Supermicro SSE-G2252 User Manual Download Page 876

Page: 876 / 1401

Chapter 24: General Security Measures
Denial of Service Protection

– 887 –

XAMPLE

Console(config)#dos-protection syn-fin-scan

Console(config)#

dos-protection

tcp-udp-port-zero

This command protects against DoS attacks in which the UDP or TCP

source port or destination port is set to zero. This technique may be used

as a form of DoS attack, or it may just indicate a problem with the source

device. Use the

form to restore the default setting.

YNTAX

dos-protection tcp-udp-port-zero

{

drop

forward

}

dos-protection tcp-udp-port-zero

drop

– Drops all packets with the Layer 4 source port or destination

port set to zero.

forward

– Forwards all packets with the Layer 4 source port or

destination port set to zero.

EFAULT

ETTING

Drop

OMMAND

ODE

Global Configuration

XAMPLE

Console(config)#dos-protection tcp-udp-port-zero forward

Console(config)#

dos-protection
tcp-xmas-scan

This command protects against DoS TCP-xmas-scan in which a so-called

TCP XMAS scan message is used to identify listening TCP ports. This scan

uses a series of strangely configured TCP packets which contain a sequence

number of 0 and the URG, PSH and FIN flags. If the target's TCP port is

closed, the target replies with a TCP RST packet. If the target TCP port is

open, it simply discards the TCP XMAS scan. Use the

form to disable

this feature.

YNTAX

[

]

dos-protection tcp-xmas-scan

EFAULT

ETTING

Enabled

OMMAND

ODE

Global Configuration

Summary of Contents for SSE-G2252

Page 1: ...SSE G2252 Switch SSE G2252P Switch USER S MANUAL Revison 1 0b SSE G2252P SSE G2252P Switch SSE G2252 SSE G2252 Switch...

Page 2: ...l liability for all claims will not exceed the price paid for the hardware product FCC Statement This equipment has been tested and found to comply with the limits for a Class A digital device pursuan...

Page 3: ...al switch functions the Internet Protocol IP and Simple Network Management Protocol SNMP CONVENTIONS The following conventions are used throughout this guide to show information NOTE Emphasizes import...

Page 4: ...e first version of this guide This guide is valid for software release v2 0 0 4 REVISION 1 0A NOVEMBER 2015 REVISION This is the second version of this guide with new changes for the latest software r...

Page 5: ...g Passwords 30 Setting an IP Address 31 Downloading a Configuration File and Other Parameters Provided by a DHCP Server 37 Enabling SNMP Management Access 39 Managing System Files 41 Saving or Restori...

Page 6: ...5 Showing Port or Trunk Statistics 109 Displaying Statistical History 114 Displaying Transceiver Data 118 Configuring Transceiver Thresholds 119 Performing Cable Diagnostics 122 Trunk Configuration 12...

Page 7: ...er 2 Queue Settings 223 Setting the Default Priority for Interfaces 223 Selecting the Queue Mode 224 Mapping CoS Values to Egress Queues 226 Layer 3 4 Priority Settings 229 Setting Priority Processing...

Page 8: ...ction 326 Configuring VLAN Settings for ARP Inspection 328 Configuring Interface Settings for ARP Inspection 329 Displaying ARP Inspection Statistics 330 Displaying the ARP Inspection Log 332 Filterin...

Page 9: ...figuring General Settings for Clusters 439 Cluster Member Configuration 440 Managing Cluster Members 442 Ethernet Ring Protection Switching 442 ERPS Global Configuration 447 ERPS Ring Configuration 44...

Page 10: ...Source List 553 Multicast VLAN Registration for IPv4 554 Configuring MVR Global Settings 555 Configuring MVR Domain Settings 557 Configuring MVR Group Address Profiles 559 Configuring MVR Interface S...

Page 11: ...solution Protocol 634 Proxy ARP Configuration 634 Configuring Static ARP Addresses 636 Displaying Dynamic or Local ARP Entries 637 Displaying ARP Statistics 638 Configuring Static Routes 639 Displayin...

Page 12: ...973 Local Port Mirroring Commands 973 RSPAN Mirroring Commands 976 30 CONGESTION CONTROL COMMANDS 983 Rate Limit Commands 983 Storm Control Commands 984 Automatic Traffic Control Commands 986 31 LOOPB...

Page 13: ...ME SERVICE COMMANDS 1321 44 DHCP COMMANDS 1329 DHCP Client 1329 DHCP Relay 1337 45 IP INTERFACE COMMANDS 1339 IPv4 Interface 1339 Basic IPv4 Configuration 1340 ARP Configuration 1346 IPv6 Interface 13...

Page 14: ...view of the switch and introduces some basic concepts about network switches It also describes the basic settings required to access the management interface This section includes these chapters Intro...

Page 15: ...ity Measures AAA ARP Inspection DHCP Snooping with Option 82 relay information DoS Protection IP Source Guard PPPoE Intermediate Agent Port Authentication IEEE 802 1X Port Security MAC address filteri...

Page 16: ...hing Supported to ensure wire speed switching while eliminating bad frames Spanning Tree Algorithm Supports standard STP Rapid Spanning Tree Protocol RSTP and Multiple Spanning Trees MSTP Virtual LANs...

Page 17: ...ocking unnecessary network traffic or to implement security controls by restricting access to specific network resources or protocols PORT CONFIGURATION You can manually configure the speed duplex mod...

Page 18: ...s table facilitates data switching by learning addresses and then filtering or forwarding traffic based on this information The address table supports up to 16K addresses STORE AND FORWARD SWITCHING T...

Page 19: ...can be dynamically learned via GVRP or ports can be manually assigned to a specific set of VLANs This allows the switch to restrict traffic to the VLAN groups to which a user has been assigned By segm...

Page 20: ...uted between any IP interfaces configured on the switch Routing to statically configured hosts or subnet addresses is provided based on next hop entries specified in the static routing table ADDRESS R...

Page 21: ...to manage multicast group registration It also supports Multicast VLAN Registration MVR for IPv4 and MVR6 for IPv6 which allows common multicast traffic such as television channels to be transmitted a...

Page 22: ...Timeout 600 seconds Authentication and Security Measures Privileged Exec Level Username ADMIN Password ADMIN Normal Exec Level Username guest Password guest Enable Privileged Exec from Normal Exec Lev...

Page 23: ...rol Rate Limiting Disabled Storm Control Broadcast Disabled 500 packets sec Multicast Disabled Unknown Unicast Disabled Auto Traffic Control Disabled Address Table Aging Time 300 seconds Spanning Tree...

Page 24: ...sabled DNS Proxy service Disabled BOOTP Disabled ARP Enabled Cache Timeout 20 minutes Proxy Disabled Multicast Filtering IGMP Snooping Layer 2 Snooping Enabled Querier Disabled Multicast VLAN Registra...

Page 25: ...s and display statistics using a standard web browser such as Internet Explorer 8 Mozilla Firefox 36 or Google Chrome 41 or more recent versions The switch s web management interface can be accessed f...

Page 26: ...rmation and statistics REQUIRED CONNECTIONS The switch provides an RS 232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch A null modem console cable...

Page 27: ...he attached network The onboard configuration program can be accessed using Telnet from any computer attached to the network The switch can also be managed by any computer using a web browser Internet...

Page 28: ...haracters and are case sensitive To prevent unauthorized access to the switch set the passwords as follows 1 Open the console interface with the default user name and password ADMIN to access the Priv...

Page 29: ...d through the DHCPv6 server or manually configured as described in Assigning an IPv6 Address on page 32 MANUAL CONFIGURATION You can manually assign an IP address to the switch You may also need to sp...

Page 30: ...ss IP Version 6 on page 659 Link Local Address All link local addresses must be configured with a prefix in the range of FE80 FEBF Remember that this address type makes the switch accessible over IPv6...

Page 31: ...rk address and is expressed as a decimal number For example all IPv6 addresses that start with the first byte of 73 hexadecimal could be expressed as 73 0 0 0 0 0 0 0 8 or 73 8 To generate an IPv6 glo...

Page 32: ...backoff until IP configuration information is obtained from a BOOTP or DHCP server BOOTP and DHCP values can include the IP address subnet mask and default gateway If the DHCP BOOTP server is slow to...

Page 33: ...g Startup configuration file name startup Write to FLASH Programming Write to FLASH finish Success OBTAINING AN IPV6 ADDRESS Link Local Address There are several ways to configure IPv6 addresses The s...

Page 34: ...ration mode prompt type interface vlan 1 to access the interface configuration mode Press Enter 2 From the interface prompt type ipv6 address autoconfig and press Enter 3 Type ipv6 enable and press En...

Page 35: ...uration file the download procedure will be terminated and the switch will not send any further DHCP client requests If the switch fails to download the bootup configuration file based on information...

Page 36: ...ge 192 168 255 160 192 168 255 200 option routers 192 168 255 101 option tftp server name 192 168 255 100 Default Option 66 option bootfile name bootfile Default Option 67 class Option66 67_1 DHCP Opt...

Page 37: ...need to assign community strings to specified users and set the access level The default strings are public with read only access Authorized management stations are only able to retrieve MIB objects p...

Page 38: ...ONFIGURING ACCESS FOR SNMP VERSION 3 CLIENTS To configure management access for SNMPv3 clients you need to first create a view that defines the portions of MIB that the client can read or write assign...

Page 39: ...the switch operations and provides the CLI and web management interfaces See Managing System Files on page 129 for more information Diagnostic Code Software that is run during system boot up also know...

Page 40: ...rrent configuration settings enter the following command 1 From the Privileged Exec mode prompt type copy running config startup config and press Enter 2 Enter the name of the start up file Press Ente...

Page 41: ...gement Tasks on page 65 Interface Configuration on page 99 VLAN Configuration on page 147 Address Table Settings on page 179 Spanning Tree Algorithm on page 189 Congestion Control on page 213 Class of...

Page 42: ...44 General IP Routing on page 627...

Page 43: ...s and passwords using an out of band serial connection Access to the web agent is controlled by the same user names and passwords as the onboard configuration program See Setting Passwords on page 30...

Page 44: ...switch s web agent the home page is displayed as shown below The home page displays the Main Menu on the left side of the screen and System Information on the right side The Main Menu links are used t...

Page 45: ...Figure 3 2 Front Panel Indicators MAIN MENU Using the onboard web agent you can define system parameters manage and control the switch and all its ports or monitor network conditions The following ta...

Page 46: ...Shows list of configured NTP time servers 83 Add NTP Authentication Key Adds key index and corresponding MD5 key 85 Show NTP Authentication Key Shows list of configured authentication keys 85 Configu...

Page 47: ...into static trunks 125 Show Member Shows the port members for the selected trunk 125 Configure General 125 Configure Configures trunk connection settings 125 Show Information Displays trunk connectio...

Page 48: ...d administrative status 150 Edit Member by VLAN Specifies VLAN attributes per VLAN 150 Edit Member by Interface Specifies VLAN attributes per interface 153 Edit Member by Interface Range Specifies VLA...

Page 49: ...plays dynamic entries in the address table 183 Clear Dynamic MAC Removes any learned entries from the forwarding database and clears the transmit and receive counts for any static or system configured...

Page 50: ...reshold and the time to release the control response after traffic has fallen beneath the lower threshold 217 Configure Interface Sets the storm control mode broadcast or multicast the traffic thresho...

Page 51: ...igure Interface Configures VoIP traffic settings for ports including the way in which a port is added to the Voice VLAN filtering of non VoIP packets the method of detecting VoIP traffic and the prior...

Page 52: ...tocol settings 280 Configure Interface Enables Web Authentication for individual ports 281 Network Access MAC address based network access authentication 282 Configure Global Enables aging for authent...

Page 53: ...L and time range Configure Binds a port to the specified ACL and time range 321 Add Mirror MIrrors matching traffic to the specified port 322 Show Mirror Shows ACLs mirrored to specified port 322 Show...

Page 54: ...Pv6 Source Guard Filters IPv6 traffic based on static entries in the IP Source Guard table or dynamic entries in the DHCP Snooping table 355 Port Configuration Enables IPv6 source guard and selects fi...

Page 55: ...ent status and sets related trap functions 402 Configure Engine 403 Set Engine ID Sets the SNMP v3 engine ID on this switch 403 Add Remote Engine Sets the SNMP v3 engine ID for a remote device 404 Sho...

Page 56: ...ics on a physical interface 433 Statistics Enables collection of statistics on a physical interface 436 Show History Shows sampling parameters for each entry in the history group 433 Statistics Shows...

Page 57: ...s list of configured maintenance associations 480 Configure MEP Configures Maintenance End Points 485 Add Configures MEPs at the domain boundary to provide management access for each maintenance assoc...

Page 58: ...d recovery interval 514 Configure Interface Enables UDLD and aggressive mode which reduces the shut down delay after loss of bidirectional connectivity is detected 515 Show Information Displays UDLD n...

Page 59: ...ave returned an ICMP packet too big message along with an acceptable MTU to this switch 608 IP Service 611 DNS Domain Name Service 611 General 611 Configure Global Enables DNS lookup defines the defau...

Page 60: ...to a neighboring multicast router either through static or dynamic configuration 526 IGMP Member 528 Add Static Member Statically assigns multicast addresses to the selected VLAN 528 Show Static Memb...

Page 61: ...resses statically configured on the selected VLAN 551 Show Current Member Shows multicast addresses associated with the selected VLAN either through static or dynamic configuration 551 Group Informati...

Page 62: ...ing 575 Configure Interface Configures MVR interface type and immediate leave mode also displays MVR operational and active status 578 Configure Port Configures MVR attributes for a port 578 Configure...

Page 63: ...Clock Sets the current time manually or through specified NTP or SNTP servers Configuring the Console Port Sets console port connection parameters Configuring Telnet Settings Sets Telnet connection p...

Page 64: ...39 102 SSE G2252P 1 3 6 1 4 1 259 10 1 39 102 ECS4210 52P 1 3 6 1 4 1 259 10 1 39 102 System Up Time Length of time the management agent has been up System Name Name assigned to the switch system Syst...

Page 65: ...rts Hardware Version Hardware version of the main board Main Power Status Displays the status of the internal power supply Management Software Information Role Shows that this switch is operating as M...

Page 66: ...s protocol encapsulation fields CLI REFERENCES System Management Commands on page 653 USAGE GUIDELINES To use jumbo frames both the source and destination end nodes such as a computer or server must s...

Page 67: ...switch provides mapping of user priorities to multiple traffic classes Refer to Class of Service on page 223 Static Entry Individual Port This switch allows static filtering for unicast and multicast...

Page 68: ...ion information 1 Click System then Capability Figure 4 4 Displaying Bridge Extension Configuration MANAGING SYSTEM FILES This section describes how to upgrade the switch operating software or configu...

Page 69: ...y the protocol versions and perform security checks SFTP connection setup includes verification of the DSS signature creation of session keys creation of client server and server client ciphers SSH ke...

Page 70: ...n the file directory on the switch NOTE The maximum number of user defined configuration files is limited only by available flash memory space NOTE The file Factory_Default_Config cfg can be copied to...

Page 71: ...artup file CLI REFERENCES copy on page 667 PARAMETERS The following parameters are displayed Copy Type The copy operation includes this option Running Config Copies the current configuration settings...

Page 72: ...HE START UP FILE Use the System File Set Start Up page to specify the firmware or configuration file to use for system initialization CLI REFERENCES whichboot on page 672 boot system on page 666 WEB I...

Page 73: ...the File List and click Delete Figure 4 8 Displaying System Files AUTOMATIC OPERATION CODE UPGRADE Use the System File Automatic Operation Code Upgrade page to automatically download an operation cod...

Page 74: ...operating systems such as Unix and most Unix like systems FreeBSD NetBSD OpenBSD and most Linux distributions etc are case sensitive meaning that two files in the same directory sse G2252 series bix...

Page 75: ...st be observed tftp host filedir tftp Defines TFTP protocol for the server connection host Defines the IP address of the TFTP server Valid IP addresses consist of four numbers 0 to 255 separated by pe...

Page 76: ...ory tftp 192 168 0 1 switch opcode The image file is in the switch opcode directory relative to the TFTP root tftp 192 168 0 1 switches opcode The image file is in the opcode directory which is within...

Page 77: ...restart after upgrade succeeds Downloading new image Flash programming started Flash programming completed The switch will now restart SETTING THE SYSTEM CLOCK Simple Network Time Protocol SNTP allow...

Page 78: ...ows the current time set on the switch Hours Sets the hour Range 0 23 Minutes Sets the minute value Range 0 59 Seconds Sets the second value Range 0 59 Month Sets the month Range 1 12 Day Sets the day...

Page 79: ...equests for a time update from a time server Range 16 16384 seconds Default 16 seconds WEB INTERFACE To set the polling interval for SNTP 1 Click System then Time 2 Select Configure General from the S...

Page 80: ...and client Polling Interval Shows the interval between sending requests for a time update from NTP servers Fixed 1024 seconds WEB INTERFACE To set the clock maintenance type to NTP 1 Click System the...

Page 81: ...ime Servers SPECIFYING NTP TIME SERVERS Use the System Time Configure Time Server Add NTP Server page to add the IP address for up to 50 NTP time servers CLI REFERENCES ntp server on page 704 PARAMETE...

Page 82: ...ge 1 65535 WEB INTERFACE To add an NTP time server to the server list 1 Click System then Time 2 Select Configure Time Server from the Step list 3 Select Add NTP Server from the Action list 4 Enter th...

Page 83: ...n this page Up to 255 keys can be configured on the switch Range 1 65535 Key Context An MD5 authentication key string The key string can be up to 32 case sensitive printable ASCII characters no spaces...

Page 84: ...e zone is east before or west after of UTC You can choose one of the 80 predefined time zone definitions or your can manually configure the parameters for your local time zone CLI REFERENCES clock tim...

Page 85: ...ion is terminated for the session Range 10 300 seconds Default 300 seconds Exec Timeout Sets the interval that the system waits until user input is detected If user input is not detected within the ti...

Page 86: ...ection can only be configured through the CLI see password on page 682 NOTE Password checking can be enabled or disabled for logging in to the console connection see login on page 680 You can select a...

Page 87: ...s not detected within the timeout interval the connection is terminated for the session Range 10 300 seconds Default 300 seconds Exec Timeout Sets the interval that the system waits until user input i...

Page 88: ...age 656 PARAMETERS The following parameters are displayed CPU Guard Status Enables CPU Guard Default Disabled High Watermark If the percentage of CPU usage time is higher than the high watermark the s...

Page 89: ...ilization must drop beneath the low watermark before the alarm is terminated and then exceed the high watermark again before another alarm is triggered Once the maximum threshold is exceeded utilizati...

Page 90: ...Utilization CPU utilization over specified interval Show Information by Task Total The total number of tasks running on the CPU Index An index indentifying each task Task The name of the task Util The...

Page 91: ...Utilization To display CPU utilization by task 1 Click System CPU Utilization Show Information by Task Figure 4 23 Displaying CPU Utilization by Task DISPLAYING MEMORY UTILIZATION Use the System Memor...

Page 92: ...y at a specified time after a specified delay or at a periodic interval CLI REFERENCES reload Privileged Exec on page 650 reload Global Configuration on page 646 show reload on page 651 COMMAND USAGE...

Page 93: ...reload the switch The specified time must be equal to or less than 24 days hours The number of hours combined with the minutes before the switch resets Range 0 576 minutes The number of minutes combi...

Page 94: ...RFACE To restart the switch 1 Click System then Reset 2 Select the required reset mode 3 For any option other than to reset immediately fill in the required parameters 4 Click Apply 5 When prompted co...

Page 95: ...Chapter 4 Basic Management Tasks Resetting the System 97 Figure 4 27 Restarting the Switch At Figure 4 28 Restarting the Switch Regularly...

Page 96: ...rs which support DDM Configuring Transceiver Thresholds Configures thresholds for alarm and warning messages for optical transceivers which support DDM Cable Test Tests the cable attached to a port Tr...

Page 97: ...bled the only attribute which can be advertised is flow control PARAMETERS These parameters are displayed Port Port identifier Range 1 52 Type Indicates the port type 100BASE FX 1000BASE T 1000BASE SF...

Page 98: ...ormally IEEE 802 3x for full duplex operation Default Autonegotiation enabled Advertised capabilities for 100BASE FX SFP 100full 1000BASE T 10half 10full 100half 100full 1000full 1000BASE SX LX LH SFP...

Page 99: ...ommands on page 921 WEB INTERFACE To configure port connection parameters 1 Click Interface Port General 2 Select Configure by Port Range from the Action List 3 Enter to range of ports to which your c...

Page 100: ...Flow Control Shows the flow control type used WEB INTERFACE To display port connection parameters 1 Click Interface Port General 2 Select Show Information from the Action List Figure 5 3 Displaying P...

Page 101: ...target port cannot be set to the same target ports as that used for port mirroring by this command When traffic matches the rules for both port mirroring and for mirroring of VLAN traffic or packets b...

Page 102: ...rror traffic from remote switches for analysis at a destination port on the local switch This feature also called Remote Switched Port Analyzer RSPAN carries traffic generated on the specified source...

Page 103: ...the mirror session the switch s role Source the RSPAN VLAN and the uplink port1 Then specify the source port s and the traffic type to monitor Rx Tx or Both 3 Set up all intermediate switches on the...

Page 104: ...is enabled after RSPAN has been configured MAC address learning will still not be re started on the RSPAN uplink ports IEEE 802 1X RSPAN and 802 1X are mutually exclusive functions When 802 1X is enab...

Page 105: ...ned by the switch as members of the RSPAN VLAN Ports cannot be manually assigned to an RSPAN VLAN through the VLAN Static page Nor can GVRP dynamically add port members to an RSPAN VLAN Also note that...

Page 106: ...TRUNK STATISTICS Use the Interface Port Trunk Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet like MIBs as well as a detailed breakdow...

Page 107: ...ddress including those that were discarded or not sent Received Discarded Packets The number of inbound packets which were chosen to be discarded even though no errors had been detected to prevent the...

Page 108: ...umber of times that the carrier sense condition was lost or never asserted when attempting to transmit a frame Internal MAC Receive Errors A count of frames for which reception on a particular interfa...

Page 109: ...yte Packets 128 255 Byte Packets 256 511 Byte Packets 512 1023 Byte Packets 1024 1518 Byte Packets 1519 1536 Byte Packets The total number of packets including bad packets received and transmitted whe...

Page 110: ...how a chart of port statistics 1 Click Interface Port Chart 2 Select the statistics mode to display Interface Etherlike RMON or All 3 If Interface Etherlike RMON statistics mode is chosen select a por...

Page 111: ...story page to display statistical history for the specified interfaces CLI REFERENCES history on page 926 show interfaces history on page 933 COMMAND USAGE For a description of the statistics displaye...

Page 112: ...e number of samples to take Show Details Mode Status Shows the sample parameters Current Entry Shows current statistics for the specified port and named sample Input Previous Entries Shows statistical...

Page 113: ...how from the Action menu 3 Select an interface from the Port or Trunk list Figure 5 14 Showing Entries for History Sampling To show the configured parameters for a sampling entry 1 Click Interface Por...

Page 114: ...Statistics 2 Select Show Details from the Action menu 3 Select Current Entry from the options for Mode 4 Select an interface from the Port or Trunk list 5 Select an sampling entry from the Name list F...

Page 115: ...ng DDM CLI REFERENCES show interfaces transceiver on page 944 PARAMETERS These parameters are displayed Port Port number Range 49 52 General Information on connector type and vendor related parameters...

Page 116: ...iver page to configure thresholds for alarm and warning messages for optical transceivers which support Digital Diagnostic Monitoring DDM This page also displays identifying information for supported...

Page 117: ...ovides information on transceiver parameters Trap Sends a trap when any of the transceiver s operation values falls outside of specified thresholds Default Disabled Auto Mode Uses default threshold se...

Page 118: ...to the threshold and the last sample value was greater than the threshold After a falling event has been generated another such event will not be generated until the sampled value has risen above the...

Page 119: ...1 Gbps TDR analyses the cable by sending a pulsed signal into the cable and then examining the reflection of that pulse If the port link up speed is not 1 Gbps then Time Domain Reflectometry TDR test...

Page 120: ...Link Status Shows if the port link is up or down Test Result The results include common cable failures as well as the status and approximate distance to a fault or the approximate cable length if no f...

Page 121: ...d link with LACP configured ports on another device You can configure any number of ports on the switch as LACP as long as they are not already configured as part of a static trunk If ports on another...

Page 122: ...hole when moved from to added or deleted from a VLAN STP VLAN and IGMP settings can only be made for the entire trunk CONFIGURING A STATIC TRUNK Use the Interface Trunk Static page to create a trunk a...

Page 123: ...te a static trunk 1 Click Interface Trunk Static 2 Select Configure Trunk from the Step list 3 Select Add from the Action list 4 Enter a trunk identifier 5 Set the unit and port for the initial trunk...

Page 124: ...figure from the Action list 4 Modify the required interface settings Refer to Configuring by Port List on page 99 for a description of the parameters 5 Click Apply Figure 5 24 Configuring Connection P...

Page 125: ...ttached to the same target switch have LACP enabled the additional ports will be placed in standby mode and will only be enabled if one of the active links fails All ports on both ends of an LACP trun...

Page 126: ...timeout of 3 seconds The timeout is set in the LACP timeout bit of the Actor State field in transmitted LACPDUs When the partner switch receives an LACPDU set with a short timeout from the actor swit...

Page 127: ...he downed link However if two or more ports have the same LACP port priority the port with the lowest physical port number will be selected as the backup port If an LAG already exists with the maximum...

Page 128: ...rom the Step list 3 Select Configure from the Action list 4 Click General 5 Enable LACP on the required ports 6 Click Apply Figure 5 28 Enabling LACP on a Port To configure LACP parameters for group m...

Page 129: ...p list 3 Select Show Member from the Action list 4 Select a Trunk Figure 5 30 Showing Members of a Dynamic Trunk To configure connection parameters for a dynamic trunk 1 Click Interface Trunk Dynamic...

Page 130: ...TERS Use the Interface Trunk Dynamic Configure Aggregation Port Show Information Counters page to display statistics for LACP protocol messages CLI REFERENCES show lacp on page 960 PARAMETERS These pa...

Page 131: ...gation Port Show Information Internal page to display the configuration settings and operational state for the local side of a link aggregation CLI REFERENCES show lacp on page 960 Marker Unknown Pkts...

Page 132: ...ed state Defaulted The actor s receive machine is using defaulted operational partner information administratively configured for the partner Distributing If false distribution of outgoing frames on t...

Page 133: ...Partner Oper System ID LAG partner s system ID assigned by the LACP protocol Partner Admin Port Number Current administrative value of the port number for the protocol Partner Partner Oper Port Number...

Page 134: ...ce Trunk Load Balance page to set the load distribution method used among ports in aggregated links CLI REFERENCES COMMAND USAGE This command applies to all static and dynamic trunks on the switch To...

Page 135: ...witch to switch trunk links where traffic through the switch is received from and destined for many different hosts Source IP Address All traffic with the same source IP address is output on the same...

Page 136: ...en there is no link partner Under normal operation the switch continuously auto negotiates to find a link partner keeping the MAC interface powered up even if no link connection exists When using powe...

Page 137: ...active link only works when connection speed is 1 Gbps and line length is less than 60 meters PARAMETERS These parameters are displayed Port Power saving mode only applies to the Gigabit Ethernet port...

Page 138: ...e access to their uplink ports where security is less likely to be compromised ENABLING TRAFFIC SEGMENTATION Use the Interface Traffic Segmentation Configure Global page to enable traffic segmentation...

Page 139: ...nctions such as VLANs and spanning tree protocol A port cannot be configured in both an uplink and downlink list A port can only be assigned to one traffic segmentation session A downlink port can onl...

Page 140: ...or trunks Port Port Identifier Range 1 52 Trunk Trunk Identifier Range 1 16 WEB INTERFACE To configure the members of the traffic segmentation group 1 Click Interface Traffic Segmentation 2 Select Con...

Page 141: ...D and E Figure 5 41 Configuring VLAN Trunking Without VLAN trunking you would have to configure VLANs 1 and 2 on all intermediate switches C D and E otherwise these switches would drop any frames wit...

Page 142: ...ll other ports where VLAN trunking is enabled In other words VLAN trunking will still be effectively enabled for the unknown VLAN PARAMETERS These parameters are displayed Interface Displays a list of...

Page 143: ...switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains VLANs confine broadcast traffic to the originating group and can eli...

Page 144: ...up s in which it will participate By default all ports are assigned to VLAN 1 as untagged ports Add a port as a tagged port if you want it to carry traffic for one or more VLANs and any intermediate n...

Page 145: ...GARP VLAN Registration Protocol defines a system whereby the switch can automatically learn the VLANs to which each end station should be assigned If an end station or its network adapter supports th...

Page 146: ...h along a path that contains any VLAN aware devices the switch should include VLAN tags When forwarding a frame from this switch along a path that does not contain any VLAN aware devices including the...

Page 147: ...ce to support Layer 3 configuration and reserves memory space required to maintain additional information about this interface type This parameter must be enabled before you can assign an IP address t...

Page 148: ...elect Modify from the Action list 3 Select the identifier of a configured VLAN 4 Modify the VLAN name operational status or Layer 3 Interface status as required 5 Click Apply Figure 6 4 Modifying Sett...

