manualshive.com logo in svg

SMC Networks 8926EM, Management Manual

Share
Download
SMC Networks 8926EM Management Manual Download Page 483

Secure Shell Commands

25-17

25

stored on the switch can access it. The following exchanges take place during 
this process:

Authenticating SSH v1.5 Clients

a. The client sends its RSA public key to the switch. 
b. The switch compares the client's public key to those stored in memory. 
c. If a match is found, the switch uses its secret key to generate a random 

256-bit string as a challenge, encrypts this string with the user’s public key, 
and sends it to the client. 

d. The client uses its private key to decrypt the challenge string, computes the 

MD5 checksum, and sends the checksum back to the switch. 

e. The switch compares the checksum sent from the client against that 

computed for the original string it sent. If the two checksums match, this 
means that the client's private key corresponds to an authorized public key, 
and the client is authenticated. 

Authenticating SSH v2 Clients

a. The client first queries the switch to determine if DSA public key 

authentication using a preferred algorithm is acceptable. 

b. If the specified algorithm is supported by the switch, it notifies the client to 

proceed with the authentication process. Otherwise, it rejects the request. 

c. The client sends a signature generated using the private key to the switch.
d. When the server receives this message, it checks whether the supplied key 

is acceptable for authentication, and if so, it then checks whether the 
signature is correct. If both checks succeed, the client is authenticated.

Note:

The SSH server supports up to four client sessions. The maximum number of 
client sessions includes both current Telnet sessions and SSH sessions.

ip ssh server

This command enables the Secure Shell (SSH) server on this switch. Use the 

no

 

form to disable this service.

Syntax 

[

no

ip ssh server

Default Setting 

Disabled

Command Mode 

Global Configuration

Command Usage 

• The SSH server supports up to four client sessions. The maximum number of 

client sessions includes both current Telnet sessions and SSH sessions.

• The SSH server uses DSA or RSA for key exchange when the client first 

establishes a connection with the switch, and then negotiates with the client 
to select either DES (56-bit) or 3DES (168-bit) for data encryption.

• You must generate DSA and RSA host keys before enabling the SSH server.

Summary of Contents for 8926EM

Page 1: ...MANAGEMENT GUIDE ta SMC8926EM SMC8950EM TigerStack II 10 100 1000 24 48 Port Stackable Layer 3 Gigabit Switch ...

Page 2: ...20 Mason Irvine CA 92618 Phone 949 679 8000 TigerStack II 10 100 1000 Management Guide From SMC s Tiger line of feature rich workgroup LAN solutions August 2009 Pub 149100000035A E082009 MW R01 ...

Page 3: ...ted by implication or otherwise under any patent or patent rights of SMC SMC reserves the right to change specifications at any time without notice Copyright 2009 by SMC Networks Inc 20 Mason Irvine CA 92618 All rights reserved Printed in China Trademarks SMC is a registered trademark and EZ Switch TigerStack and TigerSwitch are trademarks of SMC Networks Inc Other product and company names are tr...

Page 4: ...Warranty and Product Registration To register SMC products and to review the detailed warranty statement please refer to the Support Section of the SMC Website at http www smc com ...

Page 5: ...nt information or calls your attention to related features or instructions Caution Alerts you to a potential hazard that could cause loss of data or damage the system or equipment Warning Alerts you to a potential hazard that could cause personal injury Related Publications The following publication details the hardware features of the switch including the physical and performance related characte...

Page 6: ...ii ...

Page 7: ...anagement Access 2 5 Resilient Configuration 2 5 Renumbering the Stack 2 5 Ensuring Consistent Code is Used Across the Stack 2 5 Basic Configuration 2 6 Console Connection 2 6 Setting Passwords 2 7 Setting an IP Address 2 7 Manual Configuration 2 8 Dynamic Configuration 2 11 Enabling SNMP Management Access 2 13 Community Strings for SNMP version 1 and 2c clients 2 13 Trap Receivers 2 14 Configurin...

Page 8: ...loading Configuration Settings from a Server 4 25 Console Port Settings 4 26 Telnet Settings 4 28 Configuring Event Logging 4 30 System Log Configuration 4 30 Remote Log Configuration 4 31 Displaying Log Messages 4 33 Sending Simple Mail Transfer Protocol Alerts 4 33 Renumbering the Stack 4 35 Resetting the System 4 36 Setting the System Clock 4 36 Setting the Current Time 4 37 Configuring SNTP 4 ...

Page 9: ...the ACL Name and Type 7 1 Configuring a Standard IPv4 ACL 7 2 Configuring an Extended IPv4 ACL 7 3 Configuring a MAC ACL 7 6 Configuring a Standard IPv6 ACL 7 7 Configuring an Extended IPv6 ACL 7 8 Binding a Port to an Access Control List 7 11 Chapter 8 Port Configuration 8 1 Displaying Connection Status 8 1 Configuring Interface Connections 8 3 Creating Trunk Groups 8 6 Statically Configuring a T...

Page 10: ...n Interface to a QinQ Tunnel 11 17 Configuring Private VLANs 11 18 Enabling Private VLANs 11 19 Configuring Uplink and Downlink Ports 11 19 Configuring Protocol Based VLANs 11 20 Configuring Protocol Groups 11 20 Mapping Protocols to VLANs 11 21 Chapter 12 Link Layer Discovery Protocol 12 1 Setting Basic LLDP Timing Attributes 12 1 Configuring LLDP Interface Attributes 12 3 Displaying LLDP Local D...

Page 11: ...ce 16 1 Configuring General DNS Service Parameters 16 1 Configuring Static DNS Host to Address Entries 16 3 Displaying the DNS Cache 16 5 Chapter 17 Dynamic Host Configuration Protocol 17 1 Configuring DHCP Relay Service 17 1 Configuring the DHCP Server 17 2 Enabling the Server Setting Excluded Addresses 17 3 Configuring Address Pools 17 4 Displaying Address Bindings 17 9 Chapter 18 Configuring Ro...

Page 12: ...irst Protocol 20 14 Configuring General Protocol Settings 20 15 Configuring OSPF Areas 20 19 Configuring Area Ranges Route Summarization for ABRs 20 23 Configuring OSPF Interfaces 20 25 Configuring Virtual Links 20 29 Configuring Network Area Addresses 20 31 Configuring Summary Addresses for External AS Routes 20 33 Redistributing External Routes 20 35 Configuring NSSA Settings 20 36 Displaying Li...

Page 13: ...d 22 4 exit 22 5 quit 22 5 Chapter 23 System Management Commands 23 1 Device Designation Commands 23 1 hostname 23 1 switch renumber 23 2 System Status Commands 23 3 show startup config 23 3 show running config 23 5 show system 23 7 show users 23 8 show version 23 8 Frame Size Commands 23 9 jumbo frame 23 9 File Management Commands 23 10 copy 23 11 delete 23 13 dir 23 14 whichboot 23 15 boot syste...

Page 14: ...ogging sendmail destination email 23 34 logging sendmail 23 34 show logging sendmail 23 35 Time Commands 23 35 sntp client 23 36 sntp server 23 37 sntp poll 23 37 sntp update time 23 38 show sntp 23 38 clock timezone 23 39 clock timezone predefined 23 39 clock summer time date 23 40 clock summer time predefined 23 41 clock summer time recurring 23 42 show clock 23 43 calendar set 23 44 show calend...

Page 15: ...ius server key 25 7 radius server retransmit 25 8 radius server timeout 25 8 show radius server 25 8 TACACS Client 25 9 tacacs server host 25 9 tacacs server port 25 10 tacacs server key 25 10 show tacacs server 25 11 Web Server Commands 25 11 ip http port 25 11 ip http server 25 12 ip http secure server 25 12 ip http secure port 25 13 Telnet Server Commands 25 14 ip telnet server 25 14 Secure She...

Page 16: ... 35 management 25 35 show management 25 36 Chapter 26 Access Control List Commands 26 1 IPv4 ACLs 26 1 access list ip 26 2 permit deny Standard IPv4 ACL 26 2 permit deny Extended IPv4 ACL 26 3 show ip access list 26 5 ip access group 26 6 show ip access group 26 6 IPv6 ACLs 26 7 access list ipv6 26 7 permit deny Standard IPv6 ACL 26 8 permit deny Extended IPv6 ACL 26 9 show ipv6 access list 26 11 ...

Page 17: ...hernet Interface 28 5 lacp admin key Port Channel 28 6 lacp port priority 28 6 show lacp 28 7 Chapter 29 Mirror Port Commands 29 1 port monitor 29 1 show port monitor 29 2 Chapter 30 Rate Limit Commands 30 1 rate limit 30 1 Chapter 31 Address Table Commands 31 1 mac address table static 31 1 clear mac address table dynamic 31 2 show mac address table 31 3 mac address table aging time 31 4 show mac...

Page 18: ...s 32 18 Chapter 33 Spanning Tree Commands 33 1 spanning tree 33 2 spanning tree mode 33 2 spanning tree forward time 33 4 spanning tree hello time 33 4 spanning tree max age 33 5 spanning tree priority 33 6 spanning tree pathcost method 33 6 spanning tree transmission limit 33 7 spanning tree mst configuration 33 7 mst vlan 33 8 mst priority 33 9 name 33 9 revision 33 10 max hops 33 11 spanning tr...

Page 19: ...34 12 show vlan 34 13 Configuring IEEE 802 1Q Tunneling 34 14 dot1q tunnel system tunnel control 34 15 switchport dot1q tunnel mode 34 15 switchport dot1q tunnel tpid 34 16 show dot1q tunnel 34 17 Configuring Private VLANs 34 18 pvlan 34 18 show pvlan 34 19 Configuring Protocol based VLANs 34 20 protocol vlan protocol group Configuring Groups 34 20 protocol vlan protocol group Configuring Interfac...

Page 20: ...6 8 show class map 36 9 show policy map 36 9 show policy map interface 36 10 Chapter 37 Multicast Filtering Commands 37 1 IGMP Snooping Commands 37 1 ip igmp snooping 37 1 ip igmp snooping vlan static 37 2 ip igmp snooping version 37 2 ip igmp snooping immediate leave 37 3 show ip igmp snooping 37 4 show mac address table multicast 37 4 IGMP Query Commands 37 5 ip igmp snooping querier 37 5 ip igm...

Page 21: ...ress 39 6 ip dhcp pool 39 6 network 39 7 default router 39 8 domain name 39 8 dns server 39 9 next server 39 9 bootfile 39 10 netbios name server 39 10 netbios node type 39 11 lease 39 11 host 39 12 client identifier 39 13 hardware address 39 14 clear ip dhcp binding 39 14 show ip dhcp binding 39 15 Chapter 40 Router Redundancy Commands 40 1 Virtual Router Redundancy Protocol Commands 40 1 vrrp ip...

Page 22: ... 13 show ipv6 interface 41 14 ipv6 default gateway 41 17 show ipv6 default gateway 41 17 ipv6 mtu 41 18 show ipv6 mtu 41 19 show ipv6 traffic 41 19 clear ipv6 traffic 41 25 ping ipv6 41 25 ipv6 neighbor 41 26 ipv6 nd dad attempts 41 27 ipv6 nd ns interval 41 29 show ipv6 neighbors 41 30 clear ipv6 neighbors 41 32 Address Resolution Protocol ARP 41 32 arp 41 32 arp timeout 41 33 clear arp cache 41 ...

Page 23: ...mation originate 42 21 timers spf 42 22 area range 42 23 area default cost 42 24 summary address 42 24 redistribute 42 25 network area 42 26 area stub 42 27 area nssa 42 28 area virtual link 42 30 ip ospf authentication 42 32 ip ospf authentication key 42 33 ip ospf message digest key 42 34 ip ospf cost 42 35 ip ospf dead interval 42 36 ip ospf hello interval 42 36 ip ospf priority 42 37 ip ospf r...

Page 24: ...ix A Software Specifications A 1 Software Features A 1 Management Features A 2 Standards A 2 Management Information Bases A 3 Appendix B Troubleshooting B 1 Problems Accessing the Management Interface B 1 Using System Logs B 2 Glossary Index ...

Page 25: ...s to Egress Queues 13 3 Table 13 2 CoS Priority Levels 13 3 Table 13 3 Mapping IP Precedence 13 8 Table 13 4 Mapping DSCP Priority 13 10 Table 19 1 Address Resolution Protocol 19 8 Table 19 2 ARP Statistics 19 14 Table 19 3 IP Statistics 19 16 Table 19 4 ICMP Statistics 19 17 Table 19 5 USP Statistics 19 19 Table 19 6 TCP Statistics 19 20 Table 20 1 RIP Information and Statistics 20 11 Table 21 1 ...

Page 26: ...12 Port Security Commands 25 24 Table 25 13 802 1X Port Authentication Commands 25 26 Table 25 14 IP Filter Commands 25 35 Table 26 1 Access Control List Commands 26 1 Table 26 2 IPv4 ACL Commands 26 1 Table 26 3 IPv6 ACL Commands 26 7 Table 26 4 MAC ACL Commands 26 12 Table 26 5 ACL Information Commands 26 16 Table 27 1 Interface Commands 27 1 Table 27 2 show interfaces switchport display descrip...

Page 27: ...ble 40 4 show vrrp brief display description 40 8 Table 41 1 IP Interface Commands 41 1 Table 41 2 Basic IP Configuration Commands 41 1 Table 41 3 show ipv6 interface display description 41 15 Table 41 4 show ipv6 mtu display description 41 19 Table 41 5 show ipv6 traffic display description 41 21 Table 41 6 show ipv6 neighbors display description 41 31 Table 41 7 Address Resolution Protocol Comma...

Page 28: ...isplay description 42 47 Table 42 17 show ip ospf summary display description 42 48 Table 42 18 show ip ospf interface display description 42 49 Table 42 19 show ip ospf neighbor display description 42 50 Table 42 20 show ip ospf virtual links display description 42 51 Table B 1 Troubleshooting Chart B 1 ...

Page 29: ...5 Figure 4 16 Configuring the Console Port 4 27 Figure 4 17 Configuring the Telnet Interface 4 29 Figure 4 18 System Logs 4 31 Figure 4 19 Remote Logs 4 32 Figure 4 20 Displaying Logs 4 33 Figure 4 21 Enabling and Configuring SMTP Alerts 4 34 Figure 4 22 Renumbering the Stack 4 36 Figure 4 23 Resetting the System 4 36 Figure 4 24 Current Time 4 37 Figure 4 25 SNTP Configuration 4 38 Figure 4 26 Cl...

Page 30: ...e 8 5 LACP Aggregation Port 8 11 Figure 8 6 LACP Port Counters Information 8 13 Figure 8 7 LACP Port Internal Information 8 15 Figure 8 8 LACP Port Neighbors Information 8 16 Figure 8 9 Port Broadcast Control 8 18 Figure 8 10 Mirror Port Configuration 8 19 Figure 8 11 Rate Limit Configuration 8 21 Figure 8 12 Port Statistics 8 25 Figure 9 1 Static Addresses 9 2 Figure 9 2 Dynamic Addresses 9 3 Fig...

Page 31: ...re 13 8 IP Port Priority Status 13 11 Figure 13 9 IP Port Priority 13 12 Figure 14 1 Configuring Class Maps 14 3 Figure 14 2 Configuring Policy Maps 14 6 Figure 14 3 Service Policy Settings 14 7 Figure 15 1 IGMP Configuration 15 4 Figure 15 1 IGMP Immediate Leave 15 5 Figure 15 2 Multicast Router Port Information 15 6 Figure 15 3 Static Multicast Router Port Configuration 15 7 Figure 15 4 IP Multi...

Page 32: ...ace Settings 20 8 Figure 20 4 RIP Redistribution Configuration 20 10 Figure 20 5 RIP Statistics 20 12 Figure 20 6 OSPF General Configuration 20 18 Figure 20 7 OSPF Area Configuration 20 22 Figure 20 8 OSPF Range Configuration 20 24 Figure 20 9 OSPF Interface Configuration 20 28 Figure 20 10 OSPF Interface Configuration Detailed 20 28 Figure 20 11 OSPF Virtual Link Configuration 20 30 Figure 20 12 ...

Page 33: ...his section provides an overview of the switch and introduces some basic concepts about network switches It also describes the basic settings required to access the management interface Introduction 1 1 Initial Configuration 2 1 ...

Page 34: ...Getting Started ...

Page 35: ...ntrol Lists Supports up to 256 ACLs 96 MAC rules 96 IP rules and 96 IPv6 rules DHCP Client Relay and Server Supported DNS Client and Proxy service Port Configuration Speed and duplex mode and flow control Rate Limiting Input and output rate limiting per port Port Mirroring One or more ports mirrored to single analysis port Port Trunking Supports up to 32 trunks using either static or dynamic trunk...

Page 36: ...lso supported via the IEEE 802 1X protocol This protocol uses Extensible Authentication Protocol over LANs EAPOL to request user credentials from the 802 1X client and then uses the EAP between the switch and the authentication server to verify the client s right to access the network via an authentication server i e RADIUS server Other authentication options include HTTPS for secure management ac...

Page 37: ...ceived on an interface Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network Traffic that falls within the rate limit is transmitted while packets that exceed the acceptable amount of traffic are dropped Port Mirroring The switch can unobtrusively mirror traffic from any port to a monitor port You can then attach a protocol analyzer or RMON ...

Page 38: ...30 seconds or more for the older IEEE 802 1D STP standard It is intended as a complete replacement for STP but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP compliant mode if they detect STP protocol messages from attached devices Multiple Spanning Tree Protocol MSTP IEEE 802 1s This protocol is a direct extension of RSTP It can provide...

Page 39: ...tion hassles normally associated with conventional routers Routing for unicast traffic is supported with the Routing Information Protocol RIP and the Open Shortest Path First OSPF protocol RIP This protocol uses a distance vector approach to routing Routes are determined on the basis of minimizing the distance vector or hop count which serves as a rough estimate of transmission cost OSPF This appr...

Page 40: ... a per hop basis Each packet is classified upon entry into the network based on access lists IP Precedence or DSCP values or VLAN lists Using access lists allows you select traffic based on Layer 2 Layer 3 or Layer 4 information contained in each packet Based on network policies different kinds of traffic can be marked for different kinds of forwarding Multicast Filtering Specific multicast traffi...

Page 41: ...ort Connection Baud Rate auto Data bits 8 Stop bits 1 Parity none Local Console Timeout 0 disabled Authentication Privileged Exec Level Username admin Password admin Normal Exec Level Username guest Password guest Enable Privileged Exec from Normal Exec Level Password super RADIUS Authentication Disabled TACACS Authentication Disabled 802 1X Port Authentication Disabled HTTPS Enabled SSH Disabled ...

Page 42: ...t Trunking Static Trunks None LACP all ports Disabled Broadcast Storm Protection Status Enabled all ports Broadcast Limit Rate 500 packets per second Spanning Tree Algorithm Status Enabled RSTP Defaults All values based on IEEE 802 1w Fast Forwarding Edge Port Disabled Address Table Aging Time 300 seconds Virtual LANs Default VLAN 1 PVID 1 Acceptable Frame Type All Ingress Filtering Disabled Switc...

Page 43: ...ay 0 0 0 0 DHCP Client Enabled Relay Disabled Server Disabled DNS Client Proxy service Disabled BOOTP Disabled ARP Enabled Cache Timeout 20 minutes Proxy Disabled Unicast Routing RIP Disabled OSPF Disabled Router Redundancy VRRP Disabled Multicast Filtering IGMP Snooping Snooping Enabled Querier Disabled System Log Status Enabled Messages Logged Levels 0 7 all Messages Logged to Flash Levels 0 3 S...

Page 44: ...Introduction 1 10 1 ...

Page 45: ...onnection to the RS 232 serial console port on the switch or remotely by a Telnet connection over the network The switch s management agent also supports SNMP Simple Network Management Protocol This SNMP agent permits the switch to be managed from any system in the network using network management software such as SMC s EliteView The switch s web interface CLI configuration program and SNMP agent ...

Page 46: ...mplete the following steps 1 Connect the console cable to the serial port on a terminal or a PC running terminal emulation software and tighten the captive retaining screws on the DB 9 connector 2 Connect the other end of the cable to the RS 232 serial port on the switch 3 Make sure the terminal emulation software is set as follows Select the appropriate serial port COM port 1 or COM port 2 Set to...

Page 47: ...board configuration program can be accessed using Telnet from any computer attached to the network The switch can also be managed by any computer using a web browser Internet Explorer 5 0 or above Netscape 6 2 or above or Mozilla Firefox 2 0 0 0 or above or from a network computer using SNMP network management software Note The onboard program only provides access to basic configuration functions ...

Page 48: ...aster unit finishes booting up it continues to synchronize configuration information to all of the Slave units in the stack If the Master unit fails or is powered off a new master unit will be selected based on the election rules described in the preceding section The backup unit elected to serve as the new stack Master will take control of the stack without any loss of configuration settings To e...

Page 49: ...t access However if the unit to which you normally connect for management access fails and there are no active port members on the other units within this VLAN interface then this IP address will no longer be available To retain a constant IP address for management access across fail over events you should include port members on several units within the primary VLAN used for stack management Resi...

Page 50: ...up units that are running a different image version For information on downloading firmware see Managing Firmware on page 4 21 or File Management Commands on page 23 10 Basic Configuration Console Connection The CLI program provides two different command levels normal access level Normal Exec and privileged access level Privileged Exec The commands available at the Normal Exec level are a limited ...

Page 51: ...rname admin password 0 password for the Privileged Exec level where password is your new password Press Enter Note 0 specifies a password in plain text 7 specifies a password in encrypted form Setting an IP Address You must establish IP address information for the stack to obtain management access through the network This can be done in either of the following ways Manual You have to input the inf...

Page 52: ... address is the switch IP address and netmask is the network mask for the network Press Enter 3 Type exit to return to the global configuration mode prompt Press Enter 4 To set the IP address of the default gateway for the network to which the switch belongs type ip default gateway gateway where gateway is the IP address of the default gateway Press Enter Assigning an IPv6 Address There are severa...

Page 53: ...ter Then press Enter Address for Multi segment Network Before you can assign an IPv6 address to the switch that will be used to connect to a multi segment network you must obtain the following information from your network administrator Prefix for this network IP address for the switch Default gateway for the network For most networks that encompass several different subnets it s easier to first d...

Page 54: ...e ipv6 address bits The remaining bits are assigned to the host interface Press Enter 4 Type exit to return to the global configuration mode prompt Press Enter 5 To set the IP address of the IPv6 default gateway for the network to which the switch belongs type ipv6 default gateway gateway where gateway is the IPv6 address of the default gateway Press Enter Console config ipv6 general prefix rd 200...

Page 55: ...rface vlan 1 to access the interface configuration mode Press Enter 2 At the interface configuration mode prompt use one of the following commands To obtain IP settings via DHCP type ip address dhcp and press Enter To obtain IP settings via BOOTP type ip address bootp and press Enter 3 Type end to return to the Privileged Exec mode Press Enter 4 Type ip dhcp restart client to begin broadcasting se...

Page 56: ...a network containing more than one subnet the switch can be configured to automatically generate a unique host address based on the local subnet address prefix received in router advertisement messages DHCP for IPv6 will also be supported in future software releases To dynamically generate an IPv6 host address for the switch complete the following steps 1 From the Global Configuration mode prompt ...

Page 57: ... the default public community string that provides read access to the entire MIB tree and a default view for the private community string that provides read write access to the entire MIB tree However you may assign new views to version 1 or 2c community strings that suit your specific security requirements see page 5 17 Community Strings for SNMP version 1 and 2c clients Community strings are use...

Page 58: ...re are no community strings then SNMP management access from SNMP v1 and v2c clients is disabled Trap Receivers You can also specify SNMP stations that are to receive traps from the switch To configure a trap receiver use the snmp server host command From the Privileged Exec level global configuration mode prompt type snmp server host host address community string version 1 2c 3 auth noauth priv w...

Page 59: ...t up file The three types of files are Configuration This file type stores system configuration information and is created when configuration settings are saved Saved configuration files can be selected as a system start up file or can be uploaded via TFTP to a server for backup The file named Factory_Default_Config cfg contains all the system default settings and cannot be deleted from the system...

Page 60: ... Settings Configuration commands only modify the running configuration file and are not saved when the switch is rebooted To save all your configuration changes in nonvolatile storage you must copy the running configuration file to the start up configuration file using the copy command New startup configuration files must have a name specified File names on the switch are case sensitive can be fro...

Page 61: ...d 1 From the Privileged Exec mode prompt type copy running config startup config and press Enter 2 Enter the name of the start up file Press Enter Console copy running config startup config 23 11 Startup configuration file name startup Write to FLASH Programming Write to FLASH finish Success Console ...

Page 62: ...Initial Configuration 2 18 2 ...

Page 63: ...agement Tasks 4 1 Simple Network Management Protocol 5 1 User Authentication 6 1 Access Control Lists 7 1 Port Configuration 8 1 Address Table Settings 9 1 Spanning Tree Algorithm 10 1 VLAN Configuration 11 1 Link Layer Discovery Protocol 12 1 Class of Service 13 1 Quality of Service 14 1 Multicast Filtering 15 1 Domain Name Service 16 1 Dynamic Host Configuration Protocol 17 1 Configuring Router ...

Page 64: ...Switch Management ...

Page 65: ...ress on page 2 7 2 Set user names and passwords using an out of band serial connection Access to the web agent is controlled by the same user names and passwords as the onboard configuration program See Setting Passwords on page 2 7 3 After you enter a user name and password you will have access to the system configuration program Notes 1 You are allowed three attempts to enter the correct passwor...

Page 66: ...e Page When your web browser connects with the switch s web agent the home page is displayed as shown below The home page displays the Main Menu on the left side of the screen and System Information on the right side The Main Menu links are used to navigate to other menus and display configuration parameters and statistics Figure 3 1 Home Page Note The examples in this chapter are based on the SMC...

Page 67: ...orer 7 x This option is available under Tools Internet Options General Browsing History Settings Temporary Internet Files 2 You may have to manually refresh the screen after making configuration changes by pressing the browser s refresh button Panel Display The web agent displays an image of the switch s ports The Mode can be set to display different information for the ports including Active i e ...

Page 68: ...iguration Configures IPv6 interface address and protocol settings 4 9 IPv6 General Prefix Configures IPv6 general prefix for network portion of addresses 4 15 IPv6 ND Neighbor Configures IPv6 neighbor discover protocol and static neighbors 4 17 Jumbo Frames Enables support for jumbo frames 4 21 File Management 4 21 Copy Operation Allows the transfer and copying files 4 22 Delete Allows deletion of...

Page 69: ...s passwords and access levels 6 1 Authentication Settings Configures authentication sequence RADIUS and TACACS 6 2 HTTPS Settings Configures secure HTTP settings 6 5 SSH Secure Shell 6 8 Settings Configures Secure Shell server settings 6 14 Host Key Settings Generates the host key pair public and private 6 10 User Public Key Settings Imports and manages user RSA and DSA public keys 6 12 Port Secur...

Page 70: ... 17 Trunk Broadcast Control Sets the broadcast storm threshold for each trunk 8 17 Mirror Port Configuration Sets the source and target ports for mirroring 8 19 Rate Limit 8 20 Input Port Configuration Sets the input rate limit for each port 8 20 Input Trunk Configuration Sets the input rate limit for each trunk 8 20 Output Port Configuration Sets the output rate limit for each port 8 20 OutputTru...

Page 71: ...Shows the current port members of each VLAN and whether or not the port is tagged or untagged 11 5 Static List Used to create or remove VLAN groups 11 6 Static Table Modifies the settings for an existing VLAN 11 8 Static Membership by Port Configures membership type for interfaces including tagged untagged or forbidden 11 9 Port Configuration Specifies default PVID and VLAN attributes 11 10 Trunk ...

Page 72: ... each trunk 13 1 Traffic Classes Maps IEEE 802 1p priority tags to output queues 13 3 Traffic Classes Status Enables disables traffic class priorities not implemented NA Queue Mode Sets queue mode to strict priority or Weighted Round Robin 13 5 Queue Scheduling Configures Weighted Round Robin queueing 13 6 IP Precedence DSCP Priority Status Globally selects IP Precedence or DSCP Priority or disabl...

Page 73: ... entries for domain name to address mapping 16 3 Cache Displays cache entries discovered by designated name servers 16 5 DHCP Dynamic Host Configuration Protocol 17 1 Relay Configuration Specifies DHCP relay servers enables or disables relay service 17 1 Server Configures DHCP server parameters 17 2 General Enables DHCP server configures excluded address range 17 3 Pool Configuration Configures ad...

Page 74: ... and errors 19 19 TCP Shows statistics for TCP including the amount of traffic and TCP connection activity 19 20 Routing 19 21 Static Routes Configures and display static routing entries 19 21 Routing Table Shows all routing entries including local static and dynamic routes 19 22 Routing Protocol 20 1 RIP Routing Information Protocol 20 2 General Settings Enables or disables RIP sets the global RI...

Page 75: ...nfiguration Defines OSPF areas and associated interfaces 20 31 Summary Address Configuration Aggregates routes learned from other protocols for advertising into other autonomous systems 20 33 Redistribute Configuration Redistributes routes from one routing domain to another 20 35 NSSA Settings Configures settings for importing routes into or exporting routes out of not so stubby areas 20 36 Link S...

Page 76: ...Configuring the Switch 3 12 3 ...

Page 77: ... agent has been up These additional parameters are displayed for the CLI System Description Brief description of device type MAC Address The physical layer address for this switch Web Server Shows if management access via HTTP is enabled Web Server Port Shows the TCP port number used by the web interface Web Secure Server Shows if management access via HTTPS is enabled Web Secure Server Port Shows...

Page 78: ...e config exit Console show system 23 7 System Description SMC TigerStack II 10 100 1000 SMC8926EM SMC8950EM System OID String 1 3 6 1 4 1 202 20 76 System Information System Up Time 0 days 1 hours 28 minutes and 0 51 seconds System Name R D 5 System Location WC 9 System Contact Ted MAC Address Unit1 00 00 E3 11 10 10 Web Server Enabled Web Server Port 80 Web Secure Server Enabled Web Secure Server...

Page 79: ...e main board Internal Power Status Displays the status of the internal power supply Management Software EPLD Version Version number of EEPROM Programmable Logic Device Loader Version Version number of loader code Boot ROM Version Version of Power On Self Test POST and boot code Operation Code Version Version number of runtime code Role Shows that this switch is operating as Master or Slave These a...

Page 80: ...tic Addresses on page 9 1 VLAN Learning This switch uses Independent VLAN Learning IVL where each port maintains its own filtering database Configurable PVID Tagging This switch allows you to override the default Port VLAN ID PVID used in frame tags and egress status VLAN Tagged or Untagged on each port Refer to VLAN Configuration on page 11 1 Local VLAN Capable This switch does not support multip...

Page 81: ...d via DHCP by default To manually configure an address you need to change the stack s default settings to values that are compatible with your network You may also need to a establish a default gateway between the stack and management stations that exist on another network segment if routing is not enabled on this stack You can manually configure a specific IP address or direct the device to obtai...

Page 82: ...e stack are members of VLAN 1 However the management station can be attached to a port belonging to any VLAN as long as that VLAN has been assigned an IP address IP Address Mode Specifies whether IP functionality is enabled via manual configuration Static Dynamic Host Configuration Protocol DHCP or Boot Protocol BOOTP If DHCP BOOTP is enabled IP will not function until a reply has been received fr...

Page 83: ... Apply Figure 4 4 IPv4 Interface Configuration Manual Click IP Global Setting If this stack and management stations exist on other network segments then specify the default gateway and click Apply Figure 4 5 Default Gateway CLI Specify the management interface IP address and default gateway Console config Console config interface vlan 1 27 1 Console config if ip address 10 1 0 253 255 255 255 0 41...

Page 84: ...wer reset Figure 4 6 IPv4 Interface Configuration DHCP Note If you lose your management connection make a console connection to the Master unit and enter show ip interface to determine the new stack address CLI Specify the management interface and set the IP address mode to DHCP or BOOTP and then enter the ip dhcp restart client command Console config Console config interface vlan 1 27 1 Console c...

Page 85: ...bnet Management traffic using this kind of address cannot be passed by any router outside of the subnet A link local address is easy to set up and may be useful for simple networks or basic troubleshooting tasks However to connect to a larger network with multiple segments the switch must be configured with a global unicast address Both link local and global unicast address types can either be man...

Page 86: ...s described under Configuring an IPv6 General Network Prefix on page 4 15 When using this method remember that the prefix length specified on the IPv6 Configuration page must include both the length of the general prefix and any contiguous bits from the left of the specified address that are added to the general prefix to form the extended network portion of the address You can configure multiple ...

Page 87: ...o Configuration Enables stateless autoconfiguration of IPv6 addresses on an interface and enables IPv6 functionality on the interface The network portion of the address is based on prefixes received in IPv6 router advertisement messages and the host portion is automatically generated using the modified EUI 64 form of the interface identifier i e the switch s MAC address If the router advertisement...

