UDP packets are delivered just like IP packets connection less datagrams that may be discarded before reaching their targets UDP is useful when TCP would be too complex too slow or just unnecessary Virtual LAN VLAN A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network A VLAN serves as a ...


Page 605: ...ccess Control List See ACL ACL 3 91 4 143 binding to a port 3 98 4 148 IP Extended 3 94 4 143 4 146 IP Standard 3 93 4 143 4 145 MAC 3 96 4 149 4 150 4 152 address table 3 139 4 192 aging time 3 141 4 195 authentication MAC 4 127 MAC address authentication 4 127 MAC configuring ports 4 129 network access 4 127 public key 3 76 4 104 B BOOTP 3 18 4 297 BPDU 3 142 selecting protocol based on message ...

Page 606: ...290 enabling lookup 3 231 4 294 name server list 3 231 4 293 static entries 3 233 4 290 Domain Name Service See DNS downloading software 3 20 4 25 DSA encryption 3 77 4 108 DSCP enabling 3 195 4 252 mapping priorities 3 197 4 253 dynamic addresses displaying 3 140 4 194 E edge port STA 3 153 3 156 4 208 encryption DSA 3 77 4 108 RSA 3 77 4 108 event logging 3 28 4 40 exec command privileges accoun...

Page 607: ...ng filter criteria 3 108 4 139 J jumbo frame 3 19 4 23 K key private 3 75 4 103 public 3 75 4 103 user public importing 4 25 key pair host 3 75 4 103 host generating 3 77 4 108 L LACP group attributes configuring 3 120 4 172 group members configuring 3 120 local parameters 3 124 4 174 partner parameters 3 124 4 174 protocol message statistics 3 124 4 174 link type STA 3 153 3 156 4 210 logging sys...

Page 608: ...re MAC information 4 130 P packet filtering 3 91 password line 4 33 passwords 2 4 administrator setting 3 54 4 77 path cost 3 144 3 153 method 3 148 4 201 STA 3 144 3 153 4 201 port authentication 3 80 4 112 port power displaying status 3 136 4 191 inline 3 137 4 188 inline status 3 136 4 191 maximum allocation 3 136 4 189 priority 3 138 4 189 showing mainpower 3 136 4 192 port priority configurin...

Page 609: ... 3 142 4 197 global settings configuring 3 147 4 197 global settings displaying 3 144 4 213 interface settings configuring 3 154 4 206 4 212 interface settings displaying 3 151 4 213 running configuration files displaying 4 18 S secure shell 3 75 4 103 configuration 3 75 4 103 security general measures 3 89 4 123 serial port configuring 3 24 4 31 Simple Mail Transfer Protocol See SMTP Simple Networ...

Page 610: ... STP 3 147 4 197 STP Also see STA summary accounting 3 68 4 98 switch clustering for management 3 236 4 56 switch settings restoring 3 22 4 24 saving 4 24 system clock setting 3 35 4 51 setting manually 3 35 4 55 setting the time zone 3 36 4 54 setting with SNTP 3 35 4 51 4 53 system logs 3 28 4 41 system software downloading from server 3 20 4 25 T TACACS logon authentication 3 56 4 86 settings 3...

Page 611: ...228 egress mode 3 177 4 223 interface configuration 3 176 4 224 4 227 private 3 184 4 235 protocol 3 185 4 240 protocol configuring 3 186 4 241 protocol configuring groups 3 186 4 241 protocol interface configuration 3 187 4 241 protocol system configuration 3 187 4 241 PVID 3 176 4 225 system mode QinQ 3 181 4 230 W Web interface access requirements 3 1 web interface configuration buttons 3 3 hom...