Page 149: ...of configured VLAN 1 4094 Interface Displays a list of ports or trunks Port Port Identifier Range 1 52 Trunk Trunk Identifier Range 1 16 Mode Indicates VLAN membership mode for an interface Default Hy...

Page 150: ...t is not a member these frames will be discarded Ingress filtering does not affect VLAN independent BPDU frames such as GVRP or STP However they do affect VLAN dependent BPDU frames such as GMRP Membe...

Page 151: ...e frame type and ingress filtering parameters for each interface within the specified range must be configured on either the Edit Member by VLAN or Edit Member by Interface page WEB INTERFACE To confi...

Page 152: ...Member by Interface Range from the Action list 3 Set the Interface type to display as Port or Trunk 4 Enter an interface range 5 Modify the VLAN parameters as required Remember that the PVID acceptabl...

Page 153: ...GVRP must be globally enabled for the switch before this setting can take effect using the Configure General page When disabled any GVRP packets received on this port will be discarded and no GVRP reg...

Page 154: ...AN Identifier of a VLAN this switch has joined through GVRP Interface Displays a list of ports or trunks which have joined the selected VLAN through GVRP WEB INTERFACE To configure GVRP on the switch...

Page 155: ...Dynamic 2 Select Show Dynamic VLAN from the Step list 3 Select Show VLAN from the Action list Figure 6 11 Showing Dynamic VLANs Registered on the Switch To show the members of a dynamic VLAN 1 Click...

Page 156: ...VLAN IDs QinQ tunneling expands VLAN space by using a VLAN in VLAN hierarchy preserving the customer s original tagged packets and adding SPVLAN tags to each frame also called double tagging A port c...

Page 157: ...ag if it is a tagged or priority tagged packet 2 After successful source and destination lookup the ingress process sends the packet to the switching process with two tags If the incoming packet is un...

Page 158: ...will be dropped when ingress filtering is enabled If ingress filtering is not enabled the packet will still be forwarded If the VLAN is not listed in the VLAN table the packet will be dropped 4 After...

Page 159: ...t in the Ethernet Type field This step is required if the attached client is using a nonstandard 2 byte ethertype to identify 802 1Q tagged frames The default ethertype value is 0x8100 See Enabling Qi...

Page 160: ...assigned to the VLAN contained in the tag following the ethertype field as they would be with a standard 802 1Q trunk Frames arriving on the port containing any other ethertype are looked upon as unt...

Page 161: ...he outer tag This allows the service provider to differentiate service based on the indicated priority and appropriate methods of queue management at intermediate nodes across the tunnel Rather than r...

Page 162: ...ed port 6 Click Apply Figure 6 15 Configuring CVLAN to SPVLAN Mapping Entries To show the mapping table 1 Click VLAN Tunnel 2 Select Configure Service from the Step list 3 Select Show from the Action...

Page 163: ...re Interface page to set the access interface on the edge switch to Access mode and set the uplink interface on the switch attached to the service provider network to Uplink mode PARAMETERS These para...

Page 164: ...ort its VLAN membership can then be determined based on the protocol type being used by the inbound packets COMMAND USAGE To configure protocol based VLANs follow these steps 1 First configure VLAN gr...

Page 165: ...which matches IP Protocol Ethernet Frames is mapped to the VLAN VLAN 1 that has been configured with the switch s administrative IP IP Protocol Ethernet traffic must not be mapped to another VLAN or y...

Page 166: ...will participate in the group CLI REFERENCES protocol vlan protocol group Configuring Interfaces on page 1108 COMMAND USAGE When creating a protocol based VLAN only assign interfaces using this confi...

Page 167: ...rotocol Group ID assigned to the Protocol VLAN Group Range 1 2147483647 VLAN ID VLAN to which matching protocol traffic is forwarded Range 1 4094 Priority The priority assigned to untagged ingress tra...

Page 168: ...o configure IP subnet based VLANs When using port based classification all untagged frames received by a port are classified as belonging to the VLAN whose VID PVID is associated with that port When I...

Page 169: ...ity is applied in this sequence and then port based VLANs last PARAMETERS These parameters are displayed IP Address The IP address for a subnet Valid IP addresses consist of four decimal numbers 0 to...

Page 170: ...to ingress untagged frames according to source MAC addresses When MAC based VLAN classification is enabled untagged frames received by a port are assigned to the VLAN which is mapped to the frame s s...

Page 171: ...address 00 50 6e 00 5f b1 translated into binary MAC 00000000 01010000 01101110 00000000 01011111 10110001 could be 11111111 11xxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx So the mask in hexadecimal for...

Page 172: ...obe to the target port and study the traffic crossing the source VLAN s in a completely unobtrusive manner CLI REFERENCES Port Mirroring Commands on page 973 COMMAND USAGE All active ports in a source...

Page 173: ...matches the rules for both port mirroring and for mirroring of VLAN traffic or packets based on a MAC address the matching packets will not be sent to target port specified for port mirroring PARAMETE...

Page 174: ...Chapter 6 VLAN Configuration Configuring VLAN Mirroring 178 Figure 6 27 Showing the VLANs to Mirror...

Page 175: ...dress to a target port MAC Notification Traps Issue trap when a dynamic MAC address is added or removed CONFIGURING MAC ADDRESS LEARNING Use the MAC Address Learning Status page to enable or disable M...

Page 176: ...Port Port identifier Range 1 52 Trunk Trunk identifier Range 1 16 VLAN VLAN identifier Range 1 4094 Status The status of MAC address learning Default Enabled WEB INTERFACE To enable or disable MAC ad...

Page 177: ...e this command to add static addresses to the MAC Address Table Static addresses have the following characteristics Static addresses are bound to the assigned interface and will not be moved When a st...

Page 178: ...nk to which the address will be assigned the MAC address and the time to retain this entry 4 Click Apply Figure 7 3 Configuring Static MAC Addresses To show the static addresses in MAC address table 1...

Page 179: ...required 4 Specify a new aging time 5 Click Apply Figure 7 5 Setting the Address Aging Time DISPLAYING THE DYNAMIC ADDRESS TABLE Use the MAC Address Dynamic Show Dynamic MAC page to display the MAC ad...

Page 180: ...how the dynamic address table 1 Click MAC Address Dynamic 2 Select Show Dynamic MAC from the Action list 3 Select the Sort Key MAC Address VLAN or Interface 4 Enter the search parameters MAC Address V...

Page 181: ...MAC ADDRESS MIRRORING Use the MAC Address Mirror Add page to mirror traffic matching a specified source address from any port on the switch to a target port for real time analysis You can then attach...

Page 182: ...address the matching packets will not be sent to target port specified for port mirroring PARAMETERS These parameters are displayed Source MAC MAC address in the form of xx xx xx xx xx xx or xxxxxxxxx...

Page 183: ...d Default Disabled MAC Notification Trap Interval Specifies the interval between issuing two consecutive traps Range 1 3600 seconds Default 1 second Configure Interface Port Port Identifier Range 1 52...

Page 184: ...Traps Global Configuration To enable MAC address traps at the interface level 1 Click MAC Address MAC Notification 2 Select Configure Interface from the Step list 3 Enable MAC notification traps for...

Page 185: ...that only one route exists between any two stations on the network and provide backup links which automatically take over when a primary link goes down The spanning tree algorithms supported by this...

Page 186: ...forwarding database for ports insensitive to changes in the tree structure when reconfiguration occurs MSTP When using STP or RSTP it may be difficult to maintain a stable path between all VLAN member...

Page 187: ...ause each instance is treated as an RSTP node in the Common Spanning Tree CST CONFIGURING LOOPBACK DETECTION Use the Spanning Tree Loopback Detection page to configure loopback detection on an interfa...

Page 188: ...ows an interface to be manually released from discard mode This is only available if the interface is configured for manual release mode Action Sets the response for loopback detection to block user t...

Page 189: ...vertently disabled to prevent network loops thus isolating group members When operating multiple VLANs we recommend selecting the MSTP option Rapid Spanning Tree Protocol1 RSTP supports connections to...

Page 190: ...displayed Basic Configuration of Global Settings Spanning Tree Status Enables disables STA on this switch Default Enabled Spanning Tree Type Specifies the type of spanning tree used on this switch ST...

Page 191: ...RSTP according to the standard Path Cost Method The path cost is used to determine the best path between devices The path cost method is used to determine the range of values that can be assigned to...

Page 192: ...firm that a port can transition to the forwarding state without having to rely on any timer configuration To achieve fast convergence RSTP relies on the use of edge ports and automatic detection of po...

Page 193: ...Spanning Tree STA 2 Select Configure Global from the Step list 3 Select Configure from the Action list 4 Modify any of the required attributes Note that the parameters displayed for the spanning tree...

Page 194: ...Chapter 8 Spanning Tree Algorithm Configuring Global Settings for STA 198 Figure 8 6 Configuring Global Settings for STA RSTP Figure 8 7 Configuring Global Settings for STA MSTP...

Page 195: ...nd MAC address where the address is taken from the switch system Designated Root The priority and MAC address of the device in the Spanning Tree that this switch has accepted as the root device Root P...

Page 196: ...erface Displays a list of ports or trunks Spanning Tree Enables disables STA on this interface Default Enabled BPDU Flooding Enables disables the flooding of BPDUs to other ports when global spanning...

Page 197: ...is attached to a point to point link or to shared media This is the default setting Root Guard STA allows a bridge with a lower bridge identifier or same identifier and lower MAC address to take over...

Page 198: ...ls the spanning tree s maximum age for configuration messages see maximum age under Configuring Global Settings for STA on page 193 An interface cannot function as an edge port under the following con...

Page 199: ...cted interface to forced STP compatible mode However you can also use the Protocol Migration button to manually re check the appropriate BPDU format RSTP or STP compatible to send on the selected inte...

Page 200: ...ected to the same segment and there is no other STA device attached to this segment the port with the smaller ID forwards packets and the other is discarding All ports are discarding when the switch i...

Page 201: ...ugh the bridge to the root bridge i e designated port is the MSTI regional root i e master port or is an alternate or backup port that may provide connectivity if other bridges bridge ports or LANs fa...

Page 202: ...default all VLANs are assigned to the Internal Spanning Tree MST Instance 0 that connects all bridges and LANs within the MST region This switch supports up to 64 instances You should try to group VLA...

Page 203: ...in steps of 4096 Options 0 4096 8192 12288 16384 20480 24576 28672 32768 36864 40960 45056 49152 53248 57344 61440 Default 32768 WEB INTERFACE To create instances for MSTP 1 Click Spanning Tree MSTP...

Page 204: ...Select Modify from the Action list 4 Modify the priority for an MSTP Instance 5 Click Apply Figure 8 14 Modifying the Priority for an MST Instance To display global settings for MSTP 1 Click Spanning...

Page 205: ...p list 3 Select Add Member from the Action list 4 Select an MST instance from the MST ID list 5 Enter the VLAN group to add to the instance in the VLAN ID field Note that the specified member does not...

Page 206: ...es STA configuration messages but does not forward packets Learning Port has transmitted configuration messages for an interval set by the Forward Delay parameter without receiving contradictory infor...

Page 207: ...below Path cost 0 is used to indicate auto configuration mode When the short path cost method is selected and the default path cost recommended by the IEEE 8021w standard exceeds 65 535 the default is...

Page 208: ...Chapter 8 Spanning Tree Algorithm Configuring Interface Settings for MSTP 212 Figure 8 19 Displaying MSTP Interface Settings...

Page 209: ...e Traffic Rate Limit page to apply rate limiting to ingress or egress ports This function allows the network manager to control the maximum rate for traffic received or transmitted on an interface Rat...

Page 210: ...erly configured If there is too much traffic on your network performance can be severely degraded or everything can come to complete halt You can protect your network from traffic storms by setting a...

Page 211: ...BASE FX 1000BASE T 1000BASE SFP Unknown Unicast Specifies storm control for unknown unicast traffic Multicast Specifies storm control for multicast traffic Broadcast Specifies storm control for broadc...

Page 212: ...ow Alarm Fire Threshold The highest acceptable traffic rate When ingress traffic exceeds the threshold ATC sends a Storm Alarm Fire Trap and logs it Storm Alarm FireTRAP Alarm Fire Threshold 1 255kpps...

Page 213: ...nually The control response of shutting down a port can only be released manually Figure 9 4 Storm Control by Shutting Down a Port The key elements of this diagram are the same as that described in th...

Page 214: ...r The interval after the upper threshold has been exceeded at which to apply the control response to broadcast storms Range 1 300 seconds Default 300 seconds Broadcast Release Timer The time at which...

Page 215: ...storm control is a software level control function Traffic storms can also be controlled at the hardware level using the Storm Control menu However only one of these control types can be applied to a...

Page 216: ...igured by the Auto Release Control attribute Range 1 255 kilo packets per second Default 250 kpps If rate limiting has been configured as a control response and Auto Control Release is enabled rate li...

Page 217: ...to Traffic Control 2 Select Configure Interface from the Step field 3 Enable or disable ATC as required set the control response specify whether or not to automatically release the control response of...

Page 218: ...This section describes how to configure the default priority for untagged frames set the queue mode set the weights assigned to each queue and map class of service tags to queues SETTING THE DEFAULT P...

Page 219: ...r any interface 4 Click Apply Figure 10 1 Setting the Default Port Priority SELECTING THE QUEUE MODE Use the Traffic Priority Queue page to set the queue mode for the egress queues on any interface Th...

Page 220: ...es a combination of strict and weighted queuing The specified queue mode applies to all interfaces PARAMETERS These parameters are displayed Queue Mode Strict Services the egress queues in sequential...

Page 221: ...ueues which are serviced first must be specified by enabling strict mode parameter in the table 5 Click Apply Figure 10 2 Setting the Queue Mode Strict Figure 10 3 Setting the Queue Mode WRR Figure 10...

Page 222: ...els recommended in the IEEE 802 1p standard for various network applications are shown in Table 10 2 However priority levels can be mapped to the switch s output queues in any way that benefits applic...

Page 223: ...ueues 1 Click Traffic Priority PHB to Queue 2 Select Configure from the Action list 3 Map an internal PHB to a hardware queue Depending on how an ingress packet is processed internally based on its Co...

Page 224: ...put queue Because different priority information may be contained in the traffic this switch maps priority values to the output queues in the following manner The precedence for priority mapping is DS...

Page 225: ...ed packet the default port priority see page 223 is used for priority processing If the QoS mapping mode is set to CoS and the ingress packet type is IPv4 then priority processing will be based on the...

Page 226: ...one to one to the Class of Service values that is Precedence value 0 maps to PHB value 0 and so forth Bits 6 and 7 are used for network control and the other bits for various application types The ToS...

Page 227: ...or this router hop Range 0 7 Drop Precedence Drop precedence used for Random Early Detection in controlling traffic congestion Range 0 Green 3 Yellow 1 Red WEB INTERFACE To map IP Precedence to intern...

Page 228: ...ut it retains backward compatibility with the three precedence bits so that non DSCP compliant ToS enabled devices will not conflict with the DSCP mapping Based on network policies different kinds of...

Page 229: ...lick Apply Table 10 6 Default Mapping of DSCP Values to Internal PHB Drop Values ingress dscp1 ingress dscp10 0 1 2 3 4 5 6 7 8 9 0 0 0 0 1 0 0 0 3 0 0 0 1 0 0 0 3 1 0 1 1 1 1 0 1 3 1 0 1 1 1 0 1 3 2...

Page 230: ...Priority CoS to DSCP page to maps CoS CFI values in incoming packets to per hop behavior and drop precedence values for priority processing CLI REFERENCES qos map cos dscp on page 1126 COMMAND USAGE...

Page 231: ...s parameter to 0 to indicate that the MAC address information carried in the frame is in canonical format Range 0 1 PHB Per hop behavior or the priority used for this router hop Range 0 7 Drop Precede...

Page 232: ...Settings 237 Figure 10 12 Configuring CoS to DSCP Internal Mapping To show the CoS CFI to internal PHB drop precedence map 1 Click Traffic Priority CoS to DSCP 2 Select Show from the Action list Figu...

Page 233: ...etwork policies different kinds of traffic can be marked for different kinds of forwarding All switches or routers that access the Internet rely on class information to provide the same forwarding tre...

Page 234: ...ured to monitor the maximum throughput and burst rate Then specify the action to take for conforming traffic or the action to take for a policy violation 5 Use the Configure Interface page to assign a...

Page 235: ...IPv6 ACLs and MAC ACLs IP DSCP A DSCP value Range 0 63 IP Precedence An IP Precedence value Range 0 7 IPv6 DSCP A DSCP value contained in an IPv6 packet Range 0 63 VLAN ID A VLAN Range 1 4094 CoS A Co...

Page 236: ...from the Step list 3 Select Add Rule from the Action list 4 Select the name of a class map 5 Specify type of traffic for this class based on an access list a DSCP or IP Precedence value a VLAN or a C...

Page 237: ...eviously defined class maps The class of service or per hop behavior i e the priority used for internal queue processing can be assigned to matching packets In addition the flow rate of inbound traffi...

Page 238: ...d The marker re colors an IP packet according to the results of the meter The color is coded in the DS field RFC 2474 of the packet The behavior of the meter is specified in terms of its mode and two...

Page 239: ...service value or drop a packet the switch will also mark the two color bits used to set the drop precedence of a packet for Random Early Detection A packet is marked red if it exceeds the PIR Otherwi...

Page 240: ...of trTCM CLI REFERENCES Quality of Service Commands on page 1133 COMMAND USAGE A policy map can contain 200 class statements that can be applied to the same interface page 252 Up to 32 policy maps ca...

Page 241: ...r maximum throughput committed burst size BC or burst rate and the action to take for conforming and non conforming traffic Policing is based on a token bucket where bucket depth that is the maximum b...

Page 242: ...ed rate in kilobits per second Range 0 1000000 kbps at a granularity of 64 kbps or maximum port speed whichever is lower The rate cannot exceed the configured interface speed Committed Burst Size BC C...

Page 243: ...f this section under trTCM Police Meter Committed Information Rate CIR Committed rate in kilobits per second Range 0 1000000 kbps at a granularity of 64 kbps or maximum port speed whichever is lower T...

Page 244: ...ority for out of conformance traffic Range 0 63 Drop Drops out of conformance traffic WEB INTERFACE To configure a policy map 1 Click Traffic DiffServ 2 Select Configure Policy from the Step list 3 Se...

Page 245: ...havior for matching packets to specify the quality of service to be assigned to the matching traffic class Use one of the metering options to define parameters such as the maximum throughput and burst...

Page 246: ...t CLI REFERENCES Quality of Service Commands on page 1133 COMMAND USAGE First define a class map define a policy map and then bind the service policy to the required interface Only one policy map can...

Page 247: ...ervice Attaching a Policy Map to a Port 253 3 Check the box under the Ingress field to enable a policy map for a port 4 Select a policy map from the scroll down box 5 Click Apply Figure 11 9 Attaching...

Page 248: ...It provides security by isolating the VoIP traffic from other data traffic End to end QoS policies and high priority can be applied to VoIP VLAN traffic across the network guaranteeing the bandwidth i...

Page 249: ...ports Default Disabled Voice VLAN Sets the Voice VLAN ID for the network Only one Voice VLAN is supported and it must already be created on the switch Range 1 4094 Voice VLAN Aging Time The time after...

Page 250: ...Telephony OUI Specifies a MAC address range to add to the list Format xx xx xx xx xx xx Mask Identifies a range of MAC addresses Setting a mask of FF FF FF 00 00 00 identifies all devices with the sam...

Page 251: ...gure ports for VoIP traffic you need to set the mode Auto or Manual specify the discovery method to use and set the traffic priority You can also enable security filtering to ensure that only VoIP tra...

Page 252: ...ionally Unique Identifier OUI of the source MAC address OUI numbers are assigned to vendors and form the first three octets of a device MAC address MAC address OUI numbers must be configured in the Te...

Page 253: ...Configuring VoIP Traffic Ports 260 1 Click Traffic VoIP 2 Select Configure Interface from the Step list 3 Configure any required changes to the VoIP settings each port 4 Click Apply Figure 12 4 Confi...

Page 254: ...Network Access Configure MAC authentication intrusion response dynamic VLAN assignment and dynamic QoS assignment HTTPS Provide a secure web connection SSH Provide a secure shell for secure Telnet ac...

Page 255: ...ts auditing and billing for services that users have accessed on the network The AAA functions require the use of configured RADIUS or TACACS servers in the network The security servers can be defined...

Page 256: ...IUS or TACACS protocols to verify management access CLI REFERENCES Authentication Sequence on page 758 COMMAND USAGE By default management access is always checked against the authentication database...

Page 257: ...cess Control System Plus TACACS are logon authentication protocols that use software running on a central server to control access to RADIUS aware or TACACS aware devices on the network An authenticat...

Page 258: ...ssage Digest 5 TLS Transport Layer Security or TTLS Tunneled Transport Layer Security PARAMETERS These parameters are displayed Configure Server RADIUS Global Provides globally applicable RADIUS setti...

Page 259: ...uthentication Timeout The number of seconds the switch waits for a reply from the TACACS server before it resends the request Range 1 65535 Default 5 Authentication Retries Number of times the switch...

Page 260: ...RADIUS or TACACS server type 4 Select Global to specify the parameters that apply globally to all specified servers or select a specific Server Index to specify the parameters that apply to a specifi...

Page 261: ...rom the Step list 3 Select Add from the Action list 4 Select RADIUS or TACACS server type 5 Enter the group name followed by the index of the server to use for each priority level 6 Click Apply Figure...

Page 262: ...st be enabled before accounting is enabled PARAMETERS These parameters are displayed Configure Global Periodic Update Specifies the interval at which the local accounting service updates information f...

Page 263: ...or Exec as described in the preceding section 802 1X Method Name Specifies a user defined accounting method to apply to an interface This method must be defined in the Configure Method page Range 1 64...

Page 264: ...the switch Time Elapsed Displays the length of time this entry has been active WEB INTERFACE To configure global settings for AAA accounting 1 Click Security AAA Accounting 2 Select Configure Global...

Page 265: ...t Configure Method from the Step list 3 Select Show from the Action list Figure 13 9 Showing AAA Accounting Methods To configure the accounting method applied to specific interfaces console commands e...

Page 266: ...Exec Service To display a summary of the configured accounting methods and assigned server groups for specified service types 1 Click Security AAA Accounting 2 Select Show Information from the Step li...

Page 267: ...S or TACACS server must be enabled before authorization is enabled PARAMETERS These parameters are displayed Configure Method Authorization Type Specifies the service as Command Administrative authori...

Page 268: ...Name Displays the user defined or default accounting method Server Group Name Displays the authorization server group Interface Displays the console or Telnet interface to which these rules apply Thi...

Page 269: ...authorization method applied to local console Telnet or SSH connections 1 Click Security AAA Authorization 2 Select Configure Service from the Step list 3 Enter the required authorization method 4 Cl...

Page 270: ...safe place PARAMETERS These parameters are displayed User Name The name of the user Maximum length 32 characters maximum number of users 16 Access Level Specifies command access privileges Range 0 15...

Page 271: ...d password Encrypted Password Encrypted password The encrypted password is required for compatibility with legacy password settings i e plain text or encrypted when reading the configuration file duri...

Page 272: ...CP assigned IP address and perform DNS queries All other traffic except for HTTP protocol traffic is blocked The switch intercepts HTTP protocol traffic and redirects it to a switch generated web page...

Page 273: ...it must re authenticate itself Range 300 3600 seconds Default 3600 seconds Quiet Period Configures how long a host must wait to attempt authentication again after it has exceeded the maximum allowable...

Page 274: ...ining Session Time Indicates the remaining time until the current authorization session for the host expires Apply Enables web authentication if the Status box is checked Revert Restores the previous...

Page 275: ...on trunk ports CLI REFERENCES Network Access MAC Address Authentication on page 824 COMMAND USAGE MAC address authentication controls access to the network by authenticating the MAC address of each ho...

Page 276: ...ttribute The VLAN list can contain multiple VLAN identifiers in the format 1u 2t 3u where u indicates an untagged VLAN and t a tagged VLAN The RADIUS server may optionally return dynamic QoS assignmen...

Page 277: ...result changes from success to failure when the following conditions occur Illegal characters found in a profile value for example a non digital character in an 802 1p profile value Failure to configu...

Page 278: ...ation Time Sets the time period after which a connected host must be reauthenticated When the reauthentication time expires for a secure MAC address it is reauthenticated with the RADIUS server During...

Page 279: ...page 150 Also when used with 802 1X authentication intrusion action must be set for Guest VLAN see Configuring Port Authenticator Settings for 802 1X on page 340 Dynamic VLAN Enables dynamic VLAN assi...

Page 280: ...button 4 Make any configuration changes required to enable address authentication on a port set the maximum number of secure addresses supported the guest VLAN to use when MAC Authentication or 802 1...

Page 281: ...TERFACE To configure link detection on switch ports 1 Click Security Network Access 2 Select Configure Interface from the Step list 3 Click the Link Detection button 4 Modify the link detection status...

Page 282: ...dress Mask The filter rule will check for the range of MAC addresses defined by the MAC bit mask If you omit the mask the system will assign the default mask of an exact match Range 000000000000 FFFFF...

Page 283: ...Query By Specifies parameters to use in the MAC address query Sort Key Sorts the information displayed based on MAC address port interface or attribute MAC Address Specifies a specific MAC address Int...

Page 284: ...IGURING HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol HTTPS over the Secure Socket Layer SSL providing secure access i e an encrypted connection to the switch s w...

Page 285: ...currently support HTTPS To specify a secure site certificate see Replacing the Default Secure site Certificate on page 293 NOTE Users are automatically logged off of the HTTP server or HTTPS server if...

Page 286: ...e replaced by a message confirming that the connection to the switch is secure you must obtain a unique certificate and a private key and password from a recognized certification authority CAUTION For...

Page 287: ...Click Security HTTPS 2 Select Copy Certificate from the Step list 3 Fill in the TFTP server certificate and private key file name and private password 4 Click Apply Figure 13 29 Downloading the Secure...

Page 288: ...entication Settings To use the SSH server complete these steps 1 Generate a Host Key Pair On the SSH Host Key Settings page create a host public private key pair 2 Provide Host Public Key to Clients M...

Page 289: ...in memory c If a match is found the connection is allowed NOTE To use SSH with only password authentication the host public key must still be given to the client either during initial connection or m...

Page 290: ...le for authentication and if so it then checks whether the signature is correct If both checks succeed the client is authenticated NOTE The SSH server supports up to eight client sessions The maximum...

Page 291: ...private key that is never shared outside the switch The host key is shared with the SSH client and is fixed at 1024 bits WEB INTERFACE To configure the SSH server 1 Click Security SSH 2 Select Config...

Page 292: ...d then negotiates with the client to select either DES 56 bit or 3DES 168 bit for data encryption NOTE The switch uses only RSA Version 1 for SSHv1 5 clients and DSA Version 2 for SSHv2 clients Save H...

Page 293: ...32 Showing the SSH Host Key Pair IMPORTING USER PUBLIC KEYS Use the Security SSH Configure User Key Copy page to upload a user s public key to the switch This public key must be stored on the switch...

Page 294: ...the client to select either DES 56 bit or 3DES 168 bit for data encryption The switch uses only RSA Version 1 for SSHv1 5 clients and DSA Version 2 for SSHv2 clients TFTP Server IP Address The IP addr...

Page 295: ...ype or any frames based on MAC address or Ethernet type To filter incoming packets first create an access list add the required rules and then bind the list to a specific port Configuring Access Contr...

Page 296: ...resses the ACEs to reduce the number of required TCAM entries For example one ACL may include 128 ACEs which classify a continuous IP address range like 192 168 1 0 255 If compression is disabled the...

Page 297: ...haracters Add Rule Time Range Name of a time range Mode Absolute Specifies a specific time or time range Start End Specifies the hours minutes month day and year at which to start or end Periodic Spec...

Page 298: ...Configure Time Range from the Step list 3 Select Add Rule from the Action list 4 Select the name of time range from the drop down list 5 Select a mode option of Absolute or Periodic 6 Fill in the requ...

Page 299: ...IP Source Guard filter rules Quality of Service QoS processes QinQ MAC based VLANs VLAN translation or traps For example when binding an ACL to a port each rule in an ACL will use two PCEs and when se...

Page 300: ...th 32 characters Type The following filter modes are supported IP Standard IPv4 ACL mode filters packets based on the source IPv4 address IP Extended IPv4 ACL mode filters packets based on the source...

Page 301: ...figure the name and type of an ACL 1 Click Security ACL 2 Select Configure ACL from the Step list 3 Select Add from the Action list 4 Fill in the ACL Name field and select the ACL type 5 Click Apply F...

Page 302: ...the Address field or IP to specify a range of addresses with the Address and Subnet Mask fields Options Any Host IP Default Any Source IP Address Source IP address Source Subnet Mask A subnet mask co...

Page 303: ...e 902 Time Range on page 711 COMMAND USAGE Due to a ASIC limitation the switch only checks the leftmost six priority bits This presents no problem when checking DSCP or IP Precedence bits but limits t...