Page 88: ...both that specified by the general prefix and any number of subsequent prefix bits that exceed the length of the general prefix Therefore depending on the specified prefix length some of the address bits entered in the IPv6 Address field may be appended to the general prefix However if the prefix length is shorter than the general prefix then the length of the general prefix takes precedence and s...

Page 89: ...quired to join the all nodes multicast addresses FF01 1 and FF02 1 for all IPv6 nodes within scope 1 interface local and scope 2 link local respectively FF01 1 16 is the transient node local multicast address for all attached IPv6 nodes and FF02 1 16 is the link local multicast address for all attached IPv6 nodes The node local multicast address is only used for loopback transmission of multicast ...

Page 90: ...tem IPv6 Configuration IPv6 Configuration Set the IPv6 default gateway specify the VLAN to configure enable IPv6 and set the MTU Then enter a global unicast or link local address and click Add IPv6 Address Figure 4 7 IPv6 Interface Configuration ...

Page 91: ...ment assigned to the general prefix The prefix must be formatted according to RFC 2373 IPv6 Addressing Architecture using 8 colon separated 16 bit hexadecimal values One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields Console config Console config ipv6 default gateway 2009 DB9 2229 240 41 17 Console config ipv6 general prefi...

Page 92: ...Prefix Click Add to open the editing fields for a prefix entry Enter a name for the general prefix the value for the general prefix and the prefix length Then click Add to enable the entry Figure 4 8 IPv6 General Prefix Configuration CLI This example creates a general network prefix of 2009 DB9 2229 48 Console config ipv6 general prefix rd 2009 DB9 2229 48 41 8 Console config end Console show ipv6...

Page 93: ... detection is automatically restarted when the interface is administratively re activated An interface that is re activated restarts duplicate address detection for all unicast IPv6 addresses on the interface While duplicate address detection is performed on the interface s link local address the other IPv6 addresses remain in a tentative state If no duplicate link local address is found duplicate...

Page 94: ... received that the forward path was functioning A packet was sent within the last DELAY_FIRST_PROBE_TIME interval If no reachability confirmation is received within this interval after entering the DELAY state the switch will send a neighbor solicitation message and change the state to PROBE PROBE A reachability confirmation is actively sought by resending neighbor solicitation messages every Retr...

Page 95: ...col settings select a VLAN interface set the number of attempts allowed for duplicate address detection set the interval for neighbor solicitation messages and click Apply To configure static neighbor entries click Add fill in the IPv6 address VLAN interface and hardware address Then click Add Figure 4 9 IPv6 Neighbor Detection and Neighbor Cache ...

Page 96: ...ss FE80 1034 11FF FE11 4321 64 Global unicast address es 2009 DB9 2229 79 subnet is 2009 DB9 2229 0 64 Joined group address es FF01 1 16 FF02 1 16 FF02 1 FF00 79 104 FF02 1 FF11 4321 104 MTU is 1280 bytes ND DAD is enabled number of DAD attempts 5 ND retransmit interval is 30000 milliseconds Console configure Console config ipv6 neighbor 2009 0DB9 49A vlan 1 30 65 14 01 11 87 41 26 Console config ...

Page 97: ...Frames Enable or disable support for jumbo frames and click Apply Figure 4 10 Configuring Support for Jumbo Frames CLI This example enables jumbo frames globally for the switch Managing Firmware You can upload download firmware to or from a TFTP server or copy files to and from switch units in a stack By saving runtime code to a file on a TFTP server that file can later be downloaded to the switch...

Page 98: ...ted startup version of this file cannot be deleted Downloading System Software from a Server When downloading runtime code you can specify the destination file name to replace the current image or first download the file using a different name from the current runtime code file and then set the new file as the startup file Web Click System File Management Copy Operation Select tftp to file as the ...

Page 99: ...select System File Management Delete Select the file name from the given list by checking the tick box and click Apply Note that the file currently designated as the startup code cannot be deleted Figure 4 13 Deleting Files CLI To download new firmware form a TFTP server enter the IP address of the TFTP server select config as the file type then enter the source and destination file names When the...

Page 100: ...fig Copies the startup config to the running config startup config to tftp Copies the startup configuration to a TFTP server tftp to file Copies a file from a TFTP server to the switch tftp to running config Copies a file from a TFTP server to the running config tftp to startup config Copies a file from a TFTP server to the startup config file to unit Copies a file from this switch to another unit...

Page 101: ...he switch Web Click System File Management Copy Operation Choose tftp to startup config or tftp to file and enter the IP address of the TFTP server Specify the name of the file to download select a file on the switch to overwrite or specify a new file name and then click Apply Figure 4 14 Downloading Configuration Settings for Start Up If you download to a new file name using tftp to startup confi...

Page 102: ...er input is not detected within the timeout interval the current session is terminated Range 0 65535 seconds Default 0 seconds Password Threshold Sets the password intrusion threshold which limits the number of failed logon attempts When the logon attempt threshold is reached the system interface becomes silent for a specified amount of time set by the Silent Time parameter before allowing the nex...

Page 103: ...f the stop bits transmitted per byte Range 1 2 Default 1 stop bit Password1 Specifies a password for the line connection When a connection is started on a line with password protection the system prompts for the password If you enter the correct password the system shows a prompt Default No password Login1 Enables password checking at login You can select authentication by a single global password...

Page 104: ... interval that the system waits until user input is detected If user input is not detected within the timeout interval the current session is terminated Range 0 65535 seconds Default 600 seconds Password Threshold Sets the password intrusion threshold which limits the number of failed logon attempts When the logon attempt threshold is reached the system interface becomes silent for a specified amo...

Page 105: ...n parameters for Telnet access then click Apply Figure 4 17 Configuring the Telnet Interface CLI Enter Line Configuration mode for a virtual terminal then specify the connection parameters as required To display the current virtual terminal settings use the show line command from the Normal Exec level 2 CLI only Console config line vty 23 17 Console config line login local 23 18 Console config lin...

Page 106: ... Enables disables the logging of debug or error messages to the logging process Default Enabled Flash Level Limits log messages saved to the switch s permanent flash memory for all levels up to the specified level For example if level 3 is specified all messages from level 0 to level 3 will be logged to flash Range 0 7 Default 3 RAM Level Limits log messages saved to the switch s temporary RAM mem...

Page 107: ...es of 16 to 23 The facility type is used by the syslog server to dispatch log messages to an appropriate service The attribute specifies the facility type tag sent in syslog messages See RFC 3164 This type has no effect on the kind of messages reported by the switch However it may be used by the syslog server to process messages such as sorting or storing messages in the corresponding database Ran...

Page 108: ...y type and set the logging trap Console config logging host 10 1 0 9 23 28 Console config logging facility 23 23 28 Console config logging trap 4 23 29 Console config logging trap Console config exit Console show logging trap 23 30 Syslog logging Enabled REMOTELOG status Disabled REMOTELOG facility type local use 7 REMOTELOG level type Warning conditions REMOTELOG server ip address 10 1 0 9 REMOTE...

Page 109: ...pecified SMTP servers on the network and can be retrieved using POP or IMAP clients Command Attributes Admin Status Enables disables the SMTP function Default Enabled Email Source Address Sets the email address used for the From field in alert messages You may use a symbolic email address that identifies the switch or the address of an administrator responsible for the switch Severity Sets the sys...

Page 110: ...t Specifies the email recipients of alert messages You can specify up to five recipients Use the New Email Destination Address text field and the Add Remove buttons to configure the list Web Click System Log SMTP Enable SMTP specify a source email address and select the minimum severity level To add an IP address to the SMTP Server List type the new IP address in the SMTP Server field and click Ad...

Page 111: ... each switch in the stack based on the unit identification number You should therefore remember to save the current configuration after renumbering the stack For a line topology the stack is numbered from top to bottom with the first unit in the stack designated at unit 1 For a ring topology the Master unit taken as the top of the stack and is numbered as unit 1 and all other units are numbered se...

Page 112: ...nal clock based on periodic updates from a time server SNTP or NTP Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries You can also manually set the clock using the Current Time page as described in the next section If the clock is not set the switch will only record the time from the factory default set at the last bootup When t...

Page 113: ...to 16 15 58 February 1st 2008 Configuring SNTP You can configure the switch to send time synchronization requests to time servers Command Attributes SNTP Client Configures the switch to operate as an SNTP client This requires at least one time server to be specified in the SNTP Server field Default Disabled SNTP Poll Interval Sets the interval between sending requests for a time update from a time...

Page 114: ...perate as an SNTP client and then displays the current time and settings Console config sntp client 23 36 Console config sntp poll 16 23 37 Console config sntp server 10 1 0 19 137 82 140 80 128 250 36 2 23 37 Console config sntp update time 23 38 Console config exit Console show sntp 23 38 Current time Jan 6 14 56 05 2004 Poll interval 60 Current mode unicast SNTP status Enabled SNTP server 10 1 ...

Page 115: ...time zone to be before east or after west UTC Name Assigns a name to the time zone Range 1 29 characters Hours 0 13 The number of hours before after UTC Minutes 0 59 The number of minutes before after UTC Web Select SNTP Clock Time Zone Select one of the predefined time zones or manually set the offset for your time zone relative to the UTC and click Apply Figure 4 26 Clock Time Zone CLI This exam...

Page 116: ...major regions of the world To specify the time corresponding to your local time when summer time is in effect select the predefined summer time time zone appropriate for your location Date Mode Sets the start end and offset times of summer time for the switch on a one time basis This mode sets the summer time time zone relative to the currently configured time zone To specify a time corresponding ...

Page 117: ...inutes your summer time time zone deviates from your regular time zone Offset Summer time offset from the regular time zone in minutes Range 0 99 minutes From Start time for summer time offset To End time for summer time offset Web Select SNTP Summer Time Select one of the configuration modes configure the relevant attributes enable summer time status and click Apply Figure 4 27 Summer Time CLI Th...

Page 118: ...Basic Management Tasks 4 42 4 ...

Page 119: ...nuously monitors the status of the switch hardware as well as the traffic passing through its ports A network management station can access this information using software such as SMC s EliteView Access to the onboard agent from clients using SNMP v1 and v2c is controlled by community strings To communicate with the switch the management station must first submit a valid community string for authe...

Page 120: ...ltview none none Community string only v1 noAuthNoPriv private read write defaultview defaultview none Community string only v1 noAuthNoPriv user defined user defined user defined user defined Community string only v2c noAuthNoPriv public read only defaultview none none Community string only v2c noAuthNoPriv private read write defaultview defaultview none Community string only v2c noAuthNoPriv use...

Page 121: ...hat acts like a password and permits access to the SNMP protocol Default strings public read only access private read write access Range 1 32 characters case sensitive Access Mode Specifies the access rights for the community string Read Only Authorized management stations are only able to retrieve MIB objects Read Write Authorized management stations are able to both retrieve and modify MIB objec...

Page 122: ...nt of receipt Informs can be used to ensure that critical information is received by the host However note that informs consume more system resources because they must be kept in memory until a response is received Informs also add to network traffic You should consider these effects when deciding whether to issue notifications as traps or informs To send an inform to a SNMPv2c host complete these...

Page 123: ...y available for the SNMPv3 security model Trap Inform Notifications are sent as inform messages Note that this option is only available for version 2c and 3 hosts Default traps are used Timeout The number of seconds to wait for an acknowledgment before resending an inform message Range 0 2147483647 centiseconds Default 1500 centiseconds Retry times The maximum number of times to resend an inform m...

Page 124: ...v3 clients trap inform settings for v2c v3 clients and then click Add Select the trap types required using the check boxes for Authentication and Link up down traps and then click Apply Figure 5 3 Configuring SNMP Trap Managers CLI This example adds a trap manager and enables authentication traps Console config snmp server host 10 1 19 23 private version 2c udp port 162 24 5 Console config snmp se...

Page 125: ...passwords to generate the security keys for authenticating and encrypting SNMPv3 packets A local engine ID is automatically generated that is unique to the switch This is referred to as the default engine ID If the local engineID is deleted or changed all SNMP users will be cleared You will need to reconfigure all existing users A new engine ID can be specified by entering 9 to 64 hexadecimal char...

Page 126: ...s to it See Specifying Trap Managers and Trap Types on page 5 4 and Configuring Remote SNMPv3 Users on page 5 11 A new engine ID can be specified by entering 9 to 64 hexadecimal characters If an odd number of characters are specified a trailing zero is added to the value to fill in the missing octet For example the value 123456789 is equivalent to 1234567890 Web Click SNMP SNMPv3 Remote Engine ID ...

Page 127: ...ser noAuthNoPriv There is no authentication or encryption used in SNMP communications This is the default for SNMPv3 AuthNoPriv SNMP communications use authentication but the data is not encrypted only available for the SNMPv3 security model AuthPriv SNMP communications use both authentication and encryption only available for the SNMPv3 security model Authentication Protocol The method used for u...

Page 128: ...ned group of a user click Change Group in the Actions column of the users table and select the new group Figure 5 6 Configuring SNMPv3 Users CLI Use the snmp server user command to configure a new user name and assign it to a group Console config snmp server user chris group r d v3 auth md5 greenpeace priv des56 einstien 24 14 Console config exit Console show snmp user 24 15 EngineId 8000003403000...

Page 129: ...r for the SNMP agent on the remote device where the remote user resides Note that the remote engine identifier must be specified before you configure a remote user See Specifying a Remote Engine ID on page 5 8 Remote IP The Internet address of the remote device where the user resides Security Model The user security model SNMP v1 v2c or v3 Default v1 Security Level The security level used for the ...

Page 130: ...then click Delete Figure 5 7 Configuring Remote SNMPv3 Users CLI Use the snmp server user command to configure a new user name and assign it to a group Console config snmp server user mark group r d remote 192 168 1 19 v3 auth md5 greenpeace priv des56 einstien 24 14 Console config exit Console show snmp user 24 15 No user exist SNMP remote user EngineId 80000000030004e2b316c54321 User Name mark A...

Page 131: ... model SNMP v1 v2c or v3 Level The security level used for the group noAuthNoPriv There is no authentication or encryption used in SNMP communications AuthNoPriv SNMP communications use authentication but the data is not encrypted only available for the SNMPv3 security model AuthPriv SNMP communications use both authentication and encryption only available for the SNMPv3 security model Read View T...

Page 132: ...e SNMP entity acting in an agent role has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state but not from the notPresent state This other state is indicated by the included value of ifOperStatus linkUp 1 3 6 1 6 3 1 1 5 4 A linkUp trap signifies that the SNMP entity acting in an agent role has detected that the ifOperStat...

Page 133: ... two objects the first object indicates the master version whereas the second represents the slave version swModuleVer MismatchNotificaiton 1 3 6 1 4 1 202 20 76 2 1 0 57 This trap is sent when the slide in module version is mismatched with the main board version swThermalRising Notification 1 3 6 1 4 1 202 20 76 2 1 0 58 This trap is sent when the temperature exceeds the switchThermalActionRising...

Page 134: ...en click Delete Figure 5 8 Configuring SNMPv3 Groups CLI Use the snmp server group command to configure a new group specifying the security model and level and restricting MIB access to defined read and write views Console config snmp server group secure users v3 priv read defaultview write defaultview notify defaultview 24 11 Console config exit Console show snmp group 24 12 Group Name secure use...

Page 135: ...hin the MIB tree Wild cards can be used to mask a specific portion of the OID string Type Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view Web Click SNMP SNMPv3 Views Click New to configure a new view In the New View page define a name and specify OID subtrees in the switch MIB to be included or excluded in the view Click Back to save th...

Page 136: ...rver view ifEntry a 1 3 6 1 2 1 2 2 1 1 included 24 10 Console config exit Console show snmp view 24 11 View Name ifEntry a Subtree OID 1 3 6 1 2 1 2 2 1 1 View Type included Storage Type nonvolatile Row Status active View Name readaccess Subtree OID 1 3 6 1 2 View Type included Storage Type nonvolatile Row Status active View Name defaultview Subtree OID 1 View Type included Storage Type nonvolati...

Page 137: ... has read access for most configuration parameters However the administrator has write access for all parameters governing the onboard agent You should therefore assign a new administrator password as soon as possible and store it in a safe place The default guest name is guest with the password guest The default administrator name is admin with the password admin Command Attributes Account List D...

Page 138: ...lly configure access rights on the switch or you can use a remote access authentication server based on RADIUS or TACACS protocols Remote Authentication Dial in User Service RADIUS and Terminal Access Controller Access Control System Plus TACACS are logon authentication protocols that use software running on a central server to control access to RADIUS aware or TACACS aware devices on Console conf...

Page 139: ...DIUS server is verified first If the RADIUS server is not available then authentication is attempted using the TACACS server and finally the local user name and password is checked Command Attributes Authentication Select the authentication or authentication sequence required Local User authentication is performed only locally by the switch Radius User authentication is performed using a RADIUS se...

Page 140: ... username on page 25 2 Web Click Security Authentication Settings To configure local or remote authentication preferences specify the authentication sequence i e one to three methods fill in the parameters for RADIUS or TACACS authentication if selected and click Apply Figure 6 2 Authentication Server Settings CLI Specify all the required parameters to enable logon authentication Console config au...

Page 141: ...ion The client and server generate session keys for encrypting and decrypting data The client and server establish a secure encrypted connection A padlock icon should appear in the status bar for Internet Explorer 5 x or above and Netscape 6 2 or above Console show radius server 25 8 Remote RADIUS server configuration Global settings Communication key with RADIUS server Server port number 181 Retr...

Page 142: ...ion on this function see Replacing the Default Secure site Certificate on page 6 7 Web Click Security HTTPS Settings Enable HTTPS and specify the port number then click Apply Figure 6 3 HTTPS Settings CLI This example enables the HTTP secure server and modifies the port number Table 6 1 HTTPS System Support Web Browser Operating System Internet Explorer 5 0 or later Windows 98 Windows NT with serv...

Page 143: ...ure Sockets Layer certificate at the earliest opportunity This is because the default certificate for the switch is not unique to the hardware you have purchased When you have obtained these place them on your TFTP server and transfer them to the switch to replace the default unrecognized certificate with an authorized one Command Attributes TFTP Server IP Address IP address of TFTP server which c...

Page 144: ... station to access the switch for management via the SSH protocol Note The switch supports both SSH Version 1 5 and 2 0 clients Command Usage The SSH server on this switch supports both password and public key authentication If password authentication is specified by the SSH client then the password can be authenticated either locally or via a RADIUS or TACACS remote authentication server as speci...

Page 145: ...532671316 29432532818915045306393916643 steve 192 168 1 19 4 Set the Optional Parameters On the SSH Settings page configure the optional parameters including the authentication timeout the number of retries and the server key size 5 Enable SSH Service On the SSH Settings page enable the SSH server on the switch 6 Authentication One of the following authentication methods is employed Password Authe...

Page 146: ...uthenticated Note The SSH server supports up to four client sessions The maximum number of client sessions includes both current Telnet sessions and SSH sessions Generating the Host Key Pair A host public private key pair is used to provide secure communications between an SSH client and the switch After generating this key pair you must provide the host public key to SSH clients and import the cl...

Page 147: ...g the host key pair Generate This button is used to generate the host key pair Note that you must first generate the host key pair before you can enable the SSH server on the SSH Server Settings page Clear This button clears the host key from both volatile memory RAM and non volatile memory Flash Web Click Security SSH Host Key Settings Select the host key type from the drop down box select the op...

Page 148: ...1 encrypted public key DSA The switch accepts a DSA version 2 encrypted public key The SSH server uses RSA or DSA for key exchange when the client first establishes a connection with the switch and then negotiates with the client to select either DES 56 bit or 3DES 168 bit for data encryption The switch uses only RSA Version 1 for SSHv1 5 clients and DSA Version 2 for SSHv2 clients Console ip ssh ...

Page 149: ...d public key file it is not necessary to first delete the original key from the switch The import process will overwrite the existing key Delete Deletes a selected RSA or DSA public key that has already been imported to the switch Web Click Security SSH SSH User Public Key Settings Select the user name and the public key type from the respective drop down boxes input the TFTP server IP address and...

Page 150: ...TFTP server IP address 192 168 1 254 Choose public key type 1 RSA 2 DSA 1 2 2 Source file name admin ssh2 dsa pub key Username admin TFTP Download Success Write to FLASH Programming Success Console show public key user admin 25 23 admin RSA 1024 37 154886675541099600242673908076171863880953984597454546825066951007 29617437427136900505591624068119579408716226078634780682201498685790475062 345194806...

Page 151: ...er Settings CLI This example enables SSH sets the authentication parameters and displays the current configuration It shows that the administrator has made a connection via SHH and then disables this connection Console config ip ssh server 25 17 Console config ip ssh timeout 100 25 18 Console config ip ssh authentication retries 5 25 19 Console config ip ssh server key size 512 25 19 Console confi...

Page 152: ...of MAC addresses the selected port will stop learning The MAC addresses already in the address table will be retained and will not age out Any other device that attempts to use the port will be prevented from accessing the switch Command Usage A secure port has the following restrictions It cannot be used as a member of a static or dynamic trunk It should not be connected to a network interconnect...

Page 153: ... allowed on a port and click Apply Figure 6 8 Port Security CLI This example selects the target port sets the port security action to send a trap and disable the port specifies a maximum address count and then enables port security for the port Console config interface ethernet 1 5 Console config if port security action trap and shutdown 25 25 Console config if port security max mac count 20 Conso...

Page 154: ...ontains not only the challenge but the authentication method to be used The client can reject the authentication method and request another depending on the configuration of the client software and the RADIUS server The authentication method must be MD5 TLS TTLS and PEAP will be supported in future releases The client responds to the appropriate method with its credentials such as a password or ce...

Page 155: ...02 1X System Authentication Control The global setting for 802 1X Web Click Security 802 1X Information Figure 6 9 802 1X Global Information CLI This example shows the default global setting for 802 1X Console show dot1x 25 32 Global 802 1X Parameters system auth control enable 802 1X Port Summary Port Name Status Operation Mode Mode Authorized 1 1 disabled Single Host ForceAuthorized n a 1 2 disa...

Page 156: ...ion Command Attributes Status Indicates if authentication is enabled or disabled on the port Default Disabled Operation Mode Allows single or multiple hosts clients to connect to an 802 1X authorized port Range Single Host Multi Host MAC Based Default Single Host In Single Host mode only one host connected to a port can be authenticated for network access In Multi Host mode only one host connected...

Page 157: ...ress table Configured static MAC addresses are added to the secure address table when seen on a switch port Static addresses are treated as authenticated without sending a request to a RADIUS server When port status changes to down all MAC addresses are cleared from the secure MAC address table Static VLAN assignments are not restored Re authentication Sets the client to be re authenticated after ...

Page 158: ...User Authentication 6 22 6 Web Click Security 802 1X Port Configuration Modify the parameters required and click Apply Figure 6 11 802 1X Port Configuration ...

Page 159: ...auth control enable 802 1X Port Summary Port Name Status Operation Mode Mode Authorized 1 1 disabled Single Host ForceAuthorized yes 1 2 enabled Single Host Auto yes 1 25 disabled Single Host ForceAuthorized n a 1 26 disabled Single Host ForceAuthorized n a 802 1X Port Details 802 1X is disabled on port 1 1 802 1X is enabled on port 1 2 reauth enabled Disable reauth period 3600 quiet period 60 tx ...

Page 160: ... of EAP Resp Id frames that have been received by this Authenticator Rx EAP Resp Oth The number of valid EAP Response frames other than Resp Id frames that have been received by this Authenticator Rx EAP LenError The number of EAPOL frames that have been received by this Authenticator in which the Packet Body Length field is invalid Rx Last EAPOLVer The protocol version number carried in the most ...

Page 161: ...ure 6 12 802 1X Port Statistics CLI This example displays the dot1x statistics for port 4 Console show dot1x statistics interface ethernet 1 4 25 32 Eth 1 4 Rx EAPOL EAPOL EAPOL EAPOL EAP EAP EAP Start Logoff Invalid Total Resp Id Resp Oth LenError 2 0 0 1007 672 0 0 Last Last EAPOLVer EAPOLSrc 1 00 00 E8 98 73 21 Tx EAPOL EAP EAP Total Req Id Req Oth 2017 1005 0 Console ...

Page 162: ...to five different sets of addresses either individual addresses or address ranges When entering addresses for the same group i e SNMP web or Telnet the switch will not accept overlapping address ranges When entering addresses for different groups the switch will accept overlapping address ranges You cannot delete an individual address from a specified range You must delete the entire range and ree...

Page 163: ...restricts management access for Telnet clients Console config management telnet client 192 168 1 19 25 35 Console config management telnet client 192 168 1 25 192 168 1 30 Console config exit Console show management all client 25 36 Management IP Filter HTTP Client Start IP address End IP address SNMP Client Start IP address End IP address TELNET Client Start IP address End IP address 1 192 168 1 ...

Page 164: ...User Authentication 6 28 6 ...

Page 165: ...bound to the ports is 96 for each of the following list types MAC ACLs IP ACLs including Standard and Extended ACLs IPv6 Standard ACLs and IPv6 Extended ACLs For the SMC8926EM all ports share this quota For the SMC8950EM ports 1 24 share a quota of 96 rules and ports 25 50 share another quota of 96 rules since there are two switch chips in this system The order in which active ACLs are checked is ...

Page 166: ...d MAC IPv6 Standard IPv6 Extended and click Add to open the configuration page for the new list Figure 7 1 Selecting ACL Type CLI This example creates a standard IP ACL named bill Configuring a Standard IPv4 ACL Command Attributes Action An ACL can contain any combination of permit or deny rules Address Type Specifies the source IP address Use Any to include all possible addresses Host to specify ...

Page 167: ...Any to include all possible addresses Host to specify a specific host address in the Address field or IP to specify a range of addresses with the Address and SubMask fields Options Any Host IP Default Any Source Destination IP Address Source or destination IP address Source Destination Subnet Mask Subnet mask for source or destination address See the description for SubMask on page 2 Service Type ...

Page 168: ...The control bitmask is a decimal number for an equivalent binary bit mask that is applied to the control code Enter a decimal number where the equivalent binary bit 1 means to match a bit and 0 means to ignore a bit The following bits may be specified 1 fin Finish 2 syn Synchronize 4 rst Reset 8 psh Push 16 ack Acknowledgement 32 urg Urgent pointer For example use the code value and mask below to ...

Page 169: ...ncoming packets if the source address is in subnet 10 7 1 x For example if the rule is matched i e the rule 10 7 1 0 255 255 255 0 equals the masked address 10 7 1 2 255 255 255 0 the packet passes through 2 Allow TCP packets from class C addresses 192 168 1 0 to any destination address when set for destination TCP port 80 i e HTTP 3 Permit all TCP packets from class C addresses 192 168 1 0 with t...

Page 170: ... for source or destination MAC address VID VLAN ID Range 1 4093 VID Bit Mask VLAN bitmask Range 1 4093 Ethernet Type This option can only be used to filter Ethernet II formatted packets Range 0000 FFFF hex A detailed listing of Ethernet protocol types can be found in RFC 1060 A few of the more common types include 0800 IP 0806 ARP 8137 IPX Ethernet Type Bit Mask Protocol bitmask Range 0000 FFFF he...

Page 171: ...Ethernet type is 0800 Configuring a Standard IPv6 ACL Command Attributes Action An ACL can contain any combination of permit or deny rules Source Address Type Specifies the source IP address Use Any to include all possible addresses Host to specify a specific host address in the Address field or IPv6 prefix to specify a range of addresses Options Any Host IPv6 prefix Default Any Source IPv6 Addres...

Page 172: ...29 5 64 Configuring an Extended IPv6 ACL Command Attributes Action An ACL can contain any combination of permit or deny rules Destination Address Type Specifies the destination IP address Use Any to include all possible addresses or IPv6 prefix to specify a range of addresses Options Any IPv6 prefix Default Any Destination IP Address The address must be formatted according to RFC 2373 IPv6 Address...

Page 173: ...dling by IPv6 routers such as non default quality of service or real time service see RFC 2460 Range 0 16777215 A flow label is assigned to a flow by the flow s source node New flow labels must be chosen pseudo randomly and uniformly from the range 1 to FFFFF hexadecimal The purpose of the random allocation is to make any set of bits within the Flow Label field suitable for use as a hash key by ro...

Page 174: ...uration Extended IPv6 CLI This example adds three rules 1 Accepts any incoming packets for the destination 2009 DB9 2229 79 48 2 Allows packets to any destination address when the DSCP value is 5 3 Allows any packets sent to the destination 2009 DB9 2229 79 48 when the flow label is 43 Console config ext ipv6 acl permit 2009 DB9 2229 79 48 26 9 Console config ext ipv6 acl permit any dscp 5 Console...

Page 175: ...es the MAC ACL to bind to a port IPv6 Specifies the IPv6 ACL to bind to a port IN ACL for ingress packets ACL Name Name of the ACL Web Click Security ACL Port Binding Mark the Enable field for the port you want to bind to an ACL for ingress traffic select the required ACL from the drop down list then click Apply Figure 7 7 ACL Port Binding CLI This examples assigns an IP and MAC ingress ACL to por...

Page 176: ...Access Control Lists 7 12 7 ...

Page 177: ...atus Shows the current speed and duplex mode Auto or fixed choice Flow Control Status Indicates the type of flow control currently in use IEEE 802 3x Back Pressure or None Autonegotiation Shows if auto negotiation is enabled or disabled Media Type4 Shows the forced preferred port type to use for combination ports 21 24 SMC8926EM or 45 48 SMC8950EM Copper Forced SFP Forced SFP Preferred Auto Trunk ...

Page 178: ...ll duplex operation Sym Transmits and receives pause frames for flow control FC Supports flow control Broadcast storm Shows if broadcast storm control is enabled or disabled Broadcast storm limit Shows the broadcast storm threshold 500 262143 packets per second Flow control Shows if flow control is enabled or disabled LACP Shows if LACP is enabled or disabled Port security Shows if port security i...

Page 179: ...connection over any 1000BASE T port or trunk Flow Control Allows automatic or manual selection of flow control Autonegotiation Port Capabilities Allows auto negotiation to be enabled disabled When auto negotiation is enabled you need to specify the capabilities to be advertised When auto negotiation is disabled you can force the settings for speed duplex mode and flow control The following capabil...

Page 180: ...o a hub unless it is actually required to solve a problem Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub Default Autonegotiation enabled Advertised capabilities for 1000BASE T 10half 10full 100half 100full 1000full 1000BASE SX LX LH 1000full 10GBASE SR LR ER 10Gfull Media Type Shows the forced preferred port type to use for the combinati...

Page 181: ...t 1 13 27 1 Console config if description RD SW 13 27 2 Console config if shutdown 27 7 Console config if no shutdown Console config if no negotiation 27 4 Console config if speed duplex 100half 27 3 Console config if negotiation Console config if capabilities 100half 27 4 Console config if capabilities 100full Console config if capabilities flowcontrol Console config if exit Console config interf...

Page 182: ...he trunk the other ports provide redundancy by taking over the load if a port in the trunk fails However before making any physical connections between devices use the web interface or CLI to specify the trunk on the devices at both ends When using a port trunk take note of the following points Finish configuring port trunks before you connect the corresponding network cables between switches to a...

Page 183: ...ports and also disconnect the ports before removing a static trunk via the configuration interface Command Attributes Member List Current Shows configured trunks Trunk ID Unit Port New Includes entry fields for creating new trunks Trunk Trunk identifier Range 1 32 Unit Stack unit Range 1 8 Port Port identifier Range 1 25 49 Web Click Port Trunk Membership Enter a trunk ID of 1 32 in the Trunk fiel...

Page 184: ... ports on both ends of an LACP trunk must be configured for full duplex either by forced mode or auto negotiation Console config interface port channel 1 27 1 Console config if exit Console config interface ethernet 1 9 27 1 Console config if channel group 1 28 2 Console config if exit Console config interface ethernet 1 10 Console config if channel group 1 Console config if end Console show inter...

Page 185: ...ber List Current Shows configured trunks Unit Port New Includes entry fields for creating new trunks Unit Stack unit Range 1 8 Port Port identifier Range 1 25 49 Web Click Port LACP Configuration Select any of the switch ports from the scroll down port list and click Add After you have completed adding ports to the member list click Apply Figure 8 4 LACP Trunk Configuration ...

Page 186: ...age 28 5 Command Attributes Set Port Actor This menu sets the local side of an aggregate link i e the ports on this switch Port Port number Range 1 25 50 System Priority LACP system priority is used to determine link aggregation group LAG membership and to identify this device to other switches during LAG negotiations Range 0 65535 Default 32768 Console config interface ethernet 1 1 27 1 Console c...

Page 187: ...aggregate link i e the ports on the attached device The command attributes have the same meaning as those used for the port actor However configuring LACP settings for the partner only applies to its administrative state not its operational state and will only take effect the next time an aggregate link is established with the partner Web Click Port LACP Aggregation Port Set the System Priority Ad...