Page 304: ...for the specified protocol type Range 0 65535 Source Destination Port Bit Mask Decimal number representing the port bits to match Range 0 65535 Protocol Specifies the protocol type to match as TCP UD...

Page 305: ...ame of a time range WEB INTERFACE To add rules to an IPv4 Extended ACL 1 Click Security ACL 2 Select Configure ACL from the Step list 3 Select Add Rule from the Action list 4 Select IP Extended from t...

Page 306: ...matching the selected type Action An ACL can contain any combination of rules which permit or deny a packet Source Address Type Specifies the source IP address Use Any to include all possible addresse...

Page 307: ...ect Add Rule from the Action list 4 Select IPv6 Standard from the Type list 5 Select the name of an ACL from the Name list 6 Specify the action i e Permit or Deny 7 Select the source address type Any...

Page 308: ...ng Architecture using 8 colon separated 16 bit hexadecimal values One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields The swit...

Page 309: ...ck Security ACL 2 Select Configure ACL from the Step list 3 Select Add Rule from the Action list 4 Select IPv6 Extended from the Type list 5 Select the name of an ACL from the Name list 6 Specify the...

Page 310: ...me Range on page 711 PARAMETERS These parameters are displayed Type Selects the type of ACLs to show in the Name list Name Shows the names of ACLs matching the selected type Action An ACL can contain...

Page 311: ...ed packets Range 0 ffff hex A detailed listing of Ethernet protocol types can be found in RFC 1060 A few of the more common types include 0800 IP 0806 ARP 8137 IPX Ethernet Type Bit Mask Protocol bit...

Page 312: ...Ethernet type or packet format 10 Click Apply Figure 13 46 Configuring a MAC ACL CONFIGURING AN ARP ACL Use the Security ACL Configure ACL Add Rule ARP page to configure ACLs based on ARP message add...

Page 313: ...on page 309 Source Destination MAC Address Type Use Any to include all possible addresses Host to indicate a specific MAC address or MAC to specify an address range with the Address and Mask fields O...

Page 314: ...access list IPv4 IPv6 or MAC can be assigned to a port CLI REFERENCES ip access group Interface Configuration on page 901 show ip access group on page 902 mac access group Interface Configuration on...

Page 315: ...48 Binding a Port to an ACL CONFIGURING ACL MIRRORING After configuring ACLs use the Security ACL Configure Interface Add Mirror page to mirror traffic matching an ACL from one or more source ports t...

Page 316: ...S These parameters are displayed Port Port identifier ACL ACL used for ingress packets WEB INTERFACE To bind an ACL to a port 1 Click Security ACL 2 Select Configure Interface from the Step list 3 Sel...

Page 317: ...the type of ACL Direction Displays statistics for ingress ACL Name The ACL bound this port Action Shows if action is to permit or deny specified packets Rules Shows the rules for the ACL bound to thi...

Page 318: ...nooping binding database see DHCP Snooping Global Configuration on page 364 This database is built by DHCP snooping if it is enabled on globally on the switch and on the required VLANs ARP Inspection...

Page 319: ...AGE ARP Inspection Validation By default ARP Inspection Validation is disabled Specifying at least one of the following validations enables ARP Inspection Validation globally Any combination of the fo...

Page 320: ...spection globally Default Disabled ARP Inspection Validation Enables extended ARP Inspection Validation if any of the following options are enabled Default Disabled Dst MAC Validates the destination M...

Page 321: ...red within the ARP ACL configuration page see page 319 ARP Inspection ACLs can be applied to any configured VLAN ARP Inspection uses the DHCP snooping bindings database for the list of valid IP to MAC...

Page 322: ...hen validation against the DHCP Snooping Bindings database Default Disabled WEB INTERFACE To configure VLAN settings for ARP Inspection 1 Click Security ARP Inspection 2 Select Configure VLAN from the...

Page 323: ...n trusted or untrusted ports Range 0 2048 Default 15 Setting the rate limit to 0 means that there is no restriction on the number of ARP packets that can be processed by the CPU The switch will drop a...

Page 324: ...ped ARP packets in the process of ARP inspection rate limit Count of ARP packets exceeding and dropped by ARP rate limiting ARP packets dropped by additional validation IP Count of ARP packets that fa...

Page 325: ...ct Show Log from the Action list Figure 13 56 Displaying the ARP Inspection Log FILTERING IP ADDRESSES FOR MANAGEMENT ACCESS Use the Security IP Filter page to create a list of up to 15 IP addresses o...

Page 326: ...tering addresses for different groups the switch will accept overlapping address ranges You cannot delete an individual address from a specified range You must delete the entire range and reenter the...

Page 327: ...network When port security is enabled on a port the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number Only incoming traffic with source add...

Page 328: ...table that attempts to use the port will be prevented from accessing the switch If a port is disabled shut down due to a security violation it must be manually re enabled from the Interface Port Gene...

Page 329: ...sses currently associated with this interface MAC Filter Shows if MAC address filtering has been set under Security Network Access Configure MAC Filter as described on page 288 MAC Filter ID The ident...

Page 330: ...henticator responds with an EAPOL identity request The client provides its identity such as a user name in an EAPOL response to the switch which it forwards to the RADIUS server The RADIUS server veri...

Page 331: ...D5 PEAP TLS or TTLS Native support for these encryption methods is provided in Windows 8 7 Vista and XP and in Windows 2000 with Service Pack 4 To support these encryption methods in Windows 95 and 98...

Page 332: ...ssword are used to identify this switch as a supplicant when responding to an MD5 challenge from the authenticator These parameters must be set when this switch passes client authentication requests t...

Page 333: ...the authentication server configure the parameters for the exchange of EAP messages between the authenticator and clients on the Authenticator configuration page When devices attached to a port must s...

Page 334: ...to connect to this port Multi Host Allows multiple host to connect to this port In this mode only one host connected to a port needs to pass authentication for all other hosts to be granted network a...

Page 335: ...t Default 0 seconds A RADIUS server must be set before the correct operational value of 10 seconds will be displayed in this field See Configuring Remote Logon Authentication Servers on page 264 Re au...

Page 336: ...ncluding request response success fail timeout idle initialize Request Count Number of EAP Request packets sent to the Supplicant without receiving a response Identifier Server Identifier carried in t...

Page 337: ...uthentication on page 792 COMMAND USAGE When devices attached to a port must submit requests to another authenticator on the network configure the Identity Profile parameters on the Configure Global p...

Page 338: ...uthenticator Range 1 65535 seconds Default 30 seconds Held Period The time that a supplicant port waits before re sending its credentials to find a new an authenticator Range 1 65535 seconds Default 3...

Page 339: ...that have been received by this Authenticator in which the frame type is not recognized Rx EAPOL Total The number of valid EAPOL frames of any type that have been received by this Authenticator Rx Las...

Page 340: ...Rx Last EAPOLSrc The source MAC address carried in the most recent EAPOL frame received by this Supplicant Rx EAP Resp Id The number of EAP Resp Id frames that have been received by this Supplicant R...

Page 341: ...s for 802 1X Port Supplicant DOS PROTECTION Use the Security DoS Protection page to protect against denial of service DoS attacks A DoS attack is an attempt to block the services provided by a compute...

Page 342: ...get and never returns ACK packets These half open connections will bind resources on the target and no new connections can be made resulting in a denial of service Default Disabled TCP Flooding Attack...

Page 343: ...the Microsoft Windows 3 1x 95 NT operating systems In this type of attack the perpetrator sends the string of OOB out of band OOB packets contained a TCP URG flag to the target computer on TCP port 13...

Page 344: ...urce IP and MAC enables this function on the selected port Use the SIP option to check the VLAN ID source IP address and port number against all entries in the binding table Use the SIP MAC option to...

Page 345: ...fault None None Disables IP source guard filtering on the port SIP Enables traffic filtering based on IP addresses stored in the binding table SIP MAC Enables traffic filtering based on IP addresses a...

Page 346: ...ress a new entry is added to the binding table using the type static IP source guard binding If there is an entry with the same VLAN ID and MAC address and the type of entry is static IP source guard...

Page 347: ...t 4 Click Apply Figure 13 68 Configuring Static Bindings for IPv4 Source Guard To display static bindings for IP Source Guard 1 Click Security IP Source Guard Static Binding 2 Select Show from the Act...

Page 348: ...ace Port to which this entry is bound IP Address IP address corresponding to the client Lease Time The time for which this IP address is leased to the client WEB INTERFACE To display the binding table...

Page 349: ...IPv6 source guard is enabled on an interface the switch initially blocks all IPv6 traffic received on that interface except for ND packets allowed by ND snooping and DHCPv6 packets allowed by DHCPv6...

Page 350: ...based on IPv6 global unicast source IPv6 addresses stored in the binding table Max Binding Entry The maximum number of entries that can be bound to an interface Range 1 5 Default 5 This parameter set...

Page 351: ...ND Binding Dynamic DHCPv6 Binding VLAN identifier and port identifier CLI REFERENCES ipv6 source guard binding on page 870 COMMAND USAGE Traffic filtering is based only on the source IPv6 address VLAN...

Page 352: ...be entered according to RFC 2373 IPv6 Addressing Architecture using 8 colon separated 16 bit hexadecimal values One double colon may be used in the address to indicate the appropriate number of zeros...

Page 353: ...d DISPLAYING INFORMATION FOR DYNAMIC IPV6 SOURCE GUARD BINDINGS Use the Security IPv6 Source Guard Dynamic Binding page to display the source guard binding table for a selected interface CLI REFERENCE...

Page 354: ...Showing the IPv6 Source Guard Binding Table DHCP SNOOPING The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping...

Page 355: ...re forwarded for a trusted port If the received packet is a DHCP ACK message a dynamic DHCP snooping entry is also added to the binding table If DHCP snooping is enabled globally and also enabled on t...

Page 356: ...82 information to be inserted into request packets When the DHCP Snooping Information Option 82 is enabled the requesting client or an intermediate relay agent that has used the information fields to...

Page 357: ...fies the MAC address IP address or arbitrary identifier of the requesting device i e the switch in this context MAC Address Inserts a MAC address in the remote ID sub option for the DHCP snooping agen...

Page 358: ...snooping on specific VLANs CLI REFERENCES ip dhcp snooping vlan on page 848 COMMAND USAGE When DHCP snooping is enabled globally on the switch and enabled on the specified VLAN DHCP packet filtering...

Page 359: ...Interface page to configure switch ports as trusted or untrusted CLI REFERENCES ip dhcp snooping trust on page 851 COMMAND USAGE A trusted interface is an interface that is configured to receive only...

Page 360: ...ervice DHCP Snooping 2 Select Configure Interface from the Step list 3 Set any ports within the local network or firewall to trusted 4 Specify the mode used for sending circuit ID information and an a...

Page 361: ...d to store the currently learned dynamic DHCP snooping entries to flash memory These entries will be restored to the snooping table when the switch is reset However note that the lease time shown for...

Page 362: ...NMP Switch Clustering Configures centralized management by a single unit over a group of switches connected to the same local network Ethernet Ring Protection Switching ERPS Configures a protection sw...

Page 363: ...Default Enabled Flash Level Limits log messages saved to the switch s permanent flash memory for all levels up to the specified level For example if level 3 is specified all messages from level 0 to l...

Page 364: ...2 Select Configure Global from the Step list 3 Enable or disable system logging set the level of event messages to be logged to flash memory and RAM 4 Click Apply Figure 14 1 Configuring Settings for...

Page 365: ...ed by values of 16 to 23 The facility type is used by the syslog server to dispatch log messages to an appropriate service The attribute specifies the facility type tag sent in syslog messages see RFC...

Page 366: ...ogging events of a specified level The messages are sent to specified SMTP servers on the network and can be retrieved using POP or IMAP clients CLI REFERENCES SMTP Alerts on page 695 PARAMETERS These...

Page 367: ...e Configuring a List of Name Servers on page 613 or Configuring Static DNS Host to Address Entries on page 615 WEB INTERFACE To configure SMTP alert messages 1 Click Administration Log SMTP 2 Enable S...

Page 368: ...LLDP Commands on page 1245 PARAMETERS These parameters are displayed LLDP Enables LLDP globally on the switch Default Enabled Transmission Interval Configures the periodic transmit interval for LLDP...

Page 369: ...tate changes that exist at the time of a notification are included in the transmission An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldp...

Page 370: ...smission of SNMP trap notifications about LLDP and LLDP MED changes Default Enabled This option sends out SNMP trap notifications to designated target stations at the interval specified by the Notific...

Page 371: ...nt address TLV that reports an address that is accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifi...

Page 372: ...controlled the port pins selected to deliver power and the power class MAC PHY Configuration Status The MAC PHY configuration and status which includes information about auto negotiation support capa...

Page 373: ...ital ASCII letters Example DK DE or US Device entry refers to The type of device to which the location applies Location of DHCP server Location of network element closest to client Location of client...

Page 374: ...the device attached to an interface including items such as the city street number building and room information The address location is specified as a type and value pair with the civic address type...

Page 375: ...ce 1 Click Administration LLDP 2 Select Configure Interface from the Step list 3 Select Add CA Type from the Action list 4 Select an interface from the Port or Trunk list 5 Specify a CA Type and CA Va...

Page 376: ...the chassis containing the IEEE 802 LAN entity associated with the transmitting LLDP agent There are several ways in which a chassis may be identified and a chassis ID subtype is used to indicate the...

Page 377: ...unk interface types When a trunk is listed the descriptions apply to the first port of the trunk Port Trunk Description A string that indicates the port or trunk description If RFC 2863 is implemented...

Page 378: ...etwork Policy Location Identification Extended Power via MDI PSE Extended Power via MDI PD Inventory WEB INTERFACE To display LLDP information for the local device 1 Click Administration LLDP 2 Select...

Page 379: ...ce Information for LLDP Port Details DISPLAYING LLDP REMOTE DEVICE INFORMATION Use the Administration LLDP Show Remote Device Information page to display information about devices connected directly t...

Page 380: ...ied and a chassis ID subtype is used to indicate the type of component being referenced by the chassis ID field See Table 14 3 Chassis ID Subtype on page 383 Chassis ID An octet string indicating the...

Page 381: ...ote VLAN Name List VLAN names associated with a port Remote Protocol Identity List Information about particular protocols that are accessible through a port This object represents an arbitrary local i...

Page 382: ...MDI power is supported on the given port associated with the remote system Remote Power Pair Controllable Indicates whether the pair selection can be controlled for sourcing power on the given port as...

Page 383: ...f the IP communication systems Network Connectivity Device Devices that provide access to the IEEE 802 based LAN infrastructure for LLDP MED endpoint devices These may be any LAN access device includi...

Page 384: ...ity level is significant and the default PVID of the ingress port is used instead DSCP Value The DSCP value to be used to provide Diffserv node behavior for the specified application type This field m...

Page 385: ...vice Asset ID The asset identifier of the end point device End point devices are typically assigned asset identifiers to facilitate inventory management and assets tracking Firmware Revision The firmw...

Page 386: ...otocols Link Layer Discovery Protocol 393 Figure 14 13 Displaying Remote Device Information for LLDP Port Details Additional information displayed by an end point device which advertises LLDP MED TLVs...

Page 387: ...eneral Statistics on Remote Devices Neighbor Entries List Last Updated The time the LLDP neighbor entry list was last updated New Neighbor Entries Count The number of LLDP neighbors for which the remo...

Page 388: ...gnized A count of all TLVs not recognized by the receiving LLDP local agent TLVs Discarded A count of all LLDPDUs received and then discarded due to insufficient memory space missing or out of sequenc...

Page 389: ...s its power budget When a device is connected to a switch port its power requirements are detected by the switch before power is supplied If the power required by a device exceeds the power budget of...

Page 390: ...hat were designed prior to the IEEE 802 3af PoE standard Default Disabled The switch automatically detects attached PoE devices by periodically transmitting test voltages that over the Gigabit Etherne...

Page 391: ...4 current Afterwards the switch exchanges information with the PD such as duty cycle peak and average power needs For the SSE G2252P the total PoE power delivered by all ports cannot exceed the maxim...

Page 392: ...Port The port number on the switch Admin Status Enables PoE power on a port Power is automatically supplied when a device is detected on a port providing that the power demanded does not exceed the sw...

Page 393: ...ial problems Managed devices supporting SNMP contain software which runs locally on the device and is referred to as an agent A defined set of variables known as managed objects is maintained by the S...

Page 394: ...views for the SNMP clients that require access COMMAND USAGE Configuring SNMPv1 2c Management Access To configure SNMPv1 or v2c management access to the switch follow these steps 1 Use the Administra...

Page 395: ...nd write access views for the switch MIB tree 5 Use the Administration SNMP Configure User page to configure SNMP user groups with the required security model i e SNMP v1 v2c or v3 and security level...

Page 396: ...types 4 Click Apply Figure 14 19 Configuring Global Settings for SNMP SETTING THE LOCAL ENGINE ID Use the Administration SNMP Configure Engine Set Engine ID page to change the local engine ID An SNMPv...

Page 397: ...characters 5 Click Apply Figure 14 20 Configuring the Local Engine ID for SNMP SPECIFYING A REMOTE ENGINE ID Use the Administration SNMP Configure Engine Add Remote Engine page to configure a engine...

Page 398: ...ost The IPv4 or IPv6 address of a remote management station which is using the specified engine ID WEB INTERFACE To configure a remote SNMP engine ID 1 Click Administration SNMP 2 Select Configure Eng...

Page 399: ...ype Indicates if the object identifier of a branch within the MIB tree is included or excluded from the SNMP view Add OID Subtree View Name Lists the SNMP views configured in the Add View page Range 1...

Page 400: ...Select Show View from the Action list Figure 14 24 Showing SNMP Views To add an object identifier to an existing SNMP view of the switch s MIB database 1 Click Administration SNMP 2 Select Configure V...

Page 401: ...ing the OID Subtree Configured for SNMP Views CONFIGURING SNMPV3 GROUPS Use the Administration SNMP Configure Group page to add an SNMPv3 group which can be used to set the access policy for its assig...

Page 402: ...its election as the new root e g upon expiration of the Topology Change Timer immediately subsequent to its election topologyChange 1 3 6 1 2 1 17 0 2 A topologyChange trap is sent by a bridge when an...

Page 403: ...trap is sent when the port is being intruded This trap will only be sent when the portSecActionTrap is enabled swIpFilterRejectTrap 1 3 6 1 4 1 259 10 1 39 2 1 0 40 This trap is sent when an incorrect...

Page 404: ...t1agCfmLoopFindTrap 1 3 6 1 4 1 259 10 1 17 10 1 39 2 1 0 10 0 This trap is sent when a MEP receives its own CCMs dot1agCfmMepUnknownTrap 1 3 6 1 4 1 259 10 1 17 10 1 39 2 1 0 10 1 This trap is sent w...

Page 405: ...2 1 0 201 This trap is sent when user logs in logoutTrap 1 3 6 1 4 1 259 10 1 39 2 1 0 202 This trap is sent when user logs out fileCopyTrap 1 3 6 1 4 1 259 10 1 39 2 1 0 208 This trap is sent when f...

Page 406: ...k Administration SNMP 2 Select Configure Group from the Step list 3 Select Show from the Action list Figure 14 28 Showing SNMP Groups SETTING COMMUNITY ACCESS STRINGS Use the Administration SNMP Confi...

Page 407: ...ons are only able to retrieve MIB objects Read Write Authorized management stations are able to both retrieve and modify MIB objects WEB INTERFACE To set a community access string 1 Click Administrati...

Page 408: ...meters are displayed User Name The name of user connecting to the SNMP agent Range 1 32 characters Group Name The name of the SNMP group to which the user is assigned Range 1 32 characters Security Mo...

Page 409: ...onfigure User from the Step list 3 Select Add SNMPv3 Local User from the Action list 4 Enter a name and assign it to a group If the security model is set to SNMPv3 and the security level is authNoPriv...

Page 410: ...user resides The remote engine ID is used to compute the security digest for authentication and encryption of packets passed between the switch and the remote user See Specifying Trap Managers on pag...

Page 411: ...ble Privacy Password Enter plain text characters for the privacy password Range 8 32 characters WEB INTERFACE To configure a remote SNMPv3 user 1 Click Administration SNMP 2 Select Configure User from...

Page 412: ...NAGERS Use the Administration SNMP Configure Trap page to specify the host devices to be sent traps and the types of traps to send Traps indicating status changes are issued by the switch to the speci...

Page 413: ...munity string specified on the Configure Trap Add page to include the required notify view page 408 4 Enable trap informs as described in the following pages To send an inform to a SNMPv3 host complet...

Page 414: ...ore resending an inform message Range 0 2147483647 centiseconds Default 1500 centiseconds Retry times The maximum number of times to resend an inform message if the recipient does not acknowledge rece...

Page 415: ...ich is used to identify the source of SNMPv3 inform messages sent from the local switch Range 1 32 characters If an account for the specified user has not been created page 417 one will be automatical...

Page 416: ...3 Figure 14 35 Configuring Trap Managers SNMPv1 Figure 14 36 Configuring Trap Managers SNMPv2c Figure 14 37 Configuring Trap Managers SNMPv3 To show configured trap managers 1 Click Administration SNM...

Page 417: ...ndividual MIBs can now bear less responsibility to record transient information associated with an event against the possibility that the Notification message is lost and applications can poll the log...

Page 418: ...ly It is not sent to a remote device This remote host parameter is only required to complete mandatory fields in the SNMP Notification MIB Filter Profile Name Notification log profile name Range 1 32...

Page 419: ...P community name not known to said entity Illegal operation for community name supplied The total number of SNMP messages delivered to the SNMP entity which represented an SNMP operation which was not...

Page 420: ...er of SNMP PDUs which were delivered to or generated by the SNMP protocol entity and for which the value of the error status field is noSuchName Bad values errors The total number of SNMP PDUs which w...

Page 421: ...Alarm groups When RMON is enabled the system gradually builds up information about its physical interfaces storing this information in the relevant RMON database group A management agent then periodic...

Page 422: ...ing Threshold If the current value is greater than or equal to the rising threshold and the last sample value was less than this threshold then an alarm will be generated After a rising event has been...

Page 423: ...ON alarm 1 Click Administration RMON 2 Select Configure Global from the Step list 3 Select Add from the Action list 4 Click Alarm 5 Enter an index number the MIB object to be polled etherStatsEntry n...

Page 424: ...twork problems CLI REFERENCES Remote Monitoring Commands on page 745 COMMAND USAGE If an alarm is already defined for an index the entry must be deleted before any changes can be made One default even...

Page 425: ...trap configuration page see Setting Community Access Strings on page 413 prior to configuring it here Range 1 127 characters Description A comment that describes this event Range 1 127 characters Owne...

Page 426: ...to predict network growth and plan for expansion before your network becomes too overloaded CLI REFERENCES Remote Monitoring Commands on page 745 COMMAND USAGE Each index number equates to a port on...

Page 427: ...t 1800 seconds Buckets The number of buckets requested for this entry Range 1 65536 Default 50 The number of buckets granted are displayed on the Show page Owner Name of the person who created this en...

Page 428: ...elect Configure Interface from the Step list 3 Select Show from the Action list 4 Select a port from the list 5 Click History Figure 14 47 Showing Configured RMON History Samples To show collected RMO...

Page 429: ...ace the entry must be deleted before any changes can be made The information collected for each entry includes input octets packets broadcast packets multicast packets undersize packets oversize packe...

Page 430: ...ured RMON statistical samples 1 Click Administration RMON 2 Select Configure Interface from the Step list 3 Select Show from the Action list 4 Select a port from the list 5 Click Statistics Figure 14...

Page 431: ...t or the web interface to communicate directly with the Commander through its IP address and then use the Commander to manage Member switches through the cluster s internal IP addresses Clustered swit...

Page 432: ...ot conflict with the network IP subnet Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander PARAMETERS These...

Page 433: ...dministration Cluster Configure Member Add page to add Candidate switches to the cluster as Members CLI REFERENCES Switch Clustering on page 714 PARAMETERS These parameters are displayed Member ID Spe...

Page 434: ...Configuring a Cluster Members To show the cluster members 1 Click Administration Cluster 2 Select Configure Member from the Step list 3 Select Show from the Action list Figure 14 54 Showing Cluster M...

Page 435: ...of the switch in the cluster IP Address The internal cluster IP address assigned to the Member switch MAC Address The MAC address of the Member switch Description The system description string of the...

Page 436: ...the RPL When a ring failure occurs the RPL owner is responsible for unblocking the RPL allowing this link to be used for traffic Ring nodes may be in one of two states Idle normal operation no link no...

Page 437: ...r network If the network is in normal operating condition the RPL owner node of each ring blocks the transmission and reception of traffic over the RPL for that ring This figure presents the configura...

Page 438: ...The traffic channels remain bi directionally blocked at the RPL connection point on ERP2 This prevents the formation of a loop Figure 14 58 Ring Interconnection Architecture Multi ring Ladder Net work...

Page 439: ...p first globally enable ERPS on the switch If ERPS has not yet been enabled or has been disabled no ERPS rings will work 7 Enable an ERPS ring Configure Domain Configure Details Before an ERPS ring ca...

Page 440: ...y Figure 14 59 Setting ERPS Global Status ERPS RING CONFIGURATION Use the Administration ERPS Configure Domain pages to configure ERPS rings CLI REFERENCES ERPS Commands on page 1049 COMMAND USAGE Rin...

Page 441: ...rted but has not yet determined the status of the ring Idle If all nodes in a ring are in this state it means that all the links in the ring are up This state will switch to protection state if a link...

Page 442: ...ociation for the specific users distinguished by the ring name maintenance level maintenance association s name and assigned VLAN Up to 26 ERPS rings can be configured on the switch Domain ID ERPS rin...

Page 443: ...v2 When ring nodes running G 8032v1 and G 8032v2 co exist on a ring the ring ID of each node is configured as 1 In version 1 the MAC address 01 19 A7 00 00 01 is used for the node identifier The R APS...

Page 444: ...th the Forced Switch or Manual Switch commands on the Configure Operation page The east and west connections to the ring must be specified for all ring nodes When this switch is configured as the RPL...

Page 445: ...guard timer When another recovered ring node or nodes holding the link block receives this message it compares the Node ID information with its own Node ID If the received R APS NR message has the hig...

Page 446: ...Switch mode is in effect The clear command removes any existing local operator commands and triggers reversion if the ring is in revertive behavior mode The ring node where the Forced Switch was clea...

Page 447: ...ual Switching A Manual Switch command is removed by issuing the Clear command Configure Operation page at the same ring node where the Manual Switch is in effect The clear command removes any existing...

Page 448: ...to the RPL transmits an R APS NR RB message over both ring ports informing the ring that the RPL is blocked and flushes its FDB c The acceptance of the R APS NR RB message triggers all ring nodes to u...

Page 449: ...work data in the traffic channel will still flow across the network but the all R APS messages will be terminated at the interconnection points Sub ring with R APS Virtual Channel When using a virtual...

Page 450: ...R APS messages are inserted or extracted by other rings or sub rings at the interconnection nodes where a sub ring is attached Hence there is no need for either additional bandwidth or for different...

Page 451: ...a traffic on the major ring may suffer for a short period of time due to this flooding behavior Non ERPS Device Protection Sends non standard health check packets when an owner node enters protection...

Page 452: ...to have a chance to fix the problem before switching at a client layer When a new defect or more severe defect occurs new Signal Failure this event will not be reported immediately to the protection s...

Page 453: ...sed to verify that the ring has stabilized before blocking the RPL after recovery from a signal failure Range 5 12 minutes If the switch goes into ring protection state due to a signal failure after t...

Page 454: ...G Level parameter on this configuration page must match the authorized maintenance level of the CFM domain to which the specified MEP belongs See Configuring CFM Maintenance Domains on page 476 To ens...

Page 455: ...gure Details from the Action list 4 Configure the ERPS parameters for this node Note that spanning tree protocol cannot be configured on the ring ports nor can these ports be members of a static or dy...

Page 456: ...Ring Protection Switching 463 Figure 14 64 Creating an ERPS Ring To show the configured ERPS rings 1 Click Administration ERPS 2 Select Configure Domain from the Step list 3 Select Show from the Acti...

Page 457: ...ng port b The ring node where the FS command was issued transmits R APS messages indicating FS over both ring ports R APS FS messages are continuously transmitted by this ring node while the local FS...

Page 458: ...als have the priorities as specified in the following table Recovery for forced switching under revertive and non revertive mode is described under the Revertive parameter When a ring is under an FS c...

Page 459: ...d and that the traffic channel is blocked on one ring port c If no other higher priority commands exist and assuming the ring node was in Idle state before the manual switch command was issued the rin...

Page 460: ...ode is operating in revertive mode Two steps are required to make a ring operating in non revertive mode return to Idle state from forced switch or manual switch state 1 Issue a Clear command to remov...

Page 461: ...cross check messages which are used to verify a static list of remote maintenance points located on other devices in the same maintenance association against those found through continuity check messa...

Page 462: ...main with DSAPs located on the domain boundary and Internal Service Access Points ISAPs inside the domain through which frames may pass between the DSAPs Figure 14 67 Single CFM Maintenance Domain The...

Page 463: ...ndicated when a known MEP stops sending CCMs or a remote MEP configured in a static list does not come up Configuration errors such as a cross connect between different MAs are indicated when a CCM is...