Page 188: ...sole config if lacp actor system priority 3 Console config if lacp actor admin key 120 Console config if lacp actor port priority 512 Console config if end Console show lacp sysid 28 7 Channel Group System Priority System MAC Address 1 32768 00 00 E3 11 10 10 2 32768 00 00 E3 11 10 10 3 32768 00 00 E3 11 10 10 Console show lacp 1 internal 28 7 Port channel 1 Oper Key 120 Admin Key 0 Eth 1 1 LACPDU...

Page 189: ...roup Marker Sent Number of valid Marker PDUs transmitted from this channel group Marker Received Number of valid Marker PDUs received by this channel group Marker Unknown Pkts Number of frames received that either 1 Carry the Slow Protocols Ethernet Type value but contain an unknown PDU or 2 are addressed to the Slow Protocols group MAC Address but do not carry the Slow Protocols Ethernet Type Mar...

Page 190: ...formation administratively configured for the partner Distributing If false distribution of outgoing frames on this link is disabled i e distribution is currently disabled and is not expected to be enabled in the absence of administrative changes or changes in received protocol information Collecting Collection of incoming frames on this link is enabled i e collection is currently enabled and is n...

Page 191: ...e LACP configuration settings and operational state for the local side of port channel 1 Console show lacp 1 internal 28 7 Port channel 1 Oper Key 3 Admin Key 0 Eth 1 2 LACPDUs Internal 30 sec LACP System Priority 32768 LACP Port Priority 32768 Admin Key 3 Oper Key 3 Admin State defaulted aggregation long timeout LACP activity Oper State distributing collecting synchronization aggregation long tim...

Page 192: ...ned by the LACP protocol Partner Admin Port Number Current administrative value of the port number for the protocol Partner Partner Oper Port Number Operational port number assigned to this aggregation port by the port s protocol partner Port Admin Priority Current administrative value of the port priority for the protocol partner Port Oper Priority Priority value assigned to this aggregation port...

Page 193: ...e resolution is 1 packet per second pps i e any setting between 500 262143 is acceptable Command Attributes Port6 Port number Trunk7 Trunk number Type Indicates the port type 1000BASE T SFP or 10G Protect Status Shows whether or not broadcast storm control has been enabled Default Enabled Threshold Threshold as percentage of port bandwidth Options 500 262143 packets per second Default 500 pps Trun...

Page 194: ...7 1 Console config if no switchport broadcast 27 7 Console config if exit Console config interface ethernet 1 2 Console config if switchport broadcast packet rate 600 27 7 Console config if end Console show interfaces switchport ethernet 1 2 27 11 Information of Eth 1 2 Broadcast threshold Enabled 600 packets second LACP status Disabled Ingress rate limit Disable 1000M bits per second Egress rate ...

Page 195: ...rce port when using MSTP see Spanning Tree Algorithm on page 10 1 Command Attributes Mirror Sessions Displays a list of current mirror sessions Source Unit The unit whose port traffic will be monitored Range 1 8 Source Port The port whose traffic will be monitored Range 1 26 50 Type Allows you to select which traffic to mirror to the target port Rx receive Tx transmit or Both Default Rx Target Uni...

Page 196: ... rate limit is transmitted while packets that exceed the acceptable amount of traffic are dropped Rate limiting can be applied to individual ports or trunks When an interface is configured with this feature the traffic rate will be monitored by the hardware to verify conformity Non conforming traffic is dropped conforming traffic is forwarded without any changes Command Attribute Rate Limit Sets t...

Page 197: ...s then set the rate limit for the individual interfaces and click Apply Figure 8 11 Rate Limit Configuration CLI This example sets the rate limit for input and output traffic passing through port 1 to 600 Mbps Console config interface ethernet 1 1 27 1 Console config if rate limit input 600 30 1 Console config if rate limit output 600 Console config if ...

Page 198: ... at this sub layer Received Broadcast Packets The number of packets delivered by this sub layer to a higher sub layer which were addressed to a broadcast address at this sub layer Received Discarded Packets The number of inbound packets which were chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher layer protocol One possible reason for dis...

Page 199: ...particular interface fails due to an internal MAC sublayer transmit error Multiple Collision Frames A count of successfully transmitted frames for which transmission is inhibited by more than one collision Carrier Sense Errors The number of times that the carrier sense condition was lost or never asserted when attempting to transmit a frame SQE Test Errors A count of times that the SQE TEST ERROR ...

Page 200: ...er of frames received that were longer than 1518 octets excluding framing bits but including FCS octets and were otherwise well formed Fragments The total number of frames received that were less than 64 octets in length excluding framing bits but including FCS octets and had either an FCS or alignment error 64 Bytes Frames The total number of frames including bad packets received and transmitted ...

Page 201: ...Port Statistics 8 25 8 Web Click Port Port Statistics Select the required interface and click Query You can also use the Refresh button at the bottom of the page to update the screen Figure 8 12 Port Statistics ...

Page 202: ...rrors 0 FCS errors 0 Single Collision frames 0 Multiple collision frames 0 SQE Test errors 0 Deferred transmissions 0 Late collisions 0 Excessive collisions 0 Internal mac transmit errors 0 Internal mac receive errors 0 Frame too longs 0 Carrier sense errors 0 Symbol errors 0 RMON stats Drop events 0 Octets 4422579 Packets 31552 Broadcast pkts 238 Multi cast pkts 17033 Undersize pkts 0 Oversize pk...

Page 203: ...s can be assigned to a specific interface on this switch Static addresses are bound to the assigned interface and will not be moved When a static address is seen on another interface the address will be ignored and will not be written to the address table Command Attributes Static Address Counts8 The number of manually configured addresses Current Static Address Table Lists all the static addresse...

Page 204: ...nd traffic is found in the database the packets intended for that address are forwarded directly to the associated port Otherwise the traffic is flooded to all ports Command Attributes Interface Indicates a port or trunk MAC Address Physical address associated with this interface VLAN ID of configured VLAN 1 4093 Address Table Sort Key You can sort the information displayed based on MAC address VL...

Page 205: ...ckbox select the method of sorting the displayed addresses and then click Query Figure 9 2 Dynamic Addresses CLI This example also displays the address table entries for port 1 Console show mac address table interface ethernet 1 1 31 3 Interface Mac Address Vlan Type Eth 1 1 00 E0 29 94 34 DE 1 Permanent Eth 1 1 00 23 54 EF 1D AF 2 Learned Console ...

Page 206: ...les disables the aging function Aging Time The time after which a learned entry is discarded Range 10 1000000 seconds Default 300 seconds Web Click Address Table Address Aging Specify the new aging time click Apply Figure 9 3 Address Aging CLI This example sets the aging time to 400 seconds Console config mac address table aging time 300 31 4 Console config ...

Page 207: ...m that LAN to the root device All ports connected to designated bridging devices are assigned as designated ports After determining the lowest cost spanning tree it enables all root ports and designated ports and disables all other ports Network packets are therefore only forwarded between root ports and designated ports eliminating any possible network loops Once a stable network topology has bee...

Page 208: ... commonly configured MSTP bridges An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers including the Region Name Revision Level and Configuration Digest see Configuring Multiple Spanning Trees on page 16 An MST Region may contain multiple MSTP Instances An Internal Spanning Tree IST is used to connect all the MSTP switches within an MST regio...

Page 209: ...which the root device transmits a configuration message Forward Delay The maximum time in seconds the root device will wait before changing states i e discarding to learning to forwarding This delay is required because every device must receive information about topology changes before it starts to forward frames In addition each port needs time to listen for conflicting information that would mak...

Page 210: ...essage a new root port is selected from among the device ports attached to the network References to ports in this section means interfaces which includes both ports and trunks Root Forward Delay The maximum time in seconds this device will wait before changing states i e discarding to learning to forwarding This delay is required because every device must receive information about topology change...

Page 211: ...Root Forward Delay sec 15 Max Hops 20 Remaining Hops 20 Designated Root 32768 0000E3111010 Current Root Port 0 Current Root Cost 0 Number of Topology Changes 2 Last Topology Change Time sec 2869 Transmission Limit 3 Path Cost Method Long Eth 1 1 information Admin Status Enabled Role root State forwarding External Admin Path Cost 0 Internal Admin Path Cost 0 External Oper Path Cost 100000 Internal ...

Page 212: ...n that port Multiple Spanning Tree Protocol To allow multiple spanning trees to operate over the network you must configure a related set of bridges with the same MSTP configuration allowing them to participate in a specific set of spanning tree instances A spanning tree instance can exist only on bridges that have compatible VLAN instance assignments Be careful when switching between spanning tre...

Page 213: ...ports and trunks Default 20 Minimum The higher of 6 or 2 x Hello Time 1 Maximum The lower of 40 or 2 x Forward Delay 1 Forward Delay The maximum time in seconds this device will wait before changing states i e discarding to learning to forwarding This delay is required because every device must receive information about topology changes before it starts to forward frames In addition each port need...

Page 214: ...LAN ID to MST ID mapping table In other words this key is a mapping of all VLANs to the CIST Region Revision10 The revision for this MSTI Range 0 65535 Default 0 Region Name10 The name for this MSTI Maximum length 32 characters Max Hop Count The maximum number of hops allowed in the MST region before a BPDU is discarded Range 1 40 Default 20 10 The MST name and revision number are both required to...

Page 215: ...Configuring Global Settings 10 9 10 Web Click Spanning Tree STA Configuration Modify the required attributes and click Apply Figure 10 2 STA Global Configuration ...

Page 216: ...s no other STA device attached to this segment the port with the smaller ID forwards packets and the other is discarding All ports are discarding when the switch is booted then some of them change state to learning and then to forwarding Forward Transitions The number of times this port has transitioned from the Learning state to the Forwarding state Designated Cost The cost for a packet to travel...

Page 217: ... BPDU is received indicating that another bridge is attached to this port Port Role Roles are assigned according to whether the port is part of the active topology connecting the bridge to the root bridge i e root port connecting a LAN through the bridge to the root bridge i e designated port or is the MSTI regional root i e master port or is an alternate or backup port that may provide connectivi...

Page 218: ...witch has accepted as the root device Fast forwarding This field provides the same information as Admin Edge port and is only included for backward compatibility with earlier products Admin Edge Port You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node Since end nodes cannot cause forwarding loops they can pass directly throu...

Page 219: ...ng Interface Settings on page 10 10 for additional information Discarding Port receives STA configuration messages but does not forward packets Learning Port has transmitted configuration messages for an interval set by the Forward Delay parameter without receiving contradictory information Port address table is cleared and the port begins learning addresses Forwarding Port forwards packets and co...

Page 220: ... on each port and configures the path cost according to the values shown below Path cost 0 is used to indicate auto configuration mode Admin Link Type The link type attached to this interface Point to Point A connection to exactly one other bridge Shared A connection to two or more bridges Auto The switch automatically determines if the interface is attached to a point to point link or to shared m...

Page 221: ... to forced STP compatible mode However you can also use the Protocol Migration button to manually re check the appropriate BPDU format RSTP or STP compatible to send on the selected interfaces Default Disabled Web Click Spanning Tree STA Port Configuration or Trunk Configuration Modify the required attributes then click Apply Figure 10 6 STA Port Configuration CLI This example sets STA attributes ...

Page 222: ...Tree To use multiple spanning trees 1 Set the spanning tree type to MSTP STA Configuration page 10 6 2 Enter the spanning tree priority for the selected MST instance MSTP VLAN Configuration 3 Add the VLANs that will share this MSTI MSTP VLAN Configuration Note All VLANs are automatically added to the IST Instance 0 To ensure that the MSTI maintains connectivity across the network you must configur...

Page 223: ...e 1 followed by settings for each port Console show spanning tree mst 1 33 18 Spanning tree information Spanning Tree Mode MSTP Spanning Tree Enabled Disabled Enabled Instance 1 VLANs Configuration 1 Priority 32768 Bridge Hello Time sec 2 Bridge Max Age sec 20 Bridge Forward Delay sec 15 Root Hello Time sec 2 Root Max Age sec 20 Root Forward Delay sec 15 Max Hops 20 Remaining Hops 20 Designated Ro...

Page 224: ... Oper Path Cost 10000 Priority 128 Designated Cost 0 Designated Port 128 23 Designated Root 32768 0000E3111010 Designated Bridge 32768 0000E3111010 Fast Forwarding Disabled Forward Transitions 2 Admin Edge Port Disabled Oper Edge Port Disabled Admin Link Type auto Oper Link Type Point to point Spanning Tree Status Enabled Console config spanning tree mst configuration 33 7 Console config mst mst 1...

Page 225: ...on CLI This displays STA settings for instance 0 followed by settings for each port The settings for instance 0 are global settings that apply to the IST page 10 3 the settings for other instances only apply to the local spanning tree Console show spanning tree mst 0 33 18 Spanning tree information Spanning Tree Mode RSTP Spanning Tree Enabled Disabled Enabled Instance 0 VLANs Configuration 1 4093...

Page 226: ...tes if a port is a member of a trunk STA Port Configuration only The following interface attributes can be configured MST Instance ID Instance identifier to configure Range 0 4094 Default 0 Priority Defines the priority used for this port in the Spanning Tree Protocol If the path cost for all ports on a switch are the same the port with the highest priority i e lowest value will be configured as a...

Page 227: ... detects the speed and duplex mode used on each port and configures the path cost according to the values shown below Path cost 0 is used to indicate auto configuration mode Web Click Spanning Tree MSTP Port Configuration or Trunk Configuration Enter the priority and path cost for an interface and click Apply Figure 10 11 MSTP Port Configuration Table 10 9 Recommended STA Path Cost Range Port Type...

Page 228: ... 22 10 CLI This example sets the MSTP attributes for port 4 Console config interface ethernet 1 4 27 1 Console config if spanning tree mst port priority 0 33 17 Console config if spanning tree mst cost 50 33 16 Console config if ...

Page 229: ...herently provide a high level of network security since traffic must pass through a configured Layer 3 link to reach a different VLAN This switch supports the following VLAN features Up to 4093 VLANs based on the IEEE 802 1Q standard Distributed VLAN learning across multiple switches using explicit or implicit tagging and GVRP protocol Port overlapping allowing a port to participate in multiple VL...

Page 230: ...me VLAN Untagged VLANs can be used to manually isolate user groups or subnets However you should use IEEE 802 3 tagged VLANs with GVRP whenever possible to fully automate VLAN registration Automatic VLAN Registration GVRP GARP VLAN Registration Protocol defines a system whereby the switch can automatically learn the VLANs to which each end station should be assigned If an end station or its networ...

Page 231: ...he same untagged VLAN However to participate in a VLAN group that crosses several switches you should create a VLAN for that group and enable tagging on all ports Ports can be assigned to multiple tagged or untagged VLANs Each port on the switch is therefore capable of passing tagged or untagged frames When forwarding a frame from this switch along a path that contains any VLAN aware devices the s...

Page 232: ...AN 802 1Q VLAN GVRP Status Enable or disable GVRP click Apply Figure 11 1 Globally Enabling GVRP CLI This example enables GVRP for the switch Displaying Basic VLAN Information The VLAN Basic Information page displays basic information on the VLAN type supported by the switch Field Attributes VLAN Version Number12 The VLAN version used by this switch as specified in the IEEE 802 1Q standard Maximum...

Page 233: ...e this VLAN was created i e System Up Time Status Shows how this VLAN was added to the switch Dynamic GVRP Automatically learned via GVRP Permanent Added as a static entry Egress Ports Shows all the VLAN port members Untagged Ports Shows the untagged VLAN port members Web Click VLAN 802 1Q VLAN Current Table Select any ID from the scroll down list Figure 11 3 VLAN Current Table Console show bridge...

Page 234: ...oups can be defined VLAN 1 is the default untagged VLAN New Allows you to specify the name and numeric identifier for a new VLAN group The VLAN name is only used for management on this system it is not added to the VLAN tag VLAN ID ID of configured VLAN 1 4093 VLAN Name Name of the VLAN 1 to 32 characters Status Web Enables or disables the specified VLAN Enable VLAN is operational Disable VLAN is ...

Page 235: ...VLAN Console config vlan database 34 5 Console config vlan vlan 2 name R D media ethernet state active 34 6 Console config vlan end Console show vlan 34 13 VLAN ID 1 Type Static Name DefaultVlan Status Active Ports Port Channels Eth1 1 S Eth1 2 S Eth1 3 S Eth1 4 S Eth1 5 S Eth1 6 S Eth1 7 S Eth1 8 S Eth1 11 S Eth1 12 S Eth1 13 S Eth1 14 S Eth1 15 S Eth1 16 S Eth1 17 S Eth1 18 S Eth1 19 S Eth1 20 S...

Page 236: ...o 32 characters Status Enables or disables the specified VLAN Enable VLAN is operational Disable VLAN is suspended i e does not pass packets Port Port identifier Trunk Trunk identifier Membership Type Select VLAN membership for each interface by marking the appropriate radio button for a port or trunk Tagged Interface is a member of the VLAN All packets transmitted by the port will be tagged that ...

Page 237: ...s Interface Port or trunk identifier Member VLANs for which the selected interface is a tagged member Non Member VLANs for which the selected interface is not a tagged member Web Open VLAN 802 1Q VLAN Static Membership by Port Select an interface from the scroll down box Port or Trunk Click Query to display membership information for the interface Select a VLAN ID and then click Add to add the Con...

Page 238: ... client attributes for client services within a bridged LAN The default values for the GARP timers are independent of the media access method or data rate These values should not be changed unless you are experiencing difficulties with GVRP registration deregistration Command Attributes PVID VLAN ID assigned to untagged frames received on the interface Default 1 If an interface is not a member of ...

Page 239: ...itting requests queries to participate in a VLAN group Range 20 1000 centiseconds Default 20 GARP Leave Timer13 The interval a port waits before leaving a VLAN group This time should be set to more than twice the join time This ensures that after a Leave or LeaveAll message has been issued the applicants can rejoin before the port actually leaves the group Range 60 3000 centiseconds Default 60 GAR...

Page 240: ...Service Provider VLAN SPVLAN tags into the customer s frames when they enter the service provider s network and then stripping the tags when the frames leave the network A service provider s customers may have specific requirements for their internal VLAN IDs and number of VLANs supported VLAN ranges required by different customers in the same service provider network might easily overlap and traf...

Page 241: ...itch into the service provider s metro network must also be added to this SPVLAN The uplink port can be added to multiple SPVLANs to carry inbound traffic for different customers onto the service provider s network When a double tagged packet enters another trunk port in an intermediate or core switch in the service provider s network the outer tag is stripped for packet processing When the packet...

Page 242: ...on through the switching process the packet is written to memory with one tag an outer tag or with two tags both an outer tag and inner tag 4 The switch sends the packet to the proper egress port 5 If the egress port is an untagged member of the SPVLAN the outer tag will be stripped If it is a tagged member the outgoing packets will have two tags Layer 2 Flow for Packets Coming into a Tunnel Uplin...

Page 243: ...e VLAN of uplink ports should not be used as the SPVLAN If the SPVLAN is the uplink port s native VLAN the uplink port must be an untagged member of the SPVLAN Then the outer SPVLAN tag will be stripped when the packets are sent out Another reason is that it causes non customer packets to be forwarded to the SPVLAN Static trunk port groups are compatible with QinQ tunnel ports as long as the QinQ ...

Page 244: ...etropolitan area network You can also globally set the Tag Protocol Identifier TPID value of the tunnel port if the attached client is using a nonstandard 2 byte ethertype to identify 802 1Q tagged frames Command Usage Use the TPID field to set a custom 802 1Q ethertype value on the selected interface This feature allows the switch to interoperate with third party switches that do not use the stan...

Page 245: ...Switch on page 11 16 Set the mode to 802 1Q Tunnel access or 802 1Q Tunnel Uplink Command Attributes Mode Set the VLAN membership mode of the port None The port operates in its normal VLAN mode This is the default 802 1Q Tunnel Configures IEEE 802 1Q tunneling QinQ for a client access port to segregate and preserve customer VLAN IDs for traffic crossing the service provider network 802 1Q Tunnel U...

Page 246: ...ole config if switchport dot1q tunnel mode access 34 15 Console config if interface ethernet 1 3 Console config if switchport dot1q tunnel mode uplink 34 15 Console config if end Console show dot1q tunnel 34 17 Current double tagged status of the system is Enabled The dot1q tunnel mode of the set interface 1 1 is Normal mode TPID is 0x9100 The dot1q tunnel mode of the set interface 1 2 is Access m...

Page 247: ...d Downlink Ports Use the Private VLAN Link Status page to set ports as downlink or uplink ports Ports designated as downlink ports can not communicate with any other ports on the switch except for the uplink ports Uplink ports can communicate with any other ports on the switch and with any designated downlink ports Web Click VLAN Private VLAN Link Status Mark the ports that will serve as uplinks a...

Page 248: ...s 1 First configure VLAN groups for the protocols you want to use page 6 Although not mandatory we suggest configuring a separate VLAN for each major protocol running on your network Do not add port members at this time 2 Create a protocol group for each of the protocols you want to assign to a VLAN using the Protocol VLAN Configuration page 3 Then map the protocol for each interface to the approp...

Page 249: ... configuration screen If you assign interfaces using any of the other VLAN menus such as the VLAN Static Table page 8 or VLAN Static Membership by Port menu page 9 these interfaces will admit traffic of any protocol type into the associated VLAN When a frame enters a port that has been assigned to a protocol VLAN it is processed in the following manner If the frame is tagged it will be processed a...

Page 250: ...093 Web Click VLAN Protocol VLAN Port Configuration Select a a port or trunk enter a protocol group ID the corresponding VLAN ID and click Apply Figure 11 11 Protocol VLAN Port Configuration CLI The following maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 3 Console config interface ethernet 1 1 Console config if protocol vlan protocol group 1...

Page 251: ...LLDP globally on the switch Default Disabled Transmission Interval Configures the periodic transmit interval for LLDP advertisements Range 5 32768 seconds Default 30 seconds This attribute must comply with the following rule Transmission Interval Hold Time Multiplier 65536 and Transmission Interval 4 Delay Interval Hold Time Multiplier Configures the time to live TTL value sent in LLDP advertiseme...

Page 252: ...ult 5 seconds This parameter only applies to SNMP applications which use data stored in the LLDP MIB for network monitoring or management Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted Only state changes that exist at the time of a notification are included in the transmission An SNMP agent should therefore periodically check the value of lldpS...

Page 253: ...p destinations see Specifying Trap Managers and Trap Types on page 5 4 Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted Only state changes that exist at the time of a trap notification are included in the transmission An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTab...

Page 254: ...or Entity MIB Since there are typically a number of different addresses associated with a Layer 3 device an individual LLDP PDU may contain more than one management address TLV Every management address TLV that reports an address that is accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier VID as...

Page 255: ...icates the system s administratively assigned name see Displaying System Information on page 4 1 System Description A textual description of the network entity This field is also displayed by the show system command Console config interface ethernet 1 1 27 1 Console config if lldp tx rx 32 6 Console config if lldp notification 32 6 Console config if lldp basic tlv port description 32 8 Console con...

Page 256: ...ment Interface Settings The attributes listed below apply to both port and trunk interface types When a trunk is listed the descriptions apply to the first port of the trunk Port Description A string that indicates the port s description If RFC 2863 is implemented the ifDescr object should be used for this field Port ID A string that contains the specific identifier for the port from which this LL...

Page 257: ...erStack II 10 100 1000 SMC8926EM SMC8950EM System Capabilities Support Bridge System Capabilities Enable Bridge Management Address 192 168 0 101 IPv4 LLDP Port Information Interface PortID Type PortID PortDesc Eth 1 1 MAC Address 00 00 E3 11 10 11 Ethernet Port on unit 1 port 1 Eth 1 2 MAC Address 00 00 E3 11 10 12 Ethernet Port on unit 1 port 2 Eth 1 3 MAC Address 00 00 E3 11 10 13 Ethernet Port ...

Page 258: ... the specific identifier for the particular chassis in this system Port ID A string that contains the specific identifier for the port from which this LLDPDU was transmitted Port Name A string that indicates the port s description If RFC 2863 is implemented the ifDescr object should be used for this field System Name An string that indicates the system s administratively assigned name Web Click LL...

Page 259: ...he particular chassis in this system Port Type Indicates the basis for the identifier that is listed in the Port ID field Port Description A string that indicates the port s description If RFC 2863 is implemented the ifDescr object should be used for this field Port ID A string that contains the specific identifier for the port from which this LLDPDU was transmitted System Name An string that indi...

Page 260: ...The primary function s of the system which are currently enabled Refer to the preceding table See Table 12 2 System Capabilities on page 12 6 Management Address The IPv4 address of the remote device If no management address is available the address should be the MAC address for the CPU or for the port sending this advertisement Web Click LLDP Remote Information Details Select an interface from the...

Page 261: ...te database dropped an LLDPDU because of insufficient resources Neighbor Entries Age out Count The number of times that a neighbor s information has been deleted from the LLDP remote systems MIB because the remote TTL timer has expired Interface Statistics on LLDP Protocol Messages Num Frames Recvd Number of LLDP PDUs received Num Frames Sent Number of LLDP PDUs transmitted Num Frames Discarded Nu...

Page 262: ...nected directly to this switch switch show lldp info statistics 32 18 LLDP Device Statistics Neighbor Entries List Last Updated 2450279 seconds New Neighbor Entries Count 1 Neighbor Entries Deleted Count 0 Neighbor Entries Dropped Count 0 Neighbor Entries Ageout Count 0 Interface NumFramesRecvd NumFramesSent NumFramesDiscarded Eth 1 1 10 11 0 Eth 1 2 0 0 0 Eth 1 3 0 0 0 Eth 1 4 0 0 0 Eth 1 5 0 0 0...

Page 263: ...count of all LLDPDUs received with one or more detectable errors Frames Received Number of LLDP PDUs received Frames Sent Number of LLDP PDUs transmitted TLVs Unrecognized A count of all TLVs not recognized by the receiving LLDP local agent TLVs Discarded A count of all LLDPDUs received and then discarded due to insufficient memory space missing or out of sequence attributes or any other reason Ne...

Page 264: ...DP enabled remote device attached to a specific port this switch switch show lldp info statistics detail ethernet 1 1 32 18 LLDP Port Statistics Detail PortName Eth 1 1 Frames Discarded 0 Frames Invalid 0 Frames Received 12 Frames Sent 13 TLVs Unrecognized 0 TLVs Discarded 0 Neighbor Ageouts 0 switch ...

Page 265: ...rted into the appropriate priority queue at the output port Command Usage This switch provides eight priority queues for each port It uses Weighted Round Robin to prevent head of queue blockage The default priority applies for an untagged frame received on a port set to accept all frame types i e receives both untagged and tagged frames This priority does not apply to IEEE 802 1Q VLAN tagged frame...

Page 266: ... config if switchport priority default 5 35 3 Console config if end Console show interfaces switchport ethernet 1 3 27 11 Information of Eth 1 3 Broadcast threshold Enabled 500 packets second LACP status Disabled Ingress rate limit Disable 1000M bits per second Egress rate limit Disable 1000M bits per second VLAN membership mode Hybrid Ingress rule Disabled Acceptable frame type All frames Native ...

Page 267: ...plications are shown in the following table However you can map the priority levels to the switch s output queues in any way that benefits application traffic for your own network Command Attributes Priority CoS value Range 0 7 where 7 is the highest priority Traffic Class16 Output queue buffer Range 0 7 where 7 is the highest CoS priority queue Table 13 1 Mapping CoS Values to Egress Queues Prior...

Page 268: ... priorities is implemented as an interface configuration command but any changes will apply to the all interfaces on the switch Console config interface ethernet 1 1 27 1 Console config queue cos map 0 0 35 4 Console config queue cos map 1 1 Console config queue cos map 2 2 Console config exit Console show queue cos map 35 6 Information of Eth 1 1 CoS Value 0 1 2 3 4 5 6 7 Priority Queue 0 1 2 3 4...

Page 269: ...prevents the head of line blocking that can occur with strict priority queuing Command Attributes WRR Weighted Round Robin shares bandwidth at the egress ports by using scheduling weights 1 2 4 6 8 10 12 14 for queues 0 through 7 respectively This is the default selection Strict Services the egress queues in sequential order transmitting all traffic in the higher priority queues before servicing l...

Page 270: ...ues and thereby to the corresponding traffic priorities This weight sets the frequency at which each queue will be polled for service and subsequently affects the response time for software applications assigned a specific priority value Command Attributes WRR Setting Table17 Displays a list of weights for each traffic class i e queue Weight Value Set a new weight for the selected traffic class Ra...

Page 271: ...ty information may be contained in the traffic this switch maps priority values to the output queues in the following manner The precedence for priority mapping is IP Port Priority IP Precedence or DSCP Priority and then Default Port Priority IP Precedence and DSCP Priority cannot both be enabled Enabling one of these priority types will automatically disable the other Selecting IP Precedence DSCP...

Page 272: ... Precedence values are mapped one to one to Class of Service values i e Precedence value 0 maps to CoS value 0 and so forth Bits 6 and 7 are used for network control and the other bits for various application types ToS bits are defined in the following table Command Attributes IP Precedence Priority Table Shows the IP Precedence to CoS map Class of Service Value Maps a CoS value to the selected IP...

Page 273: ...t 1 and then displays the IP Precedence settings Mapping specific values for IP Precedence is implemented as an interface configuration command but any changes will apply to the all interfaces on the switch Console config map ip precedence 35 8 Console config interface ethernet 1 1 27 1 Console config if map ip precedence 1 cos 0 35 9 Console config if end Console show map ip precedence ethernet 1...

Page 274: ...he following table Note that all the DSCP values that are not specified are mapped to CoS value 0 Command Attributes DSCP Priority Table Shows the DSCP Priority to CoS map Class of Service Value Maps a CoS value to the selected DSCP Priority value Note that 0 represents low priority and 7 represent high priority Note IP DSCP settings apply to all interfaces Web Click Priority IP DSCP Priority Sele...

Page 275: ...tes IP Port Priority Status Enables or disables the IP port priority IP Port Priority Table Shows the IP port to CoS map IP Port Number TCP UDP Set a new IP port number Class of Service Value Sets a CoS value for a new IP port Note that 0 represents low priority and 7 represent high priority Note Up to 8 entries can be specified IP Port Priority settings apply to all interfaces Web Click Priority ...

Page 276: ...tch maps HTTP traffic on port 1 to CoS value 0 and then displays the IP Port Priority settings Mapping specific values for IP Port Priority is implemented as an interface configuration command but any changes will apply to the all interfaces on the switch Console config map ip port 35 7 Console config interface ethernet 1 1 27 1 Console config if map ip port 80 cos 0 35 8 Console config if end Con...

Page 277: ...ize the resources allocated to different traffic classes The manner in which an individual device handles traffic in the DiffServ architecture is called per hop behavior All devices along a path should be configured in a consistent manner to construct a consistent end to end QoS solution Notes 1 You can configure up to 16 rules per Class Map You can also include multiple classes in a Policy Map 2 ...

Page 278: ... name and a brief description of a class map Range 1 16 characters for the name 1 64 characters for the description Edit Rules Opens the Match Class Settings page for the selected class entry Modify the criteria used to classify ingress traffic on this page Add Class Opens the Class Configuration page Enter a class name and description on this page and click Add to open the Match Class Settings pa...

Page 279: ...SCP value contained in an IPv6 packet Range 0 63 Add Adds specified criteria to the class Up to 16 items are permitted per class Remove Deletes the selected criteria from the class Web Click QoS DiffServ then click Add Class to create a new class or Edit Rules to change the rules of an existing class Figure 14 1 Configuring Class Maps ...

Page 280: ...s page 14 7 You can configure up to 64 policers i e meters or class maps for each of the following access list types MAC ACL IP ACL including Standard ACL and Extended ACL IPv6 Standard ACL and IPv6 Extended ACL This limitation applies to each switch chip SMC8926EM ports 1 26 SMC8950EM ports 1 25 ports 26 50 Also note that the maximum number of classes that can be applied to a policy map is 16 Pol...

Page 281: ...ilobits per second Burst byte Burst in bytes Exceed Action Specifies whether the traffic that exceeds the specified rate will be dropped or the DSCP service level will be reduced Remove Class Deletes a class Policy Options Class Name Name of class map Action Configures the service provided to ingress traffic by setting a CoS DSCP or IP Precedence value in a matching packet as specified in Match Cl...

Page 282: ... 14 6 14 Web Click QoS DiffServ Policy Map to display the list of existing policy maps To add a new policy map click Add Policy To configure the policy rule settings click Edit Classes Figure 14 2 Configuring Policy Maps ...

Page 283: ... egress queue Command Attributes Ports Specifies a port Ingress Applies the rule to ingress traffic Enabled Check this to enable a policy map on the specified port Policy Map Select the appropriate policy map from the scroll down box Web Click QoS DiffServ Service Policy Settings Check Enabled and choose a Policy Map for a port from the scroll down box then click Apply Figure 14 3 Service Policy S...

Page 284: ...Quality of Service 14 8 14 ...