Page 464: ...o automatically verify the functionality of these remote end points by cross checking the static list configured on this device against information learned through continuity check messages 5 Enable C...

Page 465: ...s check operation Range 1 65535 seconds Default 10 seconds This parameter sets the time to wait for a remote MEP to come up and the switch starts cross checking the list of statically configured remot...

Page 466: ...nd point identifier MPID as its own but with a different source MAC address indicating that a CFM configuration error exists Connectivity Check Loop Sends a trap if this device receives a CCM with the...

Page 467: ...ed in the static list7 WEB INTERFACE To configure global settings for CFM 1 Click Administration CFM 2 Select Configure Global from the Step list 3 Before enabling CFM processing on the switch first c...

Page 468: ...ND USAGE An interface must be enabled before a MEP can be created see Configuring Maintenance End Points If a MEP has been configured on an interface it must first be deleted before CFM can be disable...

Page 469: ...el than the ones it encompasses The higher to lower level domain types commonly include entities such as customer service provider and operator More than one domain can be configured at the same maint...

Page 470: ...ssive agents which can only validate received CFM messages and respond to loop back and link trace messages The MIP creation method defined for an MA see Configuring CFM Maintenance Associations takes...

Page 471: ...wer MA Level None No MIP can be created for any MA configured in this domain Configuring Detailed Settings for a Maintenance Domain MD Index Domain index Range 1 65535 3 remErrXcon DefErrorCCM DefXcon...

Page 472: ...arm is issued Range 3 10 seconds Default 3 seconds MEP Fault Notify Reset Time The time after a fault alarm has been issued and no defect exists before another fault alarm can be issued Range 3 10 sec...

Page 473: ...or Maintenance Domains CONFIGURING CFM MAINTENANCE ASSOCIATIONS Use the Administration CFM Configure MA pages to create and configure the Maintenance Associations MA which define a unique CFM service...

Page 474: ...checked to verify that the MEP identifier field sent in the message does not match its own MEP ID which would indicate a duplicate MEP or network loop If these error types are not found the CCM is st...

Page 475: ...cifies the name format for the maintenance association as IEEE 802 1ag character based or ITU T SG13 SG15 Y 1731 defined ICC based format Character String IEEE 802 1ag defined character string format...

Page 476: ...conds Default 1 second AIS Transmit Level Configure the AIS maintenance level in an MA Range 0 7 Default is 0 AIS Level must follow this rule AIS Level Domain Level AIS Suppress Alarm Enables disables...

Page 477: ...onfigure detailed settings for maintenance associations 1 Click Administration CFM 2 Select Configure MA from the Step list 3 Select Configure Details from the Action list 4 Select an entry from MD In...

Page 478: ...EP s MA or the direction it faces first delete the MEP and then create a new one PARAMETERS These parameters are displayed MD Index Domain index Range 1 65535 MA Index MA identifier Range 1 2147483647...

Page 479: ...ints CONFIGURING REMOTE MAINTENANCE END POINTS Use the Administration CFM Configure Remote MEP Add page to specify remote maintenance end points MEPs set on other CFM enabled devices within a common M...

Page 480: ...e waits for remote MEPs to come up before starting the cross check operation can be configured on the Configure Global page see Configuring Global Settings for CFM SNMP traps for continuity check even...

Page 481: ...nk Trace page to transmit link trace messages LTMs These messages can isolate connectivity faults by tracing the path through a network to the designated target node i e a remote maintenance end point...

Page 482: ...er Parameters controlling the link trace cache including operational state entry hold time and maximum size can be configured on the Configure Global page see Configuring Global Settings for CFM PARAM...

Page 483: ...tomatic detection of a fault or receipt of some other error report Loopback messages can also used to confirm the successful restoration or initiation of connectivity The receiving maintenance point s...

Page 484: ...either of the following formats xx xx xx xx xx xx or xxxxxxxxxxxx Count The number of times the loopback message is sent Range 1 1024 Packet Size The size of the loopback message Range 64 1518 bytes D...

Page 485: ...a frame with DM request information and the receiving MEP responds with a frame with DM reply information with TxTimeStampf copied from the DM request information RxTimeStampf Timestamp at the time of...

Page 486: ...sure messages Range 1 5 seconds Default 1 second Timeout The timeout to wait for a response Range 1 5 seconds Default 5 seconds WEB INTERFACE To transmit delay measure messages 1 Click Administration...

Page 487: ...he MEP is facing away from the switch and transmits CFM messages towards and receives them from the direction of the physical medium Up indicates that the MEP faces inward toward the switch cross conn...

Page 488: ...ce point Direction The direction in which the MEP faces on the Bridge port up or down Interface The port to which this MEP is attached CC Status Shows if the MEP will generate CCM messages MAC Address...

Page 489: ...M 2 Select Show Information from the Step list 3 Select Show Local MEP Details from the Action list 4 Select an entry from MD Index and MA Index 5 Select a MEP ID Figure 14 85 Showing Detailed Informa...

Page 490: ...CFM 2 Select Show Information from the Step list 3 Select Show Local MIP from the Action list Figure 14 86 Showing Information on Local MIPs DISPLAYING REMOTE MEPS Use the Administration CFM Show Info...

Page 491: ...CFM 2 Select Show Information from the Step list 3 Select Show Remote MEP from the Action list Figure 14 87 Showing Information on Remote MEPs DISPLAYING DETAILS FOR REMOTE MEPS Use the Administration...

Page 492: ...Up The port is functioning normally Blocked The port has been blocked by the Spanning Tree Protocol No port state Either no CCM has been received or nor port status TLV was received in the last CCM I...

Page 493: ...rom MD Index and MA Index 5 Select a MEP ID Figure 14 88 Showing Detailed Information on Remote MEPs DISPLAYING THE LINK TRACE CACHE Use the Administration CFM Show Information Show Link Trace Cache p...

Page 494: ...to be false IngBlocked The ingress port can be identified but the target data frame was not forwarded when received on this port due to active topology management i e the bridge port is not in the fo...

Page 495: ...splay configuration settings for the fault notification generator CLI REFERENCES show ethernet cfm fault notify generator on page 1306 PARAMETERS These parameters are displayed MEP ID Maintenance end...

Page 496: ...s are displayed Level Maintenance level associated with this entry Primary VLAN VLAN in which this error occurred MEP ID Identifier of remote MEP Interface Port at which the error was recorded Remote...

Page 497: ...ntinuity check errors 1 Click Administration CFM 2 Select Show Information from the Step list 3 Select Show Continuity Check Error from the Action list Figure 14 91 Showing Continuity Check Errors OAM...

Page 498: ...Disabled OAM is disabled on this interface via the OAM Admin Status Link Fault The link has detected a fault or the interface is not operational Passive Wait This value is returned only by OAM entitie...

Page 499: ...d is reached or exceeded within the specified period If reporting is enabled and an errored frame link event occurs the local OAM entity this switch sends an Event Notification OAMPDU to the remote OA...

Page 500: ...CES show efm oam counters interface on page 1316 clear efm oam counters on page 1313 PARAMETERS These parameters are displayed Port Port identifier Range 1 52 Clear Clears statistical counters for the...

Page 501: ...whether the location is local or remote this information is entered in OAM event log When the log system becomes full older events are automatically deleted to make room for new entries The time of lo...

Page 502: ...tion Shows if this function is supported by the OAM peer If supported this indicates that the OAM entity supports the transmission of OAMPDUs on links that are operating in unidirectional mode where t...

Page 503: ...rm an OAM remote loop back test on the specified port The port that you specify to run this test must be connected to a peer OAM device capable of entering into OAM remote loop back mode During a remo...

Page 504: ...during the last loopback test on this interface Loss Rate The percentage of packets for which there was no response WEB INTERFACE To initiate a loop back test to the peer device attached to the selec...

Page 505: ...ting for each port for which this information is available CLI REFERENCES show efm oam remote loopback interface on page 1318 PARAMETERS These parameters are displayed Port Port identifier Range 1 52...

Page 506: ...ntrol frame transmit interval and recover time may be adjusted to improve performance for your specific environment The shutdown mode may also need to be changed once you determine what kind of packet...

Page 507: ...tead deemed bidirectional the curve will use Mfast for the first four subsequent message transmissions and then transition to an Mslow value for all other steady state transmissions Mslow is the value...

Page 508: ...ault Disabled UDLD requires that all the devices connected to the same LAN segment be running the protocol in order for a potential mis configuration to be detected and for prompt corrective action to...

Page 509: ...epeated last resort attempts to re establish communication with the other end of the link This mode of operation assumes that loss of communication with the neighbor is a meaningful network event in i...

Page 510: ...DLD on a port interface Device ID Device identifier of neighbor sending the UDLD packet Port ID The physical port the UDLD packet is sent from Device Name The device name of this neighbor Neighbor Sta...

Page 511: ...Chapter 14 Basic Administration Protocols UDLD Configuration 518 Figure 14 100 Displaying UDLD Neighbor Information...

Page 512: ...es a single network wide multicast VLAN shared by hosts residing in other standard or private VLAN groups preserving security and data isolation OVERVIEW Multicasting is used to support real time appl...

Page 513: ...lticast VLAN Registration for IPv4 on page 555 LAYER 2 IGMP SNOOPING AND QUERY FOR IPV4 IGMP Snooping and Query If multicast routing is not supported on other switches in your network you can use IGMP...

Page 514: ...o 1023 multicast entries can be maintained for IGMP snooping Once the table is full no new entries are learned Any subsequent multicast traffic not found in the table is dropped if unregistered floodi...

Page 515: ...is forwarded to that port However if no router port exists on the VLAN the traffic is dropped if unregistered data flooding is disabled default behavior or flooded throughout the VLAN if unregistered...

Page 516: ...eceivers by default a switch in a VLAN with IGMP snooping enabled that receives a Bridge Protocol Data Unit BPDU with TC bit set by the root bridge will enter into multicast flooding mode for a period...

Page 517: ...starts overloading multicast hosts by sending a large number of group and source specific queries each with a large source list and the Maximum Response Time set to a large value To protect against th...

Page 518: ...ed Range 1 65535 Recommended Range 300 500 seconds Default 300 IGMP Snooping Version Sets the protocol version for compatibility with other devices on the network This is the IGMP Version the switch u...

Page 519: ...rface and a specified VLAN can be manually configured to join all the current multicast groups supported by the attached router This can ensure that multicast traffic is passed to all the appropriate...

Page 520: ...is static or dynamic Expire Time until this dynamic entry expires WEB INTERFACE To specify a static interface attached to a multicast router 1 Click Multicast IGMP Snooping Multicast Router 2 Select...

Page 521: ...Interfaces Attached a Multicast Router ASSIGNING INTERFACES TO MULTICAST SERVICES Use the Multicast IGMP Snooping IGMP Member Add Static Member page to statically assign a multicast service to an inte...

Page 522: ...cast group Multicast IP The IP address for a specific multicast service WEB INTERFACE To statically assign an interface to a multicast service 1 Click Multicast IGMP Snooping IGMP Member 2 Select Add...

Page 523: ...ed for use by IGMP snooping and multicast routing devices MRD is used to discover which interfaces are attached to multicast routers allowing IGMP enabled devices to determine where to send multicast...

Page 524: ...nation messages are sent by multicast routers when Multicast forwarding is disabled on an interface An interface is administratively disabled The router is gracefully shut down Advertisement and Termi...

Page 525: ...multicast router or querier will send a group specific query message when an IGMPv2 group leave message is received The router querier stops forwarding traffic for that group only if no host replies t...

Page 526: ...the IP source address in general and group specific query messages sent downstream and use the source address of the last IGMP message received from a downstream host in report and leave messages sen...

Page 527: ...nt The number of IGMP proxy group specific or group and source specific query messages that are sent out before the system assumes there are no more local members Range 1 255 Default 2 This attribute...

Page 528: ...ace settings for IGMP snooping 1 Click Multicast IGMP Snooping Interface 2 Select Show VLAN Information from the Action list Figure 15 9 Showing Interface Settings for IGMP Snooping FILTERING IGMP QUE...

Page 529: ...rt i e the interfaces specified by this command Default Disabled WEB INTERFACE To drop IGMP query packets or multicast data packets 1 Click Multicast IGMP Snooping Interface 2 Select Configure Port or...

Page 530: ...ically and statically configured multicast router ports Up Time Time that this multicast group has been known Expire Time until this entry expires Count The number of times this address has been learn...

Page 531: ...eneral Query Sent The number of general queries sent from this interface Specific Query Received The number of specific queries received on this interface Specific Query Sent The number of specific qu...

Page 532: ...successfully joined Group The number of IGMP groups active on this interface Output Statistics Report The number of IGMP membership reports sent from this interface Leave The number of leave messages...

Page 533: ...ure 15 12 Displaying IGMP Snooping Statistics Query To display IGMP snooping protocol related statistics for a VLAN 1 Click Multicast IGMP Snooping Statistics 2 Select Show VLAN Statistics from the Ac...

Page 534: ...limits the number of simultaneous multicast groups a port can join IGMP filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the...

Page 535: ...B INTERFACE To enable IGMP filtering and throttling on the switch 1 Click Multicast IGMP Snooping Filter 2 Select Configure General from the Step list 3 Enable IGMP Filter Status 4 Click Apply Figure...

Page 536: ...Range Profile ID Selects an IGMP profile to configure Start Multicast IP Address Specifies the starting address of a range of multicast groups End Multicast IP Address Specifies the ending address of...

Page 537: ...Add Multicast Group Range from the Action list 4 Select the profile to configure and add a multicast group address or range of addresses 5 Click Apply Figure 15 18 Adding Multicast Groups to an IGMP F...

Page 538: ...f the action is set to deny any new IGMP join reports will be dropped If the action is set to replace the switch randomly removes an existing group and replaces it with the new multicast group PARAMET...

Page 539: ...MLD snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4 That is MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is f...

Page 540: ...st traffic Default Disabled An IPv6 address must be configured on the VLAN interface from which the querier will act if elected When serving as the querier the switch uses this IPv6 address as the que...

Page 541: ...fault 2 Unknown Multicast Mode The action for dealing with unknown multicast packets Options include Flood Floods any received IPv6 multicast packets that have not been requested by a host to all port...

Page 542: ...e leave should only be enabled on an interface if it is connected to only one MLD enabled device either a service host or a neighbor running MLD snooping WEB INTERFACE To configure immediate leave for...

Page 543: ...pecifies the interface attached to a multicast router WEB INTERFACE To specify a static interface attached to a multicast router 1 Click Multicast MLD Snooping Multicast Router 2 Select Add Static Mul...

Page 544: ...TERFACES TO IPV6 MULTICAST SERVICES Use the Multicast MLD Snooping MLD Member Add Static Member page to statically assign an IPv6 multicast service to an interface Multicast filtering can be dynamical...

Page 545: ...LD Snooping or is a data stream to which no other ports are subscribing i e the stream is flooded onto VLAN instead of being trapped to the CPU for processing or is being processed by MVR6 WEB INTERFA...

Page 546: ...tatically or dynamically assigned to an IPv6 multicast service 1 Click Multicast MLD Snooping MLD Member 2 Select Show Current Member from the Action list 3 Select the VLAN for which to display this i...

Page 547: ...ent to the specified multicast address In Exclude mode the router uses both the request list and exclude list indicating that the reception of packets sent to the given multicast address is requested...

Page 548: ...bers This protocol can significantly reduce to processing overhead required to dynamically monitor and establish the distribution tree for a normal multicast VLAN This makes it possible to support com...

Page 549: ...ning Static MVR Multicast Groups to Interfaces on page 565 Although MVR operates on the underlying mechanism of IGMP snooping the two features operate independently of each other One can be enabled or...

Page 550: ...en receiver ports receive any query messages they are dropped When changes occurring in the downstream MVR groups are learned by the receiver ports through report and leave messages an MVR state chang...

Page 551: ...is enabled the switch only forwards multicast streams which the source port has dynamically joined In other words both the receiver port and source port must subscribe to a multicast group before a mu...

Page 552: ...specified MVR VLAN exists and a source port with a valid link has been configured see Configuring MVR Interface Status on page 562 MVR Current Learned Groups The number of MVR groups currently assigne...

Page 553: ...ll receiver ports that have registered to receive data from that multicast group The IP address range from 224 0 0 0 to 239 255 255 255 is used for multicast streams MVR group addresses cannot fall wi...

Page 554: ...le from the Step list 3 Select Add from the Action list 4 Enter the name of a group profile to be assigned to one or more domains and specify a multicast group that will stream traffic to participatin...

Page 555: ...files assigned to a domain 1 Click Multicast MVR 2 Select Associate Profile from the Step list 3 Select Show from the Action list Figure 15 36 Showing the MVR Group Address Profiles Assigned to a Do m...

Page 556: ...MVR groups or for groups which have been statically assigned see Assigning Static MVR Multicast Groups to Interfaces on page 565 All source ports must belong to the MVR VLAN Subscribers should not be...

Page 557: ...Active if MVR is globally enabled on the switch MVR status for receiver ports is Active only if there are subscribers receiving multicast traffic from one of the MVR groups or a multicast group has be...

Page 558: ...e set of hosts CLI REFERENCES mvr vlan group on page 1214 COMMAND USAGE Multicast groups can be statically assigned to a receiver port using this configuration page The IP address range from 224 0 0 0...

Page 559: ...figure Static Group Member from the Step list 3 Select Add from the Action list 4 Select an MVR domain 5 Select a VLAN and interface to receive the multicast stream and then enter the multicast group...

Page 560: ...to the MVR VLAN VLAN Indicates the MVR VLAN receiving the multicast service Note that this may be different from the MVR VLAN if the group address has been statically assigned Port Shows the interfac...

Page 561: ...Range 1 5 VLAN VLAN identifier Range 1 4094 Port Port identifier Range 1 52 Trunk Trunk identifier Range 1 16 Query Statistics Querier IP Address The IP address of the querier on this interface Queri...

Page 562: ...leave or query was dropped Packets may be dropped due to invalid format rate limiting packet content not allowed or MVR group report received Join Success The number of times a multicast group was su...

Page 563: ...IPv4 570 Figure 15 41 Displaying MVR Statistics Query To display MVR protocol related statistics for a VLAN 1 Click Multicast MVR 2 Select Show Statistics from the Step list 3 Select Show VLAN Statist...

Page 564: ...IPv4 571 Figure 15 42 Displaying MVR Statistics VLAN To display MVR protocol related statistics for a port 1 Click Multicast MVR 2 Select Show Statistics from the Step list 3 Select Show Port Statisti...

Page 565: ...ing the multicast groups that will stream traffic to attached hosts and assign the profile to an MVR6 domain see Configuring MVR6 Group Address Profiles on page 576 3 Set the interfaces that will join...

Page 566: ...urce port receives report and leave messages it only forwards them to other source ports When receiver ports receive any query messages they are dropped When changes occurring in the downstream MVR gr...

Page 567: ...domain The multicast streams are sent to all source ports on the switch and to all receiver ports that have elected to receive data on that multicast address Dynamic When dynamic mode is enabled the s...

Page 568: ...environment are satisfied Running status is Active as long as MVR6 is enabled the specified MVR6 VLAN exists and a source port with a valid link has been configured see Configuring MVR6 Interface Sta...

Page 569: ...ddress for required services to one or more MVR6 domains CLI REFERENCES MVR for IPv6 on page 1226 COMMAND USAGE Use the Configure Profile page to statically configure all multicast group addresses tha...

Page 570: ...ddress bits End IPv6 Address Ending IP address for an MVR6 multicast group This parameter must be a full IPv6 address including the network prefix and host address bits Associate Profile Domain ID An...

Page 571: ...dress profile to a domain 1 Click Multicast MVR6 2 Select Associate Profile from the Step list 3 Select Add from the Action list 4 Select a domain from the scroll down list and enter the name of a gro...

Page 572: ...ng Static MVR6 Multicast Groups to Interfaces on page 581 Receiver ports should not be statically configured as a member of the MVR6 VLAN If so configured its MVR6 status will be inactive Also note th...

Page 573: ...ot be set to access mode see Adding Static Members to VLANs on page 153 Forwarding Status Shows if multicast traffic is being forwarded or blocked MVR6 Status Shows the MVR6 status MVR6 status for sou...

Page 574: ...TICAST GROUPS TO INTERFACES Use the Multicast MVR6 Configure Static Group Member page to statically bind multicast groups to a port which will receive long term multicast streams associated with a sta...

Page 575: ...CE To assign a static MVR6 group to an interface 1 Click Multicast MVR6 2 Select Configure Static Group Member from the Step list 3 Select Add from the Action list 4 Select an MVR6 domain 5 Select a V...

Page 576: ...fferent from the MVR6 VLAN if the group address has been statically assigned Port Indicates the source address of the multicast service or displays an asterisk if the group address has been statically...

Page 577: ...ange 1 4094 Port Port identifier Range 1 52 Trunk Trunk identifier Range 1 16 Query Statistics Querier IPv6 Address The IP address of the querier on this interface Querier Expire Time The time after w...

Page 578: ...y be dropped due to invalid format rate limiting packet content not allowed or MVR6 group report received Join Success The number of times a multicast group was successfully joined Group The number of...

Page 579: ...playing MVR6 Statistics Query To display MVR6 protocol related statistics for a VLAN 1 Click Multicast MVR6 2 Select Show Statistics from the Step list 3 Select Show VLAN Statistics from the Action li...

Page 580: ...v6 587 To display MVR6 protocol related statistics for a port 1 Click Multicast MVR6 2 Select Show Statistics from the Step list 3 Select Show Port Statistics from the Action list 4 Select an MVR6 dom...

Page 581: ...via DHCP by default for VLAN 1 To configure a static address you need to change the switch s default settings to values that are compatible with your network You may also need to a establish a defaul...

Page 582: ...r words secondary addresses need to be specified if more than one IP subnet can be accessed through this interface For initial configuration set this parameter to Primary Options Primary Secondary Def...

Page 583: ...he Action list 3 Select any configured VLAN and set IP Address Mode to BOOTP or DHCP 4 Click Apply IP will be enabled but will not function until a BOOTP or DHCP reply is received Requests are broadca...

Page 584: ...elect Show Address from the Action list 3 Select an entry from the VLAN list Figure 16 3 Showing the Configured IP Address for an Interface SETTING THE SWITCH S IP ADDRESS IP VERSION 6 This section de...

Page 585: ...se parameters are displayed Default Gateway Sets the IPv6 address of the default next hop router to use when no routing information is known about an IPv6 address If no static routes are defined you m...

Page 586: ...l not generate a global IPv6 address if auto configuration is not enabled In this case you can manually configure a global unicast address see Configuring an IPv6 Address on page 597 IPv6 Neighbor Dis...

Page 587: ...ss must be manually configured using the Add Interface page described below Enable IPv6 Explicitly Enables IPv6 on an interface and assigns it a link local address Note that when an explicit address i...

Page 588: ...ess is detected it is set to duplicate state and a warning message is sent to the console If a duplicate link local address is detected IPv6 processes are disabled on the interface If a duplicate glob...

Page 589: ...nfiguration information such as a default gateway when DHCPv6 is restarted Prior to submitting a client request to a DHCPv6 server the switch should be configured with a link local address using the A...

Page 590: ...which interfaces are connected to known routers and enable RA Guard on all other untrusted interfaces WEB INTERFACE To configure general IPv6 settings for the switch 1 Click IP IPv6 Configuration 2 Se...

Page 591: ...riate number of zeros required to fill the undefined fields The switch must always be configured with a link local address Therefore any configuration process that enables IPv6 functionality or assign...

Page 592: ...atically enabled and cannot be disabled until all assigned addresses have been removed PARAMETERS These parameters are displayed VLAN ID of a configured VLAN which is to be used for management access...

Page 593: ...EUI 64 requirements i e 1 for globally defined addresses and 0 for locally defined addresses changing 28 to 2A Then the two bytes FFFE are inserted between the OUI i e organizationally unique identifi...

Page 594: ...FF02 1 link local scope FF01 1 16 is the transient interface local multicast address for all attached IPv6 nodes and FF02 1 16 is the link local multicast address for all attached IPv6 nodes The inter...

Page 595: ...show the configured IPv6 addresses 1 Click IP IPv6 Configuration 2 Select Show IPv6 Address from the Action list 3 Select a VLAN from the list Figure 16 8 Showing Configured IPv6 Addresses SHOWING THE...

Page 596: ...packets Stale More than the ReachableTime interval has elapsed since the last positive confirmation was received that the forward path was functioning While in STALE state the device takes no action u...

Page 597: ...the host to send traffic on a shorter route ICMP is also used by routers to feed back information about more suitable routes that is the next hop router to use for a specific destination UDP User Dat...

Page 598: ...ams successfully reassembled Note that this counter is incremented at the interface to which these datagrams were addressed which might not be necessarily the input interface for some of the fragments...

Page 599: ...ed by the interface Echo Reply Messages The number of ICMP Echo Reply messages received by the interface Redirect Messages The number of Redirect messages received by the interface Group Membership Qu...

Page 600: ...essages The number of ICMP Router Advertisement messages sent by the interface Redirect Messages The number of Redirect messages sent For a host this object will always be zero since hosts do not send...

Page 601: ...Chapter 16 IP Configuration Setting the Switch s IP Address IP Version 6 607 Figure 16 10 Showing IPv6 Statistics IPv6 Figure 16 11 Showing IPv6 Statistics ICMPv6...

Page 602: ...ipv6 mtu on page 1214 PARAMETERS These parameters are displayed WEB INTERFACE To show the MTU reported from other devices 1 Click IP IPv6 Configuration 2 Select Show MTU from the Action list Figure 1...

Page 603: ...Chapter 16 IP Configuration Setting the Switch s IP Address IP Version 6 609...

Page 604: ...ween a client and broadband remote access servers DOMAIN NAME SERVICE DNS service on this switch allows host names to be mapped to IP addresses using static table entries or by redirection to other na...

Page 605: ...domain name 4 Click Apply Figure 17 1 Configuring General Settings for DNS CONFIGURING A LIST OF DOMAIN NAMES Use the IP Service DNS General Add Domain Name page to configure a list of domain names t...

Page 606: ...he host Do not include the initial dot that separates the host name from the domain name Range 1 68 characters WEB INTERFACE To create a list domain names 1 Click IP Service DNS 2 Select Add Domain Na...

Page 607: ...se If all name servers are deleted DNS will automatically be disabled This is done by disabling the domain lookup status PARAMETERS These parameters are displayed Name Server IP Address Specifies the...

Page 608: ...MAND USAGE Static entries may be used for local devices connected directly to the attached network or for commonly used resources located elsewhere on the network PARAMETERS These parameters are displ...

Page 609: ...ERENCES show dns cache on page 1327 COMMAND USAGE Servers or other network devices may support one or more connections via multiple IP addresses If more than one IP address is associated with a host n...

Page 610: ...on of the switch to the DHCP server which then uses this information to decide on how to service the client or the type of information to return The general framework for this DHCP option is set out i...

Page 611: ...are displayed in the web interface Vendor Class ID The following options are supported when the check box is marked to enable this feature the unit model number A text string Range 1 32 characters A h...

Page 612: ...sponse received from the server to the client Figure 17 10 Layer 2 DHCP Relay Service CLI REFERENCES DHCP Relay on page 1337 Up to five DHCP servers can be specified in order of preference DHCP relay...

Page 613: ...p dynamic provision command By default the parameters for DHCP option 66 67 are not carried by the reply sent from the DHCP server To ask for a DHCP reply with option 66 67 the client can inform the s...

Page 614: ...to all trusted ports designated on the Configure Interface page The BRAS detects the presence of the subscriber s circuit ID tag inserted by the switch during the PPPoE discovery phase and sends this...

Page 615: ...Configuring Global Settings for PPPoE Intermediate Agent CONFIGURING PPPOE IA INTERFACE SETTINGS Use the IP Service PPPoE Intermediate Agent Configure Interface page to enable PPPoE IA on an interfac...

Page 616: ...he switch intercepts PPPoE discovery frames from the client and inserts a unique line identifier using the PPPoE Vendor Specific tag 0x0105 to PPPoE Active Discovery Initiation PADI and Request PADR p...

Page 617: ...s are displayed Interface Port or trunk selection Received Received PPPoE active discovery messages All All PPPoE active discovery message types PADI PPPoE Active Discovery Initiation messages PADO PP...

Page 618: ...Agent 625 WEB INTERFACE To show statistics for PPPoE IA protocol messages 1 Click IP Service PPPoE Intermediate Agent 2 Select Show Statistics from the Step list 3 Select Port or Trunk interface type...

Page 619: ...ks However when the switch is first booted default routing can only forward traffic between local IP interfaces As with all traditional routers static and dynamic routing functions must first be confi...

Page 620: ...eplacing destination source MAC addresses for each hop Incrementing the hop count Decrementing the time to live Verifying and recalculating the Layer 3 checksum If the destination node is on the same...

Page 621: ...n ARP packet to all the ports on the destination VLAN to find out the destination MAC address After the MAC address is discovered the packet is reformatted and sent out to the destination The reformat...

Page 622: ...In other words a router interface address defines the network segment that is connected to that interface and allows you to send IP packets to or from the router You can specify the IP subnets connect...

Page 623: ...s on page 613 or Configuring Static DNS Host to Address Entries on page 615 Probe Count Number of packets to send Range 1 16 Packet Size Number of bytes in a packet IPV4 32 512 bytes IPV6 0 1500 bytes...

Page 624: ...rameters 3 Click Apply Figure 18 2 Pinging a Network Device USING THE TRACE ROUTE FUNCTION Use the IP General Trace Route page to show the route packets take to the specified destination CLI REFERENCE...

Page 625: ...probes by returning an ICMP port unreachable message If the timer goes off before a response is returned the trace function prints a series of asterisks and the Request Timed Out message A long seque...

Page 626: ...sage However if it does match they write their own hardware address into the destination MAC address field and send the message back to the source hardware address When the source device receives a re...

Page 627: ...require Proxy ARP must view the entire network as a single network These nodes must therefore use a smaller subnet mask than that used by the router or other relevant network devices Extensive use of...

Page 628: ...cations may not respond to ARP requests or the response arrives too late causing network operations to time out Static entries will not be aged out or deleted when power is reset You can only remove a...

Page 629: ...YNAMIC OR LOCAL ARP ENTRIES Use the IP ARP Show Information page to display dynamic or local entries in the ARP cache The ARP cache contains static entries and entries for local interfaces including s...

Page 630: ...n page to display statistics for ARP messages crossing all interfaces on this router CLI REFERENCES show ip traffic on page 1343 PARAMETERS These parameters are displayed WEB INTERFACE To display ARP...

Page 631: ...ility CLI REFERENCES ip route on page 1377 ip sw route on page 1378 COMMAND USAGE Up to 24 static routes can be configured Due to a hardware limitation on the SSE G2252 static routes do not work with...

Page 632: ...s 2 Select Add from the Action List 3 Enter the destination address subnet mask and next hop router 4 Click Apply Figure 18 11 Configuring Static Routes To display static routes 1 Click IP Routing Sta...

Page 633: ...ontain any secondary paths A FIB entry consists of the minimum amount of information necessary to make a forwarding decision on a particular packet The typical components within a FIB entry are a netw...

Page 634: ...Chapter 18 General IP Routing Displaying the Routing Table 642 1 Click IP Routing Routing Table Figure 18 13 Displaying the Routing Table...

Page 635: ...ds on page 721 Remote Monitoring Commands on page 745 Authentication Commands on page 753 General Security Measures on page 817 Access Control Lists on page 895 Interface Commands on page 921 Link Agg...

Page 636: ...ands on page 1121 Quality of Service Commands on page 1133 Multicast Filtering Commands on page 1151 LLDP Commands on page 1245 CFM Commands on page 1269 OAM Commands on page 1309 Domain Name Service...

Page 637: ...mpt GC reload Restarts the system at a specified time after a specified delay or at a periodic interval GC enable Activates privileged mode NE quit Exits a CLI session NE PE show history Shows the com...

Page 638: ...of week monthly day cancel at in regularity reload at A specified time at which to reload the switch hour The hour at which to reload Range 0 23 minute The minute at which to reload Range 0 59 month...

Page 639: ...Exec mode In privileged mode additional commands are available and certain commands display additional information See Understanding Command Modes on page 718 SYNTAX enable level level Privilege leve...

Page 640: ...privileged access mode EXAMPLE Console enable Password privileged level password Console RELATED COMMANDS disable 650 enable password 754 quit This command exits the configuration program DEFAULT SET...

Page 641: ...history buffer when you are in Normal Exec or Privileged Exec Mode and commands from the Configuration command history buffer when you are in any of the configuration modes In this example the 2 comm...

Page 642: ...EFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE The character is appended to the end of the prompt to indicate that the system is in normal access mode EXAMPLE Console disable Console R...

Page 643: ...ebooted at January 1 02 11 50 2001 Remaining Time 0 days 0 hours 29 minutes 52 seconds Console end This command returns to Privileged Exec mode DEFAULT SETTING None COMMAND MODE Global Configuration I...

Page 644: ...EXAMPLE This example shows how to return to the Privileged Exec mode from the Global Configuration mode and then quit the CLI session Console config exit Console exit Press ENTER to start session Use...

Page 645: ...System Status Displays system configuration active managers and version information Frame Size Enables support for jumbo frames File Management Manages code image or switch configuration files Line S...

Page 646: ...Shows CPU utilization parameters NE PE show process cpu guard Shows the CPU utilization watermark and threshold NE PE show process cpu task Shows CPU utilization per process NE PE show running config...

Page 647: ...on Total Policy Control Entries 768 Free Policy Control Entries 756 Entries Used by System 12 Entries Used by User 0 TCAM Utilization 1 56 Console show memory This command shows memory utilization par...

Page 648: ...ion watermark and threshold settings COMMAND MODE Normal Exec Privileged Exec EXAMPLE Console show process cpu guard CPU Guard Configuration Status Disabled High Watermark 90 Low Watermark 70 Maximum...

Page 649: ...0 00 0 00 DOT1X_SUP_GROUP 1 00 1 03 2 46 DOT1X_SUP_PROC 0 00 0 00 0 00 DRIVER_GROUP 1 00 1 18 3 03 DRIVER_GROUP_DI 0 00 0 00 0 00 Low Watermark If packet flow has been stopped after exceeding the high...

Page 650: ...SM_GROUP 0 00 0 00 0 00 NSM_PROC 0 00 0 00 0 00 NSM_TD 0 00 0 00 0 00 NTP_TD 0 00 0 00 0 00 OAM_GROUP 0 00 0 00 0 00 OAM_TXLBK_TD 0 00 0 00 0 00 POE_PROC 0 00 0 00 0 00 POE_TASK 0 00 0 00 0 00 POEDRV_...

Page 651: ...interface keyword to display configuration data for the specified interface Use this command in conjunction with the show startup config command to compare the information in running memory to the inf...

Page 652: ...el 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca vlan database VLAN 1 name DefaultVlan media ethernet state active spanning t...

Page 653: ...els VLAN database VLAN ID name and state Multiple spanning tree instances name and interfaces Interface settings and VLAN configuration settings for each interface IP address for management VLAN Any c...

Page 654: ...is command generates a long list of information including detailed system and interface settings It is therefore advisable to direct the output to a file using any suitable output capture function pro...

Page 655: ...19 SSH 1 steve 0 00 06 192 168 1 19 Web Online Users Line User Name Idle time h m s Remote IP addr HTTP ADMIN 0 00 00 192 168 0 99 Console show version This command displays hardware and software vers...

Page 656: ...s the system if any of these processes are not responding correctly SYNTAX watchdog software disable enable DEFAULT SETTING Disabled COMMAND MODE Privileged Exec EXAMPLE Console watchdog Console FRAME...

Page 657: ...n the two end nodes must be able to accept the extended frame size And for half duplex connections all devices in the collision domain would need to support jumbo frames The current setting for jumbo...

Page 658: ...e General Commands boot system Specifies the file or image used to start up the system GC copy Copies a code image or a switch configuration to or from flash memory or an FTP SFTP TFTP server PE delet...

Page 659: ...n later be downloaded to the switch to restore system operation The success of the file transfer depends on the accessibility of the FTP SFTP TFTP server and the quality of the network connection SYNT...

Page 660: ...ust use startup config as the destination The Boot ROM and Loader cannot be uploaded or downloaded from the FTP SFTP TFTP server You must follow the instructions in the release notes for new firmware...

Page 661: ...w to download new firmware from a TFTP server Console copy tftp file TFTP server ip address 10 1 0 19 Choose file type 1 config 2 opcode 1 2 2 Source file name m360 bix Destination file name m360 bix...

Page 662: ...e name SS private Private password Success Console reload System will be restarted continue y n y This example shows how to copy a public key used by SSH from an TFTP server Note that public key authe...

Page 663: ...Password Press y to allow connect to new sftp server and N to deny connect to new sftp server y Success Console delete This command deletes a file or image SYNTAX delete file name filename filename N...

Page 664: ...llowing example shows how to display all file information Console dir File Name Type Startup Modify Time Size bytes Unit 1 SSE G2252P_V1 0 14 0 bix OpCode Y 1970 01 01 00 00 00 8559848 Factory_Default...

Page 665: ...a new version is detected on the server indicated by the upgrade opcode path command Use the no form of this command to restore the default setting SYNTAX no upgrade opcode auto DEFAULT SETTING Disab...

Page 666: ...h tftp 192 168 0 1 sm24 Console config If a new image is found at the specified location the following type of messages will be displayed during bootup Automatic Upgrade is looking for a new image New...

Page 667: ...ntax must be used where filedir indicates the path to the directory containing the new image ftp username password 192 168 0 1 filedir If the user name is omitted anonymous will be used for the connec...

Page 668: ...d Path File Name SSE G2252 series bix Console TFTP Configuration Commands ip tftp retry This command specifies the number of times the switch can retry transmitting a request to a TFTP server after wa...

Page 669: ...o ip tftp timeout seconds The the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out Range 1 65535 seconds DEFAULT SETTING 5 seconds COMMAND MODE...

Page 670: ...tions LC databits Sets the number of data bits per character that are interpreted and generated by hardware LC exec timeout Sets the interval that the command interpreter waits until user input is det...

Page 671: ...e config line RELATED COMMANDS show line 687 show users 662 databits This command sets the number of data bits per character that are interpreted and generated by the console port Use the no form to r...

Page 672: ...MODE Line Configuration COMMAND USAGE If user input is detected within the timeout interval the session is kept open otherwise the session is terminated This command applies to both the local console...

Page 673: ...ame command i e default setting When using this method the management interface starts in Normal Exec NE or Privileged Exec PE mode depending on the user s privilege level 0 or 15 respectively no logi...

Page 674: ...length 32 characters plain text or encrypted case sensitive DEFAULT SETTING No password is specified COMMAND MODE Line Configuration COMMAND USAGE When a connection is started on a line with password...

Page 675: ...ine Configuration COMMAND USAGE When the logon attempt threshold is reached the system interface becomes silent for a specified amount of time before allowing the next logon attempt Use the silent tim...

Page 676: ...and sets the terminal line s baud rate This command sets both the transmit to terminal and receive from terminal speeds Use the no form to restore the default setting SYNTAX speed bps no speed bps Bau...

Page 677: ...Console config line stopbits 2 Console config line timeout login response This command sets the interval that the system waits for a user to log into the CLI Use the no form to restore the default set...

Page 678: ...nection Range 0 8 COMMAND MODE Privileged Exec COMMAND USAGE Specifying session identifier 0 will disconnect the console connection Specifying any other identifiers for an active session will disconne...

Page 679: ...i bbs ANSI BBS vt 100 VT 100 vt 102 VT 102 width The number of character columns displayed on the terminal Range 0 80 DEFAULT SETTING Escape Character 27 ASCII number History 10 Length 24 Terminal Typ...

Page 680: ...nsole EVENT LOGGING This section describes commands used to configure event logging on the switch Table 20 9 Event Logging Commands Command Function Mode logging command Controls logging of commands e...

Page 681: ...config logging facility This command sets the facility type for remote logging of syslog messages Use the no form to return the type to the default SYNTAX logging facility type no logging facility typ...

Page 682: ...tion COMMAND USAGE The message level specified for flash memory must be a higher priority i e numerically lower than that specified for RAM EXAMPLE Console config logging history ram 0 Console config...

Page 683: ...EXAMPLE Console config logging host 10 1 0 3 Console config logging on This command controls logging of error messages sending debug or error messages to a logging process The no form disables the log...

Page 684: ...le on page 690 Messages sent include the selected level through level 0 DEFAULT SETTING Disabled Level 7 COMMAND MODE Global Configuration COMMAND USAGE Using this command with a specified level enabl...

Page 685: ...NG None COMMAND MODE Privileged Exec COMMAND USAGE All log messages are retained in RAM and Flash after a warm restart i e power is reset through the command interface All log messages are retained in...

Page 686: ...MMAND MODE Privileged Exec EXAMPLE The following example shows that system logging is enabled the message level for flash memory is errors i e default level 3 0 and the message level for RAM is debugg...

Page 687: ...te Log Status Shows if remote logging has been enabled via the logging trap command Remote Log Facility Type The facility type for remote logging of syslog messages as specified in the logging facilit...

Page 688: ...to specify each server To send email alerts the switch first opens a connection sends all the email alerts waiting in the queue one by one and finally closes the connection To open a connection the s...

Page 689: ...vel 0 EXAMPLE This example will send email alerts for system errors from level 3 through 0 Console config logging sendmail level 3 Console config logging sendmail destination email This command specif...

Page 690: ...ODE Global Configuration COMMAND USAGE You may use an symbolic email address that identifies the switch or the address of an administrator responsible for the switch EXAMPLE Console config logging sen...

Page 691: ...ls for time GC sntp server Specifies one or more time servers GC show sntp Shows current SNTP configuration settings NE PE NTP Commands ntp authenticate Enables authentication for NTP traffic GC ntp a...

Page 692: ...command EXAMPLE Console config sntp server 10 1 0 19 Console config sntp poll 60 Console config sntp client Console config end Console show sntp Current Time Dec 23 02 52 44 2002 Poll Interval 60 Cur...

Page 693: ...Range 1 3 addresses DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE This command specifies time servers from which the switch will poll for time updates when set to SNTP client mo...

Page 694: ...on SYNTAX no ntp authenticate DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE You can enable NTP authentication to ensure that reliable updates are received from only authoriz...

Page 695: ...ed on the switch Re enter this command for each server you want to configure Note that NTP authentication key numbers and values must match on both the server and client NTP authentication is optional...

Page 696: ...ient 699 ntp server 704 ntp server This command sets the IP addresses of the servers to which NTP time requests are issued Use the no form of the command to clear a specific time server or all servers...

Page 697: ...ient 703 show ntp 705 show ntp This command displays the current time and configuration settings for the NTP client and indicates whether or not the local time has been properly updated COMMAND MODE N...

Page 698: ...l begin b hour The hour summer time will begin Range 0 23 hours b minute The minute summer time will begin Range 0 59 minutes e date Day of the month when summer time will end Range 1 31 e month The m...

Page 699: ...predefined australia europe new zealand usa no clock summer time name Name of the timezone while summer time is in effect usually an acronym Range 1 30 characters DEFAULT SETTING Disabled COMMAND MOD...

Page 700: ...ay The day of the week when summer time will begin Options sunday monday tuesday wednesday thursday friday saturday b month The month when summer time will begin Options january february march april m...

Page 701: ...afternoons have more daylight and mornings have less This is known as Summer Time or Daylight Savings Time DST Typically clocks are adjusted forward one hour at the start of spring and then adjusted b...

Page 702: ...a time corresponding to your local time you must indicate the number of hours and minutes your time zone is east before or west after of UTC EXAMPLE Console config clock timezone Japan hours 8 minute...

Page 703: ...ivileged Exec EXAMPLE Console show calendar Current Time Dec 28 18 14 47 2013 Time Zone UTC 00 00 Summer Time Not configured Summer Time in Effect No Console TIME RANGE This section describes the comm...

Page 704: ...of seven rules can be configured for a time range EXAMPLE Console config time range r d Console config time range RELATED COMMANDS Access Control Lists 895 absolute This command sets the time range fo...

Page 705: ...ence of an event Console config time range r d Console config time range absolute start 1 1 1 april 2009 end 2 1 1 april 2009 Console config time range periodic This command sets the time range for th...

Page 706: ...LE This example configures a time range for the periodic occurrence of an event Console config time range sales Console config time range periodic daily 1 1 to 2 1 Console config time range show time...

Page 707: ...ted by the administrator through the management station The cluster VLAN 4093 is not configured by default Before using clustering take the following actions to set up this VLAN 1 Create VLAN 4093 see...

Page 708: ...nd are used for communication between Member switches and the Commander Switch clusters are limited to the same Ethernet broadcast domain There can be up to 100 candidates and 36 member switches in on...

Page 709: ...x x DEFAULT SETTING 10 254 254 1 COMMAND MODE Global Configuration COMMAND USAGE An internal IP address pool is used to assign IP addresses to Member switches in the cluster Internal cluster IP addres...

Page 710: ...le config cluster member mac address 00 12 34 56 78 9a id 5 Console config rcommand This command provides access to a cluster Member CLI for configuration SYNTAX rcommand id member id member id The ID...

Page 711: ...tch cluster members COMMAND MODE Privileged Exec EXAMPLE Console show cluster members Cluster Members ID 1 Role Active member IP Address 10 254 254 2 MAC Address 00 E0 0C 00 00 FE Description SSE G225...

Page 712: ...p the community access string to permit access to SNMP commands GC snmp server contact Sets the system contact string GC snmp server location Sets the system location string GC show snmp Displays the...

Page 713: ...ol IC Port snmp server enable port traps atc multicast control apply Sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires IC Port snm...

Page 714: ...y string that acts like a password and permits access to the SNMP protocol Maximum length 32 characters case sensitive Maximum number of strings 5 ro Specifies read only access Authorized management s...

Page 715: ...Use the no form to remove the system contact information SYNTAX snmp server contact string no snmp server contact string String that describes the system contact information Maximum length 255 charac...

Page 716: ...units and whether or not SNMP logging has been enabled with the snmp server enable traps command EXAMPLE Console show snmp SNMP Agent Enabled SNMP Traps Authentication Enabled Link up down Enabled MA...

Page 717: ...dress is added or removed interval Specifies the interval between issuing two consecutive traps Range 1 3600 seconds Default 1 second DEFAULT SETTING Issues authentication and link up down traps Other...

Page 718: ...re sent as inform messages Note that this option is only available for version 2c and 3 hosts Default traps are used retries The maximum number of times to resend an inform message if the recipient do...

Page 719: ...snmp server enable traps command For example some notification types are always enabled Notifications are issued by the switch as trap messages by default The recipient of a trap message does not send...

Page 720: ...f you specify an SNMP Version 3 host then the community string is interpreted as an SNMP user name The user name must first be defined with the snmp server user command Otherwise an SNMPv3 group will...

Page 721: ...interfaces SYNTAX show snmp server enable port traps interface interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 52 port channel channel id Range 1 16 COMMA...

Page 722: ...of packets passed between the switch and a user on the remote host SNMP passwords are localized using the engine ID of the authoritative agent For informs the authoritative SNMP agent is the remote a...

Page 723: ...T SETTING Default groups public1 read only private2 read write readview Every object belonging to the Internet OID space 1 writeview Nothing is defined notifyview Nothing is defined COMMAND MODE Globa...

Page 724: ...assword Authentication password Enter as plain text if the encrypted option is not used Otherwise enter an encrypted password Range 8 32 characters priv des56 Uses SNMPv3 with privacy with DES56 encry...

Page 725: ...nfig snmp server user steve group r d v3 auth md5 greenpeace priv des56 einstien Console config snmp server user mark group r d remote 192 168 1 19 v3 auth md5 greenpeace priv des56 einstien Console c...

Page 726: ...ivileged Exec EXAMPLE This example shows the default engine ID Console show snmp engine id Local SNMP EngineID 8000002a8000000000e8666672 Local SNMP EngineBoots 1 Remote SNMP EngineID IP address 80000...

Page 727: ...ge Type volatile Row Status active Group Name private Security Model v1 Read View defaultview Write View defaultview Notify View none Storage Type volatile Row Status active Group Name private Securit...

Page 728: ...mation on the SNMP views COMMAND MODE Privileged Exec EXAMPLE Console show snmp view View Name mib 2 Subtree OID 1 2 2 3 6 2 1 View Type included Storage Type permanent Row Status active View Name def...

Page 729: ...is enabled by the nlm command Disabling logging with this command does not delete the entries stored in the notification log EXAMPLE This example enables the notification log A1 Console config nlm A1...

Page 730: ...tions can poll the log to verify that they have not missed any important Notifications If notification logging is not configured and enabled when the switch reboots some SNMP traps such as warm start...

Page 731: ...lter Name A1 Oper Status Operational Console show snmp notify filter This command displays the configured notification logs COMMAND MODE Privileged Exec EXAMPLE This example displays the configured no...

Page 732: ...655 process cpu This command sets an SNMP trap based on configured thresholds for CPU utilization Use the no form to restore the default setting SYNTAX process cpu rising rising threshold falling fal...

Page 733: ...me falls below the low watermark low watermark If packet flow has been stopped after exceeding the high watermark normal flow will be restored after usaage falls beneath the low watermark max threshol...

Page 734: ...efore another alarm is triggered Once the maximum threshold is exceeded utilization must drop beneath the minimum threshold before the alarm is terminated and then exceed the maximum threshold again b...

Page 735: ...on in the relevant RMON database group A management agent then periodically communicates with the switch using the SNMP protocol However if the switch encounters a critical event it can automatically...

Page 736: ...entry Range 1 127 characters DEFAULT SETTING 1 3 6 1 2 1 16 1 1 1 6 1 1 3 6 1 2 1 16 1 1 1 6 52 Taking delta samples every 30 seconds Rising threshold is 892800 assigned to event 0 Falling threshold i...

Page 737: ...ty A password like community string sent with the trap operation to SNMP v1 and v2c hosts Although this string can be set using the rmon event command by itself it is recommended that the string be de...

Page 738: ...figuration Ethernet COMMAND USAGE By default each index number equates to a port on the switch but can be changed to any number not currently in use If periodic sampling is already enabled on an inter...

Page 739: ...wner name no rmon collection rmon1 controlEntry index index Index to this entry Range 1 65535 name Name of the person who created this entry Range 1 127 characters DEFAULT SETTING Enabled COMMAND MODE...

Page 740: ...id owned by mike Description is urgent Event firing causes log and trap to community last fired 00 00 00 Console show rmon history This command shows the sampling parameters configured for each entry...

Page 741: ...tistics Interface 1 is valid and owned by Monitors 1 3 6 1 2 1 2 2 1 1 1 which has Received 164289 octets 2372 packets 120 broadcast and 2211 multicast packets 0 undersized and 0 oversized packets 0 f...

Page 742: ...Privilege Levels Configures the basic user names and passwords for management access and assigns a privilege level to specified command groups or individual commands Authentication Sequence Defines l...

Page 743: ...ame default access privileges including additional commands in Normal Exec mode and a subset of commands in Privileged Exec mode under the Console command prompt Level 15 provides full access to all c...

Page 744: ...The device has two predefined users guest which is assigned privilege level 0 Normal Exec and ADMIN which is assigned privilege level 15 and has full access to all commands under both Normal Exec and...

Page 745: ...nfiguration file during system bootup or when downloading the configuration file from an FTP server There is no need for you to manually configure encrypted passwords EXAMPLE This example shows how th...

Page 746: ...hose controlling various authentication and security features Level 15 provides full access to all commands COMMAND MODE Global Configuration EXAMPLE This example sets the privilege level for the ping...

Page 747: ...ers a connection oriented transport Also note that RADIUS encrypts only the password in the access request packet from the client to the server while TACACS encrypts the entire body of the packet RADI...

Page 748: ...connection oriented transport Also note that RADIUS encrypts only the password in the access request packet from the client to the server while TACACS encrypts the entire body of the packet RADIUS and...

Page 749: ...ing messages Use the no form to restore the default SYNTAX radius server acct port port number no radius server acct port port number RADIUS server UDP port used for accounting messages Range 1 65535...

Page 750: ...e default values SYNTAX no radius server index host host ip address acct port acct port auth port auth port key key retransmit retransmit timeout timeout index Allows you to specify up to five servers...

Page 751: ...ing no radius server key key string Encryption key used to authenticate logon access for client Enclose any string containing blank spaces in double quotes Maximum length 48 characters DEFAULT SETTING...

Page 752: ...ut number of seconds Number of seconds the switch waits for a reply before resending a request Range 1 65535 DEFAULT SETTING 5 COMMAND MODE Global Configuration EXAMPLE Console config radius server ti...

Page 753: ...r to restore the default values SYNTAX tacacs server index host host ip address key key port port number retransmit retransmit timeout timeout no tacacs server index index The index for this server Ra...

Page 754: ...smit 5 key green Console config tacacs server key This command sets the TACACS encryption key Use the no form to restore the default SYNTAX tacacs server key key string no tacacs server key key string...

Page 755: ...cacs server retransmit number of retries Number of times the switch will try to authenticate logon access via the TACACS server Range 1 30 DEFAULT SETTING 2 COMMAND MODE Global Configuration EXAMPLE C...

Page 756: ...Retransmit Times 2 Timeout 5 Server 1 Server IP Address 192 168 1 25 Server Port Number 181 Retransmit Times 2 Timeout 4 TACACS Server Group Group Name Member Index tacacs 1 Console AAA The Authentica...

Page 757: ...red with the aaa group server command Range 1 64 characters DEFAULT SETTING Accounting is not enabled No servers are specified COMMAND MODE Global Configuration aaa accounting exec Enables accounting...

Page 758: ...ot1x default method name default Specifies the default accounting method for service requests method name Specifies an accounting method for service requests Range 1 64 characters start stop Records a...

Page 759: ...up Specifies the server group to use radius Specifies all RADIUS hosts configure with the radius server host command tacacs Specifies all TACACS hosts configure with the tacacs server host command ser...

Page 760: ...interim interval enables updates but does not change the current interval setting EXAMPLE Console config aaa accounting update periodic 30 Console config aaa authorization exec This command enables th...

Page 761: ...tly defined EXAMPLE Console config aaa authorization exec default group tacacs Console config aaa group server Use this command to name a group of security server hosts To remove a server group from t...

Page 762: ...server host command EXAMPLE Console config aaa group server radius tps Console config sg radius server 10 2 68 120 Console config sg radius accounting dot1x This command applies an accounting method f...

Page 763: ...ULT SETTING None COMMAND MODE Line Configuration EXAMPLE Console config line console Console config line accounting commands 15 default Console config line accounting exec This command applies an acco...

Page 764: ...ne Configuration EXAMPLE Console config line console Console config line authorization exec tps Console config line exit Console config line vty Console config line authorization exec default Console...

Page 765: ...ommands used to configure web browser management access to the switch NOTE Users are automatically logged off of the HTTP server or HTTPS server if no input is detected for 300 seconds ip http port Th...

Page 766: ...erver 777 show system 661 ip http server This command allows this device to be monitored or configured from a browser Use the no form to disable this function SYNTAX no ip http server DEFAULT SETTING...

Page 767: ...cure port 1000 Console config RELATED COMMANDS ip http secure server 778 show system 661 ip http secure server This command enables the secure hypertext transfer protocol HTTPS over the Secure Socket...

Page 768: ...rsions The following web browsers and operating systems currently support HTTPS To specify a secure site certificate see Replacing the Default Secure site Certificate on page 293 Also refer to the cop...

Page 769: ...ip telnet max sessions session count The maximum number of allowed Telnet session Range 0 8 DEFAULT SETTING 4 sessions COMMAND MODE Global Configuration COMMAND USAGE A maximum of eight sessions can b...

Page 770: ...l Configuration EXAMPLE Console config ip telnet port 123 Console config ip telnet server This command allows this device to be monitored or configured from Telnet Use the no form to disable this func...

Page 771: ...n Note that regardless of whether you Table 23 11 Secure Shell Commands Command Function Mode ip ssh authentication retries Specifies the number of retries allowed by a client GC ip ssh server Enables...

Page 772: ...blic Key to the Switch Use the copy tftp public key command to copy a file containing the public key for all the SSH client s granted management access to the switch Note that these clients must be co...

Page 773: ...6 bit string as a challenge encrypts this string with the user s public key and sends it to the client d The client uses its private key to decrypt the challenge string computes the MD5 checksum and s...

Page 774: ...p ssh authentication retries count no ip ssh authentication retries count The number of authentication attempts permitted after which the interface is reset Range 1 5 DEFAULT SETTING 3 COMMAND MODE Gl...

Page 775: ...key generate 787 show ssh 790 ip ssh server key size This command sets the SSH server key size Use the no form to restore the default setting SYNTAX ip ssh server key size key size no ip ssh server ke...

Page 776: ...ut is controlled by the exec timeout command for vty sessions EXAMPLE Console config ip ssh timeout 60 Console config RELATED COMMANDS exec timeout 680 show ip ssh 789 delete public key This command d...

Page 777: ...me SSH client programs automatically add the public key to the known hosts file as part of the configuration process Otherwise you must manually create a known hosts file and place the host public key...

Page 778: ...sh save host key 789 no ip ssh server 785 ip ssh save host key This command saves the host key from RAM to flash memory SYNTAX ip ssh save host key DEFAULT SETTING Saves both the DSA and RSA key COMMA...

Page 779: ...e encoded modulus EXAMPLE Console show public key host Host RSA 1024 65537 13236940658254764031382795526536375927835525327972629521130241 07194210616557594245909392360969540503627752575562510038661309...

Page 780: ...ion Started ADMIN ctos aes128 cbc hmac md5 stoc aes128 cbc hmac md5 Console Table 23 12 show ssh display description Field Description Connection The session number Range 0 3 Version The Secure Shell...

Page 781: ...single or multiple hosts on an dot1x port IC dot1x port control Sets dot1x mode for a port interface IC dot1x re authentication Enables re authentication for all ports IC dot1x timeout quiet period Se...

Page 782: ...ontrol multi host max count dot1x operation mode dot1x max req dot1x timeout quiet period dot1x timeout tx period dot1x timeout re authperiod dot1x timeout sup timeout dot1x re authentication dot1x in...