Page 285: ...sts and an IGMP enabled device most commonly a multicast router In this way the switch can discover the ports that want to join a multicast group and set its filters accordingly If there is no multicast router attached to the local subnet multicast traffic and query messages may not be received by the switch In this case Layer 2 IGMP Query can be used to actively ask the attached hosts if they wan...

Page 286: ...ed In this case traffic is filtered from sources in the Exclude list and forwarded from all other available sources Notes 1 When the switch is configured to use IGMPv3 snooping the snooping version may be downgraded to version 2 or version 1 depending on the version of the IGMP query packets detected on each VLAN 2 IGMP snooping will not function unless a multicast router port is enabled on the sw...

Page 287: ...multicast enabled switch can periodically ask their hosts if they want to receive multicast traffic If there is more than one router switch on the LAN performing IP multicasting one of these devices is elected querier and assumes the role of querying the LAN for group members It then propagates the service requests on to any upstream multicast switch router to ensure that it will continue to recei...

Page 288: ...The default settings are shown below Figure 15 1 IGMP Configuration CLI This example modifies the settings for multicast filtering and then displays the current status Console config ip igmp snooping 37 1 Console config ip igmp snooping querier 37 5 Console config ip igmp snooping query count 10 37 6 Console config ip igmp snooping query interval 100 37 7 Console config ip igmp snooping query max ...

Page 289: ...ay see Configuring IGMP Snooping and Query Parameters on page 15 3 If immediate leave is enabled the switch assumes that only one host is connected to the interface Therefore immediate leave should only be enabled on an interface if it is connected to only one IGMP enabled device either a service host or a neighbor running IGMP snooping Immediate leave is only effective if IGMP snooping is enabled...

Page 290: ...er switch for each VLAN ID Command Attributes VLAN ID ID of configured VLAN 1 4093 Multicast Router List Multicast routers dynamically discovered by this switch or those that are statically assigned to an interface on this switch Web Click IGMP Snooping Multicast Router Port Information Select the required VLAN ID from the scroll down list to display the associated multicast routers Figure 15 2 Mu...

Page 291: ...unk scroll down list VLAN ID Selects the VLAN to propagate all multicast traffic coming from the attached multicast router Unit Stack unit Range 1 8 Port or Trunk Specifies the interface attached to a multicast router Web Click IGMP Snooping Static Multicast Router Port Configuration Specify the interfaces attached to a multicast router indicate the VLAN which will forward all the corresponding mu...

Page 292: ...ervice Web Click IGMP Snooping IP Multicast Registration Table Select a VLAN ID and the IP address for a multicast service from the scroll down lists The switch will display all the interfaces that are propagating this multicast service Figure 15 4 IP Multicast Registration Table CLI This example displays all the known multicast services supported on VLAN 1 along with the ports propagating the cor...

Page 293: ...cts the VLAN to propagate all multicast traffic coming from the attached multicast router switch Range 1 4093 Multicast IP The IP address for a specific multicast service Unit Stack unit Range 1 8 Port or Trunk Specifies the interface attached to a multicast router switch Web Click IGMP Snooping IGMP Member Port Table Specify the interface attached to a multicast service via an IGMP enabled switch...

Page 294: ...Multicast Filtering 15 10 15 ...

Page 295: ...em will search it for a corresponding entry If none is found the default domain name is used When an incomplete host name is received by the DNS service on this switch and a domain name list has been specified the switch will work through the domain list appending each domain name in the list to the host name and checking with the specified name servers for a match When more than one name server i...

Page 296: ...d a domain list However remember that if a domain list is specified the default domain name is not used Console config ip domain name sample com 38 3 Console config ip domain list sample com uk 38 3 Console config ip domain list sample com jp Console config ip name server 192 168 1 55 10 1 0 55 38 4 Console config ip domain lookup 38 5 Console show dns 38 7 Domain Lookup Status DNS enabled Default...

Page 297: ...ork devices may support one or more connections via multiple IP addresses If more than one IP address is associated with a host name in the static table or via information returned from a name server a DNS client can try each address in succession until it establishes a connection with the target device Field Attributes Host Name Name of a host device that is mapped to one or more IP addresses Ran...

Page 298: ...pply Figure 16 2 DNS Static Host Table CLI This example maps two address to a host name and then configures an alias host name for the same addresses Console config ip host rd5 192 168 1 55 10 1 0 55 38 1 Console config ip host rd6 10 1 0 55 Console show hosts 38 6 Hostname rd5 Inet address 10 1 0 55 192 168 1 55 Alias rd6 Console ...

Page 299: ...is field includes ADDRESS which specifies the host address for the owner and CNAME which specifies an alias IP The IP address associated with this record TTL The time to live reported by the name server Domain The domain name associated with this record Web Select DNS Cache Figure 16 3 DNS Cache CLI This example displays all the resource records learned from the designated name servers Console sho...

Page 300: ...Domain Name Service 16 6 16 ...

Page 301: ... switch supports DHCP relay service for attached host devices If DHCP relay is enabled and this switch sees a DHCP request broadcast it inserts its own IP address into the request so that the DHCP server will know the subnet where the client is located Then the switch forwards the packet to the DHCP server When the server receives the DHCP request it allocates a free IP address for the DHCP client...

Page 302: ... other network settings such as the domain name default gateway Domain Name Servers DNS Windows Internet Naming Service WINS name servers or information on the bootup file for the host device to download Addresses can be assigned to clients from a common address pool configured for a specific IP interface on this switch or fixed addresses can be assigned to hosts based on the client identifier cod...

Page 303: ... changes This can be done on the DHCP Server General page Enabling the Server Setting Excluded Addresses Enable the DHCP Server and specify the IP addresses that it should not be assigned to clients Command Attributes DHCP Server Enables or disables the DHCP server on this switch Default Disabled Excluded Addresses Specifies IP addresses that the DHCP server should not assign to DHCP clients You c...

Page 304: ...rom the matching network address pool However if no matching address pool is found the request is ignored When searching for a manual binding the switch compares the client identifier and then the hardware address for DHCP clients Since BOOTP clients cannot transmit a client identifier you must configure a hardware address for this host type If no manual binding has been specified for a host entry...

Page 305: ...teway router The IP address of the router should be on the same subnet as the client DNS Server The IP address of the primary and alternate DNS server DNS servers must be configured for a DHCP client to map host names to IP addresses Netbios Server IP address of the primary and alternate NetBIOS Windows Internet Naming Service WINS name server used for Microsoft DHCP clients Netbios Type NetBIOS n...

Page 306: ...w Address Pool Web Click DHCP Server Pool Configuration Specify a pool name then click Add Figure 17 3 DHCP Server Pool Configuration CLI This example adds an address pool and enters DHCP pool configuration mode Console config ip dhcp pool mgr 39 6 Console config dhcp ...

Page 307: ...etwork Configuration CLI This example configures a network address pool Console config ip dhcp pool tps 39 6 Console config dhcp network 10 1 0 0 255 255 255 0 39 7 Console config dhcp default router 10 1 0 253 39 8 Console config dhcp dns server 10 2 3 4 39 9 Console config dhcp netbios name server 10 1 0 33 39 10 Console config dhcp netbios node type hybrid 39 11 Console config dhcp domain name ...

Page 308: ...ost address pool Console config ip dhcp pool mgr 39 6 Console config dhcp host 10 1 0 19 255 255 255 0 39 12 Console config dhcp hardware address 00 e0 29 94 34 28 ethernet 39 14 Console config dhcp client identifier text bear 39 13 Console config dhcp default router 10 1 0 253 39 8 Console config dhcp dns server 10 2 3 4 39 9 Console config dhcp netbios name server 10 1 0 33 39 10 Console config ...

Page 309: ...ol or after moving DHCP service to another device Entry Count Number of hosts that have been given addresses by the switch Note More than one DHCP server may respond to a service request by a host In this case the host generally accepts the first address assigned by any DHCP server Web Click DHCP Server IP Binding You may use the Delete button to clear an address from the DHCP server s database Fi...

Page 310: ...Dynamic Host Configuration Protocol 17 10 17 ...

Page 311: ...al router priority Router redundancy can be set up in any of the following configurations These examples use the address of one of the participating routers as the master router When the virtual router IP address is not a real address the master router is selected based on priority When the priority is the same on several competing routers then the router with the highest IP address is selected as...

Page 312: ...also enable the preempt feature which allows a router to take over as the master router when it comes on line if it has a higher priority than the currently active master router Command Usage Address Assignment To designate a specific router as the VRRP master the IP address assigned to the virtual router must already be configured on the router that will become the Owner of the group address In o...

Page 313: ...s the new master router if the current master fails Preempting the Acting Master The virtual IP Owner has the highest priority so no other router can preempt it and it will always resume control as the master virtual router when it comes back on line The preempt function only allows a backup router to take over from a master router if no router in the group is the virtual IP owner or from another ...

Page 314: ...ter virtual router if it has a higher priority than the acting master virtual router i e a master router that is not the group s address owner or another backup router that has taken over from the previous master Default Enabled Preempt Delay Time to wait before issuing a claim to become the master Range 0 120 seconds 0 seconds Priority The priority of this router in a VRRP group Range 1 254 Defau...

Page 315: ...18 5 18 Virtual Router Redundancy Protocol Web Click IP VRRP Group Configuration Select the VLAN ID enter the VRID group number and click Add Figure 18 1 VRRP Group Configuration ...

Page 316: ...tual router for the group Otherwise enter the virtual address for an existing group to make it a backup router or to compete as the master based on configured priority if no other members are set as the owner of the group address Click Add IP to enter an IP address into the Associated IP Table Then set any of the other parameters as required and click Apply Figure 18 2 VRRP Group Configuration Det...

Page 317: ... version number VRRP Packets with Invalid VRID The total number of VRRP packets received with an invalid VRID for this virtual router Web Click IP VRRP Global Statistics Figure 18 3 VRRP Global Statistics Console config interface vlan 1 27 1 Console config if vrrp 1 ip 192 168 1 6 40 2 Console config if vrrp 1 ip 192 168 2 6 secondary Console config if vrrp 1 timers advertise 5 40 4 Console config...

Page 318: ...eceived Priority 0 Packets Number of VRRP packets received by the virtual router with priority set to 0 Error Packet Length Packets Number of packets received with a packet length less than the length of the VRRP header Invalid Type Packets Number of VRRP packets received by the virtual router with an invalid value in the type field Error Address List Packets Number of packets received for which t...

Page 319: ...ber of Received Error Advertisement Interval Packets 0 Total Number of Received Authentication Failures Packets 0 Total Number of Received Error IP TTL VRRP Packets 0 Total Number of Received Priority 0 VRRP Packets 0 Total Number of Sent Priority 0 VRRP Packets 5 Total Number of Received Invalid Type VRRP Packets 0 Total Number of Received Error Address List VRRP Packets 0 Total Number of Receive...

Page 320: ...Configuring Router Redundancy 18 10 18 ...

Page 321: ...aditional routers the static and dynamic routing functions must first be configured to work Initial Configuration By default all ports belong to the same VLAN and the switch provides only Layer 2 functionality To segment the attached network first create VLANs for each unique user group or application traffic page 11 6 assign all ports that belong to the same group to these VLANs page 11 8 and the...

Page 322: ...e to live Verifying and recalculating the Layer 3 checksum If the destination node is on the same subnetwork as the source network then the packet can be transmitted directly without the help of a router However if the MAC address is not yet known to the switch an Address Resolution Protocol ARP packet with the destination IP address is broadcast to get the destination MAC address from the destina...

Page 323: ...ket is reformatted and sent out to the destination The reformat process includes decreasing the Time To Live TTL field of the IP header recalculating the IP header checksum and replacing the destination MAC address with either the MAC address of the destination node or that of the next hop router When another packet destined to the same node arrives the destination MAC can be retrieved directly fr...

Page 324: ... to manage the switch in band then you must define the IP subnet address for at least one VLAN Command Attributes IP Routing Status Configures the switch to operate as a Layer 2 switch or as a multilayer routing switch Options Disable this field to restrict operation to Layer 2 switching enable it to allow multilayer operation at either Layer 2 or 3 as required This command affects both static and...

Page 325: ...either Layer 2 or 3 as required All IP packets are routed directly between local interfaces or indirectly to remote interfaces using either static routing or dynamic routing All other packets for non IP protocols for example NetBuei NetWare or AppleTalk are switched based on MAC addresses Command Usage If this router is directly connected to end node devices or connected to end nodes through share...

Page 326: ...esses In other words you will need to specify secondary addresses if more than one IP subnet can accessed via this interface If DHCP BOOTP is enabled the system will immediately start broadcasting service requests IP is enabled but does not function until a reply has been received from the address server Requests will be broadcast periodically by the router for an IP address DHCP BOOTP values can ...

Page 327: ...dresses enter these addresses one at a time and click Set IP Configuration after entering each address Figure 19 2 IP Routing Interface CLI This example sets a primary IP address for VLAN 1 and then adds a secondary IP address for a different subnet also attached to this router interface Console config interface vlan 1 Console config if ip address 10 1 0 253 255 255 255 0 41 3 Console config if ip...

Page 328: ...to the final destination If there is no entry for an IP address in the ARP cache the router will broadcast an ARP request packet to all devices on the network The ARP request contains the following fields similar to that shown in this example When devices receive this request they discard it if their address does not match the destination IP address in the message However if it does match they wri...

Page 329: ... 86400 seconds Default 1200 seconds or 20 minutes The ARP aging timeout can be set for any currently configured VLAN The aging time determines how long dynamic entries remain the cache If the timeout is too short the router may tie up resources by repeating ARP requests for addresses recently flushed from the table When a ARP entry expires it is deleted from the cache and an ARP request packet is ...

Page 330: ...works that do not have routing or a default gateway and click Apply Figure 19 3 ARP General CLI This example sets the ARP cache timeout for 15 minutes i e 900 seconds and enables Proxy ARP for VLAN 3 Console config arp timeout 900 41 33 Console config interface vlan 3 27 1 Console config if ip proxy arp 41 35 Console config if ...

Page 331: ...ntry may need to be used if there is no response to an ARP broadcast message For example some applications may not respond to ARP requests or the response arrives too late causing network operations to time out Static entries will not be aged out or deleted when power is reset You can only remove a static entry via the configuration interface Command Attributes IP Address IP address statically map...

Page 332: ...d to the corresponding IP address Interface VLAN interface associated with the address entry Dynamic to Static19 Changes a selected dynamic entry to a static entry Clear All19 Deletes all dynamic entries from the ARP cache Entry Count The number of dynamic entries in the ARP cache The following field is also displayed in the CLI Type Indicates if entries were learned through replies to broadcast m...

Page 333: ...ry in the cache MAC Address MAC address mapped to the corresponding IP address Interface VLAN interface associated with the address entry Entry Count The number of local entries in the ARP cache Console show arp 41 34 Arp cache timeout 1200 seconds IP Address MAC Address Type Interface 10 1 0 0 ff ff ff ff ff ff other 1 10 1 0 11 00 11 22 33 44 55 static 1 10 1 0 12 01 02 03 04 05 06 static 1 10 1...

Page 334: ...ress Type Interface 10 1 0 0 ff ff ff ff ff ff other 1 10 1 0 11 00 11 22 33 44 55 static 1 10 1 0 12 01 02 03 04 05 06 static 1 10 1 0 19 00 10 b5 62 03 74 dynamic 1 10 1 0 253 00 00 ab cd 00 00 other 1 10 1 0 255 ff ff ff ff ff ff other 1 Total entry 6 Console Table 19 2 ARP Statistics Parameter Description Received Request Number of ARP Request packets received by the router Received Reply Numb...

Page 335: ...ed 0 couldn t fragment Sent 9 generated 0 no route ICMP statistics Rcvd 0 checksum errors 0 redirects 0 unreachable 0 echo 5 echo reply 0 mask requests 0 mask replies 0 quench 0 parameter 0 timestamp Sent 0 redirects 0 unreachable 0 echo 0 echo reply 0 mask requests 0 mask replies 0 quench 0 timestamp 0 time exceeded 0 parameter problem UDP statistics Rcvd 0 total 0 checksum errors 0 no port Sent ...

Page 336: ...s default gateways are down Datagrams Forwarded The number of input datagrams for which this entity was not their final IP destination as a result of which an attempt was made to find a route to forward them to that final destination Reassembly Required The number of IP fragments received which needed to be reassembled at this entity Reassembly Failures The number of failures detected by the IP re...

Page 337: ...s to feed back information about more suitable routes i e the next hop router to use for a specific destination Routing Discards The number of routing entries which were chosen to be discarded even though they are valid One possible reason for discarding such an entry could be to free up buffer space for other routing entries Reassembly Successful The number of datagrams successfully re assembled ...

Page 338: ...ource Quench messages received sent Redirects The number of ICMP Redirect messages received sent Echos The number of ICMP Echo request messages received sent Echo Replies The number of ICMP Echo Reply messages received sent Timestamps The number of ICMP Timestamp request messages received sent Timestamp Replies The number of ICMP Timestamp Reply messages received sent Address Masks The number of I...

Page 339: ...e too complex too slow or just unnecessary Web Click IP Statistics UDP Figure 19 10 UDP Statistics CLI See the example on page 19 14 Table 19 5 USP Statistics Parameter Description Datagrams Received The total number of UDP datagrams delivered to UDP users Datagrams Sent The total number of UDP datagrams sent from this entity Receive Errors The number of received UDP datagrams that could not be de...

Page 340: ... SYN SENT state from the CLOSED state Failed Connection Attempts The number of times TCP connections have made a direct transition to the CLOSED state from either the SYN SENT state or the SYN RCVD state plus the number of times TCP connections have made a direct transition to the LISTEN state from the SYN RCVD state Current Connections The number of TCP connections for which the current state is ...

Page 341: ...nce over a dynamic route Static routes are included in RIP and OSPF updates periodically sent by the router if this feature is enabled by the RIP or OSPF see page 20 9 or 20 35 respectively Command Attributes Interface Index number of the IP interface IP Address IP address of the destination network subnetwork or host Netmask Network mask for the associated IP subnet This mask identifies the host ...

Page 342: ...e is not enabled i e listed in the routing table unless there is at least one active link connected to that interface Command Attributes Interface Index number of the IP interface IP Address IP address of the destination network subnetwork or host Note that the address 0 0 0 0 indicates the default gateway for this router Netmask Network mask for the associated IP subnet This mask identifies the h...

Page 343: ...g Table CLI This example shows routes obtained from various methods Console show ip route 42 3 Ip Address Netmask Next Hop Protocol Metric Interface 0 0 0 0 0 0 0 0 10 1 0 254 static 1 1 10 1 0 0 255 255 255 0 10 1 0 253 local 1 1 10 1 1 0 255 255 255 0 10 1 0 254 RIP 2 1 Total entries 3 Console ...

Page 344: ...IP Routing 19 24 19 ...

Page 345: ...links which lead to relevant subnets OSPFv2 Dynamic Routing Protocol OSPF overcomes all the problems of RIP It uses a link state routing protocol to generate a shortest path tree then builds up its routing table based on this tree OSPF produces a more stable network because the participating routers act on network changes predictably and simultaneously converging on the best route more quickly tha...

Page 346: ...n interface port from which they have been acquired but set the distance vector metrics to infinity This provides faster convergence Triggered updates Whenever a route gets changed broadcast an update message after waiting for a short random delay but without waiting for the periodic cycle RIP 2 is a compatible upgrade to RIP RIP 2 adds useful capabilities for plain text authentication multiple in...

Page 347: ...g and receiving protocol messages RIP send receive versions set on the RIP Interface Settings screen page 20 6 always take precedence over the settings for the Global RIP Version Timer Settings The timers must be set to the same values for all routers in the network Update Sets the rate at which updates are sent This is the fundamental timer used to control all basic RIP processes This value will ...

Page 348: ...click Apply Figure 20 1 RIP General Settings CLI This example sets the router to use RIP Version 2 and sets the basic timer to 15 seconds Console config router rip 42 6 Console config router version 2 42 11 Console config router timers basic 15 42 8 Console config router end Console show rip globals 42 16 RIP Process Enabled Update Time in Seconds 15 Number of Route Change 0 Number of Queries 1 Co...

Page 349: ...st field nnn determines the class 0 127 is class A and only the first field in the network address is used 128 191 is class B and the first two fields in the network address are used 192 223 is class C and the first three fields in the network address are used Web Click Routing Protocol RIP Network Addresses Add all interfaces that will participate in RIP and click Apply Figure 20 2 RIP Network Ad...

Page 350: ...ctively Use RIPv1 Compatible to propagate route information by broadcasting to other routers on the network using the RIPv2 advertisement list instead of multicasting as normally required by RIPv2 Using this mode allows RIPv1 routers to receive these protocol messages but still allows RIPv2 routers to receive the additional information provided by RIPv2 including subnet mask next hop and authentic...

Page 351: ...e Does not accept incoming RIP packets This option does not add any dynamic entries to the routing table for an interface Send Version The RIP version to send on an interface RIPv1 Sends only RIPv1 packets RIPv2 Sends only RIPv2 packets RIPv1 Compatible Route information is broadcast to other routers with RIPv2 Default20 Do Not Send Does not transmit RIP updates Instability Preventing Specifies th...

Page 352: ...d receiving interface must use the same password Range 1 16 characters case sensitive Web Click Routing Protocol RIP Interface Settings Select the RIP protocol message types that will be received and sent the method used to provide faster convergence and prevent loopback i e prevent instability in the network topology and the authentication option and corresponding password Then click Apply Figure...

Page 353: ...xternal routes A route metric must be used to resolve the problem of redistributing external routes with incompatible metrics It is advisable to use a low metric when redistributing routes from another protocol into RIP Using a high metric limits the usefulness of external routes redistributed into RIP For example if a metric of 10 is defined for redistributed routes these routes can only be adver...

Page 354: ...ution metric for static routes and click Set Figure 20 4 RIP Redistribution Configuration CLI This example redistributes static routes and sets the metric for all of these routes to a value of 3 Console config router rip 42 6 Console config router redistribute static metric 3 42 11 Console config router ...

Page 355: ...router database queries received by this router Interface Information Interface IP address of the interface SendMode RIP version sent on this interface none RIPv1 RIPv2 rip1Compatible ReceiveMode RIP version received on this interface none RIPv1 RIPv2 RIPv1Orv2 InstabilityPreventing Shows if split horizon poison reverse or no instability prevention method is in use AuthType Shows if authentication...

Page 356: ...Unicast Routing 20 12 20 Web Click Routing Protocol RIP Statistics Figure 20 5 RIP Statistics ...

Page 357: ...Number of Queries 0 Console show ip rip configuration 42 16 Interface SendMode ReceiveMode Poison Authentication 10 1 0 253 rip1Compatible RIPv1Orv2 SplitHorizon noAuthentication 10 1 1 253 rip1Compatible RIPv1Orv2 SplitHorizon noAuthentication Console show ip rip status 42 16 Interface RcvBadPackets RcvBadRoutes SendUpdates 10 1 0 253 0 0 60 10 1 1 253 0 0 63 Console show ip rip peer 42 16 Peer U...

Page 358: ... used to calculate summary route costs throughout the network when older OSPF routers exist as well as the not so stubby area option RFC 3101 Command Usage OSPF looks at more than just the simple hop count When adding the shortest path to any node into the tree the optimal path is chosen on the basis of delay throughput and connectivity OSPF utilizes IP multicast to reduce the amount of routing tr...

Page 359: ...SPF area that is not physically attached to the OSPF backbone Virtual links can also be used to provide a redundant link between contiguous areas to prevent areas from being partitioned or to merge backbone areas Note that virtual links are not supported for stubs or NSSAs Configuring General Protocol Settings To implement dynamic OSPF routing first assign VLAN groups to each IP subnet to which th...

Page 360: ... any OSPF routers in an area exchanging summary information specifically ABRs which have not been upgraded to OSPFv2 RFC 2328 RFC 1583 should be used on the newly upgraded OSPFv2 routers to ensure compatibility with routers still running older OSPFv2 code SPF Hold Time The hold time between making two consecutive shortest path first SPF calculations Range 0 65535 seconds Default 10 seconds Setting...

Page 361: ...o import external routes through RIP or static routes and such a route is known See Redistributing External Routes on page 20 35 External Metric Type22 The external link type used to advertise the default route Type 1 route advertisements add the internal cost to the external route metric Type 2 routes do not add the internal cost metric When comparing Type 2 routes the internal cost is only used ...

Page 362: ...iguration CLI This example configures the router with the same settings as shown in the screen capture for the web interface Console config router ospf 42 19 Console config router router id 10 1 1 253 42 20 Console config router no compatible rfc1583 42 20 Console config router default information originate always metric 10 metric type 2 42 21 Console config router timers spf 10 42 22 Console conf...

Page 363: ...een areas you can configure an area as a stub or a not so stubby area NSSA Normal Area A large OSPF domain should be broken up into several areas to increase network stability and reduce the amount of routing traffic required through the use of route summaries that aggregate a range of addresses into a single route The backbone or any normal area can pass traffic between other areas and are theref...

Page 364: ...s in an OSPF stub area so routes cannot be redistributed from another protocol into a stub area On the other hand an NSSA allows external routes from another protocol to be redistributed into its own area and then leaked to adjacent areas Routes that can be advertised with NSSA external LSAs include network destinations outside the AS learned via OSPF the default route static routes routes derived...

Page 365: ... area or not so stubby area NSSA Area ID 0 0 0 0 is set to the backbone by default Default Normal area Default Cost Cost for the default summary route sent into a stub from an area border router ABR Range 0 16777215 Default 1 Note that if you set the default cost to 0 the router will not advertise a default route into the attached stub Summary Makes an ABR send a Type 3 summary link advertisement ...

Page 366: ... area 0 0 0 1 as a normal area area 0 0 0 2 as a stub and area 0 0 0 3 as an NSSA It also configures the router to propagate a default summary route into the stub and sets the cost for this default route to 10 Console config router network 10 1 1 0 255 255 255 0 area 0 0 0 1 42 26 Console config router area 0 0 0 2 stub summary 42 27 Console config router area 0 0 0 2 default cost 10 42 24 Console...

Page 367: ...zed for several area ranges This router also supports Variable Length Subnet Masks VLSMs so you can summarize an address range on any bit boundary in a network address To summarize the external LSAs imported into your autonomous system i e local routing domain use the Summary Address Configuration screen page 20 33 Command Attributes Area ID Identifies an area for which the routes are summarized T...

Page 368: ...default for the area range command is to advertise the route summary The configured summary route is shown in the list of information displayed for area 1 Console config router area 0 0 0 1 range 10 1 1 0 255 255 255 0 42 23 Console config router end Console show ip ospf Routing Process with ID 10 1 1 253 Supports only single TOS TOS0 route Number of area in this router is 4 Area 0 0 0 0 BACKBONE ...

Page 369: ... Count The number of IP interfaces assigned to this VLAN Note This router supports up 64 OSPF interfaces Detailed Interface Configuration VLAN ID The VLAN corresponding to the selected interface Rtr Priority Sets the interface priority for this router Range 0 255 Default 1 A designated router DR and backup designated router BDR is elected for each OSPF area based on Router Priority The DR forms an...

Page 370: ...outer is still active Setting the hello interval to a smaller value can reduce the delay in detecting topological changes but will increase routing traffic Rtr Dead Interval Sets the interval at which hello packets are not seen before neighbors declare the router down This interval must be set to the same value for all routers on the network Range 1 65535 seconds Default 40 or 4 times the Hello In...

Page 371: ...lain text or Message Digest 5 MD5 authentication is enabled as described in the preceding item this password key is inserted into the OSPF header when routing protocol packets are originated by this device A different password can be assigned to each network interface but the password must be used consistently on all neighboring routers throughout a network that is autonomous system All neighborin...

Page 372: ... Configuration Select the required interface from the scroll down box and click Detailed Settings Figure 20 9 OSPF Interface Configuration Change any of the interface specific protocol parameters and then click Apply Figure 20 10 OSPF Interface Configuration Detailed ...

Page 373: ...nclude the transit area ID and the router ID for a virtual link neighbor that is adjacent to the backbone Command Attributes Area ID Identifies the transit area for the virtual link The area ID must be in the form of an IPv4 address Neighbor Router ID Router ID of the virtual link neighbor This specifies the Area Border Router ABR at the other end of the virtual link To create a virtual link it mu...

Page 374: ...fy the settings for an existing link click the Detail button for the required entry modify the link settings and click Set Figure 20 11 OSPF Virtual Link Configuration CLI This example configures a virtual link from the ABR adjacent to area 0 0 0 4 through a transit area to the neighbor router 10 1 1 252 at the other end of the link which is adjacent to the backbone Console config router area 0 0 ...

Page 375: ...ea by default A normal area can send and receive external Link State Advertisements LSAs If necessary you can use the Area Configuration page to configure an area as a stubby area that cannot send or receive external LSAs or a not so stubby area NSSA that can import external route information into its area page 20 19 An area must be assigned a range of subnetwork addresses This area and the corres...

Page 376: ...l OSPF Network Area Address Configuration Configure a backbone area that is contiguous with all the other areas in your network configure an area for all of the other OSPF interfaces then click Apply Figure 20 12 OSPF Network Area Address Configuration ...

Page 377: ...iguration screen view the routes imported into the routing table and then configure one or more summary addresses to reduce the size of the routing table and consolidate these external routes for advertising into the local domain To summarize routes sent between OSPF areas use the Area Range Configuration screen page 20 23 Command Attributes IP Address Summary address covering a range of addresses...

Page 378: ...pecify the base address and network mask then click Add Figure 20 13 OSPF Summary Address Configuration CLI This example This example creates a summary address for all routes contained in 192 168 x x Console config router summary address 192 168 0 0 255 255 0 0 42 24 Console config router ...

Page 379: ...Attributes Redistribute Protocol Specifies the external routing protocol type for which routing information is to be redistributed into the local routing domain Options RIP Static Default RIP Redistribute Metric Type Indicates the method used to calculate external route costs Options Type 1 Type 2 Default Type 1 Metric type specifies the way to advertise routes to destinations outside the autonomo...

Page 380: ...efer to Configuring OSPF Areas on page 20 19 Command Attributes Area ID Identifier for an not so stubby area NSSA The area ID must be in the form of an IPv4 address Default Information Originate An NSSA ASBR originates and floods Type 7 external LSAs throughout its area for known network destination outside of the AS However you can also configure an NSSA ASBR to generate a Type 7 default route to...

Page 381: ...rds redistribution should be disabled to prevent the NSSA ABR from advertising external routing information learned through routers in other areas into the NSSA Default Enabled Note This router supports up 16 areas either normal transit areas stubs or NSSAs Web Click Routing Protocol OSPF NSSA Settings Create a new NSSA or modify the routing behavior for an existing NSSA and click Apply Figure 20 ...

Page 382: ... Area border routers can generate Summary LSAs that give the cost to a subnetwork located outside the area AS Summary Type 4 Area border routers can generate AS Summary LSAs that give the cost to an autonomous system boundary router ASBR AS External Type 5 An ASBR can generate an AS External LSA for each known network destination outside the AS NSSA External Type 7 An ASBR within an NSSA generates...

Page 383: ...SPF Link State Database Information Specify parameters for the LSAs you want to display then click Query Figure 20 16 OSPF Link State Database Information CLI The CLI provides a wider selection of display options for viewing the Link State Database See show ip ospf database on page 42 41 ...

Page 384: ...th Rte Type Route type either intra area or interarea route INTRA or INTER Area The area from which this route was learned SPF No The number of times the shortest path first algorithm has been executed for this route Web Click Routing Protocol OSPF Border Router Information Figure 20 17 OSPF Border Router Information CLI This example shows one router that serves as both the ABR for the local area ...

Page 385: ... Two way Bidirectional communications established ExStart Initializing adjacency between neighbors Exchange Database descriptions being exchanged Loading LSA databases being exchanged Full Neighboring routers now fully adjacent Identification flags include D Dynamic neighbor S Static neighbor DR Designated router BDR Backup designated router Address IP address of this interface Web Click Routing P...

Page 386: ...Unicast Routing 20 42 20 ...

Page 387: ...tion Commands 25 1 Access Control List Commands 26 1 Interface Commands 27 1 Link Aggregation Commands 28 1 Mirror Port Commands 29 1 Rate Limit Commands 30 1 Address Table Commands 31 1 LLDP Commands 32 1 Spanning Tree Commands 33 1 VLAN Commands 34 1 Class of Service Commands 35 1 Quality of Service Commands 36 1 Multicast Filtering Commands 37 1 Domain Name Service Commands 38 1 DHCP Commands 3...

Page 388: ...Command Line Interface ...

Page 389: ...t with corresponding passwords of admin and guest When the administrator user name and password is entered the CLI displays the Console prompt and enters privileged access mode i e Privileged Exec But when the guest user name and password is entered the CLI displays the Console prompt and enters normal access mode i e Normal Exec 2 Enter the necessary commands to complete your desired tasks 3 When...