Page 783: ...arried out by switches located on the edge of the network When this device is functioning as an edge switch but does not require any attached clients to be authenticated the no dot1x eapol pass throug...

Page 784: ...nfiguration COMMAND USAGE For guest VLAN assignment to be successful the VLAN must be configured and set as active see the vlan database command and assigned as the guest VLAN for the port see the net...

Page 785: ...onfig if dot1x max req 2 Console config if dot1x operation mode This command allows hosts clients to connect to an 802 1X authorized port Use the no form with no keywords to restore the default to sin...

Page 786: ...ss to a port operating in this mode is limited only by the available space in the secure address table i e up to 1024 addresses EXAMPLE Console config interface eth 1 2 Console config if dot1x operati...

Page 787: ...the process is handled transparently by the dot1x client software Only if re authentication fails is the port blocked The connected client is re authenticated after the interval specified by the dot1x...

Page 788: ...3600 seconds COMMAND MODE Interface Configuration EXAMPLE Console config interface eth 1 2 Console config if dot1x timeout re authperiod 300 Console config if dot1x timeout supp timeout This command s...

Page 789: ...out tx period This command sets the time that an interface on the switch waits during an authentication session before re transmitting an EAP packet Use the no form to reset to the default value SYNTA...

Page 790: ...d username Specifies the supplicant user name Range 1 11 characters password Specifies the supplicant password Range 1 8 characters DEFAULT No user name or password COMMAND MODE Global Configuration C...

Page 791: ...st submit requests to another authenticator on the network configure the identity profile parameters see dot1x identity profile command which identify this switch as a supplicant and enable dot1x supp...

Page 792: ...FAULT 30 seconds COMMAND MODE Interface Configuration COMMAND USAGE This command sets the time that the supplicant waits for a response from the authenticator for packets other than EAPOL Start EXAMPL...

Page 793: ...eriod seconds The number of seconds Range 1 65535 DEFAULT 30 seconds COMMAND MODE Interface Configuration EXAMPLE Console config interface eth 1 2 Console config if dot1x timeout start period 60 Conso...

Page 794: ...ss control parameters for each interface including the following items Reauthentication Periodic re authentication page 798 Reauth Period Time after which a connected client must be re authenticated p...

Page 795: ...e initialize Request Count Number of EAP Request packets sent to the Supplicant without receiving a response Identifier Server Identifier carried in the most recent EAP Success Failure or Request pack...

Page 796: ...State Machine State Idle Request Count 0 Identifier Server 2 Reauthentication State Machine State Initialize Console MANAGEMENT IP FILTER This section describes commands used to configure IP managemen...

Page 797: ...d address the switch will reject the connection enter an event message in the system log and send a trap message to the trap manager IP address can be configured for SNMP web and Telnet access respect...

Page 798: ...addresses for the web group snmp client Displays IP addresses for the SNMP group telnet client Displays IP addresses for the Telnet group COMMAND MODE Privileged Exec EXAMPLE Console show management a...

Page 799: ...p information from the client s PPPoE Active Discovery Request and forwards this information to all trusted ports Table 23 15 PPPoE Intermediate Agent Commands Command Function Mode pppoe intermediate...

Page 800: ...SYNTAX pppoe intermediate agent format type access node identifier id string generic error message error message no pppoe intermediate agent format type access node identifier generic error message i...

Page 801: ...rface ethernet 1 5 Console config if pppoe intermediate agent port enable Console config if pppoe intermediate agent port format type This command sets the circuit id or remote id for an interface Use...

Page 802: ...sent from the PPPoE Server include the Circuit ID tag inserted by the switch and should be stripped out of PADO and PADS packets which are to be passed directly to end node clients using the pppoe int...

Page 803: ...AGE This command only applies to trusted interfaces It is used to strip off vendor specific tags which carry subscriber and line identification information in PPPoE Discovery packets received from an...

Page 804: ...ccess Node Identifier 192 168 0 2 PPPoE Intermediate Agent Oper Access Node Identifier 192 168 0 2 PPPoE Intermediate Agent Admin Generic Error Message PPPoE Discover packet too large to process Try r...

Page 805: ...rom untrusted Request towards untrusted Malformed 0 0 0 Console Table 23 16 show pppoe intermediate agent statistics display description Field Description Received PADI PPPoE Active Discovery Initiati...

Page 806: ...t Authentication Configures host authentication on specific ports using 802 1X Network Access Configures MAC authentication and dynamic VLAN assignment Web Authentication Configures Web authentication...

Page 807: ...g a trap message mac learning This command enables MAC address learning on the selected interface Use the no form to disable MAC address learning SYNTAX no mac learning DEFAULT SETTING Enabled COMMAND...

Page 808: ...AC address learning for port 2 Console config interface ethernet 1 2 Console config if no mac learning Console config if RELATED COMMANDS show interfaces status 936 port security This command enables...

Page 809: ...frames received on the port The specified maximum address count is effective when port security is enabled or disabled Note that you can manually add additional secure addresses to a port using the ma...

Page 810: ...static entries SYNTAX port security mac address as permanent interface interface interface Specifies a port interface ethernet unit port unit This is unit 1 port Port number Range 1 52 COMMAND MODE P...

Page 811: ...AC Filter ID field is configured by the network access port mac filter command If this field displays Disabled then any unknown source MAC address can be learned as a secure MAC address If it displays...

Page 812: ...on about a detected intrusion Console show port security interface ethernet 1 2 Global Port Security Parameters Secure MAC Aging Mode Disabled Port Security Details Port 1 2 Port Security Enabled Port...

Page 813: ...network access link detection Enables the link detection feature IC network access link detection link down Configures the link detection feature to detect and act upon link down events IC network ac...

Page 814: ...ddress Authentication process described in this section as well as to any secure MAC addresses authenticated by 802 1X regardless of the 802 1X Operation Mode Single Host Multi Host or MAC Based authe...

Page 815: ...mac filter 1 mac address 11 22 33 44 55 66 Console config mac authentication reauth time Use this command to set the time period after which a connected MAC address must be re authenticated Use the no...

Page 816: ...returned dynamic QoS profile that is different from users already logged on to the same port the user is denied access While a port has an assigned dynamic QoS profile any manual QoS configuration ch...

Page 817: ...he first authenticated MAC address are implemented for a port Other authenticated MAC addresses on the port must have same VLAN configuration or they are treated as an authentication failure If dynami...

Page 818: ...mmand EXAMPLE Console config interface ethernet 1 1 Console config if network access guest vlan 25 Console config if network access link detection Use this command to enable link detection for the sel...

Page 819: ...ace ethernet 1 1 Console config if network access link detection link down action trap Console config if network access link detection link up Use this command to detect link up events When detected t...

Page 820: ...onse to take when port security is violated shutdown Disable port only trap Issue SNMP trap message only trap and shutdown Issue SNMP trap message and disable the port DEFAULT SETTING Disabled COMMAND...

Page 821: ...en enabled on a port the authentication process sends a Password Authentication Protocol PAP request to a configured RADIUS server The user name and password are both equal to the MAC address being au...

Page 822: ...port mac filter Use this command to enable the specified MAC address filter Use the no form of this command to disable the specified MAC address filter SYNTAX network access port mac filter filter id...

Page 823: ...d to restore the default SYNTAX mac authentication max mac count count no mac authentication max mac count count The maximum number of MAC authenticated MAC addresses allowed Range 1 1024 DEFAULT SETT...

Page 824: ...interface interface Specifies a port interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 52 DEFAULT SETTING Displays the settings for all interfaces COMMAND MODE Privil...

Page 825: ...it identifier Range 1 port Port number Range 1 52 sort Sorts displayed entries by either MAC address or interface DEFAULT SETTING Displays all filters COMMAND MODE Privileged Exec COMMAND USAGE When u...

Page 826: ...perform DNS queries All other traffic except for HTTP protocol traffic is blocked The switch intercepts HTTP protocol traffic and redirects it to a switch generated web page that facilitates user name...

Page 827: ...se the no form to restore the default SYNTAX web auth quiet period time no web auth quiet period time The amount of time the host must wait before attempting authentication again Range 1 180 seconds w...

Page 828: ...time data transmission takes place Use the no form to restore the default SYNTAX web auth session timeout timeout no web auth session timeout timeout The amount of time that an authenticated session...

Page 829: ...AULT SETTING Disabled COMMAND MODE Interface Configuration COMMAND USAGE Both web auth system auth control for the switch and web auth for a port must be enabled for the web authentication feature to...

Page 830: ...net unit port unit This is unit 1 port Port number Range 1 52 ip IPv4 formatted IP address DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console web auth re authenticate interface ethernet...

Page 831: ...Web Auth Status Enabled Host Summary IP address Web Auth State Remaining Session Time 1 1 1 1 Authenticated 295 1 1 1 2 Authenticated 111 Console show web auth summary This command displays a summary...

Page 832: ...mation option policy for DHCP client packets that include Option 82 information GC ip dhcp snooping limit rate Sets the maximum number of DHCP packets that can be trapped for DHCP snooping GC ip dhcp...

Page 833: ...emented as follows If global DHCP snooping is disabled all DHCP packets are forwarded If DHCP snooping is enabled globally and also enabled on the VLAN where the DHCP packet is received all DHCP packe...

Page 834: ...s example enables DHCP snooping globally for the switch Console config ip dhcp snooping Console config RELATED COMMANDS ip dhcp snooping vlan 848 ip dhcp snooping trust 851 ip dhcp snooping informatio...

Page 835: ...in reply packets sent back from the DHCP server When the DHCP Snooping Information Option 82 is enabled clients can be identified by the switch port to which they are connected rather than just their...

Page 836: ...ay agent itself inserts the relay agent s address when DHCP snooping is enabled and forwards the packets to trusted ports DEFAULT SETTING replace COMMAND MODE Global Configuration COMMAND USAGE When t...

Page 837: ...no ip dhcp snooping verify mac address DEFAULT SETTING Enabled COMMAND MODE Global Configuration COMMAND USAGE If MAC address verification is enabled and the source MAC address in the Ethernet header...

Page 838: ...re enabled When DHCP snooping is globally enabled and then disabled on a VLAN all dynamic bindings learned for this VLAN are removed from the binding table EXAMPLE This example enables DHCP snooping...

Page 839: ...ess node identifier ASCII string Default is the MAC address of the switch s CPU This field is set by the ip dhcp snooping information option command eth The second field is the fixed string eth slot T...

Page 840: ...cp snooping command and enabled on a VLAN with ip dhcp snooping vlan command DHCP packet filtering will be performed on any untrusted ports within the VLAN according to the default status or as specif...

Page 841: ...Privileged Exec EXAMPLE Console clear ip dhcp snooping database flash Console ip dhcp snooping database flash This command writes all dynamically learned snooping entries to flash memory COMMAND MODE...

Page 842: ...ace DHCP Snooping is configured on the following VLANs Verify Source MAC Address enabled DHCP Snooping rate limit unlimited Interface Trusted Circuit ID mode Circuit ID Value Eth 1 1 No Vlan Unit Port...

Page 843: ...essages received on an untrusted interface as Table 24 9 DHCP Snooping Commands Command Function Mode ipv6 dhcp snooping Enables DHCPv6 snooping globally GC ipv6 dhcp snooping option remote id Enables...

Page 844: ...described below If DHCPv6 snooping is enabled globally and also enabled on the VLAN where the DHCP packet is received but the port is not trusted DHCP packets are processed according to message type...

Page 845: ...ck the relay message option in Relay Forward or Relay Reply packet and process client and server packets as described above If DHCPv6 snooping is globally disabled all dynamic bindings are removed fro...

Page 846: ...identified in the DHCPv6 request packets forwarded by the switch and in reply packets sent back from the DHCPv6 server When the DHCPv6 Snooping Option 37 is enabled clients can be identified by the s...

Page 847: ...d of relaying it keep Retains the Option 37 information in the client request and forwards the packets to trusted ports replace Replaces the Option 37 remote ID in the client s request with the relay...

Page 848: ...usted ports within the VLAN as specified by the ipv6 dhcp snooping trust command When the DHCPv6 snooping is globally disabled DHCPv6 snooping can still be configured for specific VLANs but the change...

Page 849: ...network An untrusted interface is an interface that is configured to receive messages from outside the network or fire wall Set all ports connected to DHCv6 servers within the local network or fire w...

Page 850: ...entry Format xx xx xx xx xx xx ipv6 address Corresponding IPv6 address This address must be entered according to RFC 2373 IPv6 Addressing Architecture using 8 colon separated 16 bit hexadecimal values...

Page 851: ...ding table entries COMMAND MODE Privileged Exec EXAMPLE Console show ipv6 dhcp snooping binding NA Non temporary address TA Temporary address Link layer Address 00 13 49 aa 39 26 IPv6 Address Lifetime...

Page 852: ...ress binding table Use the no form to remove a static entry SYNTAX ip source guard binding mode acl mac mac address vlan vlan id ip address interface ethernet unit port no ip source guard binding mode...

Page 853: ...ed with a value of zero by the show ip source guard command page 868 When source guard is enabled traffic is filtered based upon dynamic entries learned via DHCP snooping or static addresses configure...

Page 854: ...ce Configuration Ethernet COMMAND USAGE Source guard is used to filter traffic on an insecure port which receives messages from outside the network or fire wall and therefore may be subject to traffic...

Page 855: ...P snooping is enabled IP source guard will check the VLAN ID source IP address port number and source MAC address for the sip mac option If a matching entry is found in the binding table and the entry...

Page 856: ...ic entries set by the ip source guard command EXAMPLE This example sets the maximum number of allowed entries in the binding table for port 5 to one entry The mode is not specified and therefore defau...

Page 857: ...urce guard binding blocked command A maximum of 512 blocked records can be stored before the switch overwrites the oldest record with new blocked records Use the clear ip source guard binding blocked...

Page 858: ...tic Shows static entries configured with the ip source guard binding command see page 863 acl Shows static entries in the ACL binding table mac Shows static entries in the MAC address binding table bl...

Page 859: ...urce guard binding mac address vlan vlan id mac address A valid unicast MAC address vlan id ID of a configured VLAN Range 1 4094 ipv6 address Corresponding IPv6 address This address must be entered ac...

Page 860: ...ings are processed as follows If there is no entry with same and MAC address and IPv6 address a new entry is added to binding table using static IPv6 source guard binding If there is an entry with sam...

Page 861: ...Pv6 packets allowed by DHCPv6 snooping A port access control list ACL is applied to the interface Traffic is then filtered based upon dynamic entries learned via ND snooping or DHCPv6 snooping or stat...

Page 862: ...kets and DHCPv6 packets Only IPv6 global unicast addresses are accepted for static bindings EXAMPLE This example enables IP source guard on port 5 Console config interface ethernet 1 5 Console config...

Page 863: ...he maximum number of allowed bindings is changed to a lower value precedence is given to deleting entries learned through DHCPv6 snooping ND snooping and then manually configured IPv6 source guard sta...

Page 864: ...Inspection validates the MAC to IP address bindings in Address Resolution Protocol ARP packets It protects against ARP traffic with invalid address bindings which forms the basis for certain man in th...

Page 865: ...g buffer logs Sets the maximum number of entries saved in a log message and the rate at these messages are sent GC ip arp inspection validate Specifies additional validation of address components in a...

Page 866: ...ly to one or more VLANs Use the no form to remove an ACL binding Use the no form to remove an ACL binding SYNTAX ip arp inspection filter arp acl name vlan vlan id vlan range static no ip arp inspecti...

Page 867: ...ed in a log message Range 0 256 where 0 means no events are saved and no messages sent seconds The interval at which log messages are sent Range 0 86400 DEFAULT SETTING Message Number 5 Interval 1 sec...

Page 868: ...get MAC address in the ARP body This check is performed for ARP responses When enabled packets with different MAC addresses are classified as invalid and are dropped ip Checks the ARP body for invalid...

Page 869: ...led with this command When ARP Inspection is enabled globally and enabled on selected VLANs all ARP request and reply packets on those VLANs are redirected to the CPU and their switching is handled by...

Page 870: ...AND USAGE This command applies to both trusted and untrusted ports When the rate of incoming ARP packets exceeds the configured limit the switch drops all ARP packets in excess of the limit EXAMPLE Co...

Page 871: ...on Global IP ARP Inspection status disabled Log Message Interval 10 s Log Message Number 1 Need Additional Validation s Yes Additional Validation Type Destination MAC address Console show ip arp inspe...

Page 872: ...cs ARP packets received before rate limit 150 ARP packets dropped due to rate limt 5 Total ARP packets processed by ARP Inspection 150 ARP packets dropped by additional validation source MAC address 0...

Page 873: ...sent to it and the chargen character generator service generates a continuous stream of data When used together they create an infinite loop and result in a denial of service Use the no form to disabl...

Page 874: ...any interrupts required to send ICMP Echo response packets Use the no form to disable this feature SYNTAX no dos protection smurf DEFAULT SETTING Enabled COMMAND MODE Global Configuration EXAMPLE Cons...

Page 875: ...mply discards the TCP NULL scan Use the no form to disable this feature SYNTAX no dos protection tcp null scan DEFAULT SETTING Enabled COMMAND MODE Global Configuration EXAMPLE Console config dos prot...

Page 876: ...to zero forward Forwards all packets with the Layer 4 source port or destination port set to zero DEFAULT SETTING Drop COMMAND MODE Global Configuration EXAMPLE Console config dos protection tcp udp...

Page 877: ...Disabled 1000 kbits second COMMAND MODE Global Configuration EXAMPLE Console config dos protection udp flooding 65 Console config dos protection win nuke This command protects against DoS WinNuke att...

Page 878: ...ter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider port based traffic segmentation can be use...

Page 879: ...the uplink and downlink ports assigned to different client sessions is shown below traffic segmentation uplink to uplink Specifies whether or not traffic can be forwarded between uplink ports assigne...

Page 880: ...n globally on the switch Console config traffic segmentation Console config traffic segmentation session This command creates a traffic segmentation client session Use the no form to remove a client s...

Page 881: ...wnlink list A port can only be assigned to one traffic segmentation session When specifying an uplink or downlink a list of ports may be entered by using a hyphen or comma in the port field Note that...

Page 882: ...Forwards traffic between uplink ports assigned to different sessions DEFAULT SETTING Blocking COMMAND MODE Global Configuration EXAMPLE This example enables forwarding of traffic between uplink ports...

Page 883: ...Chapter 24 General Security Measures Port based Traffic Segmentation 894...

Page 884: ...res ACLs based on IPv4 addresses TCP UDP port number protocol type and TCP control code IPv6 ACLs Configures ACLs based on IPv6 addresses DSCP traffic class or next header type MAC ACLs Configures ACL...

Page 885: ...onfiguration COMMAND USAGE When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list To remove a rule use the...

Page 886: ...le config RELATED COMMANDS show ip access list 902 Time Range 711 permit deny Standard IP ACL This command adds a rule to a Standard IPv4 ACL The rule sets a filter condition for packets emanating fro...

Page 887: ...permit deny Extended IPv4 ACL This command adds a rule to an Extended IPv4 ACL The rule sets a filter condition for packets with specific source or destination IP addresses protocol types source or de...

Page 888: ...g the port bits to match Range 0 65535 control flags Decimal number representing a bit string that specifies flag bits in byte 14 of the TCP header Range 0 63 flag bitmask Decimal number representing...

Page 889: ...o problem when checking DSCP or IP Precedence bits but limits the checking of ToS bits underlined in the following example to the leftmost three bits ignoring the rightmost fourth bit For example if y...

Page 890: ...e the no form to remove the port SYNTAX ip access group acl name in time range time range name counter no ip access group acl name in acl name Name of the ACL Maximum length 32 characters in Indicates...

Page 891: ...access group Interface Configuration 901 show ip access list This command displays the rules for configured IPv4 ACLs SYNTAX show ip access list standard extended acl name standard Specifies a standa...

Page 892: ...ODE Global Configuration COMMAND USAGE When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list To create an...

Page 893: ...the port SYNTAX ipv6 access group acl name in time range time range name counter no ipv6 access group acl name in acl name Name of the ACL Maximum length 32 characters in Indicates that this list app...

Page 894: ...rated 16 bit hexadecimal values One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields prefix length A decimal value indicating h...

Page 895: ...n the address to indicate the appropriate number of zeros required to fill the undefined fields destination ipv6 address An IPv6 destination address or network class The address must be formatted acco...

Page 896: ...FC 2460 EXAMPLE This example accepts any incoming packets if the destination address is 2009 DB9 2229 79 8 Console config ext ipv6 acl permit 2009 DB9 2229 79 8 Console config ext ipv6 acl This allows...

Page 897: ...GE A port can only be bound to one ACL If a port is already bound to an ACL and you bind it to a different ACL the switch will replace the old binding with the new one IPv6 ACLs can only be applied to...

Page 898: ...rface Configuration 907 MAC ACLS The commands in this section configure ACLs based on hardware addresses packet format and Ethernet type The ACLs can further specify optional IP and IPv6 addresses inc...

Page 899: ...MAND USAGE When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list To remove a rule use the no permit or no...

Page 900: ...in Console config RELATED COMMANDS show mac access list 916 Time Range 711 permit deny MAC ACL This command adds a rule to a MAC ACL The rule filters packets matching a specified MAC source or destina...

Page 901: ...on ipv6 destination ipv6 prefix length protocol protocol l4 source port sport port bitmask l4 destination port dport port bitmask time range time range name no permit deny tagged eth2 any host source...

Page 902: ...ce address bitmask any host destination destination address bitmask time range time range name no permit deny untagged 802 3 any host source source address bitmask any host destination destination add...

Page 903: ...535 time range name Name of the time range Range 1 16 characters DEFAULT SETTING None COMMAND MODE MAC ACL COMMAND USAGE New rules are added to the end of the list The ethertype option can only be use...

Page 904: ...stics DEFAULT SETTING None COMMAND MODE Interface Configuration Ethernet COMMAND USAGE Only one ACL can be bound to a port If an ACL is already bound to a port and you bind a different ACL to it the s...

Page 905: ...MAC address contained in ARP request and reply messages To configure ARP ACLs first create an access list containing the required permit or deny rules and then bind the access list to one or more VLA...

Page 906: ...This command adds a rule to an ARP ACL The rule filters packets matching a specified source or destination address in ARP messages Use the no form to remove a rule SYNTAX no permit deny ip any host s...

Page 907: ...mits packets from any source IP and MAC address to the destination subnet address 192 168 0 0 Console config arp acl permit response ip any 192 168 0 0 255 255 0 0 mac any any Console config mac acl R...

Page 908: ...t unit Unit identifier Range 1 port Port number Range 1 52 acl name Name of the ACL Maximum length 32 characters COMMAND MODE Privileged Exec EXAMPLE Console clear access list hardware counters Consol...

Page 909: ...Shows ingress rules for Standard IPv6 ACLs mac Shows ingress rules for MAC ACLs tcam utilization Shows the percentage of user configured ACL rules as a percentage of total ACL rules acl name Name of t...

Page 910: ...ed duplex Configures the speed and duplex operation of a given interface when autonegotiation is disabled IC clear counters Clears statistics on an interface PE show discard Displays if CDP and PVST p...

Page 911: ...perature which can be used to trigger an alarm or warning message IC transceiver threshold tx power Sets thresholds for the transceiver power level of the transmitted signal which can be used to trigg...

Page 912: ...n file An example of the value which a network manager might store in this object for a WAN interface is the Telco s circuit number identifier of the interface EXAMPLE The following example adds an al...

Page 913: ...te the best settings for a link based on the capabilities command When auto negotiation is disabled you must manually specify the link attributes with the speed duplex and flowcontrol commands EXAMPLE...

Page 914: ...RD SW 3 Console config if discard This command discards CDP or PVST packets Use the no form to forward the specified packet type to other ports configured the same way SYNTAX no discard cdp pvst cdp C...

Page 915: ...ontrol on or off with the flowcontrol or no flowcontrol command use the no negotiation command to disable auto negotiation on the selected interface When using the negotiation command to enable auto n...

Page 916: ...tatistical values on port 1 Console config interface ethernet 1 1 Console config if history 15min 15 10 Console config if media type This command forces the transceiver mode to use for SFP ports Use t...

Page 917: ...ased on the capabilities command When auto negotiation is disabled you must manually specify the link attributes with the speed duplex and flowcontrol commands If auto negotiation is disabled auto MDI...

Page 918: ...ll duplex operation 10half Forces 10 Mbps half duplex operation DEFAULT SETTING Auto negotiation is enabled by default When auto negotiation is disabled the default speed duplex setting is 100full for...

Page 919: ...r Range 1 port Port number Range 1 52 port channel channel id Range 1 16 DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Statistics are only initialized for a power reset This command...

Page 920: ...t priority speed duplex mode and port type for all ports COMMAND MODE Privileged Exec EXAMPLE Console show interfaces brief Interface Name Status PVID Pri Speed Duplex Type Trunk Eth 1 1 Down 1 0 Auto...

Page 921: ...xtended Iftable Stats 23 Multi cast Input 5525 Multi cast Output 170 Broadcast Input 11 Broadcast Output Ether like Stats 0 Alignment Errors 0 FCS Errors 0 Single Collision Frames 0 Multiple Collision...

Page 922: ...1 32 characters current Statistics recorded in current interval previous Statistics recorded in previous intervals index An index into the buckets containing previous samples Range 1 96 count The num...

Page 923: ...val 86400 second s Buckets Requested 7 Buckets Granted 0 Status Active Current Entries Start Time Octets Input Unicast Multicast Broadcast 00d 00 00 00 0 00 3009496 14174 13187 5931 Discards Errors 0...

Page 924: ...37 0 00 902 7 0 0 00d 06 52 38 0 00 64 0 1 0 Start Time Discards Errors 00d 06 52 29 0 0 00d 06 52 30 0 0 00d 06 52 31 0 0 00d 06 52 32 0 0 00d 06 52 33 0 0 00d 06 52 34 0 0 00d 06 52 35 0 0 00d 06 5...

Page 925: ...ation on all interfaces is displayed For a description of the items displayed by this command see Displaying Connection Status on page 102 EXAMPLE Console show interfaces status ethernet 1 21 Informat...

Page 926: ...l Exec Privileged Exec COMMAND USAGE If no interface is specified information on all interfaces is displayed EXAMPLE This example shows the configuration setting for port 21 Console show interfaces sw...

Page 927: ...t Shows if rate limiting is enabled and the current rate limit page 983 VLAN Membership Mode Indicates membership mode as Trunk or Hybrid page 1090 Ingress Rule Shows if ingress filtering is enabled o...

Page 928: ...nsceiver threshold auto Console transceiver threshold current This command sets thresholds for transceiver current which can be used to trigger an alarm or warning message SYNTAX transceiver threshold...

Page 929: ...triggered as described above to avoid a hysteresis effect which would continuously trigger event messages if the power level were to fluctuate just above and below either the high threshold or the low...

Page 930: ...nfigured by the snmp server host command EXAMPLE The following example sets alarm thresholds for the signal power received at port 1 Console config interface ethernet 1 52 Console config if transceive...

Page 931: ...ansceiver temperature at port 1 Console config interface ethernet 1 52 Console config if transceiver threshold temperature low alarm 97 Console config if transceiver threshold temperature high alarm 8...

Page 932: ...m thresholds for the signal power transmitted at port 1 Console config interface ethernet 1 52 Console config if transceiver threshold tx power low alarm 8 Console config if transceiver threshold tx p...

Page 933: ...52 Console config if transceiver threshold voltage low alarm 4 Console config if transceiver threshold voltage high alarm 2 Console show interfaces transceiver This command displays identifying infor...

Page 934: ...endor Rev V1 1 Vendor SN A492101711 Date Code 09 05 19 DDM Information Temperature 35 64 degree C Vcc 3 25 V Bias Current 12 13 mA TX Power 2 36 dBm RX Power 24 20 dBm DDM Thresholds Low Alarm Low War...

Page 935: ...iver monitor Disabled Transceiver threshold auto Enabled Low Alarm Low Warning High Warning High Alarm Temperature Celsius 123 00 0 00 70 00 75 00 Voltage Volts 3 10 3 15 3 45 3 50 Current mA 6 00 7 0...

Page 936: ...nated pair ON Open Open pair no link partner ST Short Shorted pair IE Impedance error Terminating impedance is not in the reference range NC No cable attached NT Not tested NS Not supported This messa...

Page 937: ...ength if no fault is found To ensure more accurate measurement of the length to a fault first disable power saving mode on the link partner before running cable diagnostics For link down ports the rep...

Page 938: ...link partner If none is detected the switch automatically turns off the transmitter and most of the receive circuitry entering Sleep Mode In this mode the low power energy detection circuit continuou...

Page 939: ...wer save This command shows the configuration settings for power savings SYNTAX show power save interface interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 4...

Page 940: ...o 8 ports Table 27 1 Link Aggregation Commands Command Function Mode Manual Configuration Commands interface port channel Configures a trunk and enters interface configuration mode for the trunk GC po...

Page 941: ...Interface If the port channel admin key lacp admin key Port Channel is not set when a channel group is formed i e it has the null value of 0 this key is set to the same value as the port admin key la...

Page 942: ...runk This mode works best for switch to switch trunk links where traffic through the switch is destined for many different hosts Do not use this mode for switch to router trunk links where the destina...

Page 943: ...ring static trunks the switches must comply with the Cisco EtherChannel standard Use no channel group to remove a port group from a trunk Use no interface port channel to remove a trunk from the switc...

Page 944: ...has been established Console config interface ethernet 1 10 Console config if lacp Console config if interface ethernet 1 11 Console config if lacp Console config if interface ethernet 1 12 Console c...

Page 945: ...t admin key matches and 3 the LACP port channel key matches if configured If the port channel admin key lacp admin key Port Channel is not set when a channel group is formed i e it has the null value...

Page 946: ...ximum number of allowed port members and LACP is subsequently enabled on another port using a higher priority than an existing member the newly configured port will replace an existing port member tha...

Page 947: ...tings for the partner only applies to its administrative state not its operational state and will only take effect the next time an aggregate link is established with the partner EXAMPLE Console confi...

Page 948: ...meout to wait for the next LACP data unit LACPDU Use the no form to restore the default setting SYNTAX lacp timeout long short no lacp timeout long Specifies a slow timeout of 90 seconds short Specifi...

Page 949: ...ort channel counters internal neighbors sys id port channel Local identifier for a link aggregation group Range 1 12 counters Statistics for LACP protocol messages internal Configuration settings and...

Page 950: ...Marker PDUs received by this channel group LACPDUs Unknown Pkts Number of frames received that either 1 Carry the Slow Protocols Ethernet Type value but contain an unknown PDU or 2 are addressed to t...

Page 951: ...ocol information Collecting Collection of incoming frames on this link is enabled i e collection is currently enabled and is not expected to be disabled in the absence of administrative changes or cha...

Page 952: ...Priority Current administrative value of the port priority for the protocol partner Port Oper Priority Priority value assigned to this aggregation port by the partner Admin Key Current administrative...

Page 953: ...Chapter 27 Link Aggregation Commands 964 EXAMPLE Console show port channel load balance Trunk Load Balance Mode Destination IP address Console...

Page 954: ...to powered devices that were designed prior to the IEEE 802 3af PoE standard Use the no form to disable this feature SYNTAX no power inline compatible DEFAULT SETTING Enabled COMMAND MODE Global Conf...

Page 955: ...to the RJ 45 ports EXAMPLE Console config power inline compatible Console config end Console show power inline status Unit 1 Unit 1 Compatible mode Disabled Time Max Used Interface Admin Range Oper Po...

Page 956: ...Use the no form to turn off power for a port or the no form with the time range keyword to remove the time range settings SYNTAX power inline time range time range name no power inline time range tim...

Page 957: ...power budget of 400W All the RJ 45 ports support both the IEEE 802 3af and IEEE 802 3at standards The maximum number of ports which can supply power simultaneously at the specified levels are shown i...

Page 958: ...switch can drop power to one or more lower priority ports and thereby remain within its overall budget If a device is connected to a port after the switch has finished booting up and would cause the s...

Page 959: ...power inline time range rd Console config if RELATED COMMANDS time range 712 show power inline status This command displays the current power status for all ports or for specific ports SYNTAX show pow...

Page 960: ...ange 1 30 characters interface ethernet unit Unit identifier Range 1 port Port number Range 1 48 COMMAND MODE Privileged Exec EXAMPLE Console show power inline time range ethernet 1 5 Interface Time R...

Page 961: ...tatus On PoE Power Consumption 7 3 Watts Software Version Version 0068 Hex Build 00 Hex Console Table 28 5 show power mainpower display description Field Description PoE Maximum Available Power The av...

Page 962: ...ddress mac address access list acl name no port monitor interface vlan vlan id mac address mac address access list acl name interface ethernet unit port source port unit Unit identifier Range 1 port P...

Page 963: ...port monitor command to specify the source of the traffic to mirror Note that the destination port cannot be a trunk or trunk member port When mirroring traffic from a port or trunk the mirror port t...

Page 964: ...xample configures port 2 to monitor packets matching the MAC address 00 12 CF XX XX XX received by port 1 Console config access list mac m1 Console config mac acl permit 00 12 cf 00 00 00 ff ff ff 00...

Page 965: ...the following steps to configure an RSPAN session 1 Use the vlan rspan command to configure a VLAN to use for RSPAN Default VLAN 1 is prohibited 2 Use the rspan source command to specify the interface...

Page 966: ...no session can be configured for RSPAN Spanning Tree If the spanning tree is disabled BPDUs will not be flooded onto the RSPAN VLAN MAC address learning is not supported on RSPAN uplink ports when RS...

Page 967: ...itted packets both Mirror both received and transmitted packets DEFAULT SETTING Both TX and RX traffic is mirrored COMMAND MODE Global Configuration COMMAND USAGE One or more source ports can be assig...

Page 968: ...Traffic exiting the destination port is untagged COMMAND MODE Global Configuration COMMAND USAGE Only one destination port can be configured on the same switch per session but a destination port can...

Page 969: ...intermediate switch transparently passing mirrored traffic from one or more sources to one or more destinations destination Specifies this device as a switch configured with a destination port which...

Page 970: ...ession is allowed including both local and remote mirroring If local mirroring is enabled with the port monitor command then no session can be configured for RSPAN COMMAND MODE Global Configuration CO...

Page 971: ...sole show rspan session RSPAN Session ID 1 Source Ports mirrored ports None RX Only None TX Only None BOTH None Destination Port monitor port Eth 1 2 Destination Tagged Mode Untagged Switch Role Desti...

Page 972: ...runks When an interface is configured with this feature the traffic rate will be monitored by the hardware to verify conformity Non conforming traffic is dropped rate limit This command defines the ra...

Page 973: ...ll designed or properly configured If there is too much traffic on your network performance can be severely degraded or everything can come to complete halt You can protect your network from traffic s...

Page 974: ...ms can be controlled at the hardware level using this command or at the software level using the auto traffic control command However only one of these control types can be applied to a port Enabling...

Page 975: ...icast storms IC Port auto traffic control action Sets the control action to limit ingress traffic or shut down the offending port IC Port auto traffic control alarm clear threshold Sets the lower thre...

Page 976: ...rol and the apply timer expires IC Port snmp server enable port traps atc multicast control release Sends a trap when multicast traffic falls beneath the lower threshold after a storm control response...

Page 977: ...traffic control response of rate limiting can be released automatically or manually The control response of shutting down a port can only be released manually Figure 30 2 Storm Control by Shutting Do...

Page 978: ...enable port traps atc broadcast control apply command or snmp server enable port traps atc multicast control apply command EXAMPLE This example sets the apply timer to 200 seconds for all ports Conso...

Page 979: ...ic traffic control for broadcast or multicast storms Use the no form to disable this feature SYNTAX no auto traffic control broadcast multicast broadcast Specifies automatic storm control for broadcas...

Page 980: ...utdown If a control response is triggered the port is administratively disabled A port disabled by automatic traffic control can only be manually re enabled DEFAULT SETTING rate control COMMAND MODE I...

Page 981: ...beneath which a cleared storm control trap is sent Range 1 255 kilo packets per second DEFAULT SETTING 250 kilo packets per second COMMAND MODE Interface Configuration Ethernet COMMAND USAGE Once the...

Page 982: ...DE Interface Configuration Ethernet COMMAND USAGE Once the upper threshold is exceeded a trap message may be sent if configured by the snmp server enable port traps atc broadcast alarm fire command or...

Page 983: ...c control control release command EXAMPLE Console config interface ethernet 1 1 Console config if auto traffic control broadcast auto control release Console config if auto traffic control control rel...

Page 984: ...config if snmp server enable port traps atc broadcast alarm clear Console config if RELATED COMMANDS auto traffic control action 991 auto traffic control alarm clear threshold 992 snmp server enable...

Page 985: ...pply Console config if RELATED COMMANDS auto traffic control alarm fire threshold 993 auto traffic control apply timer 988 snmp server enable port traps atc broadcast control release This command send...

Page 986: ...1 Console config if snmp server enable port traps atc multicast alarm clear Console config if RELATED COMMANDS auto traffic control action 991 auto traffic control alarm clear threshold 992 snmp serv...

Page 987: ...pply Console config if RELATED COMMANDS auto traffic control alarm fire threshold 993 auto traffic control apply timer 988 snmp server enable port traps atc multicast control release This command send...

Page 988: ...command shows interface configuration settings and storm control status for the specified port SYNTAX show auto traffic control interface interface interface ethernet unit port unit Unit identifier R...

Page 989: ...Chapter 30 Congestion Control Commands Automatic Traffic Control Commands 1000 Console...

Page 990: ...tate caused by a loopback event a trap message is sent and the event recorded in the system log Loopback detection must be enabled both globally and on an interface for loopback detection to take effe...

Page 991: ...Console config loopback detection Console config interface ethernet 1 1 Console config if no spanning tree loopback detection Console config if loopback detection Console config loopback detection ac...

Page 992: ...operation regardless of the remaining recover time EXAMPLE This example sets the loopback detection mode to block user traffic Console config loopback detection action block Console config loopback de...

Page 993: ...onfiguration EXAMPLE Console config loopback detection transmit interval 60 Console config loopback detection trap This command sends a trap when a loopback condition is detected or when the switch re...

Page 994: ...tion feature SYNTAX loopback detection release COMMAND MODE Privileged Exec EXAMPLE Console loopback detection release Console config show loopback detection This command shows loopback detection conf...

Page 995: ...t Information Port Admin State Oper State Eth 1 1 Enabled Normal Eth 1 2 Disabled Disabled Eth 1 3 Disabled Disabled Console show loopback detection ethernet 1 1 Loopback Detection Information of Eth...

Page 996: ...SYNTAX udld message interval message interval no message interval message interval The interval at which a port sends UDLD probe messages after linkup or detection phases Range 7 90 seconds DEFAULT S...

Page 997: ...based on information received in UDLD messages whether that s information about the exchange of proper neighbor identification or the absence of such Hence albeit bound by a timer normal mode determi...

Page 998: ...o be taken Whenever a UDLD device learns about a new neighbor or receives a re synchronization request from an out of synch neighbor it re starts the detection process on its side of the connection an...

Page 999: ...Oper State Msg Invl Trunk Port State Det Invl Trunk 1 Enabled Normal Console show udld This command shows UDLD configuration settings and operational status for the switch or for a specified interface...

Page 1000: ...DLD operational state Disabled Link down Link up Advertisement Detection Disabled port Advertisement Single neighbor Advertisement Multiple neighbors Port State Shows the UDLD port state Unknown Bidir...

Page 1001: ...Sets the aging time of the address table GC mac address table hash lookup depth Sets the hash lookup depth of address table GC mac address table static Maps a static address to a port in a VLAN GC ma...

Page 1002: ...kup depth Range 4 32 in multiples of 4 DEFAULT SETTING 4 COMMAND MODE Global Configuration EXAMPLE Console config mac address table hash lookup depth 32 Console config RELATED COMMANDS show mac addres...

Page 1003: ...a given interface link is down Static addresses are bound to the assigned interface and will not be moved When a static address is seen on another interface the address will be ignored and will not be...

Page 1004: ...ss mask Bits to match in the address interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 52 port channel channel id Range 1 16 vlan id VLAN ID Range 1 4094 sort Sort by...

Page 1005: ...on Timeout Console show mac address table aging time This command shows the aging time for entries in the address table DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console show mac addre...

Page 1006: ...ress table hash lookup depth Configured Hash Lookup Depth 4 Activated Hash Lookup Depth 4 Console show mac address table mac learning config This command shows if MAC address learning has been enabled...

Page 1007: ...Chapter 33 Address Table Commands 1019...

Page 1008: ...DUs to all other ports or just to all other ports in the same VLAN when global spanning tree is disabled GC spanning tree transmission limit Configures the transmission limit for RSTP MSTP GC max hops...

Page 1009: ...ree mst cost Configures the path cost of an instance in the MST IC spanning tree mst port priority Configures the priority of an instance in the MST IC spanning tree port bpdu flooding Floods BPDUs to...

Page 1010: ...fig spanning tree cisco prestandard Console config spanning tree forward time This command configures the spanning tree bridge forward time globally for this switch Use the no form to restore the defa...

Page 1011: ...guration COMMAND USAGE This command sets the time interval in seconds at which the root device transmits a configuration message EXAMPLE Console config spanning tree hello time 5 Console config RELATE...

Page 1012: ...e mode This command selects the spanning tree mode for this switch Use the no form to restore the default SYNTAX spanning tree mode stp rstp mstp no spanning tree mode stp Spanning Tree Protocol IEEE...

Page 1013: ...ing tree instance can exist only on bridges that have compatible VLAN instance assignments Be careful when switching between spanning tree modes Changing modes stops all spanning tree instances for th...

Page 1014: ...e spanning tree priority globally for this switch Use the no form to restore the default SYNTAX spanning tree priority priority no spanning tree priority priority Priority of the bridge Range 0 61440...

Page 1015: ...panning tree is disabled globally on the switch or disabled on a specific port Use the no form to restore the default SYNTAX spanning tree system bpdu flooding to all to vlan no spanning tree system b...

Page 1016: ...ommand configures the maximum number of hops in the region before a BPDU is discarded Use the no form to restore the default SYNTAX max hops hop number hop number Maximum hop number for multiple spann...

Page 1017: ...Configuration COMMAND USAGE MST priority is used in selecting the root bridge and alternate bridge of the specified instance The device with the highest priority i e lowest numerical value becomes the...

Page 1018: ...64 instances You should try to group VLANs which cover the same general area of your network However remember that you must configure all bridges within the same MSTI Region page 1031 with the same s...

Page 1019: ...5 DEFAULT SETTING 0 COMMAND MODE MST Configuration COMMAND USAGE The MST region name page 1031 and revision number are used to designate a unique MST region A bridge i e spanning tree compliant device...

Page 1020: ...n edge port with the spanning tree edge port command EXAMPLE Console config interface ethernet 1 5 Console config if spanning tree edge port Console config if spanning tree bpdu filter Console config...

Page 1021: ...isabled 1043 spanning tree cost This command configures the spanning tree path cost for the specified interface Use the no form to restore the default auto configuration mode SYNTAX spanning tree cost...

Page 1022: ...for path cost is 65 535 EXAMPLE Console config interface ethernet 1 5 Console config if spanning tree cost 50 Console config if spanning tree edge port This command specifies an interface as an edge p...

Page 1023: ...figures the link type for Rapid Spanning Tree and Multiple Spanning Tree Use the no form to restore the default SYNTAX spanning tree link type auto point to point shared no spanning tree link type aut...

Page 1024: ...hen the port will drop the loopback BPDU according to IEEE Standard 802 1W 2001 9 3 4 Note 1 Port Loopback Detection will not be active if Spanning Tree is disabled on the switch EXAMPLE Console confi...

Page 1025: ...command configures the release mode for a port that was placed in the discarding state because a loopback BPDU was received Use the no form to restore the default SYNTAX spanning tree loopback detect...

Page 1026: ...les SNMP trap notification for Spanning Tree loopback BPDU detections Use the no form to restore the default SYNTAX no spanning tree loopback detection trap DEFAULT SETTING Disabled COMMAND MODE Inter...

Page 1027: ...e spanning tree algorithm to determine the best path between devices Therefore lower values should be assigned to interfaces attached to faster media and higher values assigned to interfaces with slow...

Page 1028: ...ELATED COMMANDS spanning tree mst cost 1039 spanning tree port bpdu flooding This command floods BPDUs to other ports when spanning tree is disabled globally or disabled on a specific port Use the no...

Page 1029: ...ed as an active link in the spanning tree Where more than one port is assigned the highest priority the port with lowest numeric identifier will be enabled EXAMPLE Console config interface ethernet 1...

Page 1030: ...interface the switch will wait for 20 seconds to ensure that the spanning tree has converged before enabling Root Guard EXAMPLE Console config interface ethernet 1 5 Console config if spanning tree ed...

Page 1031: ...ase This command manually releases a port placed in discarding state by loopback detection SYNTAX spanning tree loopback detection release interface interface ethernet unit port unit Unit identifier R...

Page 1032: ...nd on the selected interfaces i e RSTP or STP compatible EXAMPLE Console spanning tree protocol migration eth 1 5 Console show spanning tree This command shows the configuration for the common spannin...

Page 1033: ...tings and settings for all interfaces For a description of the items displayed under Spanning tree information see Configuring Global Settings for STA on page 193 For a description of the items displa...

Page 1034: ...ed BPDU Guard Auto Recovery Interval 300 BPDU Filter Status Disabled TC Propagate Stop Disabled This example shows a brief summary of global and interface setting for the spanning tree Console show sp...

Page 1035: ...Chapter 34 Spanning Tree Commands 1048 EXAMPLE Console show spanning tree mst configuration Mstp Configuration Information Configuration Name R D Revision Level 0 Instance VLANs 0 1 4094 Console...

Page 1036: ...ets when in protection state ERPS non revertive Enables non revertive mode which requires the protection state on the RPL to manually cleared ERPS propagate tc Enables propagation of topology change m...

Page 1037: ...filter out intermittent link faults and the wtr timer command to verify that the ring has stabilized before blocking the RPL after recovery from a signal failure 5 Configure the ERPS Control VLAN CVL...

Page 1038: ...AULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE ERPS must be enabled globally on the switch before it can enabled on an ERPS ring using the enable command EXAMPLE Console config...

Page 1039: ...Control VLAN SYNTAX no control vlan vlan id vlan id VLAN ID Range 1 4094 DEFAULT SETTING None COMMAND MODE ERPS Configuration COMMAND USAGE Configure one control VLAN for each ERPS ring First create...

Page 1040: ...activates the current ERPS ring Use the no form to disable the current ring SYNTAX no enable DEFAULT SETTING Disabled COMMAND MODE ERPS Configuration COMMAND USAGE Before enabling a ring the east and...

Page 1041: ...s duration a node will be unaware of new or existing ring requests transmitted from other nodes EXAMPLE Console config erps guard timer 300 Console config erps holdoff timer This command sets the time...

Page 1042: ...PS ring used for sending control packets Range 1 32 characters DEFAULT SETTING None COMMAND MODE ERPS Configuration COMMAND USAGE This switch can support up to six rings However ERPS control packets c...

Page 1043: ...pecified by the mep monitor command then the MEG level set by the meg level command must match the authorized maintenance level of the CFM domain to which the specified MEP belongs The MEP s primary V...

Page 1044: ...ps mep monitor east mep 1 Console config erps RELATED COMMANDS ethernet cfm domain 1275 ethernet cfm mep 1279 node id This command sets the MAC address for a ring node Use the no form to restore the d...

Page 1045: ...from nodes adjacent to the failed link The owner then enters protection state by unblocking the RPL However using this standard recovery procedure may cause a non EPRS device to become isolated when t...

Page 1046: ...he default revertive mode SYNTAX no non revertive DEFAULT SETTING Disabled COMMAND MODE ERPS Configuration COMMAND USAGE Revertive behavior allows the switch to automatically return the RPL from Prote...

Page 1047: ...an R APS NR RB message over both ring ports informing the ring that the RPL is blocked and performing a flush FDB action d The acceptance of the R APS NR RB message causes all ring nodes to unblock a...

Page 1048: ...NR message causes the RPL Owner Node to start the WTB timer b The WTB timer is cancelled if during the WTB period a higher priority request than NR is accepted by the RPL Owner Node or is declared lo...

Page 1049: ...re the Manual Switch was cleared receives an R APS NR message with a Node ID higher than its own Node ID it unblocks any ring port which does not have an SF condition and stops transmitting R APS NR m...

Page 1050: ...isable this feature SYNTAX no propagate tc DEFAULT SETTING Disabled COMMAND MODE ERPS Configuration COMMAND USAGE When a secondary ring detects a topology change it can pass a message about this event...

Page 1051: ...hout vc DEFAULT SETTING R APS with Virtual Channel COMMAND MODE ERPS Configuration COMMAND USAGE A sub ring may be attached to a primary ring with or without a virtual channel A virtual channel is use...

Page 1052: ...mstances it may not be desirable to use a virtual channel to interconnect the sub ring over an arbitrary Ethernet network In this situation the R APS messages are terminated on the interconnection poi...

Page 1053: ...nge 1 port Port number Range 1 12 port channel channel id Range 1 12 DEFAULT SETTING Not associated COMMAND MODE ERPS Configuration COMMAND USAGE Each node must be connected to two neighbors on the ri...

Page 1054: ...Configuration COMMAND USAGE The RPL neighbor node when configured is a ring node adjacent to the RPL that is responsible for blocking its end of the RPL under normal conditions i e the ring is establ...

Page 1055: ...ction state that is when a signal fault is detected on the ring or the protection state is enabled with the erps forced switch or erps manual switch command The east and west connections to the ring m...

Page 1056: ...ly set to 1 when a ring node supporting only the functionalities of G 8032v1 exists on the same ring with other nodes that support G 8032v2 When ring nodes running G 8032v1 and G 8032v2 co exist on a...

Page 1057: ...s COMMAND MODE Privileged Exec EXAMPLE Console clear erps statistics domain r d Console erps clear This command manually clears the protection state which has been invoked by a forced switch or manual...

Page 1058: ...witching as follows a The ring node where a forced switch command was issued blocks the traffic channel and R APS channel on the ring port to which the command was issued and unblocks the other ring p...

Page 1059: ...or more forced switches are allowed in the ring which may inadvertently cause the segmentation of an ring It is the responsibility of the operator to prevent this effect if it is undesirable Ring pro...

Page 1060: ...n this situation the erps manual switch command triggers protection switching as follows a If no other higher priority commands exist the ring node where a manual switch command was issued blocks the...

Page 1061: ...pted b A ring node with a local manual switch command which receives an R APS MS message with a different Node ID clears its manual switch request and starts transmitting R APS NR messages The ring no...

Page 1062: ...sages Enabled Shows if the specified ring is enabled Ver Shows the ERPS version MEL The maintenance entity group MEG level providing a communication channel for ring automatic protection switching R A...

Page 1063: ...eception of traffic is blocked and the forwarding of R APS messages is blocked but the transmission of locally generated R APS messages is allowed and the reception of all R APS messages is allowed Fo...

Page 1064: ...n R APS messages Propagate TC Shows if the ring is configured to propagate topology change notification messages Non ERPS Device Protect Shows if the RPL owner node is configured to send non standard...

Page 1065: ...Clear SF The number of times a clear command was issued to terminate protection state entered through a forced switch or manual switch SF The number of signal fault messages NR The number of no reques...

Page 1066: ...nsion MIB Editing VLAN Groups Sets up VLAN groups including name VID and state Configuring VLAN Interfaces Configures VLAN interface parameters including ingress and egress tagging mode ingress filter...

Page 1067: ...cal switch EXAMPLE Console config bridge ext gvrp Console config garp timer This command sets the values for the join leave and leaveall timers Use the no form to restore the timers default values SYN...

Page 1068: ...or data rate These values should not be changed unless you are experiencing difficulties with GMRP or GVRP registration deregistration Timer values are applied to GVRP for all the ports on all VLANs...

Page 1069: ...GVRP If a VLAN has been added to the set of allowed VLANs for an interface then you cannot add it to the set of forbidden VLANs for that same interface GVRP cannot be enabled for ports set to Access m...

Page 1070: ...bridge ext Maximum Supported VLAN Numbers 4094 Maximum Supported VLAN ID 4094 Extended Multicast Filtering Services No Static Entry Individual Port Yes VLAN Version Number 2 VLAN Learning IVL Configur...

Page 1071: ...Range 1 port Port number Range 1 52 port channel channel id Range 1 16 DEFAULT SETTING Shows both global and interface specific configuration COMMAND MODE Normal Exec Privileged Exec EXAMPLE Console...

Page 1072: ...the no form to restore the default settings or delete a VLAN SYNTAX vlan vlan id name vlan name media ethernet state active suspend rspan no vlan vlan id name state vlan id VLAN ID specified as a sin...

Page 1073: ...lan database Console config vlan vlan 105 name RD5 media ethernet Console config vlan RELATED COMMANDS show vlan 1093 CONFIGURING VLAN INTERFACES Table 36 4 Commands for Configuring VLAN Interfaces Co...

Page 1074: ...VLAN enter any Layer 3 configuration commands and save the configuration settings To change a Layer 3 normal VLAN back to a Layer 2 VLAN use the no interface command EXAMPLE The following example sho...

Page 1075: ...e config interface ethernet 1 1 Console config if switchport acceptable frame types tagged Console config if RELATED COMMANDS switchport mode 1090 switchport allowed vlan This command configures VLAN...

Page 1076: ...ed member Otherwise it is only necessary to add at most one VLAN as untagged and this should correspond to the native VLAN for the interface If a VLAN on the forbidden list for an interface is manuall...

Page 1077: ...pecifies an access VLAN interface The port transmits and receives untagged frames on a single VLAN only hybrid Specifies a hybrid VLAN interface The port may transmit tagged or untagged frames trunk S...

Page 1078: ...hen using Access mode and an interface is assigned to a new VLAN its PVID is automatically set to the identifier for that VLAN When using Hybrid mode the PVID for an interface can be set to any VLAN f...

Page 1079: ...oup tags 1 and 2 groups that are unknown to those switches to pass through their VLAN trunking ports VLAN trunking is mutually exclusive with the access switchport mode see the switchport mode command...

Page 1080: ...ive Ports Port Channels Eth1 1 S Eth1 2 S Eth1 3 S Eth1 4 S Eth1 5 S Eth1 6 S Eth1 7 S Eth1 8 S Eth1 9 S Eth1 10 S Eth1 11 S Eth1 12 S Eth1 13 S Eth1 14 S Eth1 15 S Eth1 16 S Eth1 17 S Eth1 18 S Eth1...

Page 1081: ...ol Identifier TPID value of the tunnel access port This step is required if the attached client is using a nonstandard 2 byte ethertype to identify 802 1Q tagged frames The standard ethertype value is...

Page 1082: ...fore advisable to disable spanning tree on these ports dot1q tunnel system tunnel control This command sets the switch to operate in QinQ mode Use the no form to disable QinQ operating mode SYNTAX no...

Page 1083: ...service provider s tag is stripped off and the packet passed on to the VLAN indicated by the inner tag If no inner tag is found the packet is passed onto the native VLAN defined for the uplink port E...

Page 1084: ...s Note that all customer interfaces should be configured as access interfaces that is a user to network interface and service provider interfaces as uplink interfaces that is a network to network inte...

Page 1085: ...match cvid 30 6 Configures port 1 as member of VLANs 10 20 and 30 to avoid filtering out incoming frames tagged with VID 10 20 or 30 on port 1 Console config interface ethernet 1 1 Console config if...

Page 1086: ...dard 802 1Q trunk Frames arriving on the port containing any other ethertype are looked upon as untagged frames and assigned to the native VLAN of that port The specified ethertype only applies to por...

Page 1087: ...nsole show dot1q tunnel service 100 802 1Q Tunnel Service Subscriptions Port Match C VID S VID Eth 1 5 1 100 Eth 1 6 1 100 Console RELATED COMMANDS switchport dot1q tunnel mode 1095 CONFIGURING L2CP T...

Page 1088: ...es 10 12 CF 00 00 02 a reserved address for other specified protocol types as defined in IEEE 802 1ad Provider Bridges or a user defined address All intermediate switches carrying this traffic across...

Page 1089: ...d on an uplink port and recognized as a CDP VTP STP PVST protocol packet where STP means STP RSTP MSTP it is forwarded to the following ports in the same S VLAN a all access ports for which L2PT has b...

Page 1090: ...ole config l2protocol tunnel tunnel dmac 01 80 C2 00 00 01 Console config switchport l2protocol tunnel This command enables Layer 2 Protocol Tunneling L2PT for the specified protocol Use the no form t...

Page 1091: ...gs on traffic crossing the service provider s network However if any switch in the path crossing the service provider s network does not support this feature then the switches directly connected to th...

Page 1092: ...ort 1 and VLAN 100 to VLAN 10 for downstream traffic leaving port 1 then the VLAN IDs will be swapped as shown below Figure 36 3 Configuring VLAN Translation The maximum number of VLAN translation ent...

Page 1093: ...ole show vlan translation Interface Old VID New VID Eth 1 1 10 100 Console CONFIGURING PROTOCOL BASED VLANS The network devices required to support multiple protocols cannot be easily grouped into a c...

Page 1094: ...lan protocol group group id add remove frame type frame protocol type protocol no protocol vlan protocol group group id group id Group identifier of this protocol group Range 1 2147483647 frame2 Frame...

Page 1095: ...ic is forwarded Range 1 4094 priority The priority assigned to untagged ingress traffic Range 0 7 where 7 is the highest priority DEFAULT SETTING No protocol groups are mapped for any interface Priori...

Page 1096: ...ociated with protocol groups SYNTAX show protocol vlan protocol group group id group id Group identifier for a protocol group Range 1 2147483647 DEFAULT SETTING All protocol groups are displayed COMMA...

Page 1097: ...ingress frames are checked against the IP subnet to VLAN mapping table If an entry is found for that subnet these frames are assigned to the VLAN indicated in the entry If no IP subnet is matched the...

Page 1098: ...frame If no mapping is found the PVID of the receiving port is assigned to the frame The IP subnet cannot be a broadcast or multicast IP address When MAC based IP subnet based or protocol based VLANs...