Page 390: ...tch with an IP address you can open a Telnet session by performing these steps 1 From the remote host enter the Telnet command and the IP address of the device you want to access 2 At the prompt enter the user name and system password The CLI will display the Vty n prompt for the administrator to show that you are using privileged access mode i e Privileged Exec or Vty n for the guest to show that...

Page 391: ...show startup config To enter commands that require parameters enter the required parameters after the command keyword For example to set a password for the administrator enter Console config username admin password 0 smith Minimum Abbreviation The CLI will accept a minimum number of characters that uniquely identify a command For example the command configure can be entered as con If an entry is a...

Page 392: ...ces ip IP information ipv6 IPv6 information lacp Show LACP statistic line TTY line information lldp LLDP log Login records logging Show the contents of logging buffers mac MAC access lists mac address table Set configuration of the address table management Show management IP filter map Map priority policy map Display policy maps port Characteristics of the port port channel Port channel protocol v...

Page 393: ...em messages to a host server To disable logging specify the no logging command This guide describes the negation effect for all applicable commands Using Command History The CLI maintains a history of commands that have been entered You can scroll back through the history of commands by pressing the up arrow key Any command displayed in the history list can be executed again or first modified and ...

Page 394: ...number of the commands are available in this mode You can access all commands only from the Privileged Exec command mode or administrator mode To access Privilege Exec mode open a new console session with the user name and password admin The system will now display the Console command prompt You can also enter Privileged Exec mode from within Normal Exec mode by entering the enable command followe...

Page 395: ...ds modify the port configuration such as speed duplex and negotiation Line Configuration These commands modify the console port and Telnet configuration and include command such as parity and databits Multiple Spanning Tree Configuration These commands configure settings for the selected multiple spanning tree instance Policy Map Configuration Creates a DiffServ policy map for multiple interfaces ...

Page 396: ... list ip extended access list mac access list ipv6 standard access list ipv6 extended Console config std acl Console config ext acl Console config mac acl Console config std ipv6 acl Console config ext ipv6 acl 26 2 26 2 26 12 26 7 26 7 Class Map class map Console config cmap 36 2 DHCP ip dhcp pool Console config dhcp 39 6 Interface interface ethernet port port channel id vlan id Console config if...

Page 397: ...ne Ctrl B Shifts cursor to the left one character Ctrl C Terminates the current task and displays the command prompt Ctrl E Shifts cursor to end of command line Ctrl F Shifts cursor to the right one character Ctrl K Deletes all characters from the cursor to the end of the line Ctrl L Repeats current command line on a new line Ctrl N Enters the next command line in the history buffer Ctrl P Enters ...

Page 398: ...cally groups multiple ports into a single logical trunk configures Link Aggregation Control Protocol for port trunks 28 1 Mirror Port Mirrors data to another port for analysis without affecting the data passing through or the performance of the monitored port 29 1 Rate Limit Controls the maximum rate for traffic transmitted or received on a port 30 1 Address Table Configures the address table for ...

Page 399: ...CL Access Control List Configuration MST Multiple Spanning Tree CM Class Map Configuration NE Normal Exec DC DHCP Server Configuration PE Privileged Exec GC Global Configuration PM Policy Map Configuration IC Interface Configuration RC Router Configuration LC Line Configuration VC VLAN Database Configuration ...

Page 400: ...Overview of the Command Line Interface 21 12 21 ...

Page 401: ...mand Usage super is the default password required to change the command mode from Normal Exec to Privileged Exec To set this password see the enable password command on page 25 3 Table 22 1 General Commands Command Function Mode Page enable Activates privileged mode NE 22 1 disable Returns to normal mode from privileged mode PE 22 2 configure Activates global configuration mode PE 22 2 show histor...

Page 402: ... Command Mode Privileged Exec Command Usage The character is appended to the end of the prompt to indicate that the system is in normal access mode Example Related Commands enable 22 1 configure This command activates Global Configuration mode You must enter this mode to modify any settings on the switch You must also enter Global Configuration mode prior to enabling some of the other configuratio...

Page 403: ...nd history buffer The command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode and commands from the Configuration command history buffer when you are in any of the configuration modes In this example the 2 command repeats the second command in the Execution history buffer config Console configure Console config Console show history Exe...

Page 404: ...sage This command resets the entire system Example This example shows how to reset the switch prompt This command customizes the CLI prompt Use the no form to restore the default prompt Syntax prompt string no prompt string Any alphanumeric string to use for the CLI prompt Maximum length 255 characters Default Setting Console Command Mode Global Configuration Example end This command returns to Pr...

Page 405: ...e or exits the configuration program Default Setting None Command Mode Any Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode and then quit the CLI session quit This command exits the configuration program Default Setting None Command Mode Normal Exec Privileged Exec Command Usage The quit and exit commands can both exit the configuration progra...

Page 406: ...General Commands 22 6 22 Example This example shows how to quit a CLI session Console quit Press ENTER to start session User Access Verification Username ...

Page 407: ...s information that uniquely identifies this switch 23 1 System Status Displays system configuration active managers and version information 23 3 Frame Size Enables support for jumbo frames 23 9 File Management Manages code image or switch configuration files 23 10 Line Sets communication parameters for the serial port including baud rate and console time out 23 17 Event Logging Controls logging of...

Page 408: ...ially starting from the top unit for a non loop stack or starting from the Master unit for a looped stack Syntax switch all renumber Default Setting For non loop stacking the top unit is unit 1 For loop stacking the master unit is unit 1 Command Mode Global Configuration Example This example shows how to renumber all units Console config hostname RD 1 Console config Console switch all renumber Con...

Page 409: ... the stack SNTP server settings SNMP community strings Users names and access levels VLAN database VLAN ID name and state VLAN configuration settings for each interface Multiple spanning tree instances name and interfaces IP address configured for VLANs Layer 4 precedence settings Routing protocol configuration settings Spanning tree settings Any configured settings for the console port and Telnet...

Page 410: ...ymap 00 20 1a df 9c a0 00 20 1a df 9e c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 SNTP server 0 0 0 0 0 0 0 0 0 0 0 0 snmp server community public ro snmp server community private rw username admin access level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access level 0 username guest password 7 084e...

Page 411: ... mode group is separated by symbols and includes the configuration mode command and corresponding commands This command displays the following information MAC address for each switch in the stack SNTP server settings SNMP community strings Users names access levels and encrypted passwords VLAN database VLAN ID name and state VLAN configuration settings for each interface Multiple spanning tree ins...

Page 412: ...ymap 00 30 f1 d4 73 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 SNTP server 0 0 0 0 0 0 0 0 0 0 0 0 snmp server community private rw snmp server community public ro username admin access level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access level 0 username guest password 7 084e...

Page 413: ...Telnet client Default Setting None Command Mode Normal Exec Privileged Exec Console show system System Description SMC TigerStack II 10 100 1000 SMC8926EM SMC8950EM System OID String 1 3 6 1 4 1 202 20 76 System information System Up time 0 days 1 hours 23 minutes and 44 61 seconds System Name NONE System Location NONE System Contact NONE MAC Address Unit1 00 00 E3 11 10 10 Web Server Enabled Web ...

Page 414: ...eged Exec Command Usage See Displaying Switch Hardware Software Versions on page 4 3 for detailed information on the items displayed by this command Console show users Username accounts Username Privilege Public Key admin 15 None guest 0 None steve 15 RSA Online users Line Username Idle time h m s Remote IP addr 0 console admin 0 14 14 1 VTY 0 admin 0 00 00 192 168 1 19 2 SSH 1 steve 0 00 06 192 1...

Page 415: ...tly reduces the per packet overhead required to process protocol encapsulation fields To use jumbo frames both the source and destination end nodes such as a computer or server must support this feature Also when the connection is operating at full duplex all switches in the network between the two end nodes must be able to accept the extended frame size And for half duplex Console show version Un...

Page 416: ...ew file set as the startup file Saving or Restoring Configuration Settings Configuration settings can be uploaded and downloaded to and from a TFTP server The configuration file can be later downloaded to restore switch settings The configuration file can be downloaded under a new file name and then set as the startup file or the current startup configuration file can be specified as the destinati...

Page 417: ... allows you to copy to from a TFTP server https certificate Keyword that allows you to copy the HTTPS secure site certificate public key Keyword that allows you to copy a SSH key from a TFTP server See Secure Shell Commands on page 25 15 unit Keyword that allows you to copy to from a specific unit in the stack Default Setting None Command Mode Privileged Exec Command Usage The system prompts for d...

Page 418: ...xample The following example shows how to download new firmware from a TFTP server The following example shows how to upload the configuration settings to a file on the TFTP server The following example shows how to copy the running configuration to a startup file Console copy tftp file TFTP server ip address 10 1 0 19 Choose file type 1 config 2 opcode 1 2 2 Source file name SMC8926_50EM_opcode_V...

Page 419: ...le or code image unit Stack unit Range 1 8 Default Setting None Console copy tftp startup config TFTP server ip address 10 1 0 99 Source configuration file name startup 01 Startup configuration file name startup Write to FLASH Programming Write to FLASH finish Success Console Console copy tftp https certificate TFTP server ip address 10 1 0 19 Source certificate file name SS certificate Source pri...

Page 420: ...st of files in flash memory Syntax dir unit boot rom config opcode filename The type of file or image to display includes boot rom Boot ROM or diagnostic image file config Switch configuration file opcode Run time operation code image file filename Name of configuration file or code image If this file exists but contains errors information on this file cannot be shown unit Stack unit Range 1 8 Def...

Page 421: ... Information Column Heading Description file name The name of the file file type File types Boot Rom Operation Code and Config file startup Shows if this file is used when the system is started size The length of the file in bytes Console dir File name File type Startup Size byte Unit1 SMC8926_50EM_diag_V1 1 0 3 BIX Boot Rom Image Y 1596952 SMC8926_50EM_opcode_V1 1 4 0 BIX Operation Code Y 4990052...

Page 422: ...onfiguration file opcode Run time operation code filename Name of configuration file or code image unit Stack unit Range 1 8 The colon is required Default Setting None Command Mode Global Configuration Command Usage A colon is required after the specified unit number and file type If the file contains an error it cannot be set as the default file Example Related Commands dir 23 14 whichboot 23 15 ...

Page 423: ...ord Specifies a password on a line LC 23 19 timeout login response Sets the interval that the system waits for a login attempt LC 23 20 exec timeout Sets the interval that the command interpreter waits until user input is detected LC 23 20 password thresh Sets the password intrusion threshold which limits the number of failed logon attempts LC 23 21 silent time These commands only apply to the ser...

Page 424: ...sage There are three authentication modes provided by the switch itself at login login selects authentication by a single global password as specified by the password line configuration command When using this method the management interface starts in Normal Exec NE mode login local selects authentication via the user name and password specified by the username command i e default setting When usi...

Page 425: ...tem prompts for the password If you enter the correct password the system shows a prompt You can use the password thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state The encrypted password is required for compatibility with legacy password settings i e plain text or encrypted wh...

Page 426: ...the connection is terminated for the session This command applies to both the local console and Telnet connections The timeout for Telnet cannot be disabled Using the command without specifying a timeout restores the default setting Example To set the timeout to two minutes enter this command exec timeout This command sets the interval that the system waits until user input is detected Use the no ...

Page 427: ...e threshold value Syntax password thresh threshold no password thresh threshold The number of allowed password attempts Range 1 120 0 no threshold Default Setting The default value is three attempts Command Mode Line Configuration Command Usage When the logon attempt threshold is reached the system interface becomes silent for a specified amount of time before allowing the next logon attempt Use t...

Page 428: ... silent time to 60 seconds enter this command Related Commands password thresh 23 21 databits This command sets the number of data bits per character that are interpreted and generated by the console port Use the no form to restore the default value Syntax databits 7 8 no databits 7 Seven data bits per character 8 Eight data bits per character Default Setting 8 data bits per character Command Mode...

Page 429: ...sage Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting Example To specify no parity enter this command speed This command sets the terminal line s baud rate This command sets both the transmit to terminal and receive from terminal speeds Use the no form to restore the default setting Syntax speed bps no speed bps Baud rate in bits ...

Page 430: ...nd adjust the speed accordingly Example To specify 57600 bps enter this command stopbits This command sets the number of the stop bits transmitted per byte Use the no form to restore the default setting Syntax stopbits 1 2 1 One stop bit 2 Two stop bits Default Setting 1 stop bit Command Mode Line Configuration Example To specify 2 stop bits enter this command disconnect This command terminates an...

Page 431: ... Syntax show line console vty console Console terminal line vty Virtual terminal for remote console access i e Telnet Default Setting Shows all lines Command Mode Normal Exec Privileged Exec Example To show all lines enter this command Console disconnect 1 Console Console show line Console configuration Password threshold 3 times Interactive timeout Disabled Login timeout Disabled Silent time Disa...

Page 432: ... control the type of error messages that are sent to specified syslog servers Example Related Commands logging history 23 27 logging trap 23 29 clear log 23 29 Table 23 8 Event Logging Commands Command Function Mode Page logging on Controls logging of error messages GC 23 26 logging history Limits syslog messages saved to switch memory based on severity GC 23 27 logging host Adds a syslog server h...

Page 433: ... Mode Global Configuration Command Usage The message level specified for flash memory must be a higher priority i e numerically lower than that specified for RAM Example Table 23 9 Logging Levels Level Severity Name Description 7 debugging Debugging messages 6 informational Informational messages only 5 notifications Normal but significant condition such as cold start 4 warnings Warning conditions...

Page 434: ... the facility type for remote logging of syslog messages Use the no form to return the type to the default Syntax no logging facility type type A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service Range 16 23 Default Setting 23 Command Mode Global Configuration Command Usage The command specifies the facility type tag sent in syslog mess...

Page 435: ...etting Disabled Level 7 0 Command Mode Global Configuration Command Usage Using this command with a specified level enables remote logging and sets the minimum severity level to be saved Using this command without a specified level also enables remote logging but restores the minimum severity level to the default Example clear log This command clears messages from the log buffer Syntax clear log f...

Page 436: ...n Default Setting None Command Mode Privileged Exec Example The following example shows that system logging is enabled the message level for flash memory is errors i e default level 3 0 and the message level for RAM is debugging i e default level 7 0 Console show logging flash Syslog logging Enabled History logging in FLASH level errors Console show logging ram Syslog logging Enabled History loggi...

Page 437: ...EMOTELOG server IP address 1 2 3 4 REMOTELOG server IP address 0 0 0 0 REMOTELOG server IP address 0 0 0 0 REMOTELOG server IP address 0 0 0 0 REMOTELOG server IP address 0 0 0 0 Console Table 23 11 show logging trap display description Field Description Syslog logging Shows if system logging has been enabled via the logging on command REMOTELOG status Shows if remote logging has been enabled via ...

Page 438: ...TP servers for event handing However you must enter a separate command to specify each server Console show log ram 1 00 01 30 2001 01 01 VLAN 1 link up notification level 6 module 5 function 1 and event no 1 0 00 01 30 2001 01 01 Unit 1 Port 1 link up notification level 6 module 5 function 1 and event no 1 Console Table 23 12 SMTP Alert Commands Command Function Mode Page logging sendmail host SMT...

Page 439: ...ages Syntax logging sendmail level level level One of the system message levels page 23 27 Messages sent include the selected level down to level 0 Range 0 7 Default 7 Default Setting Level 7 Command Mode Global Configuration Command Usage The specified level indicates an event threshold All events at this level or higher will be sent to the configured email recipients For example using Level 7 wi...

Page 440: ...l email address email address The source email address used in alert messages Range 1 41 characters Default Setting None Command Mode Global Configuration Command Usage You can specify up to five recipients for alert messages However you must enter a separate command to specify each recipient Example logging sendmail This command enables SMTP event handling Use the no form to disable this function...

Page 441: ...e show logging sendmail SMTP servers 192 168 1 19 SMTP minimum severity level 7 SMTP destination email addresses ted this company com SMTP source email address bill this company com SMTP status Enabled Console Table 23 13 Time Commands Command Function Mode Page sntp client Accepts time from specified time servers GC 23 36 sntp server Specifies one or more time servers GC 23 37 sntp poll Sets the ...

Page 442: ...a the sntp poll command Example clock summertime date Configures summer time daylight savings time for the switch s internal clock GC 23 40 clock summertime predefined Configures summer time daylight savings time for the switch s internal clock GC 23 41 clock summertime recurring Configures summer time daylight savings time for the switch s internal clock GC 23 42 show clock Shows the time zone an...

Page 443: ...ecifies time servers from which the switch will poll for time updates when set to SNTP client mode The client will poll the time servers in the order specified until a response is received It issues time synchronization requests based on the interval set via the sntp poll command Example Related Commands sntp client 23 36 sntp poll 23 37 show sntp 23 38 sntp poll This command sets the interval bet...

Page 444: ...and configuration settings for the SNTP client and indicates whether or not the local time has been properly updated Command Mode Normal Exec Privileged Exec Command Usage This command displays the current time the poll interval used for sending time synchronization requests and the current SNTP mode i e unicast Example Console config sntp poll 60 Console Console config sntp update time Console co...

Page 445: ...e meridian zero degrees longitude To display a time corresponding to your local time you must indicate the number of hours and minutes your time zone is east before or west after of UTC Example Related Commands show sntp 23 38 clock timezone predefined This command uses predefined time zone configurations to set the time zone for the switch s internal clock Use the no form to restore the default S...

Page 446: ...mmer time name Name of the time zone while summer time is in effect usually an acronym Range 1 30 characters b month The month when summer time will begin Options january february march april may june july august september october november december b day The day summer time will begin Options sunday monday tuesday wednesday thursday friday saturday b year The year summer time will begin b hour The...

Page 447: ...responding to your local time when summer time is in effect you must indicate the number of minutes your summer time time zone deviates from your regular time zone Example Related Commands show clock 23 43 clock summer time predefined This command configures the summer time daylight savings time status and settings for the switch using predefined configurations for several major regions of the wor...

Page 448: ...igure the start end and offset times of summer time daylight savings time for the switch on a recurring basis Use the no form to disable summer time Syntax clock summer time name recurring b week b day b month b hour b minute e week e day e month e hour e minute offset no clock summer time name Name of the timezone while summer time is in effect usually an acronym Range 1 30 characters b week The ...

Page 449: ...from the regular time zone in minutes Range 0 99 minutes Default Setting Disabled Command Mode Global Configuration Command Usage In some countries or regions clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less This is known as Summer Time or Daylight Savings Time DST Typically clocks are adjusted forward one hour at the start of spring and th...

Page 450: ...anuary february march april may june july august september october november december year Year 4 digit Range 2001 2100 Default Setting None Command Mode Privileged Exec Example This example shows how to set the system clock to 15 12 34 February 1st 2002 show calendar This command displays the system clock Command Mode Normal Exec Privileged Exec Example Console show clock Time Zone GMT 0930 Taioha...

Page 451: ...Command Function Mode Page snmp server Enables the SNMP agent GC 24 2 show snmp Displays the status of SNMP communications NE PE 24 2 snmp server community Sets up the community access string to permit access to SNMP commands GC 24 3 snmp server contact Sets the system contact string GC 24 4 snmp server location Sets the system location string GC 24 4 snmp server host Specifies the recipient of an...

Page 452: ...onfiguration Example show snmp This command can be used to check the status of SNMP communications Default Setting None Command Mode Normal Exec Privileged Exec Command Usage This command provides information on the community access strings counter information for SNMP input and output protocol data units and whether or not SNMP logging has been enabled with the snmp server enable traps command Co...

Page 453: ...nt stations are able to both retrieve and modify MIB objects Default Setting public Read only access Authorized management stations are only able to retrieve MIB objects Console show snmp SNMP Agent enabled SNMP traps Authentication enable Link up down enable SNMP communities 1 private and the privilege is read write 2 public and the privilege is read only 0 SNMP packets input 0 Bad SNMP version e...

Page 454: ...that describes the system contact information Maximum length 255 characters Default Setting None Command Mode Global Configuration Example Related Commands snmp server location 24 4 snmp server location This command sets the system location string Use the no form to remove the location string Syntax snmp server location text no snmp server location text String that describes the system location Ma...

Page 455: ...255 Default 3 seconds The number of seconds to wait for an acknowledgment before resending an inform message Range 0 2147483647 centiseconds Default 1500 centiseconds community string Password like community string sent with the notification operation to SNMP V1 and V2c hosts Although you can set this string using the snmp server host command by itself we recommend that you define this string usin...

Page 456: ...ensure that critical information is received by the host However note that informs consume more system resources because they must be kept in memory until a response is received Informs also add to network traffic You should consider these effects when deciding whether to issue notifications as traps or informs To send an inform to a SNMPv2c host complete these steps 1 Enable the SNMP agent page 2...

Page 457: ...authentication Keyword to issue authentication failure notifications link up down Keyword to issue link up or link down notifications Default Setting Issue authentication and link up down traps Command Mode Global Configuration Command Usage If you do not enter an snmp server enable traps command no notifications controlled by this command are sent In order to configure this device to send SNMP no...

Page 458: ...MP engine is an independent SNMP agent that resides either on this switch or on a remote device This engine protects against message replay delay and redirection The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets A remote engine ID is required when using SNMPv3 informs See snmp server host on page 24 5 The re...

Page 459: ... server engine id local 12345 Console config snmp server engineID remote 54321 192 168 1 19 Console config Console show snmp engine id Local SNMP engineID 800000ca030000e31110100000 Local SNMP engineBoots 1 Remote SNMP engineID IP address 800000ca030000e31110100000 192 168 1 19 Console Table 24 2 show snmp engine id display description Field Description Local SNMP engineID String identifying the e...

Page 460: ...s access to the entire MIB tree Command Mode Global Configuration Command Usage Views are used in the snmp server group command to restrict user access to specified portions of the MIB tree The predefined view defaultview includes access to the entire MIB tree Examples This view includes MIB 2 This view includes the MIB 2 interfaces table ifDescr The wild card is used to select all the index value...

Page 461: ...imple Network Management Protocol on page 5 1 for further information about these authentication and encryption options readview Defines the view for read access 1 32 characters writeview Defines the view for write access 1 32 characters notifyview Defines the view for notifications 1 32 characters Console show snmp view View Name mib 2 Subtree OID 1 2 2 3 6 2 1 View Type included Storage Type per...

Page 462: ...tification Messages on page 5 14 Also note that the authentication link up and link down messages are legacy traps and must therefore be enabled in conjunction with the snmp server enable traps command page 24 7 Example show snmp group Four default groups are provided SNMPv1 read only access and read write access and SNMPv2c read only access and read write access Command Mode Privileged Exec Examp...

Page 463: ...Status active Group Name private Security Model v2c Read View defaultview Write View defaultview Notify View none Storage Type volatile Row Status active Console Table 24 4 show snmp group display description Field Description groupname Name of an SNMP group security model The SNMP version readview The associated read view writeview The associated write view notifyview The associated notify view s...

Page 464: ... of eight characters is required priv des56 Uses SNMPv3 with privacy with DES56 encryption priv password Privacy password Enter as plain text if the encrypted option is not used Otherwise enter an encrypted password Default Setting None Command Mode Global Configuration Command Usage The SNMP engine ID is used to compute the authentication privacy digests from the password You should therefore con...

Page 465: ...Name steve Authentication Protocol md5 Privacy Protocol des56 Storage Type nonvolatile Row Status active SNMP remote user EngineId 80000000030004e2b316c54321 User Name mark Authentication Protocol mdt Privacy Protocol des56 Storage Type nonvolatile Row Status active Console Table 24 5 show snmp user display description Field Description EngineId String identifying the engine ID User Name Name of u...

Page 466: ...SNMP Commands 24 16 24 ...

Page 467: ...asswords for management access 25 1 Authentication Sequence Defines logon authentication method and precedence 25 4 RADIUS Client Configures settings for authentication via a RADIUS server 25 6 TACACS Client Configures settings for authentication via a TACACS server 25 9 Web Server Settings Enables management access via a web browser 25 11 Telnet Server Settings Enables management access via Telne...

Page 468: ...ed password password password The authentication password for the user Maximum length 8 characters plain text 32 encrypted case sensitive Default Setting The default access level is Normal Exec The factory defaults for the user names and passwords are Command Mode Global Configuration Command Usage The encrypted password is required for compatibility with legacy password settings i e plain text or...

Page 469: ... 8 characters plain text 32 encrypted case sensitive Default Setting The default is level 15 The default password is super Command Mode Global Configuration Command Usage You cannot set a null password You will have to enter a password to change the command mode from Normal Exec to Privileged Exec with the enable command page 22 1 The encrypted password is required for compatibility with legacy pa...

Page 470: ...the password in the access request packet from the client to the server while TACACS encrypts the entire body of the packet RADIUS and TACACS logon authentication assigns a specific privilege level for each user name and password pair The user name password and privilege level must be configured on the authentication server You can specify three authentication methods in a single command to indica...

Page 471: ...pts only the password in the access request packet from the client to the server while TACACS encrypts the entire body of the packet RADIUS and TACACS logon authentication assigns a specific privilege level for each user name and password pair The user name password and privilege level must be configured on the authentication server You can specify three authentication methods in a single command ...

Page 472: ...or the retransmit period expires host_ip_address IP address of server auth_port RADIUS server UDP port used for authentication messages Range 1 65535 key Encryption key used to authenticate logon access for client Do not use blank spaces in the string Maximum length 48 characters retransmit Number of times the switch will try to authenticate logon access via the RADIUS server Range 1 30 timeout Nu...

Page 473: ...key This command sets the RADIUS encryption key Use the no form to restore the default Syntax radius server key key_string no radius server key key_string Encryption key used to authenticate logon access for client Do not use blank spaces in the string Maximum length 48 characters Default Setting None Command Mode Global Configuration Example Console config radius server 1 host 192 168 1 20 port 1...

Page 474: ...This command sets the interval between transmitting authentication requests to the RADIUS server Use the no form to restore the default Syntax radius server timeout number_of_seconds no radius server timeout number_of_seconds Number of seconds the switch waits for a reply before resending a request Range 1 65535 Default Setting 5 Command Mode Global Configuration Example show radius server This co...

Page 475: ...host host_ip_address no tacacs server host host_ip_address IP address of a TACACS server Default Setting 10 11 12 13 Console show radius server Remote RADIUS server configuration Global settings Communication key with RADIUS server Server port number 1812 Retransmit times 2 Request timeout 5 Server 1 Server IP address 192 168 1 1 Communication key with RADIUS server Server port number 1812 Retrans...

Page 476: ...ode Global Configuration Example tacacs server key This command sets the TACACS encryption key Use the no form to restore the default Syntax tacacs server key key_string no tacacs server key key_string Encryption key used to authenticate logon access for the client Do not use blank spaces in the string Maximum length 48 characters Default Setting None Command Mode Global Configuration Example Cons...

Page 477: ...port number The TCP port to be used by the browser interface Range 1 65535 Default Setting 80 Command Mode Global Configuration Console show tacacs server Remote TACACS server configuration Server IP address 10 11 12 13 Communication key with TACACS server Server port number 49 Console Table 25 7 Web Server Commands Command Function Mode Page ip http port Specifies the port to be used by the web b...

Page 478: ...ol HTTPS over the Secure Socket Layer SSL providing secure access i e an encrypted connection to the switch s web interface Use the no form to disable this function Syntax no ip http secure server Default Setting Enabled Command Mode Global Configuration Command Usage Both HTTP and HTTPS service can be enabled independently on the switch However you cannot configure the HTTP and HTTPS servers to u...

Page 479: ...efer to the copy command on page 23 11 Example Related Commands ip http secure port 25 13 copy tftp https certificate 23 11 ip http secure port This command specifies the UDP port number used for HTTPS connection to the switch s web interface Use the no form to restore the default port Syntax ip http secure port port_number no ip http secure port port_number The UDP port used for HTTPS Range 1 655...

Page 480: ... form without the port keyword to disable this function Use the no from with the port keyword to use the default port Syntax ip telnet server port port number no telnet server port port The TCP port used by the Telnet interface port number The TCP port number to be used by the browser interface Range 1 65535 Default Setting Server Enabled Server Port 23 Command Mode Global Configuration Example Co...

Page 481: ... switch and enable the SSH server Table 25 10 Secure Shell Commands Command Function Mode Page ip ssh server Enables the SSH server on the switch GC 25 17 ip ssh timeout Specifies the authentication timeout for the SSH server GC 25 18 ip ssh authentication retries Specifies the number of retries allowed by a client GC 25 19 ip ssh server key size Sets the SSH server key size GC 25 19 copy tftp pub...

Page 482: ...s The current firmware only accepts public key files based on standard UNIX format as shown in the following example for an RSA key 1024 35 1341081685609893921040944920155425347631641921872958921143173880 05553616163105177594083868631109291232226828519254374603100937187721199 69631781366277414168985132049117204830339254324101637997592371449011938 006090253948408482717819437228840253311595213486102...

Page 483: ...lgorithm is supported by the switch it notifies the client to proceed with the authentication process Otherwise it rejects the request c The client sends a signature generated using the private key to the switch d When the server receives this message it checks whether the supplied key is acceptable for authentication and if so it then checks whether the signature is correct If both checks succeed...

Page 484: ...nge 1 120 Default Setting 10 seconds Command Mode Global Configuration Command Usage The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase Once an SSH session has been established the timeout for user input is controlled by the exec timeout command for vty sessions Example Related Commands exec timeout 23 20 show ip ssh 25 22 Consol...

Page 485: ...guration Example Related Commands show ip ssh 25 22 ip ssh server key size This command sets the SSH server key size Use the no form to restore the default setting Syntax ip ssh server key size key size no ip ssh server key size key size The size of server key Range 512 896 bits Default Setting 768 bits Command Mode Global Configuration Command Usage The server key is a private key that is never s...

Page 486: ...g Generates both the DSA and RSA key pairs Command Mode Privileged Exec Command Usage The switch uses only RSA Version 1 for SSHv1 5 clients and DSA Version 2 for SSHv2 clients This command stores the host key pair in memory i e RAM Use the ip ssh save host key command to save the host key pair to flash memory Some SSH client programs automatically add the public key to the known hosts file as par...

Page 487: ...ost key from volatile memory RAM Use the no ip ssh save host key command to clear the host key from flash memory The SSH server must be disabled before you can execute this command Example Related Commands ip ssh crypto host key generate 25 20 ip ssh save host key 25 21 no ip ssh server 25 17 ip ssh save host key This command saves the host key from RAM to flash memory Syntax ip ssh save host key ...

Page 488: ...le show ip ssh SSH Enabled version 2 0 Negotiation timeout 120 secs Authentication retries 3 Server key size 768 bits Console Console show ssh Connection Version State Username Encryption 0 2 0 Session Started admin ctos aes128 cbc hmac md5 stoc aes128 cbc hmac md5 Console Table 25 11 show ssh display description Field Description Session The session number Range 0 3 Version The Secure Shell versi...

Page 489: ...ed by SSH is based on the Digital Signature Standard DSS and the last string is the encoded modulus Encryption The encryption method is automatically negotiated between the client and server Options for SSHv1 5 include DES 3DES Options for SSHv2 0 can include different algorithms for the client to server ctos and server to client stoc aes128 cbc hmac sha1 aes192 cbc hmac sha1 aes256 cbc hmac sha1 ...

Page 490: ...096954050362775257556251003866130989393834523 1033280214988866192159556859887989191950588394018138744046890877916030583 7768185490002831341625008348718449522087429212255691665655296328163516964 0408315547660664151657116381 DSA ssh dss AAAB3NzaC1kc3MAAACBAPWKZTPbsRIB8ydEXcxM3dyV yrDbKStIlnzD Dg0h2Hxc YV44sXZ2JXhamLK6P8bvuiyacWbUW a4PAtp1KMSdqsKeh3hKoA3vRRSy1N2XFfAKxl5fwFfv JlPdOkFgzLGMinvSNYQwiQXbK...

Page 491: ...ge When port security is enabled with this command the switch first clears all dynamically learned entries from the address table It then starts learning new MAC addresses on the specified port and stops learning addresses when it reaches a configured maximum number Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted First use the port...

Page 492: ...all dot1x parameters to their default values GC 25 27 dot1x max req Sets the maximum number of times that the switch retransmits an EAP request identity packet to the client before it times out the authentication session IC 25 27 dot1x port control Sets dot1x mode for a port interface IC 25 28 dot1x operation mode Allows single or multiple hosts on an dot1x port IC 25 29 dot1x re authenticate Forc...

Page 493: ...nd Mode Global Configuration Example dot1x max req This command sets the maximum number of times the switch port will retransmit an EAP request identity packet to the client before it times out the authentication session Use the no form to restore the default Syntax dot1x max req count no dot1x max req count The maximum number of requests Range 1 10 Default 2 Command Mode Interface Configuration E...

Page 494: ...ame port Only one of these security mechanisms can be applied 802 1X port authentication cannot be configured on trunk ports In other words a static trunk or dynamically configured trunk cannot be set to auto or force unauthorized mode When 802 1X authentication is enabled on a port the MAC address learning function for this interface is disabled and the addresses dynamically learned on this port ...

Page 495: ... based auth Allows multiple hosts to connect to this port with each host needing to be authenticated Default Single host Command Mode Interface Configuration Command Usage The max count parameter specified by this command is only effective if the dot1x mode is set to auto by the dot1x port control command page 4 105 In multi host mode only one host connected to a port needs to pass authentication ...

Page 496: ...mple dot1x re authentication This command enables periodic re authentication for a specified port Use the no form to disable re authentication Syntax no dot1x re authentication Command Mode Interface Configuration Command Usage The re authentication process verifies the connected client s user ID and password on the RADIUS server During re authentication the client remains connected the network an...

Page 497: ...econds Range 1 65535 Default 60 seconds Command Mode Interface Configuration Example dot1x timeout re authperiod This command sets the time period after which a connected client must be re authenticated Syntax dot1x timeout re authperiod seconds no dot1x timeout re authperiod seconds The number of seconds Range 1 65535 Default 3600 seconds Command Mode Interface Configuration Example Console confi...

Page 498: ...ace statistics Displays dot1x status for each port interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 Command Mode Privileged Exec Command Usage This command displays the following information Global 802 1X Parameters Shows whether or not 802 1X port authentication is globally enabled on the switch 802 1X Port Summary Displays the port access control parameters f...

Page 499: ... single or multiple hosts clients can connect to an 802 1X authorized port Max Count The maximum number of hosts allowed to access this port page 25 29 Port control Shows the dot1x mode on a port as auto force authorized or force unauthorized page 25 28 Supplicant MAC address of authorized client Current Identifier The integer 0 255 used by the Authenticator to identify the current authentication ...

Page 500: ...e Host Auto yes 802 1X Port Details 802 1X is enabled on port 1 1 802 1X is enabled on port 26 Reauth enabled Enabled Reauth period 3600 Quiet period 60 TX period 30 Supplicant timeout 30 Server timeout 10 Reauth max 2 Max req 2 Status Authorized Operation Mode Multi Host Max count 5 Port control Auto Supplicant 00 e0 29 94 34 65 Current Identifier 3 Authenticator State Machine State Authenticated...

Page 501: ...anagement interface on the switch from an invalid address the switch will reject the connection enter an event message in the system log and send a trap message to the trap manager IP address can be configured for SNMP web and Telnet access respectively Each of these groups can include up to five different sets of addresses either individual addresses or address ranges When entering addresses for ...

Page 502: ...group snmp client Adds IP address es to the SNMP group telnet client Adds IP address es to the Telnet group Command Mode Privileged Exec Example Console config management all client 192 168 1 19 Console config management all client 192 168 1 25 192 168 1 30 Console Console show management all client Management Ip Filter HTTP Client Start IP address End IP address 1 192 168 1 19 192 168 1 19 2 192 ...

Page 503: ...tion Page IPv4 ACLs Configures ACLs based on IPv4 addresses TCP UDP port number protocol type and TCP control code 26 1 IPv6 ACLs Configures ACLs based on IPv6 addresses next header type and flow label 26 7 MAC ACLs Configures ACLs based on hardware addresses packet format and Ethernet type 26 12 ACL Information Displays ACLs and associated rules shows ACLs assigned to each port 26 16 Table 26 2 I...

Page 504: ... ACL use the permit or deny command to add new rules to the bottom of the list To create an ACL you must add at least one rule to the list To remove a rule use the no permit or no deny command followed by the exact text of a previously configured rule An ACL can contain up to 32 rules Example Related Commands permit deny 26 2 ip access group 26 6 show ip access list 26 5 permit deny Standard IPv4 ...

Page 505: ... sets a filter condition for packets with specific source or destination IP addresses protocol types source or destination protocol ports or TCP control codes Use the no form to remove a rule Syntax no permit deny protocol number udp any source address bitmask host source any destination address bitmask host destination precedence precedence tos tos dscp dscp source port sport bitmask destination ...

Page 506: ...inary mask uses 1 bits to indicate match and 0 bits to indicate ignore The bitmask is bitwise ANDed with the specified source IP address and then compared with the address for each IP packet entering the port s to which this ACL has been assigned You can specify both Precedence and ToS in the same rule However if DSCP is used then neither Precedence nor ToS can be specified The control code bitmas...

Page 507: ...ist This command displays the rules for configured IPv4 ACLs Syntax show ip access list standard extended acl_name standard Specifies a standard IP ACL extended Specifies an extended IP ACL acl_name Name of the ACL Maximum length 16 characters Command Mode Privileged Exec Example Related Commands permit deny 26 2 ip access group 26 6 Console config ext acl permit 10 7 1 1 255 255 255 0 any Console...

Page 508: ...sage A port can only be bound to one ACL If a port is already bound to an ACL and you bind it to a different ACL the switch will replace the old binding with the new one Example Related Commands show ip access list 26 5 show ip access group This command shows the ports assigned to IPv4 ACLs Command Mode Privileged Exec Example Related Commands ip access group 26 6 Console config int eth 1 2 Consol...

Page 509: ...l Configuration Command Usage When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list To create an ACL you must add at least one rule to the list To remove a rule use the no permit or no deny command followed by the exact text of a previously configured rule An ACL can contain up to 32 rules Table 26 3 IPv6...

Page 510: ...sed in the address to indicate the appropriate number of zeros required to fill the undefined fields prefix length A decimal value indicating how many contiguous bits from the left of the address comprise the prefix i e the network portion of the address host Keyword followed by a specific IP address Default Setting None Command Mode Standard IPv6 ACL Command Usage New rules are appended to the en...

Page 511: ... dscp DSCP priority level Range 0 63 flow label A label for packets belonging to a particular traffic flow for which the sender requests special handling by IPv6 routers such as non default quality of service or real time service see RFC 2460 Range 0 16777215 next header Identifies the type of header immediately following the IPv6 header Range 0 255 Default Setting None Command Mode Extended IPv6 ...

Page 512: ... supports the values defined for the IPv4 Protocol field in RFC 1700 including these commonly used headers 0 Hop by Hop Options RFC 2460 6 TCP Upper layer Header RFC 1700 17 UDP Upper layer Header RFC 1700 43 Routing RFC 2460 44 Fragment RFC 2460 51 Authentication RFC 2402 50 Encapsulating Security Payload RFC 2406 60 Destination Options RFC 2460 Example This example accepts any incoming packets i...

Page 513: ...ax no ipv6 access group acl_name in acl_name Name of the ACL Maximum length 16 characters in Indicates that this list applies to ingress packets Default Setting None Command Mode Interface Configuration Ethernet Command Usage A port can only be bound to one ACL If a port is already bound to an ACL and you bind it to a different ACL the switch will replace the old binding with the new one IPv6 ACLs...

Page 514: ...ss list and enters MAC ACL configuration mode Use the no form to remove the specified ACL Syntax no access list mac acl_name acl_name Name of the ACL Maximum length 16 characters Default Setting None Console show ip access group Interface ethernet 1 2 IPv6 standard access list david in Console Table 26 4 MAC ACL Commands Command Function Mode Page access list mac Creates a MAC ACL and enters confi...

Page 515: ...estination address i e physical layer address or Ethernet protocol type Use the no form to remove a rule Syntax no permit deny any host source source address bitmask any host destination destination address bitmask vid vid vid bitmask ethertype protocol protocol bitmask Note The default is for Ethernet II packets no permit deny tagged eth2 any host source source address bitmask any host destinatio...

Page 516: ...bitmask Range 1 4093 protocol A specific Ethernet protocol number Range 600 fff hex protocol bitmask27 Protocol bitmask Range 600 fff hex Default Setting None Command Mode MAC ACL Command Usage New rules are added to the end of the list The ethertype option can only be used to filter Ethernet II formatted packets A detailed listing of Ethernet protocol types can be found in RFC 1060 A few of the m...

Page 517: ...acl_name Name of the ACL Maximum length 16 characters in Indicates that this list applies to ingress packets Default Setting None Command Mode Interface Configuration Ethernet Command Usage A port can only be bound to one ACL If a port is already bound to an ACL and you bind it to a different ACL the switch will replace the old binding with the new one Example Related Commands show mac access list...

Page 518: ...ole Table 26 5 ACL Information Commands Command Function Mode Page show access list Show all IPv4 ACLs and associated rules PE 26 16 show access group Shows the IPv4 ACLs assigned to each port PE 26 17 Console show access list IP standard access list david permit host 10 1 1 21 permit 168 92 0 0 255 255 15 0 IP extended access list bob permit 10 7 1 1 255 255 255 0 any permit 192 168 1 0 255 255 2...

Page 519: ...26 show access group This command shows the port assignments of IPv4 ACLs Command Mode Privileged Executive Example Console show access group Interface ethernet 1 2 IP standard access list david MAC access list jerry Console ...

Page 520: ...Access Control List Commands 26 18 26 ...

Page 521: ...nterface configuration IC 27 2 speed duplex Configures the speed and duplex operation of a given interface when autonegotiation is disabled IC 27 3 negotiation Enables autonegotiation of a given interface IC 27 4 capabilities Advertises the capabilities of a given interface for use in autonegotiation IC 27 4 flowcontrol Enables flow control on a given interface IC 27 5 media type Force port type s...

Page 522: ... Range 1 64 characters Default Setting None Command Mode Interface Configuration Ethernet Port Channel Command Usage The description is displayed by the show interfaces status command page 27 9 and in the running configuration file An example of the value which a network manager might store in this object is the name of the manufacturer and the product name Example The following example adds a des...

Page 523: ...rnet Port Channel Command Usage The 1000BASE T and 10GBASE T standards do not support forced mode Auto negotiation should always be used to establish a connection over any 1000BASE T or 10GBASE T port or trunk If not used the success of the link process cannot be guaranteed when connecting to other types of switches To force operation to the speed and duplex mode specified in a speed duplex comman...

Page 524: ...ntrol commands If autonegotiation is disabled auto MDI MDI X pin signal configuration will also be disabled for the RJ 45 ports Example The following example configures port 11 to use autonegotiation Related Commands capabilities 27 4 speed duplex 27 3 capabilities This command advertises the port capabilities of a given interface during autonegotiation Use the no form with parameters to remove an...

Page 525: ...e Auto negotiation should always be used to establish a connection over any 1000BASE T or 10GBASE T port or trunk When auto negotiation is enabled with the negotiation command the switch will negotiate the best settings for a link based on the capabilites command When auto negotiation is disabled you must manually specify the link attributes with the speed duplex and flowcontrol commands Example T...

Page 526: ...ol under auto negotiation flowcontrol must be included in the capabilities list for any port Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub Example The following example enables flow control on port 5 Related Commands negotiation 27 4 ...

Page 527: ...isions and then reenable it after the problem has been resolved You may also want to disable a port for security reasons Example The following example disables port 5 switchport broadcast packet rate This command configures broadcast storm control Use the no form to disable broadcast storm control Syntax switchport broadcast packet rate rate no switchport broadcast rate Threshold level as a rate i...

Page 528: ...ck unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 Default Setting None Command Mode Privileged Exec Command Usage Statistics are only initialized for a power reset This command sets the base value for displayed statistics to zero for the current management session However if you log out and back into the management interface the statistics displayed will show the ...

Page 529: ...y this command see Displaying Connection Status on page 8 1 Example Console show interfaces status ethernet 1 5 Information of Eth 1 5 Basic Information Port Type 1000T Mac Address 00 00 E3 11 10 15 Configuration Name Port Admin Up Speed duplex Auto Capabilities 10half 10full 100half 100full 1000full Broadcast Storm Enabled Broadcast Storm Limit 500 packets second Flow Control Disabled LACP Disabl...

Page 530: ... Discard Output 0 Error Input 0 Error Output 0 Unknown Protos Input 0 QLen Output 0 Extended iftable Stats Multi cast input 0 Multi cast output 3064 Broadcast input 262 Broadcast output 1 Ether like Stats Alignment Errors 0 FCS Errors 0 Single Collision Frames 0 Multiple Collision Frames 0 SQE Test Errors 0 Deferred Transmissions 0 Late Collisions 0 Excessive Collisions 0 Internal Mac Transmit Err...

Page 531: ...Disabled Ingress Rate Limit Disable 1000M bits per second Egress Rate Limit Disable 1000M bits per second VLAN Membership Mode Hybrid Ingress Rule Disabled Acceptable Frame Type All frames Native VLAN 1 Priority for Untagged Traffic 0 GVRP Status Disabled Allowed VLAN 1 u Forbidden VLAN 802 1Q tunnel Status Disable 802 1Q tunnel Mode NORMAL 802 1Q tunnel TPID 8100 Hex Console Table 27 2 show inter...

Page 532: ...enabled or disabled page 34 3 Allowed VLAN Shows the VLANs this interface has joined where u indicates untagged and t indicates tagged page 34 11 Forbidden VLAN Shows the VLANs this interface can not dynamically join via GVRP page 34 12 802 1Q tunnel Status Shows if 802 1Q tunnel is enabled on this interface page 34 15 802 1Q tunnel Mode Shows the tunnel mode as Normal 802 1Q Tunnel or 802 1Q Tunn...

Page 533: ...t be configured in an identical manner including communication mode i e speed and duplex mode VLAN assignments and CoS settings Any of the Gigabit ports on the front panel can be trunked together including ports of different media types All the ports in a trunk have to be treated as a whole when moved from to added or deleted from a VLAN via the specified port channel Table 28 1 Link Aggregation C...

Page 534: ... be set to the same value for a port to be allowed to join a channel group If a link goes down LACP port priority is used to select the backup link channel group This command adds a port to a trunk Use the no form to remove a port from a trunk Syntax channel group channel id no channel group channel id Trunk index Range 1 32 Default Setting The current port will be added to this trunk Command Mode...

Page 535: ...ACP enabled the additional ports will be placed in standby mode and will only be enabled if one of the active links fails Example The following shows LACP enabled on ports 10 12 Because LACP has also been enabled on the ports at the other end of the links the show interfaces status port channel 1 command shows that Trunk1 has been established Console config interface ethernet 1 10 Console config i...

Page 536: ...same system priority to join the same LAG System priority is combined with the switch s MAC address to form the LAG identifier This identifier is used to indicate a specific LAG during LACP negotiations with other systems Once the remote side of a link has been established LACP operational settings are already in use on that side Configuring LACP settings for the partner only applies to its admini...

Page 537: ...ACP system priority matches 2 the LACP port admin key matches and 3 the LACP port channel key matches if configured If the port channel admin key lacp admin key Port Channel is not set when a channel group is formed i e it has the null value of 0 this key is set to the same value as the port admin key lacp admin key Ethernet Interface used by the interfaces that joined the group Once the remote si...

Page 538: ...f the port channel admin key lacp admin key Port Channel is not set when a channel group is formed i e it has the null value of 0 this key is set to the same value as the port admin key lacp admin key Ethernet Interface used by the interfaces that joined the group Note that when the LAG is no longer used the port channel admin key is reset to 0 Example lacp port priority This command configures LA...

Page 539: ...y applies to its administrative state not its operational state and will only take effect the next time an aggregate link is established with the partner Example show lacp This command displays LACP information Syntax show lacp port channel counters internal neighbors sys id port channel Local identifier for a link aggregation group Range 1 32 counters Statistics for LACP protocol messages interna...

Page 540: ...Protocols group MAC Address but do not carry the Slow Protocols Ethernet Type LACPDUs Illegal Pkts Number of frames that carry the Slow Protocols Ethernet Type value but contain a badly formed PDU or an illegal value of Protocol Subtype Console show lacp 1 internal Port Channel 1 Oper Key 3 Admin Key 0 Eth 1 1 LACPDUs Internal 30 seconds LACP System Priority 32768 LACP Port Priority 32768 Admin Ke...

Page 541: ...formation transmitted Aggregation The system considers this link to be aggregatable i e a potential candidate for aggregation Long timeout Periodic transmission of LACPDUs uses a slow transmission rate LACP Activity Activity control value with regard to this link 0 Passive 1 Active Console show lacp 1 neighbors Port Channel 1 neighbors Eth 1 1 Partner Admin System ID 32768 1 3 6 1 4 1 202 20 76 Pa...

Page 542: ... 32768 00 30 F1 8F 2C A7 2 32768 00 30 F1 8F 2C A7 3 32768 00 30 F1 8F 2C A7 4 32768 00 30 F1 8F 2C A7 5 32768 00 30 F1 8F 2C A7 6 32768 00 30 F1 8F 2C A7 7 32768 00 30 F1 D4 73 A0 8 32768 00 30 F1 D4 73 A0 9 32768 00 30 F1 D4 73 A0 10 32768 00 30 F1 D4 73 A0 11 32768 00 30 F1 D4 73 A0 12 32768 00 30 F1 D4 73 A0 Table 28 5 show lacp sysid display description Field Description Channel group A link ...

Page 543: ...figuration Ethernet destination port Command Usage You can mirror traffic from any source port to a destination port for real time analysis You can then attach a logic analyzer or RMON probe to the destination port and study the traffic crossing the source port in a completely unobtrusive manner The destination port is set by specifying an Ethernet interface The mirror port and monitor port speeds...

Page 544: ... Mode Privileged Exec Command Usage This command displays the currently configured source port destination port and mirror mode i e RX TX RX TX Example The following shows mirroring configured from port 6 to port 11 Console config interface ethernet 1 11 Console config if port monitor ethernet 1 6 both Console config if Console config interface ethernet 1 11 Console config if port monitor ethernet...

Page 545: ...mit for a specific interface Use this command without specifying a rate to restore the default rate Use the no form to restore the default status of disabled Syntax rate limit input output rate no rate limit input output input Input rate output Output rate rate Maximum value in Kbps Range 1 10000 Mbps for Gigabit Ethernet ports Default Setting Gigabit Ethernet 1000 Mbps Command Mode Interface Conf...

Page 546: ...Rate Limit Commands 30 2 30 ...

Page 547: ...nge 1 26 50 port channel channel id Range 1 32 vlan id VLAN ID Range 1 4093 action delete on reset Assignment lasts until the switch is reset permanent Assignment is permanent Default Setting No static addresses are defined The default mode is permanent Command Mode Global Configuration Table 31 1 Address Table Commands Command Function Mode Page mac address table static Maps a static address to a...

Page 548: ... another interface the address will be ignored and will not be written to the address table A static address cannot be learned on another port until the address is removed with the no form of this command Example Related Commands ipv6 neighbor 41 26 clear mac address table dynamic This command removes any learned entries from the forwarding database and clears the transmit and receive counts for a...

Page 549: ...C addresses associated with each interface Note that the Type field may include the following types Learned Dynamic address entries Permanent Static entry Delete on reset Static entry to be deleted when system is reset The mask should be hexadecimal numbers representing an equivalent bit mask in the form xx xx xx xx xx xx that is applied to the specified MAC address Enter hexadecimal numbers where...

Page 550: ...00000 seconds 0 to disable aging Default Setting 300 seconds Command Mode Global Configuration Command Usage The aging time is used to age out dynamically learned forwarding information Example show mac address table aging time This command shows the aging time for entries in the address table Default Setting None Command Mode Privileged Exec Example Console config mac address table aging time 100...

Page 551: ...ze after LLDP ports are disabled or the link goes down GC 32 5 lldp tx delay Configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables GC 32 5 lldp admin status Enables LLDP transmit receive or transmit and receive mode on the specified port IC 32 6 lldp notification Enables the transmission of SNMP trap notifications about LLDP chan...

Page 552: ...hysical layer specifications IC 32 12 lldp dot3 tlv max frame Configures an LLDP enabled port to advertise its maximum frame size IC 32 13 lldp dot3 tlv poe Configures an LLDP enabled port to advertise its Power over Ethernet capabilities IC 32 13 show lldp config Shows LLDP configuration settings for all ports PE 32 14 show lldp info local device Shows LLDP global and interface specific configura...

Page 553: ...nd Usage The time to live tells the receiving LLDP agent how long to retain all information pertaining to the sending LLDP agent if it does not transmit updates in a timely manner Example lldp notification interval This command configures the allowed interval for sending SNMP notifications about LLDP MIB changes Use the no form to restore the default setting Syntax lldp notification interval secon...

Page 554: ...hange notification events missed due to throttling or transmission loss Example lldp refresh interval This command configures the periodic transmit interval for LLDP advertisements Use the no form to restore the default setting Syntax lldp refresh interval seconds no lldp refresh delay seconds Specifies the periodic interval at which LLDP advertisements are sent Range 5 32768 seconds Default Setti...

Page 555: ... port all information in the remote systems LLDP MIB associated with this port is deleted Example lldp tx delay This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables Use the no form to restore the default setting Syntax lldp tx delay seconds no lldp tx delay seconds Specifies the transmit delay Range 1 8192 seconds D...

Page 556: ...admin status rx only Only receive LLDP PDUs tx only Only transmit LLDP PDUs tx rx Both transmit and receive LLDP Protocol Data Units PDUs Default Setting tx rx Command Mode Interface Configuration Ethernet Port Channel Example lldp notification This command enables the transmission of SNMP trap notifications about LLDP changes Use the no form to disable LLDP notifications Syntax no lldp notificati...

Page 557: ... to advertise the management address for this device Use the no form to disable this feature Syntax no lldp basic tlv management ip address Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command Usage The management address protocol packet includes the IPv4 address of the switch If no management address is available the address should be the MAC address for the ...

Page 558: ...face Configuration Ethernet Port Channel Command Usage The port description is taken from the ifDescr object in RFC 2863 which includes information about the manufacturer the product name and the version of the interface hardware software Example lldp basic tlv system capabilities This command configures an LLDP enabled port to advertise its system capabilities Use the no form to disable this feat...

Page 559: ...ernet Port Channel Command Usage The system description is taken from the sysDescr object in RFC 3418 which includes the full name and version identification of the system s hardware type software operating system and networking software Example lldp basic tlv system name This command configures an LLDP enabled port to advertise the system name Use the no form to disable this feature Syntax no lld...

Page 560: ...mmand Mode Interface Configuration Ethernet Port Channel Command Usage This option advertises the protocols that are accessible through this interface Example lldp dot1 tlv proto vid This command configures an LLDP enabled port to advertise port related VLAN information Use the no form to disable this feature Syntax no lldp dot1 tlv proto vid Default Setting Enabled Command Mode Interface Configur...

Page 561: ...ation Ethernet Port Channel Command Usage The port s default VLAN identifier PVID indicates the VLAN with which untagged or priority tagged frames are associated see switchport native vlan on page 34 10 Example lldp dot1 tlv vlan name This command configures an LLDP enabled port to advertise its VLAN name Use the no form to disable this feature Syntax no lldp dot1 tlv vlan name Default Setting Ena...

Page 562: ...net Port Channel Command Usage This option advertises link aggregation capabilities aggregation status of the link and the 802 3 aggregated port identifier if this interface is currently a link aggregation member Example lldp dot3 tlv mac phy This command configures an LLDP enabled port to advertise its MAC and physical layer capabilities Use the no form to disable this feature Syntax no lldp dot3...

Page 563: ... Interface Configuration Ethernet Port Channel Command Usage Refer to Frame Size Commands on page 23 9 for information on configuring the maximum frame size for this switch Example lldp dot3 tlv poe This command configures an LLDP enabled port to advertise its Power over Ethernet PoE capabilities Use the no form to disable this feature Syntax no lldp dot3 tlv poe Default Setting Enabled Command Mo...

Page 564: ...configuration summary interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 Command Mode Privileged Exec Example Console config interface ethernet 1 1 Console config if lldp dot3 tlv poe Console config if Console show lldp config LLDP Global Configuation LLDP Enable Yes LLDP Transmit interval 30 LLDP Hold Time Multiplier 4 LLDP Del...

Page 565: ...ange 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 Command Mode Privileged Exec Console show lldp config detail ethernet 1 1 LLDP Port Configuration Detail Port Eth 1 1 Admin Status Tx Rx Notification Enabled True Basic TLVs Advertised port description system name system description system capabilities management ip address 802 1 specific TLVs Advertised port vid vlan name ...

Page 566: ...ystem Name System Description 24 48 port 10 100 1000 Stackable Managed Switch with 2 X 10G uplinks System Capabilities Support Bridge Router System Capabilities Enable Bridge Router Management Address 192 168 0 2 IPv4 LLDP Port Information Interface PortID Type PortID PortDesc Eth 1 1 MAC Address 00 01 02 03 04 06 Ethernet Port on unit 1 port 1 Eth 1 2 MAC Address 00 01 02 03 04 07 Ethernet Port o...

Page 567: ... uplinks PortDescr Ethernet Port on unit 1 port 1 SystemCapSupported Bridge Router SystemCapEnabled Bridge Router Remote Management Address 192 168 0 5 IPv4 Remote Port VID 1 Remote Port Protocol VLAN VLAN 1 supported disabled Remote VLAN Name VLAN 1 DefaultVlan Remote Protocol Identity Hex 88 CC Remote MAC PHY configuration status Remote port auto neg supported Yes Remote port auto neg enabled Ye...

Page 568: ...ged Exec Example switch show lldp info statistics LLDP Device Statistics Neighbor Entries List Last Updated 2450279 seconds New Neighbor Entries Count 1 Neighbor Entries Deleted Count 0 Neighbor Entries Dropped Count 0 Neighbor Entries Ageout Count 0 Port NumFramesRecvd NumFramesSent NumFramesDiscarded 1 0 20 0 2 13 13 0 3 2 2 0 4 0 0 0 5 0 0 0 switch show lldp info statistics detail ethernet 1 1 ...

Page 569: ...uration mode GC 33 7 mst vlan Adds VLANs to a spanning tree instance MST 33 8 mst priority Configures the priority of a spanning tree instance MST 33 9 name Configures the name for the multiple spanning tree MST 33 9 revision Configures the revision number for the multiple spanning tree MST 33 10 max hops Configures the maximum number of hops allowed in the region before a BPDU is discarded MST 33...

Page 570: ...which automatically take over when a primary link goes down Example This example shows how to enable the Spanning Tree Algorithm for the switch spanning tree mode This command selects the spanning tree mode for this switch Use the no form to restore the default Syntax spanning tree mode stp rstp mstp no spanning tree mode stp Spanning Tree Protocol IEEE 802 1D rstp Rapid Spanning Tree Protocol IEE...

Page 571: ...ration delay timer expires the switch assumes it is connected to an 802 1D bridge and starts using only 802 1D BPDUs RSTP Mode If RSTP is using 802 1D BPDUs on a port and receives an RSTP BPDU after the migration delay expires RSTP restarts the migration delay timer and begins using RSTP BPDUs on that port Multiple Spanning Tree Protocol To allow multiple spanning trees to operate over the network...

Page 572: ...ce must receive information about topology changes before it starts to forward frames In addition each port needs time to listen for conflicting information that would make it return to the discarding state otherwise temporary data loops might result Example spanning tree hello time This command configures the spanning tree bridge hello time globally for this switch Use the no form to restore the ...

Page 573: ...nd Mode Global Configuration Command Usage This command sets the maximum time in seconds a device can wait without receiving a configuration message before attempting to reconfigure All device ports except for designated ports should receive configuration messages at regular intervals Any port that ages out STA information provided in the last configuration message becomes the designated port for ...

Page 574: ...e lower numeric value becomes the STA root device However if all devices have the same priority the device with the lowest MAC address will then become the root device Example spanning tree pathcost method This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree Use the no form to restore the default Syntax spanning tree pathcost method long short no spa...

Page 575: ...lt Syntax spanning tree transmission limit count no spanning tree transmission limit count The transmission limit in seconds Range 1 10 Default Setting 3 Command Mode Global Configuration Command Usage This command limits the maximum transmission rate for BPDUs Example spanning tree mst configuration This command changes to Multiple Spanning Tree MST configuration mode Default Setting No VLANs are...

Page 576: ... multiple pathways across the network thereby balancing the traffic load preventing wide scale disruption when a bridge node in a single instance fails and allowing for faster convergence of a new topology for the failed instance By default all VLANs are assigned to the Internal Spanning Tree MSTI 0 that connects all bridges and LANs within the MST region This switch supports up to 58 instances Yo...

Page 577: ...g the root bridge and alternate bridge of the specified instance The device with the highest priority i e lowest numerical value becomes the MSTI root device However if all devices have the same priority the device with the lowest MAC address will then become the root device You can set this switch to act as the MSTI root device by specifying a priority of 0 or as the MSTI alternate device by spec...

Page 578: ...spanning tree configuration of this switch Use the no form to restore the default Syntax revision number number Revision number of the spanning tree Range 0 65535 Default Setting 0 Command Mode MST Configuration Command Usage The MST region name page 33 9 and revision number are used to designate a unique MST region A bridge i e spanning tree compliant device such as this switch can only belong to...

Page 579: ...instances use a hop count to specify the maximum number of bridges that will propagate a BPDU Each bridge decrements the hop count by one before passing on the BPDU When the hop count reaches zero the message is dropped Example spanning tree spanning disabled This command disables the spanning tree algorithm for the specified interface Use the no form to reenable the spanning tree algorithm for th...

Page 580: ...eds 65 535 the default is set to 65 535 Command Mode Interface Configuration Ethernet Port Channel Command Usage This command is used by the Spanning Tree Algorithm to determine the best path between devices Therefore lower values should be assigned to ports attached to faster media and higher values assigned to ports with slower media Path cost takes precedence over port priority When the spannin...

Page 581: ...rts on a switch are the same the port with the highest priority that is lowest value will be configured as an active link in the spanning tree Where more than one port is assigned the highest priority the port with lowest numeric identifier will be enabled Example Related Commands spanning tree cost 33 12 spanning tree edge port This command specifies an interface as an edge port Use the no form t...

Page 582: ...mple Related Commands spanning tree portfast 33 14 spanning tree portfast This command sets an interface to fast forwarding Use the no form to disable fast forwarding Syntax no spanning tree portfast Default Setting Disabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This command is used to enable disable the fast spanning tree mode for the selected port In this mode ...

Page 583: ...uto Command Mode Interface Configuration Ethernet Port Channel Command Usage Specify a point to point link if the interface can only be connected to exactly one other bridge or a shared link if it can be connected to two or more bridges When automatic detection is selected the switch derives the link type from the duplex mode A full duplex interface is considered a point to point link while a half...

Page 584: ...n mode When the short path cost method is selected and the default path cost recommended by the IEEE 8021D 2004 standard exceeds 65 535 the default is set to 65 535 The default path costs are listed in Table 33 3 on page 33 12 Command Mode Interface Configuration Ethernet Port Channel Command Usage Each spanning tree instance is associated with a unique set of VLAN IDs This command is used by the ...

Page 585: ...an interface in the multiple spanning tree If the path cost for all interfaces on a switch are the same the interface with the highest priority that is lowest value will be configured as an active link in the spanning tree Where more than one interface is assigned the highest priority the interface with lowest numeric identifier will be enabled Example Related Commands spanning tree mst cost 33 16...

Page 586: ...ange 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 instance_id Instance identifier of the multiple spanning tree Range 0 4094 no leading zeroes Default Setting None Command Mode Privileged Exec Command Usage Use the show spanning tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree CST and for every interface...

Page 587: ...gnated Root 32768 0000E3111010 Current Root Port 2 Current Root Cost 10000 Number of Topology Changes 2 Last Topology Change Time sec 4100 Transmission Limit 3 Path Cost Method Long Eth 1 1 information Admin Status Enabled Role root State forwarding External Admin Path Cost 0 Internal Admin Path Cost 0 External Oper Path Cost 10000 Internal Oper Path Cost 10000 Priority 128 Designated Cost 0 Desig...

Page 588: ...ration This command shows the configuration of the multiple spanning tree Command Mode Privileged Exec Example Console show spanning tree mst configuration Mstp Configuration Information Configuration Name R D Revision level 0 Instance VLANs 0 1 3 4093 1 2 Console ...

Page 589: ...N Groups Sets up VLAN groups including name VID and state 34 5 Configuring VLAN Interfaces Configures VLAN interface parameters including ingress and egress tagging mode ingress filtering PVID and GVRP 34 7 Displaying VLAN Information Displays VLAN groups status port members and MAC addresses 34 12 Configuring 802 1Q Tunneling Configures 802 1Q Tunneling QinQ Tunneling 34 14 Configuring Private VL...

Page 590: ... switch Example show bridge ext This command shows the configuration for bridge extension commands Default Setting None Command Mode Privileged Exec Command Usage See Displaying Basic VLAN Information on page 11 4 and Displaying Bridge Extension Capabilities on page 4 4 for a description of the displayed items Example Console config bridge ext gvrp Console config Console show bridge ext Max suppor...

Page 591: ...hows if GVRP is enabled Syntax show gvrp configuration interface interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 Default Setting Shows both global and interface specific configuration Command Mode Normal Exec Privileged Exec Example Console config interface ethernet 1 1 Console config if switchport gvrp Console config if Cons...

Page 592: ... Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN The default values for the GARP timers are independent of the media access method or data rate These values should not be changed unless you are experiencing difficulties with GMRP or GVRP registration deregistration Timer values are applied to GVRP for all the ports...

Page 593: ...arp timer 34 4 Editing VLAN Groups vlan database This command enters VLAN database mode All commands in this mode will take effect immediately Default Setting None Command Mode Global Configuration Console show garp timer ethernet 1 1 Eth 1 1 GARP timer status Join timer 20 centiseconds Leave timer 60 centiseconds Leaveall timer 1000 centiseconds Console Table 34 3 Commands for Editing VLAN Groups...

Page 594: ...delete a VLAN Syntax vlan vlan id name vlan name media ethernet state active suspend no vlan vlan id name state vlan id ID of configured VLAN Range 1 4093 no leading zeroes name Keyword to be followed by the VLAN name vlan name ASCII string from 1 to 32 characters media ethernet Ethernet media type state Keyword to be followed by the VLAN state active VLAN is operational suspend VLAN is suspended ...

Page 595: ...vlan Table 34 4 Commands for Configuring VLAN Interfaces Command Function Mode Page interface vlan Enters interface configuration mode for a specified VLAN IC 34 7 switchport mode Configures VLAN membership mode for an interface IC 34 8 switchport acceptable frame types Configures frame types to be accepted by an interface IC 34 9 switchport ingress filtering Enables ingress filtering on an interf...

Page 596: ... link between two switches so the port transmits tagged frames that identify the source VLAN Note that frames belonging to the port s default VLAN i e associated with the PVID are also transmitted as tagged frames Default Setting All ports are in hybrid mode with the PVID set to VLAN 1 Command Mode Interface Configuration Ethernet Port Channel Example The following shows how to set the configurati...

Page 597: ...en set to receive all frame types any received frames that are untagged are assigned to the default VLAN Example The following example shows how to restrict the traffic received on port 1 to tagged frames Related Commands switchport mode 34 8 switchport ingress filtering This command enables ingress filtering for an interface Use the no form to restore the default Syntax no switchport ingress filt...

Page 598: ...efault Syntax switchport native vlan vlan id no switchport native vlan vlan id Default VLAN ID for a port Range 1 4093 no leading zeroes Default Setting VLAN 1 Command Mode Interface Configuration Ethernet Port Channel Command Usage If an interface is not a member of VLAN 1 and you assign its PVID to this VLAN the interface will automatically be added to VLAN 1 as an untagged member For all other ...

Page 599: ...unk has switchport mode set to trunk i e 1Q Trunk then you can only assign an interface to VLAN groups as a tagged member Frames are always tagged within the switch The tagged untagged parameter used when adding a VLAN to an interface tells the switch whether to keep or remove the tag from a frame on egress If none of the intermediate network devices nor the host at the other end of the connection...

Page 600: ...mand prevents a VLAN from being automatically added to the specified interface via GVRP If a VLAN has been added to the set of allowed VLANs for an interface then you cannot add it to the set of forbidden VLANs for that same interface Example The following example shows how to prevent port 1 from being added to VLAN 3 Displaying VLAN Information This section describes commands used to display VLAN...

Page 601: ... characters Default Setting Shows all VLANs Command Mode Normal Exec Privileged Exec Example The following example shows how to display information for VLAN 1 Console show vlan id 1 VLAN ID 1 Type Static Name DefaultVlan Status Active Ports Port Channels Eth1 1 S Eth1 2 S Eth1 3 S Eth1 4 S Eth1 5 S Eth1 6 S Eth1 7 S Eth1 8 S Eth1 9 S Eth1 10 S Eth1 11 S Eth1 12 S Eth1 13 S Eth1 14 S Eth1 15 S Eth1...

Page 602: ...p is required if the attached client is using a nonstandard 2 byte ethertype to identify 802 1Q tagged frames The standard ethertype value is 0x8100 See switchport dot1q tunnel tpid page 34 16 5 Configure the QinQ tunnel access port to join the SPVLAN as an untagged member switchport allowed vlan page 34 11 6 Configure the SPVLAN ID as the native VID on the QinQ tunnel access port switchport nativ...

Page 603: ...d sets the switch to operate in QinQ mode Use the no form to disable QinQ operating mode Syntax no dot1q tunnel system tunnel control Default Setting Disabled Command Mode Global Configuration Command Usage QinQ tunnel mode must be enabled on the switch for QinQ interface settings to be functional Example Related Commands show dot1q tunnel 34 17 show interfaces switchport 27 11 switchport dot1q tu...

Page 604: ...ot1q tunnel 34 17 show interfaces switchport 27 11 switchport dot1q tunnel tpid This command sets the Tag Protocol Identifier TPID value of a tunnel port Use the no form to restore the default setting Syntax switchport dot1q tunnel tpid tpid no switchport dot1q tunnel tpid tpid Sets the ethertype value for 802 1Q encapsulation This identifier is used to select a nonstandard 2 byte ethertype to ide...

Page 605: ... ports Command Mode Privileged Exec Example Related Commands switchport dot1q tunnel mode 34 15 Console config interface ethernet 1 1 Console config if switchport dot1q tunnel tpid 9100 Console config if Console config dot1q tunnel system tunnel control Console config interface ethernet 1 1 Console config if switchport dot1q tunnel mode access Console config if interface ethernet 1 2 Console confi...

Page 606: ...he downlink ports can only be forwarded to and from the uplink port Data cannot pass between downlink ports in the same private VLAN nor to ports which do not belong to a private VLAN Any port can be defined as an uplink port or downlink port but cannot configured to serve both roles Private VLANs and normal VLANs can exist simultaneously within the same switch Traffic may pass freely between upli...

Page 607: ...show pvlan This command displays the configured private VLAN Command Mode Privileged Exec Example Console config pvlan Console config pvlan up link ethernet 1 12 down link ethernet 1 5 8 Console config Console show pvlan Private VLAN status Enabled Up link port Ethernet 1 12 Down link port Ethernet 1 5 Ethernet 1 6 Ethernet 1 7 Ethernet 1 8 Console ...

Page 608: ...the protocols you want to assign to a VLAN using the protocol vlan protocol group command General Configuration mode 3 Then map the protocol for each interface to the appropriate VLAN using the protocol vlan protocol group command Interface Configuration mode protocol vlan protocol group Configuring Groups This command creates a protocol group or to add specific protocols to a group Use the no for...

Page 609: ...147483647 vlan id VLAN to which matching protocol traffic is forwarded Range 1 4093 Default Setting No protocol groups are mapped for any interface Command Mode Interface Configuration Ethernet Port Channel Command Usage When creating a protocol based VLAN only assign interfaces via this command If you assign interfaces using any of the other VLAN commands such as vlan on page 34 6 these interface...

Page 610: ...All protocol groups are displayed Command Mode Privileged Exec Example This shows protocol group 1 configured for IP over Ethernet show interfaces protocol vlan protocol group This command shows the mapping from protocol groups to VLANs for the selected interfaces Syntax show interfaces protocol vlan protocol group interface interface ethernet unit port unit Stack unit Range 1 8 port Port number R...

Page 611: ...ode Privileged Exec Example This shows that traffic entering Port 1 that matches the specifications for protocol group 1 will be mapped to VLAN 2 Console show interfaces protocol vlan protocol group Port ProtocolGroup ID Vlan ID Eth 1 1 1 vlan2 Console ...

Page 612: ...VLAN Commands 34 24 34 ...

Page 613: ...untagged frames sets queue weights and maps class of service tags to hardware queues 35 1 Priority Layer 3 and 4 Sets the default priority processing method CoS IP Precedence or DSCP and maps TCP ports IP precedence tags or IP DSCP tags to class of service values 35 7 Table 35 2 Priority Commands Layer 2 Command Function Mode Page queue mode Sets the queue mode to strict priority or Weighted Round...

Page 614: ...ed Round Robin Command Mode Global Configuration Command Usage You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced or use Weighted Round Robin WRR queuing that specifies a relative weight of each queue WRR uses a predefined relative weight for each queue that determines th...

Page 615: ...This priority does not apply to IEEE 802 1Q VLAN tagged frames If the incoming frame is an IEEE 802 1Q VLAN tagged frame the IEEE 802 1p User Priority bits will be used This switch provides eight priority queues for each port It is configured to use strict priority queuing or Weighted Round Robin using the queue mode command see page 35 2 Inbound frames that do not have VLAN tags are tagged with t...

Page 616: ...ted to each queue by calculating a precise number of bytes per second that will be serviced on each round The granularity used to calculate this number is based on a unit of 2k bytes The bytes serviced per second per queue in each round is queue weight granularity Example This example shows how to assign WRR weights to each of the priority queues Related Commands show queue bandwidth 35 6 queue co...

Page 617: ...alues assigned at the ingress port are also used at the egress port This command sets the CoS priority for all interfaces Example The following example shows how to change the CoS assignments to a one to one mapping Related Commands show queue cos map 35 6 show queue mode This command shows the current queue mode Command Mode Privileged Exec Example Table 35 3 Default CoS Priority Levels Priority ...

Page 618: ...ort number Range 1 26 50 port channel channel id Range 1 32 Command Mode Privileged Exec Example show queue cos map This command shows the class of service priority map Syntax show queue cos map interface interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 Command Mode Privileged Exec Console show queue bandwidth Information of E...

Page 619: ... mapping globally Console show queue cos map ethernet 1 1 Information of Eth 1 1 CoS Value 0 1 2 3 4 5 6 7 Priority Queue 2 0 1 3 4 5 6 7 Console Table 35 4 Priority Commands Layer 3 and 4 Command Function Mode Page map ip port Enables TCP UDP class of service mapping GC 35 7 map ip port Maps TCP UDP socket to a class of service IC 35 8 map ip precedence Enables IP precedence class of service mapp...

Page 620: ...can be specified for IP Port priority mapping This command sets the IP port priority for all interfaces Example The following example shows how to map HTTP traffic to CoS value 0 map ip precedence Global Configuration This command enables IP precedence mapping i e IP Type of Service Use the no form to disable IP precedence mapping Syntax no map ip precedence Default Setting Disabled Command Mode G...

Page 621: ...tion Ethernet Port Channel Command Usage The precedence for priority mapping is IP Port IP Precedence or IP DSCP and default switchport priority IP Precedence values are mapped to default Class of Service values on a one to one basis according to recommendations in the IEEE 802 1p standard and then subsequently mapped to the eight hardware priority queues This command sets the IP Precedence for al...

Page 622: ...lt switchport priority IP Precedence and IP DSCP cannot both be enabled Enabling one of these priority types will automatically disable the other type Example The following example shows how to enable IP DSCP mapping globally map ip dscp Interface Configuration This command sets IP DSCP priority i e Differentiated Services Code Point priority Use the no form to restore the default table Syntax map...

Page 623: ...EEE 802 1p standard and then subsequently mapped to the eight hardware priority queues This command sets the IP DSCP priority for all interfaces Example The following example shows how to map IP DSCP value 1 to CoS value 0 show map ip port This command shows the IP port priority map Syntax show map ip port interface interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26...

Page 624: ...ace ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 Command Mode Privileged Exec Example Related Commands map ip precedence Global Configuration 35 8 map ip precedence Interface Configuration 35 9 Console show map ip port TCP port mapping status disabled Port Port no COS Eth 1 5 80 0 Console Console show map ip precedence ethernet 1 5 ...

Page 625: ...nge 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 Command Mode Privileged Exec Example Related Commands map ip dscp Global Configuration 35 10 map ip dscp Interface Configuration 35 10 Console show map ip dscp ethernet 1 1 DSCP mapping status disabled Port DSCP COS Eth 1 1 0 0 Eth 1 1 1 0 Eth 1 1 2 0 Eth 1 1 3 0 Eth 1 1 61 0 Eth 1 1 62 0 Eth 1 1 63 0 Console ...

Page 626: ...Class of Service Commands 35 14 35 ...

Page 627: ...lass and use the policer command to monitor the average flow and burst rate and drop Table 36 1 Quality of Service Commands Command Function Mode Page class map Creates a class map for a type of traffic GC 36 2 match Defines the criteria used to classify traffic CM 36 3 rename Redefines the name of a class map CM 36 4 description Specifies the description of a class map CM 36 4 policy map Creates ...

Page 628: ...ap class map name Name of the class map Range 1 16 characters Default Setting None Command Mode Global Configuration Command Usage First enter this command to designate a class map and enter the Class Map configuration mode Then use the match command page 36 3 to specify the criteria for ingress traffic that will be classified under this class map Up to 16 match commands are permitted per class ma...

Page 629: ... within ingress packets that must match to qualify for this class map If an ingress packet matches an ACL specified by this command any deny rules included in the ACL will be ignored If match criteria includes an IP ACL or IP priority rule then a VLAN rule cannot be included in the same class map If match criteria includes a MAC ACL or VLAN rule then neither an IP ACL nor IP priority rule can be i...

Page 630: ...tion This command specifies the description of a class map or policy map Syntax description string string Description of the class map or policy map Range 1 64 characters Command Mode Class Map Configuration Policy Map Configuration Example Console config class map rd_class 3 match any Console config cmap match vlan 1 Console config cmap Console config class map rd class 1 Console config cmap rena...

Page 631: ...e assigning it to a Policy Map Example This example creates a policy called rd_policy uses the class command to specify the previously defined rd_class uses the set command to classify the service that incoming packets will receive and then uses the police command to limit the average bandwidth to 100 000 Kbps the burst rate to 1522 bytes and configure the response to drop any violating packets cl...

Page 632: ... the service that incoming packets will receive and then uses the police command to limit the average bandwidth to 100 000 Kbps the burst rate to 1522 bytes and configure the response to drop any violating packets set This command services IP traffic by setting a CoS DSCP or IP Precedence value in a matching packet as specified by the match command on page 36 3 Use the no form to remove the traffi...

Page 633: ...88 bytes drop Drop packet when specified rate or burst are exceeded set Set DSCP service to the specified value Range 0 63 Default Setting Drop out of profile packets Command Mode Policy Map Class Configuration Command Usage You can configure up to 64 policers i e meters or class maps for each of the following access list types MAC ACL IP ACL including Standard ACL and Extended ACL IPv6 Standard A...

Page 634: ...ut traffic policy map name Name of the policy map for this interface Range 1 16 characters Default Setting No policy map is attached to an interface Command Mode Interface Configuration Ethernet Port Channel Command Usage Only one policy map can be assigned to an interface First define a class map then define a policy map and finally use the service policy command to bind the policy map to the req...

Page 635: ...olicy maps which define classification criteria for incoming traffic and may include policers for bandwidth limitations Syntax show policy map policy map name class class map name policy map name Name of the policy map Range 1 16 characters class map name Name of the class map Range 1 16 characters Default Setting Displays all policy maps and all classes Command Mode Privileged Exec Console show c...

Page 636: ...ernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 Command Mode Privileged Exec Example Console show policy map Policy Map rd_policy class rd_class set ip dscp 3 Console show policy map rd_policy class rd_class Policy Map rd_policy class rd_class set ip dscp 3 Console Console show policy map interface ethernet 1 5 Service policy rd_policy in...

Page 637: ...st groups via IGMP snooping or static assignment sets the IGMP version displays current snooping and query settings and displays the multicast service and group members 37 1 IGMP Query Configures IGMP query parameters for multicast filtering at Layer 2 37 5 Static Multicast Interface Configures static multicast router ports which forward all inbound multicast traffic to the attached VLANs 37 9 Tab...

Page 638: ...one Command Mode Global Configuration Command Usage Static multicast entries are never aged out When a multicast entry is assigned to an interface in a specific VLAN the corresponding traffic can only be forwarded to ports within that VLAN Example The following shows how to statically configure a multicast group on a port ip igmp snooping version This command configures the IGMP snooping version U...

Page 639: ...e the default Syntax no ip igmp snooping immediate leave Default Setting Disabled Command Mode Interface Configuration VLAN Command Usage If immediate leave is not used a multicast router or querier will send a group specific query message when an IGMPv2 v3 group leave message is received The router querier stops forwarding traffic for that group only if no host replies to the query within the tim...

Page 640: ...ast address Syntax show mac address table multicast interface user igmp snooping user igmp snooping multicast address interface ethernet unit port unit Stack unit Range 1 8 port Port number Range 1 26 50 port channel channel id Range 1 32 vlan vlan id VLAN ID 1 4093 user Display only the user configured multicast entries igmp snooping Display only entries learned through IGMP snooping multicast ad...

Page 641: ...ntax no ip igmp snooping querier Default Setting Enabled Command Mode Global Configuration Console show mac address table multicast vlan 1 igmp snooping VLAN M cast IP addr Member ports Type 1 224 1 2 3 Eth1 11 IGMP Console Table 37 3 IGMP Query Commands Command Function Mode Page ip igmp snooping querier Allows this device to act as the querier for IGMP snooping GC 37 5 ip igmp snooping query cou...

Page 642: ...fault Setting 2 times Command Mode Global Configuration Command Usage The query count defines how long the querier waits for a response from a multicast client before taking action If a querier has sent a number of queries defined by this command but a client has not responded a countdown timer is started using the time defined by ip igmp snooping query max response time If the countdown finishes ...

Page 643: ...x ip igmp snooping query max response time seconds no ip igmp snooping query max response time seconds The report delay advertised in IGMP queries Range 5 25 Default Setting 10 seconds Command Mode Global Configuration Command Usage The switch must be using IGMPv2 for this command to take effect This command defines the time after a query during which a response is expected from a multicast client...

Page 644: ...r port expire time seconds The time the switch waits after the previous querier stops before it considers the router port i e the interface which had been receiving query packets to have expired Range 300 500 Default Setting 300 seconds Command Mode Global Configuration Command Usage The switch must use IGMPv2 for this command to take effect Example The following shows how to configure the default...

Page 645: ...ter ports are configured Command Mode Global Configuration Command Usage Depending on your network connections IGMP snooping may not always be able to locate the IGMP querier Therefore if the IGMP querier is a known multicast router switch connected over the network to an interface port or trunk on your router you can manually configure that interface to join all the current multicast groups Examp...

Page 646: ...mrouter vlan vlan id vlan id VLAN ID Range 1 4093 Default Setting Displays multicast router ports for all configured VLANs Command Mode Privileged Exec Command Usage Multicast router port types displayed include Static Example The following shows that port 11 in VLAN 1 is attached to a multicast router Console show ip igmp snooping mrouter vlan 1 VLAN M cast Router Ports Type 1 Eth 1 11 Static Con...

Page 647: ... Corresponding IP address address2 address8 Additional corresponding IP addresses Default Setting No static entries Command Mode Global Configuration Table 38 1 DNS Commands Command Function Mode Page ip host Creates a static host name to address mapping GC 38 1 clear host Deletes entries from the host name to address table PE 38 2 ip domain name Defines a default domain name for incomplete host n...

Page 648: ...rget device Example This example maps two address to a host name clear host This command deletes entries from the DNS table Syntax clear host name name Name of the host Range 1 127 characters Removes all entries Default Setting None Command Mode Privileged Exec Example This example clears all static entries from the DNS table Console config ip host rd5 192 168 1 55 10 1 0 55 Console config end Con...

Page 649: ...ip domain list 38 3 ip name server 38 4 ip domain lookup 38 5 ip domain list This command defines a list of domain names that can be appended to incomplete host names i e host names passed from a client that are not formatted with dotted notation Use the no form to remove a name from this list Syntax no ip domain list name name Name of the host Do not include the initial dot that separates the hos...

Page 650: ...r This command specifies the address of one or more domain name servers to use for name to address resolution Use the no form to remove a name server from this list Syntax no ip name server server address1 server address2 server address6 server address1 IP address of domain name server server address2 server address6 IP address of additional domain name servers Default Setting None Command Mode Gl...

Page 651: ...ntax no ip domain lookup Default Setting Disabled Command Mode Global Configuration Command Usage At least one name server must be specified before you can enable DNS If all name servers are deleted DNS will automatically be disabled Console config ip domain server 192 168 1 55 10 1 0 55 Console config end Console show dns Domain Lookup Status DNS disabled Default Domain Name sample com Domain Nam...

Page 652: ...e Privileged Exec Example Note that a host name will be displayed as an alias if it is mapped to the same address es as a previously configured entry Console config ip domain lookup Console config end Console show dns Domain Lookup Status DNS enabled Default Domain Name sample com Domain Name List sample com jp sample com uk Name Server List 192 168 1 55 10 1 0 55 Console show hosts Hostname rd5 I...

Page 653: ...8 199 239 136 200 1 4 Address a1116 x akamai net 19 61 213 189 120 2 4 Address a1116 x akamai net 19 61 213 189 104 3 4 CNAME graphics8 nytimes com 19 POINTER TO 2 4 4 CNAME graphics478 nytimes com edgesui 19 POINTER TO 2 Console Table 38 2 show dns cache display description Field Description NO The entry number for each resource record FLAG The flag is always 4 indicating a cache entry and theref...

Page 654: ...me Service Commands 38 8 38 clear dns cache This command clears all entries in the DNS cache Command Mode Privileged Exec Example Console clear dns cache Console show dns cache NO FLAG TYPE IP TTL DOMAIN Console ...

Page 655: ...HP client identifier for the current interface Use the no form to remove this identifier Syntax ip dhcp client identifier text text hex hex no ip dhcp client identifier text A text string Range 1 15 characters hex The hexadecimal value Default Setting None Command Mode Interface Configuration VLAN Table 39 1 DHCP Commands Command Group Function Page DHCP Client Allows interfaces to dynamically acq...

Page 656: ...OTP or DHCP mode via the ip address command DHCP requires the server to reassign the client s last address if available If the BOOTP or DHCP server has been moved to a different domain the network portion of the address provided to the client will be based on this new domain Example In the following example the device is reassigned the same address Related Commands ip address 41 3 Console config i...

Page 657: ...t it allocates a free IP address for the DHCP client from its defined scope for the DHCP client s subnet and sends a DHCP response back to the DHCP relay agent i e this switch This switch then broadcasts the DHCP response received from the server to the client Example In the following example the device is reassigned the same address Related Commands ip dhcp relay server 39 4 Table 39 3 DHCP Relay...

Page 658: ...DHCP server Range 1 3 addresses Default Setting None Command Mode Interface Configuration VLAN Usage Guidelines You must specify the IP address for at least one DHCP server Otherwise the switch s DHCP relay agent will not forward client requests to a DHCP server To start DHCP relay service enter the ip dhcp restart relay command Example Related Commands ip dhcp restart relay 39 3 Console config in...

Page 659: ... Server DNS servers available to a DHCP client DC 39 9 next server Configures the next server in the boot process of a DHCP client DC 39 9 bootfile Specifies a default boot image for a DHCP client DC 39 10 netbios name server Configures NetBIOS Windows Internet Naming Service WINS name servers available to Microsoft DHCP clients DC 39 10 netbios node type Configures NetBIOS node type for Microsoft...

Page 660: ...may be assigned Command Mode Global Configuration Example ip dhcp pool This command configures a DHCP address pool and enter DHCP Pool Configuration mode Use the no form to remove the address pool Syntax no ip dhcp pool name name A string or integer Range 1 8 characters Default Setting DHCP address pools are not configured Command Mode Global Configuration Usage Guidelines After executing this com...

Page 661: ... network address pool matching the gateway where the request originated i e if the request was forwarded by a relay server If there is no gateway in the client request i e the request was not forwarded by a relay server the switch searches for a network pool matching the interface through which the client request was received It then searches for a manually configured host address that falls withi...

Page 662: ...uter should be on the same subnet as the client You can specify up to two routers Routers are listed in order of preference starting with address1 as the most preferred router Example domain name This command specifies the domain name for a DHCP client Use the no form to remove the domain name Syntax domain name domain no domain name domain Specifies the domain name of the client Range 1 128 chara...

Page 663: ...annot correlate host names to IP addresses Servers are listed in order of preference starting with address1 as the most preferred server Example next server This command configures the next server in the boot process of a DHCP client Use the no form to remove the boot server list Syntax no next server address address Specifies the IP address of the next server in the boot process which is typicall...

Page 664: ... command configures NetBIOS Windows Internet Naming Service WINS name servers that are available to Microsoft DHCP clients Use the no form to remove the NetBIOS name server list Syntax netbios name server address1 address2 no netbios name server address1 Specifies IP address of primary NetBIOS WINS name server address2 Specifies IP address of alternate NetBIOS WINS name server Default Setting None...

Page 665: ...n that an IP address is assigned to a DHCP client Use the no form to restore the default value Syntax lease days hours minutes infinite no lease days Specifies the duration of the lease in numbers of days Range 0 364 hours Specifies the number of hours in the lease A days value must be supplied before you can configure hours Range 0 23 minutes Specifies the number of minutes in the lease A days an...

Page 666: ...e if the request was forwarded by a relay server If there is no gateway in the client request i e the request was not forwarded by a relay server the switch searches for a network pool matching the interface through which the client request was received It then searches for a manually configured host address that falls within the matching network pool When searching for a manual binding the switch...

Page 667: ... hexadecimal value Default Setting None Command Mode DHCP Pool Configuration Command Usage This command identifies a DHCP client to bind to an address specified in the host command If both a client identifier and hardware address are configured for a host address the client identifier takes precedence over the hardware address in the search procedure BOOTP clients cannot transmit a client identifi...

Page 668: ...net Command Mode DHCP Pool Configuration Command Usage This command identifies a DHCP or BOOTP client to bind to an address specified in the host command BOOTP clients cannot transmit a client identifier To bind an address to a BOOTP client you must associate a hardware address with the host entry Example Related Commands host 39 12 clear ip dhcp binding This command deletes an automatic address b...

Page 669: ...rvice to another device Example Related Commands show ip dhcp binding 39 15 show ip dhcp binding This command displays address bindings on the DHCP server Syntax show ip dhcp binding address address Specifies the IP address of the DHCP client for which bindings will be displayed Default Setting None Command Mode Normal Exec Privileged Exec Example Console clear ip dhcp binding Console Console show...

Page 670: ...DHCP Commands 39 16 39 ...

Page 671: ... it has a higher priority than the currently active master router Table 40 1 Router Redundancy Commands Command Groups Function Page Virtual Router Redundancy Protocol Configures interface settings for VRRP 40 1 Table 40 2 VRRP Commands Command Function Mode Page vrrp ip Enables VRRP and sets the IP address of the virtual router IC 40 2 vrrp authentication Configures a key used to authenticate VRR...

Page 672: ...e within the same IP subnet If the IP address assigned to the virtual router with this command is already configured as the primary address on this interface this router is considered the Owner and will assume the role of the Master virtual router in the group This interface is used for two purposes to send receive advertisement messages and to forward on behalf of the virtual router when operatin...

Page 673: ...hen a VRRP packet is received from another router in the group its authentication key is compared to the string configured on this router If the keys match the message is accepted Otherwise the packet is discarded Plain text authentication does not provide any real security It is supported only to prevent a misconfigured router from participating in VRRP Example vrrp priority This command sets the...

Page 674: ...gher than the current acting master comes on line this backup router will take over as the new acting master However note that if the original master i e the owner of the VRRP IP address comes back on line it will always resume control as the master If the virtual IP address for the VRRP group is the same as that of the configured device the priority will automatically be set to 255 prior to using...

Page 675: ... over as the master virtual router for a VRRP group if it has a higher priority than the current acting master router Use the no form to disable preemption Syntax vrrp group preempt delay seconds no vrrp group preempt group Identifies the VRRP group Range 1 255 seconds The time to wait before issuing a claim to become the master Range 0 120 seconds Default Setting Preempt Enabled Delay 0 seconds C...

Page 676: ...ary information for all VRRP groups on this router group Identifies a VRRP group Range 1 255 Defaults None Command Mode Privileged Exec Command Usage Use this command without any keywords to display the full listing of status information for all VRRP groups configured on this router Use this command with the brief keyword to display a summary of status information for all VRRP groups configured on...

Page 677: ... the virtual IP address Advertisement interval Interval at which the master virtual router advertises its role as the master Preemption Shows whether or not a higher priority router can preempt the current acting master Min delay Delay before a router with a higher priority can preempt the current acting master Priority Priority of this router Authentication Authentication mode used to verify VRRP...

Page 678: ...on Field Description Interface VLAN interface Grp VRRP group State VRRP role of this interface master or backup Virtual addr Virtual address that identifies this VRRP group Int Interval at which the master virtual router advertises its role as the master Pre Shows whether or not a higher priority router can preempt the current acting master Prio Priority of this router Console show vrrp interface ...

Page 679: ...ay items Console show vrrp router counters Total Number of VRRP Packets with Invalid Checksum 0 Total Number of VRRP Packets with Unknown Error 0 Total Number of VRRP Packets with Invalid VRID 0 Console Console show vrrp 1 interface vlan 1 counters Total Number of Times Transitioned to MASTER 6 Total Number of Received Advertisements Packets 0 Total Number of Received Error Advertisement Interval ...

Page 680: ...This command clears VRRP system statistics for the specified group and interface clear vrrp group interface interface counters group Identifies a VRRP group Range 1 255 interface Identifier of configured VLAN interface Range 1 4093 Defaults None Command Mode Privileged Exec Example Console clear vrrp router counters Console Console clear vrrp 1 interface 1 counters Console ...

Page 681: ... network segment if routing is not enabled This section includes commands for configuring IP interfaces the Address Resolution Protocol ARP and Proxy ARP These commands are used to connect subnetworks to the enterprise network Basic IP Configuration This section describes commands used to configure IP addresses for VLAN interfaces on the switch Table 41 1 IP Interface Commands Command Group Functi...

Page 682: ... NE PE 41 14 ipv6 default gateway Sets an IPv6 default gateway for traffic with no known next hop GC 41 17 show ipv6 default gateway Displays the current IPv6 default gateway NE PE 41 17 ipv6 mtu Sets the size of the maximum transmission unit MTU for IPv6 packets sent on an interface IC 41 18 show ipv6 mtu Displays maximum transmission unit MTU information for IPv6 interfaces NE PE 41 19 show ipv6...

Page 683: ...ords a router interface address defines the network segment that is connected to that interface and allows IP packets to be sent to or from the router Before any network interfaces are configured on the router first create a VLAN for each unique user group or for each network application and its associated users Then assign the ports associated with each of these VLANs An IP address must be assign...

Page 684: ...ia any of these IP addresses Example In the following example the device is assigned an address in VLAN 1 Related Commands ip dhcp restart client 39 2 ipv6 address 41 9 ip default gateway This command specifies the IPv4 default gateway for destinations not found in the local routing tables Use the no form to remove a default gateway Syntax ip default gateway gateway no ip default gateway gateway I...

Page 685: ...41 14 show ip redirects This command shows the IPv4 default gateway configured for this device Default Setting None Command Mode Privileged Exec Example Related Commands ip default gateway 41 4 show ipv6 default gateway 41 17 Console config ip default gateway 10 1 1 254 Console config Console show ip interface Vlan 1 is up addressing mode is DHCP Interface address is 192 168 0 2 mask is 255 255 25...

Page 686: ...one to ten seconds depending on network traffic Destination does not respond If the host does not respond a timeout appears in ten seconds Destination unreachable The gateway for this destination indicates that the destination is unreachable Network or host unreachable The gateway found no corresponding entry in the route table When pinging a host name be sure the DNS server has been enabled see p...

Page 687: ...s address type makes the router accessible over IPv6 for all devices attached to the same local subnet If a duplicate address is detected on the local segment this interface will be disabled and a warning message displayed on the console The no ipv6 enable command does not disable IPv6 for an interface that has been explicitly configured with an IPv6 address Example In this example IPv6 is enabled...

Page 688: ...undefined fields prefix length A decimal value indicating how many of the contiguous bits from the left of the address comprise the prefix i e the network portion of the address Default Setting No general prefix is defined Command Mode Global Configuration Command Usage Prefixes may contain zero value fields or end in zeros A general prefix holds a short prefix that indicates the high order bits u...

Page 689: ...neral prefix if one is used followed by the host address bits The address must be formatted according to RFC 2373 IPv6 Addressing Architecture using 8 colon separated 16 bit hexadecimal values One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields prefix length A decimal value indicating how many contiguous bits from the left o...

Page 690: ...eui 64 41 12 ipv6 address autoconfig 41 10 show ipv6 interface 41 14 ip address 41 3 ipv6 address autoconfig This command enables stateless autoconfiguration of IPv6 addresses on an interface and enables IPv6 on the interface The network portion of the address is based on prefixes received in IPv6 router advertisement messages the host portion in based on the modified EUI 64 form of the interface ...

Page 691: ...ill attempt to acquire other non address configuration information such as a default gateway from a DHCP for IPv6 server Example This example assigns two dynamic global unicast address of 2005 212 CFFF FE0B 4600 and 3FFE 501 FFFF 100 212 CFFF FE0B 4600 to the router Related Commands ipv6 address 41 9 show ipv6 interface 41 14 Console config if ipv6 address autoconfig Console config if end Console ...

Page 692: ...nerate a global unicast address and a link local address for this interface The link local address is made with an address prefix of FE80 and a host portion based the router s MAC address in modified EUI 64 format Note that the value specified in the ipv6 prefix may include some of the high order host bits if the specified prefix length is less than 64 bits If the specified prefix length exceeds 6...

Page 693: ...erface Use the no form with a specific address to remove it from the interface Syntax ipv6 address ipv6 address link local no ipv6 address ipv6 address link local ipv6 address The IPv6 address assigned to the interface The address must be formatted according to RFC 2373 IPv6 Addressing Architecture using 8 colon separated 16 bit hexadecimal values One double colon may be used in the address to ind...

Page 694: ...e usability and configured settings for IPv6 interfaces Syntax show ipv6 interface brief vlan vlan id ipv6 prefix prefix length brief Displays a brief summary of IPv6 operational status and the addresses configured for each interface vlan id VLAN ID Range 1 4093 ipv6 prefix The IPv6 network portion of the address assigned to the interface The prefix must be formatted according to RFC 2373 IPv6 Add...

Page 695: ...01 1 16 FF02 1 16 FF02 1 FF00 79 104 FF02 1 FF19 6779 104 MTU is 1500 bytes ND DAD is enabled number of DAD attempts 1 ND retransmit interval is 1000 milliseconds Console Table 41 3 show ipv6 interface display description Field Description VLAN A VLAN is marked up if the router can send and receive packets on this interface down if a line signal is not present or administratively down if the inter...

Page 696: ...also required to compute and join the associated solicited node multicast addresses for every unicast and anycast address it is assigned IPv6 addresses that differ only in the high order bits e g due to multiple high order prefixes associated with different aggregations will map to the same solicited node address thereby reducing the number of multicast addresses a node must join In this example F...

Page 697: ... Configuration Command Usage The gateway specified in this command is only valid if routing is disabled with the no ip routing command If IP routing is disabled you must define a gateway if the target device is located in a different subnet If routing is enabled you can still define a static route using the ip route command page 42 2 to ensure that traffic to the designated address or subnet passe...

Page 698: ...t from this device This option is provided to ensure that all nodes on a link use the same MTU value in cases where the link MTU is not otherwise well known IPv6 routers do not fragment IPv6 packets forwarded from other routers However traffic originating from an end station connected to an IPv6 router may be fragmented All devices on the same physical medium must use the same MTU in order to oper...

Page 699: ...atistics Console show ipv6 mtu MTU Since Destination Address 1400 00 04 21 5000 1 3 1280 00 04 50 FE80 203 A0FF FED6 141D Console Table 41 4 show ipv6 mtu display description Field Description MTU Adjusted MTU contained in the ICMP packet too big message returned from this destination and now used for all traffic sent along this path Since Time since an ICMP packet too big message was received fro...

Page 700: ...ameter option 0 hopcount expired 0 reassembly timeout 0 too big 0 echo request 0 echo reply 0 group query 0 group report 0 group reduce 0 router solicit 0 router advert 0 redirects 0 neighbor solicit 0 neighbor advert 0 Ipv6 icmp output sent output 6 unreach routing 0 unreach admin 0 unreach neighbor 0 unreach address 0 unreach port 1 parameter error 0 parameter header 0 parameter option 0 hopcoun...

Page 701: ...col This counter is incremented at the interface to which these datagrams were addressed which might not be necessarily the input interface for some of the datagrams not a router The number of input datagrams discarded because the IPv6 address in their IPv6 header s destination field was not a valid address to be received at this entity This count includes invalid addresses e g 0 and unsupported a...

Page 702: ... that have been generated as a result of fragmentation at this output interface fragmented failed The number of IPv6 datagrams that have been discarded because they needed to be fragmented at this output interface but could not be encapsulation failed Failure that can result from an unresolved address or failure to queue a packet no route The number of input datagrams discarded because no route co...

Page 703: ...terface group query The number of ICMPv6 Group Membership Query messages received by the interface group report The number of ICMPv6 Group Membership Response messages received by the interface group reduce The number of ICMPv6 Group Membership Reduction messages received by the interface router solicit The number of ICMP Router Solicit messages received by the interface router advert The number o...

Page 704: ...ace redirects The number of Redirect messages sent For a host this object will always be zero since hosts do not send redirects neighbor solicit The number of ICMP Neighbor Solicitation messages sent by the interface neighbor advert The number of ICMP Neighbor Advertisement messages sent by the interface UDP Statistics input The total number of UDP datagrams delivered to UDP users checksum errors ...

Page 705: ...ble colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields host name The name the IPv6 device to ping A host name can be resolved into an IPv6 address using DNS datagram size Specifies the size of the datagram to send in each ping Range 48 18024 bytes repeat count The number of pings to send Range 1 2147483647 hex data pattern The data pa...

Page 706: ...xample Related Commands ping 41 6 ipv6 neighbor This command configures a static entry in the IPv6 neighbor discovery cache Use the no form to remove a static entry from the cache Syntax ipv6 neighbor ipv6 address vlan vlan id hardware address no ipv6 mtu ipv6 address The IPv6 address of a neighbor device that can be reached through one of the network interfaces configured on this router You can s...

Page 707: ... ipv6 enable command see page 41 7 deletes all dynamically learned entries in the IPv6 neighbor discovery cache for that interface but does not delete static entries Example The following maps a static entry for global unicast address to a MAC address Related Commands show ipv6 neighbors 41 30 mac address table static 31 1 ipv6 nd dad attempts This command configures the number of consecutive neig...

Page 708: ...tion for all unicast IPv6 addresses on the interface While duplicate address detection is performed on the interface s link local address the other IPv6 addresses remain in a tentative state If no duplicate link local address is found duplicate address detection is started for the remaining IPv6 addresses If a duplicate address is detected it is set to duplicate state and a warning message is sent...

Page 709: ...used for neighbor discovery operations 0 milliseconds is advertised in router advertisements Command Mode Interface Configuration VLAN Command Usage When a non default value is configured the specified interval is used both for router advertisements and by the router itself This command specifies the interval between transmitting neighbor solicitation messages when resolving an address or when pro...

Page 710: ...ed 16 bit hexadecimal values One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields Default Setting All IPv6 neighbor discovery cache entries are displayed Command Mode Normal Exec No command options are available Privileged Exec All command options are available Console config interface vlan 1 Console config if ipv6 nd ns inte...

Page 711: ...ghbor was functioning While in REACH state the device takes no special action when sending packets STALE More than the ReachableTime interval has elapsed since the last positive confirmation was received that the forward path was functioning While in STALE state the device takes no action until a packet is sent DELAY More than the ReachableTime interval has elapsed since the last positive confirma...

Page 712: ...ied IP address The format for this address is xx xx xx xx xx xx Default Setting No default entries Command Mode Global Configuration Command Usage The ARP cache is used to map 32 bit IP addresses into 48 bit hardware i e Media Access Control addresses This cache includes entries for hosts and other routers on local network interfaces defined on this router The maximum number of static entries allo...

Page 713: ...ic entry remains in the ARP cache Range 300 86400 86400 is one day Default Setting 1200 seconds 20 minutes Command Mode Global Configuration Command Usage When a ARP entry expires it is deleted from the cache and an ARP request packet is sent to re establish the MAC address The aging time determines how long dynamic entries remain in the cache If the timeout is too short the router may tie up reso...

Page 714: ...hows each cache entry including the IP address MAC address type static dynamic other and VLAN interface Note that entry type other indicates local addresses for this router Example This example displays all entries in the ARP cache Console clear arp cache This operation will delete all the dynamic entries in ARP Cache Are you sure to continue this operation y n y Console Console show arp Arp cache...

Page 715: ...e the MAC address of a host on another subnet or network End stations that require Proxy ARP must view the entire network as a single network These nodes must therefore use a smaller subnet mask than that used by the router or other relevant network devices Extensive use of Proxy ARP can degrade router performance because it may lead to increased ARP traffic and increased search time for larger AR...

Page 716: ...IP Interface Commands 41 36 41 ...

Page 717: ...g Use the no form to disable IP routing Syntax no ip routing Default Setting Enabled Table 42 1 IP Routing Commands Command Group Function Page Global Routing Configuration Configures global parameters for static and dynamic routing displays the routing table and statistics for protocols used to exchange routing information 42 1 Routing Information Protocol RIP Configures global and interface spec...

Page 718: ...work mask for the associated IP subnet This mask identifies the host address bits used for routing to specific subnets default Sets this entry as the default route gateway IP address of the gateway used for this route metric Selected RIP cost for this interface Range 1 5 default 1 Removes all static routing table entries Default Setting No static routes are configured Command Mode Global Configura...

Page 719: ...a local interface Use the no ip route command to remove a static route Example show ip route This command displays information in the IP routing table Syntax show ip route config address netmask config Displays all static routing entries address IP address of the destination network subnetwork or host for which routing information is to be displayed netmask Network mask for the associated IP subne...

Page 720: ...router Netmask Network mask for the associated IP subnet Next Hop IP address of the next hop or gateway used for this route Protocol The protocol which generated this route information Values static local RIP OSPF Metric Cost for this interface Interface VLAN interface through which this address can be reached Console show ip host route Total count 0 IP address Mac address VLAN Port 192 168 1 250 ...

Page 721: ...s 0 unreachable 0 echo 5 echo reply 0 mask requests 0 mask replies 0 quench 0 parameter 0 timestamp Sent 0 redirects 0 unreachable 0 echo 0 echo reply 0 mask requests 0 mask replies 0 quench 0 timestamp 0 time exceeded 0 parameter problem UDP statistics Rcvd 0 total 0 checksum errors 0 no port Sent 0 total TCP statistics Rcvd 0 total 0 checksum errors Sent 0 total ARP statistics Rcvd 0 requests 1 ...

Page 722: ...routes from one routing domain to another RC 42 11 ip rip receive version Sets the RIP receive version to use on a network interface IC 42 12 ip rip send version Sets the RIP send version to use on a network interface IC 42 13 ip split horizon Enables split horizon or poison reverse loop prevention IC 42 14 ip rip authentication key Enables authentication for RIP2 packets and specifies keys IC 42 ...

Page 723: ...cs It is advisable to use a low metric when redistributing routes from another protocol into RIP Using a high metric limits the usefulness of external routes redistributed into RIP For example if a metric of 10 is defined for redistributed routes these routes can only be advertised to routers up to 5 hops away at which point the metric exceeds the maximum hop count of 15 By defining a low metric o...

Page 724: ...imeout timer is the time after which there have been no update messages that a route is declared dead The route is marked inaccessible i e the metric set to infinite and advertised as unreachable However packets are still forwarded on this route After the timeout interval expires the router waits for an interval specified by the garbage collection timer before removing this entry from the routing ...

Page 725: ... xxx xxx xxx is entered the first field nnn determines the class 0 127 is class A and only the first field in the network address is used 128 191 is class B and the first two fields in the network address are used 192 223 is class C and the first three fields in the network address are used Example This example includes network interface 10 1 0 0 in the RIP routing process Related Commands router ...

Page 726: ...r ip rip send version command will be set to the following values RIP Version 1 configures the unset interfaces to send RIPv1 compatible protocol messages and receive either RIPv1 or RIPv2 protocol messages RIP Version 2 configures the unset interfaces to use RIPv2 for both sending and receiving protocol messages When the no form of this command is used to restore the default value any VLAN interf...

Page 727: ... must be used to resolve the problem of redistributing external routes with incompatible metrics It is advisable to use a low metric when redistributing routes from another protocol into RIP Using a high metric limits the usefulness of external routes redistributed into RIP For example if a metric of 10 is defined for redistributed routes these routes can only be advertised to routers up to 5 hops...

Page 728: ...se this command to override the global setting specified by the RIP redistribute command You can specify the receive version based on these options Use none if you do not want to add any dynamic entries to the routing table for an interface For example you may only want to allow static routes for a specific interface Use 1 or 2 if all routers in the local network are based on RIPv1 or RIPv2 respec...

Page 729: ...eceive version based on these options Use none to passively monitor route information advertised by other routers attached to the network Use 1 or 2 if all routers in the local network are based on RIPv1 or RIPv2 respectively Use v2 broadcast to propagate route information by broadcasting to other routers on the network using RIPv2 instead of multicasting as normally required by RIPv2 Using this m...

Page 730: ...metrics to infinity This provides faster convergence Example This example propagates routes back to the source using poison reverse ip rip authentication key This command enables authentication for RIPv2 packets and specifies the key that must be used on an interface Use the no form to prevent authentication Syntax ip rip authentication key key string no ip rip authentication key string A password...

Page 731: ...5 MD5 authentication Command Mode Interface Configuration VLAN Default Setting No authentication Command Usage The password to be used for authentication is specified in the ip rip authentication key command page 42 14 This command requires the interface to exchange routing information with other routers based on an authorized password Note that this command only applies to RIPv2 For authenticatio...

Page 732: ...on about the last time a route update was received the RIP version used by the neighbor and the status of routing messages received from this neighbor Command Mode Privileged Exec Console config interface vlan 1 Console config if ip rip authentication mode text Console config if Console show rip globals RIP Process Enabled Update Time in Seconds 30 Number of Route Change 0 Number of Queries 1 Cons...

Page 733: ...Mode RIP version sent on this interface none RIPv1 RIPv2 or RIPv2 broadcast ReceiveMode RIP version received on this interface none RIPv1 RIPv2 RIPv1 or RIPv2 Poison Shows if split horizon poison reverse or no protocol message loopback prevention method is in use Authentication Shows if authentication is set to simple password MD5 or none show ip rip status Interface IP address of the interface Rc...

Page 734: ...5 Area Configuration network area Assigns specified interface to an area RC 42 26 area stub Defines a stubby area that cannot send or receive LSAs RC 42 27 area nssa Defines a not so stubby that can import external routes RC 42 28 area virtual link Defines a virtual link from an area border routers to the backbone RC 42 30 Interface Configuration ip ospf authentication Specifies the authentication...

Page 735: ...routing processes PE 42 39 show ip ospf border routers Displays routing table entries for Area Border Routers ABR and Autonomous System Boundary Routers ASBR PE 42 40 show ip ospf database Shows information about different LSAs in the database PE 42 41 show ip ospf interface Displays interface information PE 42 49 show ip ospf neighbor Displays neighbor information PE 42 50 show ip ospf summary ad...

Page 736: ... the router ID you cannot be set to 0 0 0 0 or 255 255 255 255 If this router already has registered neighbors the new router ID will be used when the router is rebooted or manually restarted by entering the no router ospf page 42 19 followed by the router ospf command If the priority values of the routers bidding to be the designated router or backup designated router for an area are equal the ro...

Page 737: ...erates a default external route into an autonomous system Use the no form to disable this feature Syntax default information originate always metric interface metric metric type metric type no default information originate always Always advertise a default route to the local AS regardless of whether the router has a default route See ip route on page 42 2 interface metric Metric assigned to the de...

Page 738: ...l cost is only used as a tie breaker if several Type 2 routes have the same cost Example This example assigns a metric of 20 to the default external route advertised into an autonomous system sending it as a Type 2 external metric Related Commands ip route 42 2 redistribute 42 25 timers spf This command configures the hold time between making two consecutive shortest path first SPF calculations Us...

Page 739: ...t Setting Disabled Command Usage This command can be used to summarize intra area routes and advertise this information to other areas through Area Border Routers ABRs If the network addresses within an area are assigned in a contiguous manner the ABRs can advertise a summary route that covers all of the individual networks within the area that fall into the specified range using a single area ran...

Page 740: ...efault Setting 1 Command Usage Use this option only on an area border router attached to a stub area or NSSA If the default cost is set to 0 the router will not advertise a default route into the attached stub or NSSA Example Related Commands area stub 42 27 summary address This command aggregates routes learned from other protocols Use the no form to remove a summary address Syntax no summary add...

Page 741: ...This command redistributes external routing information from other routing protocols and static routes into an autonomous system Use the no form to disable this feature or to restore the default settings Syntax no redistribute rip static metric metric value metric type type value rip Imports entries learned through the Routing Information Protocol into this Autonomous System static Imports static ...

Page 742: ...AS is equal to the cost associated with reaching the advertising ASBR plus the cost of the external route When a Type 2 LSA is received by a router it only uses the external route metric to determine route cost Example This example redistributes routes learned from RIP as Type 1 external routes Related Commands default information originate 42 21 network area This command defines an OSPF area and ...

Page 743: ...ped in subsequent network area commands the router will use the network area with the address range that most closely matches the interface address Also note that if a more specific address range is removed from an area the interface belonging to that range may still remain active if a less specific address range covering that area has been specified This router supports up to 64 OSPF router inter...

Page 744: ... ABR This router supports up to 16 total areas either normal transit areas stubs or NSSAs Example This example creates a stub area 10 2 0 0 and assigns all interfaces with class B addresses 10 2 x x to the stub Related Commands area default cost 42 24 area nssa This command defines a not so stubby area NSSA To remove an NSSA use the no form without any optional keywords To remove an optional attri...

Page 745: ...he AS into the NSSA using the default information originate keyword However an NSSA is different from a stub because when the router is an ASBR it can import a default external AS route for routing protocol domains adjacent to the NSSA but not within the OSPF AS into the NSSA using the default information originate keyword External routes advertised into an NSSA can include network destinations ou...

Page 746: ...ify the authentication field in protocol message headers A separate password can be assigned to each network interface However this key must be the same for all neighboring routers on the same network i e autonomous system This key is only used when authentication is enabled for the backbone message digest key key id md5 key Sets the key identifier and password to be used to authenticate protocol ...

Page 747: ...nted by this amount before transmission This value must be the same for all routers attached to an autonomous system Range 1 3600 seconds Default 1 seconds Command Mode Router Configuration Default Setting area id None router id None hello interval 10 seconds retransmit interval 5 seconds transmit delay 1 second dead interval 40 seconds authentication key None message digest key None Command Usage...

Page 748: ...assword or key All neighboring routers on the same network with the same password will exchange routing data This command creates a password key that is inserted into the OSPF header when routing protocol packets are originated by this device Assign a separate password to each network for different interfaces When using simple password authentication a password is included in the packet If it does...

Page 749: ...oring routers to verify the authenticity of routing protocol messages Use the no form to remove the password Syntax ip ospf authentication key key no ip ospf authentication key key Sets a plain text password Range 1 8 characters Command Mode Interface Configuration VLAN Default Setting No password Command Usage Before specifying plain text password authentication for an interface with the ip ospf ...

Page 750: ...ce with the ip ospf authentication command configure the message digest key id and key with this command Normally only one key is used per interface to generate authentication information for outbound packets and to authenticate incoming packets Neighbor routers must use the same key identifier and key value When changing to a new key the router will send multiple copies of all protocol messages o...

Page 751: ...uter link state advertisements Routes are assigned a metric equal to the sum of all metrics for each interface link in the route Interface cost reflects the port speed This router uses a default cost of 1 for all ports Therefore if you install a 10 Gigabit module you may have to reset the cost for all of the 100 Mbps ports to a value greater than 1 This router uses a default cost of 1 for all inte...

Page 752: ...spf hello interval command Command Usage The dead interval is advertised in the router s hello packets It must be a multiple of the hello interval and be the same for all routers on a specific network Example Related Commands ip ospf hello interval 42 36 ip ospf hello interval This command specifies the interval between sending hello packets on an interface Use the no form to restore the default v...

Page 753: ...forms an active adjacency to all other routers in the network segment to exchange routing topology information If for any reason the DR fails the BDR takes over this role Set the priority to zero to prevent a router from being elected as a DR or BDR If set to any value other than zero the router with the highest priority will become the DR and the router with the next highest priority becomes the ...

Page 754: ...s an adequate flow of routing information but does not produce unnecessary protocol traffic Note that this value should be larger for virtual links Set this interval to a value that is greater than the round trip delay between any two routers on the attached network to avoid unnecessary retransmissions Example ip ospf transmit delay This command sets the estimated time to send a link state update ...

Page 755: ...sole config interface vlan 1 Console config if ip ospf transmit delay 6 Console config if Console show ip ospf Routing Process with ID 10 1 1 253 Supports only single TOS TOS0 route It is an area border and autonomous system boundary router Redistributing External Routes from rip with metric mapped to 10 Number of area in this router is 2 Area 0 0 0 0 BACKBONE Number of interfaces in this area is ...

Page 756: ... Area SPF No 10 1 1 252 10 1 1 253 0 ABR INTRA 10 1 0 0 3 10 2 6 252 10 2 9 253 0 ASBR INTER 10 2 0 0 7 Console Table 42 10 show ip ospf border routers display description Field Description Destination Identifier for the destination router Next Hop IP address of the next hop toward the destination Cost Link metric for this route Type Router type of the destination either ABR ASBR or both RteType R...

Page 757: ...f originate link state id show ip ospf area id database self originate link state id show ip ospf area id database summary link state id show ip ospf area id database summary link state id adv router ip address show ip ospf area id database summary link state id self originate link state id area id Area defined for which you want to view LSA information This item must be entered in the form of an ...

Page 758: ...252 26 0X80000005 0X89A1 10 1 1 253 10 1 1 253 23 0X80000002 0X8D9D Displaying Net Link States Area 10 1 0 0 Link ID ADV Router Age Seq Checksum 10 1 1 252 10 1 1 252 28 0X80000001 0X53E1 Console Table 42 11 show ip ospf database display description Field Description Link ID Router ID ADV Router Advertising router ID Age Age of LSA in seconds Seq Sequence number of LSA used to detect older duplica...

Page 759: ... Network Mask 255 255 255 0 Metric 1 Console Table 42 12 show ip ospf asbr summary display description Field Description OSPF Router id Router ID LS age Age of LSA in seconds Options Optional capabilities associated with the LSA LS Type Summary Links LSA describes routes to AS boundary routers Link State ID Interface address of the autonomous system boundary router Advertising Router Advertising r...

Page 760: ...sa 2 1 1 0 0 0 Total LSA Counts 4 Console Table 42 13 show ip ospf database summary display description Field Description Area ID Area identifier Router Number of router LSAs Network Number of network LSAs Sum Net Number of summary LSAs Sum ASBR Number of summary ASBR LSAs External AS Number of autonomous system external LSAs External Nssa Number of NSSA external network LSAs Total LSA Counts Tota...

Page 761: ...s associated with the LSA LS Type AS External Links LSA describes routes to destinations outside the AS including default external routes for the AS Link State ID IP network number External Network Number Advertising Router Advertising router ID LS Sequence Number Sequence number of LSA used to detect older duplicate LSAs LS Checksum Checksum of the complete contents of the LSA Length The length o...

Page 762: ...Router 10 1 1 253 Console Table 42 15 show ip ospf network display description Field Description OSPF Router id Router ID LS age Age of LSA in seconds Options Optional capabilities associated with the LSA LS Type Network Link LSA describes the routers attached to the network Link State ID Interface address of the designated router Advertising Router Advertising router ID LS Sequence Number Sequenc...

Page 763: ...ter display description Field Description OSPF Router id Router ID LS age Age of LSA in seconds Options Optional capabilities associated with the LSA LS Type Router Link LSA describes the router s interfaces Link State ID Router ID of the router that originated the LSA Advertising Router Advertising router ID LS Sequence Number Sequence number of LSA used to detect older duplicate LSAs LS Checksum...

Page 764: ...er 80000003 LS Checksum 0x3D02 Length 28 Network Mask 255 255 255 0 Metric 1 Console Table 42 17 show ip ospf summary display description Field Description OSPF Router id Router ID LS age Age of LSA in seconds Options Optional capabilities associated with the LSA LS Type Summary Links LSA describes routes to networks Link State ID Router ID of the router that originated the LSA Advertising Router ...

Page 765: ...tatus of physical link Interface Address IP address of OSPF interface Mask Network mask for interface address Area OSPF area to which this interface belongs Router ID Router ID Network Type Includes broadcast non broadcast or point to point networks Cost Interface transmit cost Transmit Delay Interface transmit delay in seconds State Disabled OSPF not enabled on this interface Down OSPF is enabled...

Page 766: ... router priority State OSPF state and identification flag States include Down Connection down Attempt Connection down but attempting contact for non broadcast networks Init Have received Hello packet but communications not yet established Two way Bidirectional communications established ExStart Initializing adjacency between neighbors Exchange Database descriptions being exchanged Loading LSA data...

Page 767: ... Commands area virtual link 42 30 Console show ip ospf summary address 10 1 0 0 255 255 0 0 Console Console show ip ospf virtual links Virtual Link to router 10 1 1 253 is up Transit area 10 1 1 0 Transmit Delay is 1 sec Timer intervals configured Hello 10 Dead 40 Retransmit 5 Console Table 42 20 show ip ospf virtual links display description Field Description Virtual Link to router OSPF neighbor ...

Page 768: ...IP Routing Commands 42 52 42 ...

Page 769: ...Section IV Appendices This section provides additional information on the following topics Software Specifications A 1 Troubleshooting B 1 Glossary Index ...

Page 770: ...Appendices ...

Page 771: ... Storm Control Traffic throttled above a critical threshold Port Mirroring Multiple source ports one destination port Rate Limits Input Limit Output limit Range configured per port Port Trunking Static trunks Cisco EtherChannel compliant Dynamic trunks Link Aggregation Control Protocol Spanning Tree Algorithm Spanning Tree Protocol STP IEEE 802 1D 2004 Rapid Spanning Tree Protocol RSTP IEEE 802 1D...

Page 772: ...ng groups 1 2 3 9 SMTP Email Alerts Management Features In Band Management Telnet web based HTTP or HTTPS SNMP manager or Secure Shell Out of Band Management RS 232 DB 9 console port Software Loading TFTP in band or XModem out of band SNMP Management access via MIB database Trap management to specified hosts RMON Groups 1 2 3 9 Statistics History Alarm Event Standards IEEE 802 1D 2004 Spanning Tre...

Page 773: ...PF RFC 2328 2178 1587 RADIUS RFC 2618 RIP RFC 1058 RIPv2 RFC 2453 RIPv2 extension RFC 1724 RMON RFC 2819 groups 1 2 3 9 SNMP RFC 1157 SNMPv2c RFC 2571 SNMPv3 RFC DRAFT 3414 3410 2273 3411 3415 SNTP RFC 2030 SSH Version 2 0 TFTP RFC 1350 VRRP RFC 3768 Management Information Bases Bridge MIB RFC 1493 DNS Resolver MIB RFC 1612 Differentiated Services MIB RFC 3289 Entity MIB RFC 2737 Ether like MIB RF...

Page 774: ...21 RIP1 MIB RFC 1058 RIP2 MIB RFC 2453 RIP2 Extension RFC1724 RMON MIB RFC 2819 RMON II Probe Configuration Group RFC 2021 partial implementation SNMPv2 IP MIB RFC 2011 SNMP Framework MIB RFC 3411 SNMP MPD MIB RFC 3412 SNMP Target MIB SNMP Notification MIB RFC 3413 SNMP User Based SM MIB RFC 3414 SNMP View Based ACM MIB RFC 3415 SNMP Community MIB RFC 3584 TACACS Authentication Client MIB TCP MIB ...

Page 775: ...t Telnet SSH sessions permitted Try connecting again at a later time Cannot connect using Secure Shell If you cannot connect using SSH you may have exceeded the maximum number of concurrent Telnet SSH sessions permitted Try connecting again at a later time Be sure the control parameters for the SSH server are properly configured on the switch and that the SSH client software is properly configured...

Page 776: ...r messages reported to include all categories 3 Designate the SNMP host that is to receive the error messages 4 Repeat the sequence of commands or other actions that lead up to the error 5 Make a list of the commands or circumstances that led to the fault Also make a list of any error messages displayed 6 Contact your distributor s service engineer For example Console config logging on Console con...

Page 777: ...rce priority service and prevent blockage of lower level queues Priority may be set according to the port default the packet s priority bit in the VLAN tag TCP UDP port number IP Precedence bit or DSCP priority bit Differentiated Services DiffServ DiffServ provides quality of service on large networks by employing a well defined set of building blocks from which a variety of aggregate forwarding b...

Page 778: ...cation Protocol over LAN EAPOL EAPOL is a client authentication protocol used by this switch to verify the network access rights for any device that is plugged into the switch A user name and password is requested by the switch and then passed to an authentication server e g RADIUS for verification EAPOL is implemented as part of the IEEE 802 1X Port Authentication standard GARP VLAN Registration ...

Page 779: ... Spanning Tree Protocol RSTP which reduces the convergence time for network topology changes to about 10 of that required by the older IEEE 802 1D STP standard Now incorporated in IEEE 802 1D 2004 IEEE 802 1X Port Authentication controls access to the switch ports by requiring users to first enter a user ID and password for authentication IEEE 802 3ac Defines frame extensions for VLAN tagging IEEE...

Page 780: ...cedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic The eight values are mapped one to one to the Class of Service categories by default but may be configured differently to suit the requirements for specific network applications Layer 2 Data Link layer in the ISO 7 Layer Data Communications Protocol...

Page 781: ...e or radio Open Shortest Path First OSPF OSPF is a link state routing protocol that functions better over a larger network such as the Internet as opposed to distance vector routing protocols such as RIP It includes features such as unlimited hop count authentication of routing updates and Variable Length Subnet Masks VLSM Out of Band Management Management of the network from a station not attache...

Page 782: ...o about 10 of that required by the older IEEE 802 1D STP standard Routing Information Protocol RIP The RIP protocol seeks to find the shortest route to another device by minimizing the distance vector or hop count which serves as a rough estimate of transmission cost RIP 2 is a compatible upgrade to RIP It adds useful capabilities for subnet routing authentication and multicast transmissions Secur...

Page 783: ...Greenwich Mean Time based solely on the Earth s rotation rate with highly accurate atomic time The UTC does not have daylight saving time User Datagram Protocol UDP UDP provides a datagram mode for packet switched communications It uses IP as the underlying transport mechanism to provide access to IP like services UDP packets are delivered just like IP packets connection less datagrams that may be...

Page 784: ...which has been configured with a fixed gateway to maintain network connectivity in case the primary gateway goes down XModem A protocol used to transfer files between devices Data is grouped in 128 byte blocks and error corrected ...

Page 785: ...command line interface See CLI community string 2 13 5 3 24 3 configuration files restoring defaults 4 24 23 10 configuration settings saving or restoring 2 16 4 24 23 10 23 11 console port required connections 2 2 CoS configuring 13 1 35 1 36 1 DSCP 13 10 35 10 IP port priority 13 11 35 7 IP precedence 13 8 35 8 layer 3 4 priorities 13 7 35 7 queue mapping 13 3 35 4 queue mode 13 5 35 2 traffic c...

Page 786: ...02 1X 6 18 25 26 IGMP groups displaying 15 8 37 4 immediate leave status 15 5 37 4 Layer 2 15 2 37 1 query 15 2 37 5 query Layer 2 15 3 37 5 snooping 15 2 37 1 snooping configuring 15 3 37 1 snooping immediate leave 15 5 37 3 IGMP snooping immediate leave 15 5 importing user public keys 6 12 23 11 ingress filtering 11 10 34 9 IP address BOOTP DHCP 4 8 39 2 IP port priority enabling 13 11 35 7 mapp...

Page 787: ... attributes 12 3 32 1 32 6 32 13 message statistics 12 11 32 18 message timing 12 1 32 3 32 5 remote information displaying 12 9 32 16 remote port information displaying 12 8 32 16 timing attributes configuring 12 1 32 3 32 5 TLV 12 1 12 3 TLV management address 12 4 32 7 TLV port description 12 3 32 8 TLV system capabilities 12 4 32 8 TLV system description 12 4 32 9 TLV system name 12 4 32 9 log...

Page 788: ...ng 8 19 29 1 priority default port ingress 13 1 35 3 problems troubleshooting B 1 protocol migration 10 15 33 17 proxy ARP 19 9 41 35 Q QinQ Tunneling See 802 1Q QoS 14 1 36 1 Quality of Service See QoS queue weights 13 6 35 4 R RADIUS logon authentication 6 2 25 6 rate limits setting 8 20 30 1 remote logging 4 31 23 29 restarting the system 4 36 22 4 RIP configuring 20 2 42 6 42 16 description 20...

Page 789: ...2 switch settings saving or restoring 23 10 system clock setting 4 36 4 37 23 35 system clock summer time 4 40 23 40 23 41 23 42 system clock time zone 4 39 23 39 system mode normal or QinQ 11 16 34 15 system software downloading from server 4 22 23 11 T TACACS logon authentication 6 2 25 9 time zone setting 4 39 23 39 time setting 4 36 4 37 23 35 TPID 11 16 34 16 traffic class weights 13 6 35 4 t...

Page 790: ...group statistics 18 8 40 6 preemption 18 3 18 4 40 5 priority 18 3 18 4 40 3 protocol message statistics 18 7 40 9 timers 18 4 40 4 virtual address 18 2 18 4 40 2 W web interface access requirements 3 1 configuration buttons 3 3 home page 3 2 menu list 3 4 panel display 3 3 ...

Page 791: ......

Page 792: ...20 Mason Irvine CA 92618 Phn 949 679 8000 www smc com 150200062800A R02 149100000035A R01 SMC8926EM SMC8950EM ...

Reviews:

No comments

Brands by name

Popular brands

Load more brands