Page 1099: ...d to the VLAN indicated in the entry If no MAC address is matched the untagged frames are classified as belonging to the receiving port s VLAN ID PVID mac vlan This command configures MAC address to V...

Page 1100: ...nnot be 101 or 001 A mask for the MAC address 00 50 6e 00 5f b1 translated into binary MAC 00000000 01010000 01101110 00000000 01011111 10110001 could be 11111111 11xxxxxx xxxxxxxx xxxxxxxx xxxxxxxx x...

Page 1101: ...oice vlan voice vlan id Specifies the voice VLAN ID Range 1 4094 DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE When IP telephony is deployed in an enterprise network it is r...

Page 1102: ...e config voice vlan 1234 Console config voice vlan aging This command sets the Voice VLAN ID time out Use the no form to restore the default SYNTAX voice vlan aging minutes no voice vlan minutes Speci...

Page 1103: ...x xx xx xx or xxxxxxxxxxxx Range 80 00 00 00 00 00 to FF FF FF FF FF FF description User defined text that identifies the VoIP devices Range 1 32 characters DEFAULT SETTING None COMMAND MODE Global Co...

Page 1104: ...elected you must select the method to use for detecting VoIP traffic either OUI or 802 1AB LLDP using the switchport voice vlan rule command When OUI is selected be sure to configure the MAC address r...

Page 1105: ...cts a method for detecting VoIP traffic on a port Use the no form to disable the detection method on the port SYNTAX no switchport voice vlan rule oui lldp oui Traffic from VoIP devices is detected by...

Page 1106: ...port that are tagged with the voice VLAN ID VoIP traffic is identified by source MAC addresses configured in the Telephony OUI list or through LLDP that discovers VoIP devices attached to the switch P...

Page 1107: ...to Enabled OUI 6 100 Eth 1 2 Disabled Disabled OUI 6 NA Eth 1 3 Manual Enabled OUI 5 100 Eth 1 4 Auto Enabled OUI 6 100 Eth 1 5 Disabled Disabled OUI 6 NA Eth 1 6 Disabled Disabled OUI 6 NA Eth 1 7 Di...

Page 1108: ...t and weighted queuing Use the no form to restore the default value SYNTAX queue mode strict wrr strict wrr queue type list Table 37 1 Priority Commands Command Group Function Priority Commands Layer...

Page 1109: ...ced Weighted Round Robin WRR uses a predefined relative weight for each queue that determines the percentage of service time the switch services each queue before moving on to the next queue This prev...

Page 1110: ...0 weight3 The ratio of weights for queues 0 3 determines the weights used by the WRR scheduler Range 1 255 DEFAULT SETTING Weights 1 2 4 6 are assigned to queues 0 3 respectively COMMAND MODE Global C...

Page 1111: ...tagged frames If the incoming frame is an IEEE 802 1Q VLAN tagged frame the IEEE 802 1p User Priority bits will be used The switch provides four priority queues for each port It can be configured to u...

Page 1112: ...ch Table 37 3 Priority Commands Layer 3 and 4 Command Function Mode qos map cos dscp Maps CoS CFI values in incoming packets to per hop behavior and drop precedence values for internal priority proces...

Page 1113: ...7 cfi Canonical Format Indicator Set to this parameter to 0 to indicate that the MAC address information carried in the frame is in canonical format Range 0 1 DEFAULT SETTING COMMAND MODE Global Conf...

Page 1114: ...ch a packet is sent and two bits for drop precedence namely color which is used by Random Early Detection RED to control traffic congestion The specified mapping applies to all interfaces EXAMPLE Cons...

Page 1115: ...1 Referring to Table 37 5 note that the DSCP value for these packets is now set to 25 3x23 1 and passed on to the egress interface Console config qos map dscp mutation 3 1 from 1 Console config qos m...

Page 1116: ...pping applies to all interfaces EXAMPLE Console config qos map phb queue 0 from 1 2 3 Console config qos map trust mode This command sets QoS mapping to DSCP or CoS Use the no form to restore the defa...

Page 1117: ...ess packet type is IPv4 then priority processing will be based on the CoS and CFI values in the ingress packet For an untagged packet the default port priority see page 1124 is used for priority proce...

Page 1118: ...le Console show qos map dscp mutation DSCP mutation map x y x PHB y drop precedence d1 d2 0 1 2 3 4 5 6 7 8 9 0 0 0 0 1 0 0 0 3 0 0 0 1 0 0 0 3 1 0 1 1 1 1 0 1 3 1 0 1 1 1 0 1 3 2 0 2 1 2 0 2 3 2 2 0...

Page 1119: ...face ethernet unit port unit Unit identifier Range 1 port Port number Range 1 52 COMMAND MODE Privileged Exec EXAMPLE The following shows that the trust mode is set to CoS Console show qos map trust m...

Page 1120: ...affic classification for the policy to act on PM rename Redefines the name of a policy map PM police flow Defines an enforcer for classified traffic based on a metered flow rate PM C police srtcm colo...

Page 1121: ...c that exceeds the specified rate or just reduce the DSCP service level for traffic exceeding the specified rate 6 Use the service policy command to assign a policy map to a specific interface NOTE Cr...

Page 1122: ...ription of a class map or policy map SYNTAX description string string Description of the class map or policy map Range 1 64 characters COMMAND MODE Class Map Configuration Policy Map Configuration EXA...

Page 1123: ...ap If match criteria includes a MAC ACL or VLAN rule then neither an IP ACL nor IP priority rule can be included in the same class map Up to 16 match entries can be included in a class map EXAMPLE Thi...

Page 1124: ...characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE Use the policy map command to specify the name of the policy map and then use the class command to configure policies f...

Page 1125: ...t command and one of the police commands to specify the match criteria where the set phb command sets the per hop behavior value in matching packets This modifies packet priority for internal processi...

Page 1126: ...packet is within the CIR and BC There are enough tokens to service the packet the packet is set green violate action Action to take when packet exceeds the CIR and BC There are not enough tokens to se...

Page 1127: ...e that incoming packets will receive and then uses the police flow command to limit the average bandwidth to 100 000 Kbps the burst rate to 4000 bytes and configure the response to drop any violating...

Page 1128: ...rate cannot exceed the configured interface speed and the committed burst and excess burst cannot exceed 16 Mbytes The srTCM as defined in RFC 2697 meters a traffic stream and processes its packets a...

Page 1129: ...decremented by B down to the minimum value of 0 else If the packet has been precolored as yellow or green and if Te t B 0 the packets is yellow and Te is decremented by B down to the minimum value of...

Page 1130: ...ize BC in bytes Range 0 16000000 at a granularity of 4k bytes peak rate Peak information rate PIR in kilobits per second Range 0 1000000 kbps at a granularity of 64 kbps or maximum port speed whicheve...

Page 1131: ...ed the incoming packet stream so that each packet is either green yellow or red The marker re colors an IP packet according to the results of the meter The color is coded in the DS field RFC 2474 of t...

Page 1132: ...rate Console config policy map rd policy Console config pmap class rd class Console config pmap c set phb 3 Console config pmap c police trtcm color blind 100000 4000 1000000 6000 conform action tran...

Page 1133: ...nfiguration COMMAND USAGE The set ip dscp command is used to set the priority values in the packet s ToS field for matching packets EXAMPLE This example creates a policy called rd policy uses the clas...

Page 1134: ...le creates a policy called rd policy uses the class command to specify the previously defined rd class uses the set phb command to classify the service that incoming packets will receive and then uses...

Page 1135: ...ess interface Console config interface ethernet 1 1 Console config if service policy input rd policy Console config if show class map This command displays the QoS class maps which define matching cri...

Page 1136: ...Displays all policy maps and all classes COMMAND MODE Privileged Exec EXAMPLE Console show policy map Policy Map rd policy Description class rd class set PHB 3 Console show policy map rd policy class...

Page 1137: ...Chapter 38 Quality of Service Commands 1150...

Page 1138: ...traffic to the attached VLANs IGMP Filtering and Throttling Configures IGMP filtering and throttling MLD Snooping Configures Multicast Listener Discovery snooping for IPv6 MLD Filtering and Throttling...

Page 1139: ...p snooping vlan last memb query intvl Configures the last member query interval GC ip igmp snooping vlan mrd Sends multicast router solicitation messages GC ip igmp snooping vlan proxy address Configu...

Page 1140: ...interface settings will not take effect until snooping is re enabled globally EXAMPLE The following example enables IGMP snooping globally Console config ip igmp snooping Console config ip igmp snoopi...

Page 1141: ...Disabled VLAN Based on global setting COMMAND MODE Global Configuration COMMAND USAGE When proxy reporting is enabled with this command the switch performs IGMP Snooping with Proxy Reporting as define...

Page 1142: ...COMMAND MODE Global Configuration COMMAND USAGE As described in Section 9 1 of RFC 3376 for IGMP Version 3 the Router Alert Option can be used to protect against DOS attacks One common method of attac...

Page 1143: ...n flood This command enables flooding of multicast traffic if a spanning tree topology change notification TCN occurs Use the no form to disable flooding SYNTAX no ip igmp snooping tcn flood DEFAULT S...

Page 1144: ...p port relations for multicast channels The root bridge also sends an unsolicited Multicast Router Discover MRD request to quickly locate the multicast routers in this VLAN The proxy query and unsolic...

Page 1145: ...TING Disabled COMMAND MODE Global Configuration COMMAND USAGE Once the table used to store multicast entries for IGMP snooping and multicast routing is filled no new entries are learned If no router p...

Page 1146: ...tore the default SYNTAX ip igmp snooping vlan vlan id version 1 2 3 no ip igmp snooping version vlan id VLAN ID Range 1 4094 1 IGMP Version 1 2 IGMP Version 2 3 IGMP Version 3 DEFAULT SETTING Global I...

Page 1147: ...COMMAND USAGE If version exclusive is disabled on a VLAN then this setting is based on the global setting If it is enabled on a VLAN then this setting takes precedence over the global setting When thi...

Page 1148: ...OMMAND MODE Global Configuration COMMAND USAGE If immediate leave is not used a multicast router or querier will send a group specific query message when an IGMPv2 v3 group leave message is received T...

Page 1149: ...ere are no more group members Range 1 255 DEFAULT SETTING 2 COMMAND MODE Global Configuration COMMAND USAGE This command will take effect only if IGMP snooping proxy reporting or IGMP querier is enabl...

Page 1150: ...lan id VLAN ID Range 1 4094 DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE Multicast Router Discovery MRD uses multicast router advertisement multicast router solicitation an...

Page 1151: ...ource address vlan id VLAN ID Range 1 4094 source address The source address used for proxied IGMP query and report and leave messages Any valid IP unicast address DEFAULT SETTING 0 0 0 0 COMMAND MODE...

Page 1152: ...last IGMP message received from a downstream host in report and leave messages sent upstream from the multicast router port EXAMPLE The following example sets the source address for proxied IGMP quer...

Page 1153: ...ooping vlan vlan id query resp intvl vlan id VLAN ID Range 1 4094 interval The maximum time the system waits for a response to general queries Range 10 31740 tenths of a second DEFAULT SETTING 100 10...

Page 1154: ...MPLE The following shows how to statically configure a multicast group on a port Console config ip igmp snooping vlan 1 static 224 0 0 12 ethernet 1 5 Console config clear ip igmp snooping groups dyna...

Page 1155: ...ing vlan vlan id vlan id VLAN ID 1 4094 COMMAND MODE Privileged Exec COMMAND USAGE This command displays global and VLAN specific IGMP configuration settings See Configuring IGMP Snooping and Query Pa...

Page 1156: ...Port 1 224 1 1 1 Eth 1 1 show ip igmp snooping group This command shows known multicast group source and host port mappings for the specified VLAN interface or for all interfaces if none is specified...

Page 1157: ...time m s VLAN Group Port Up time Expire Count 1 224 1 1 1 00 00 00 37 2 P Eth 1 1 R Eth 1 2 M 0 H Console show ip igmp snooping mrouter This command displays information on statically configured and...

Page 1158: ...put interface ethernet 1 1 Interface Report Leave G Query G S S Query Drop Join Succ Group Eth 1 1 23 11 4 10 5 14 5 Console Table 39 3 show ip igmp snooping statistics input display description Field...

Page 1159: ...splay description Field Description Interface Shows interface Report The number of IGMP membership reports sent from this interface Leave The number of leave messages sent from this interface G Query...

Page 1160: ...ved The number of specific queries received on this interface Specific Query Sent The number of specific queries sent from this interface Warn Rate Limit The rate at which received query messages of t...

Page 1161: ...service based on a specific subscription plan The IGMP filtering feature fulfills this requirement by restricting access to specified multicast services on a switch port and IGMP throttling limits th...

Page 1162: ...ed multicast group is denied the IGMP join report is dropped IGMP filtering and throttling only applies to dynamically learned multicast groups it does not apply to statically configured groups The IG...

Page 1163: ...eny EXAMPLE Console config ip igmp profile 19 Console config igmp profile permit deny This command sets the access mode for an IGMP filter profile Use the no form to delete a profile number SYNTAX per...

Page 1164: ...39 1 1 1 Console config igmp profile range 239 2 3 1 239 2 3 100 Console config igmp profile ip igmp authentication This command enables IGMP authentication on the specified interface When enabled and...

Page 1165: ...initiate RADIUS authentication IS_EX MODE_IS_EXCLUDE Indicates that the interface s filter mode is EXCLUDE for the specified multicast address The Source Address fields in this Group Record contain t...

Page 1166: ...E The IGMP filtering profile must first be created with the ip igmp profile command before being able to assign it to an interface Only one profile can be assigned to an interface A profile can also b...

Page 1167: ...trunk members the trunk uses the throttling settings of the first port member in the trunk EXAMPLE Console config interface ethernet 1 1 Console config if ip igmp max groups 10 Console config if ip ig...

Page 1168: ...ommand can be used to drop any query packets received on the specified interface If this switch is acting as a Querier this prevents it from being affected by messages received from another Querier EX...

Page 1169: ...t port unit Unit identifier Range 1 port Port number Range 1 52 port channel channel id Range 1 16 DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Using this command without specifying...

Page 1170: ...1 Ethernet 1 1 information IGMP Profile 19 Deny Range 239 1 1 1 239 1 1 1 Range 239 2 3 1 239 2 3 100 Console show ip igmp profile This command displays IGMP filtering profiles created on the switch...

Page 1171: ...OMMAND USAGE Using this command without specifying an interface displays all interfaces EXAMPLE Console show ip igmp query drop interface ethernet 1 1 Ethernet 1 1 Enabled Console show ip igmp throttl...

Page 1172: ...COMMAND USAGE Using this command without specifying an interface displays all interfaces EXAMPLE Console show ip multicast data drop interface ethernet 1 1 Ethernet 1 1 Enabled Console MLD SNOOPING M...

Page 1173: ...stness Configures the robustness variable GC ipv6 mld snooping router port expire time Configures the router port expire time GC ipv6 mld snooping unknown multicast mode Sets an action for unknown mul...

Page 1174: ...no form to disable this feature SYNTAX no ipv6 mld snooping querier DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE If enabled the switch will serve as querier if elected The...

Page 1175: ...by this command When this message is received by downstream hosts all receivers build an MLD report for the multicast groups they have joined EXAMPLE Console config ipv6 mld snooping query interval 15...

Page 1176: ...GE A port will be removed from the receiver list for a multicast service when no MLD reports are detected in response to a number of MLD queries The robustness variable sets the number of queries on p...

Page 1177: ...g unknown multicast mode flood Floods the unknown multicast data packets to all ports to router port Forwards the unknown multicast data packets to router ports DEFAULT SETTING to router port COMMAND...

Page 1178: ...sabled COMMAND MODE Global Configuration COMMAND USAGE If MLD immediate leave is not used a multicast router or querier will send a group specific query message when an MLD group leave message is rece...

Page 1179: ...onnections MLD snooping may not always be able to locate the MLD querier Therefore if the MLD querier is a known multicast router switch connected over the network to an interface port or trunk on the...

Page 1180: ...ear ipv6 mld snooping groups dynamic This command clears multicast group information dynamically learned through MLD snooping SYNTAX clear ipv6 mld snooping groups dynamic COMMAND MODE Privileged Exec...

Page 1181: ...ipv6 mld snooping COMMAND MODE Privileged Exec EXAMPLE The following shows MLD Snooping configuration information Console show ipv6 mld snooping Service Status Disabled Querier Status Disabled Robust...

Page 1182: ...list COMMAND MODE Privileged Exec EXAMPLE The following shows MLD Snooping group mapping information Console show ipv6 mld snooping group source list Console show ipv6 mld snooping group source list...

Page 1183: ...e Table 39 10 IGMP Filtering and Throttling Commands Command Function Mode ipv6 mld filter Enables MLD filtering and throttling on the switch GC ipv6 mld profile Sets a profile number and enters MLD f...

Page 1184: ...rmitted the MLD join report is forwarded as normal If a requested multicast group is denied the MLD join report is dropped MLD filtering and throttling only applies to dynamically learned multicast gr...

Page 1185: ...X permit deny DEFAULT SETTING deny COMMAND MODE MLD Profile Configuration COMMAND USAGE Each profile has only one access mode either permit or deny When the access mode is set to permit MLD join repor...

Page 1186: ...to an interface on the switch Use the no form to remove a profile from an interface SYNTAX no ipv6 mld filter profile number profile number An MLD filter profile number Range 1 4294967295 DEFAULT SETT...

Page 1187: ...the action is set to replace the switch randomly removes an existing group and replaces it with the new multicast group MLD throttling can also be set on a trunk interface When ports are configured as...

Page 1188: ...ipv6 mld query drop This command drops any received MLD query packets Use the no form to restore the default setting SYNTAX no ipv6 mld query drop DEFAULT SETTING Disabled COMMAND MODE Interface Conf...

Page 1189: ...ethernet unit port unit Unit identifier Range 1 port Port number Range 1 52 port channel channel id Range 1 16 DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console show ipv6 mld filter ML...

Page 1190: ...drop MLD query packets SYNTAX show ipv6 mld throttle interface interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 52 port channel channel id Range 1 16 DEFAULT SET...

Page 1191: ...can be used to transmit multicast traffic such as television channels across a service provider s network Any multicast traffic entering an MVR VLAN is sent to all subscribers This can significantly...

Page 1192: ...ets sent upstream GC mvr vlan Specifies the VLAN through which MVR multicast data is received GC mvr immediate leave Enables immediate leave capability IC mvr type Configures an interface as an MVR re...

Page 1193: ...emove the binding SYNTAX no mvr domain domain id associated profile profile name domain id An independent multicast domain Range 1 5 profile name The name of a profile containing one or more MVR group...

Page 1194: ...the no form of this command to restore the default setting SYNTAX mvr priority priority no mvr priority priority The CoS priority assigned to all multicast traffic forwarded into the MVR VLAN Range 0...

Page 1195: ...registered to receive data from that multicast group The IP address range from 224 0 0 0 to 239 255 255 255 is used for multicast streams MVR group addresses cannot fall within the reserved IP multica...

Page 1196: ...switching is enabled an MVR source port serves as the upstream or host interface The source port performs only the host portion of MVR by sending summarized membership reports and automatically disabl...

Page 1197: ...expected packet loss and thereby the number of times to generate report and group specific queries Use the no form to restore the default setting SYNTAX mvr robustness value value no mvr robustness va...

Page 1198: ...rds multicast streams which the source port has dynamically joined In other words both the receiver port and source port must subscribe to a multicast group before a multicast stream is forwarded to a...

Page 1199: ...ration COMMAND USAGE This command specifies the VLAN through which MVR multicast data is received This is the VLAN to which all source ports must be assigned The VLAN specified by this command must be...

Page 1200: ...not send out a group specific query when an IGMPv2 v3 leave message is received the same as it would without this option having been used Instead of immediately deleting that group it will look up the...

Page 1201: ...ports cannot be set to access mode see the switchport mode command One or more interfaces may be configured as MVR source ports A source port is able to both receive and send data for multicast groups...

Page 1202: ...eiver port using this command The IP address range from 224 0 0 0 to 239 255 255 255 is used for multicast streams MVR group addresses cannot fall within the reserved IP multicast address range of 224...

Page 1203: ...number Range 1 52 port channel channel id Range 1 16 vlan vlan id VLAN identifier Range 1 4094 COMMAND MODE Privileged Exec EXAMPLE Console clear ip igmp snooping statistics Console show mvr This com...

Page 1204: ...t traffic forwarded into the MVR VLAN MVR Proxy Switching Shows if MVR proxy switching is enabled MVR Robustness Value Shows the number of reports or query messages sent when proxy switching is enable...

Page 1205: ...s for all attached interfaces COMMAND MODE Privileged Exec EXAMPLE The following displays information about the interfaces attached to the MVR VLAN in domain 1 Console show mvr domain 1 interface MVR...

Page 1206: ...ifier Range 1 port Port number Range 1 52 port channel channel id Range 1 16 unknown Entry created by receiving a multicast stream user Snooping entry learned from user s configuration settings DEFAUL...

Page 1207: ...1 MVR Forwarding Entry Count 1 Flag S Source port R Receiver port H Host counts number of hosts joined to group on this port P Port counts number of ports joined to group Up time Group elapsed time d...

Page 1208: ...st domain Range 1 5 interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 52 port channel channel id Range 1 16 vlan vlan id VLAN ID Range 1 4094 query Displays MVR query...

Page 1209: ...on this interface Leave The number of leave messages received on this interface G Query The number of general query messages received on this interface G S S Query The number of group specific or grou...

Page 1210: ...ace Other Querier Expire The time after which this querier is assumed to have expired Other Querier Uptime Other querier s time up Self Querier This querier s IP address Self Querier Expire This queri...

Page 1211: ...Transmit General Number of general queries transmitted Group Specific Number of group specific queries transmitted Received General Number of general queries received Group Specific Number of group sp...

Page 1212: ...ceived General Number of general queries received Group Specific Number of group specific queries received V Warning Count Number of queries received on MVR that were configured by IGMP version 1 2 or...

Page 1213: ...al queries GC mvr6 proxy switching Enables MVR proxy switching where the source port acts as a host and the receiver port acts as an MVR router with querier service enabled GC mvr6 robustness value Co...

Page 1214: ...V6 profile can only be associated with one MVR6 domain EXAMPLE The following an MVR6 group address profile to domain 1 Console config mvr6 domain 1 associated profile rd Console config mvr6 domain Thi...

Page 1215: ...he no form of this command to restore the default setting SYNTAX mvr6 priority priority no mvr6 priority priority The CoS priority assigned to all multicast traffic forwarded into the MVR6 VLAN Range...

Page 1216: ...registered to receive data from that multicast group IGMP snooping and MVR share a maximum number of 1023 groups Any multicast streams received in excess of this limitation will be flooded to all por...

Page 1217: ...ervice enabled Use the no form to disable this function SYNTAX no mvr6 proxy switching DEFAULT SETTING Enabled COMMAND MODE Global Configuration COMMAND USAGE When MVR proxy switching is enabled an MV...

Page 1218: ...LE The following example enable MVR6 proxy switching Console config mvr6 proxy switching Console config RELATED COMMANDS mvr6 robustness value 1231 mvr6 robustness value This command configures the ex...

Page 1219: ...ce ports on the switch and to all receiver ports that have elected to receive data on that multicast address When the mvr6 source port mode dynamic command is used the switch only forwards multicast s...

Page 1220: ...d fields Note that the IP address ff02 X is reserved EXAMPLE Console config mvr6 domain 1 upstream source ip 2001 DB8 2222 7223 72 Console config mvr6 vlan This command specifies the VLAN through whic...

Page 1221: ...the switch follows the standard rules by sending a group specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group bef...

Page 1222: ...eiver or source port can join or leave multicast groups configured under MVR6 A port which is not configured as an MVR receiver or source port can use MLD snooping to join or leave multicast groups us...

Page 1223: ...multicast traffic is flooded Range 1 4094 group Defines a multicast service sent to the selected port ip address Statically configures an interface to receive multicast traffic from the IPv6 address...

Page 1224: ...DE Privileged Exec COMMAND USAGE This command only clears entries learned though MVR6 Statically configured multicast addresses are not cleared EXAMPLE Console clear mvr6 groups dynamic Console clear...

Page 1225: ...VR6 settings Console show mvr6 MVR6 802 1p Forwarding Priority Disabled MVR6 Proxy Switching Enabled MVR6 Robustness Value 2 MVR6 Proxy Query Interval 125 sec MVR6 Source Port Mode Always Forward Doma...

Page 1226: ...ndependent multicast domain Range 1 5 DEFAULT SETTING Displays configuration settings for all attached interfaces MVR6 Source Port Mode Shows if the switch only forwards multicast streams which the so...

Page 1227: ...dress for an MVR multicast group DEFAULT SETTING Displays configuration settings for all domains and all forwarding entries COMMAND MODE Privileged Exec EXAMPLE The following shows information about t...

Page 1228: ...rwarding Entry Count 1 Flag S Source port R Receiver port H Host counts number of hosts join the group on this port P Port counts number of forwarding ports Up time Group elapsed time d h m s Expire G...

Page 1229: ...e query domain id An independent multicast domain Range 1 5 interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 52 port channel channel id Range 1 16 vlan vlan id VLAN I...

Page 1230: ...ceived on this interface Leave The number of leave messages received on this interface G Query The number of general query messages received on this interface G S S Query The number of group specific...

Page 1231: ...ire Time The time after which this querier is assumed to have expired Self Querier Address This querier s IPv6 address Self Querier Uptime This querier s time up Self Querier Expire Time This querier...

Page 1232: ...globally on the switch GC lldp holdtime multiplier Configures the time to live TTL value sent in LLDP advertisements GC lldp med fast start count Configures how many medFastStart packets are transmit...

Page 1233: ...ransmission of SNMP trap notifications about LLDP MED changes IC lldp med tlv ext poeb Configures an LLDP MED enabled port to advertise its extended Power over Ethernet configuration and usage informa...

Page 1234: ...ultiplier or 65536 Range 2 10 DEFAULT SETTING Holdtime multiplier 4 TTL 4 30 120 seconds COMMAND MODE Global Configuration COMMAND USAGE The time to live tells the receiving LLDP agent how long to ret...

Page 1235: ...s Use the no form to restore the default setting SYNTAX lldp notification interval seconds no lldp notification interval seconds Specifies the periodic interval at which SNMP notifications are sent Ra...

Page 1236: ...conds COMMAND MODE Global Configuration EXAMPLE Console config lldp refresh interval 60 Console config lldp reinit delay This command configures the delay before attempting to re initialize after LLDP...

Page 1237: ...es of successive LLDP transmissions during a short period of rapid changes in local LLDP MIB objects and to increase the probability that multiple rather than single changes are reported in each trans...

Page 1238: ...clude information about the specific interface associated with this address and an object identifier indicating the type of hardware component or protocol entity associated with this address The inter...

Page 1239: ...ription Console config if lldp basic tlv system capabilities This command configures an LLDP enabled port to advertise its system capabilities Use the no form to disable this feature SYNTAX no lldp ba...

Page 1240: ...m name This command configures an LLDP enabled port to advertise the system name Use the no form to disable this feature SYNTAX no lldp basic tlv system name DEFAULT SETTING Enabled COMMAND MODE Inter...

Page 1241: ...VLAN information Use the no form to disable this feature SYNTAX no lldp dot1 tlv proto vid DEFAULT SETTING Enabled COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE This option...

Page 1242: ...his feature SYNTAX no lldp dot1 tlv vlan name DEFAULT SETTING Enabled COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE This option advertises the name of all VLANs to which thi...

Page 1243: ...his feature SYNTAX no lldp dot3 tlv mac phy DEFAULT SETTING Enabled COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE This option advertises MAC PHY configuration status which i...

Page 1244: ...Ethernet capabilities including whether or not PoE is supported currently enabled if the port pins through which power is delivered can be controlled the port pins selected to deliver power and the po...

Page 1245: ...nformation The address location is specified as a type and value pair with the civic address CA type being defined in RFC 4776 The following table describes some of the CA type numbers and provides ex...

Page 1246: ...if lldp med location civic addr country US Console config if lldp med location civic addr what 2 Console config if lldp med notification This command enables the transmission of SNMP trap notificatio...

Page 1247: ...etails such as power availability from the switch and power state of the switch including whether the switch is operating from primary or backup power the Endpoint Device could use this information to...

Page 1248: ...nabled COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE This option advertises location identification details EXAMPLE Console config interface ethernet 1 1 Console config if l...

Page 1249: ...network policy configurations frequently result in voice quality degradation or complete service disruption EXAMPLE Console config interface ethernet 1 1 Console config if lldp med tlv network policy...

Page 1250: ...fig if show lldp config This command shows LLDP configuration settings for all ports SYNTAX show lldp config detail interface detail Shows configuration summary interface ethernet unit port unit Unit...

Page 1251: ...ame MED Notification Status Enabled MED Enabled TLVs Advertised med cap network policy location ext poe inventory MED Location Identification Location Data Format Civic Address LCI Country Name US Wha...

Page 1252: ...00 1A 7E AC 2B 16 Ethernet Port on unit 1 port 4 Console show lldp info local device detail ethernet 1 1 LLDP Local Port Information Detail Port Eth 1 1 Port ID Type MAC Address Port ID B4 0E DC 34 9...

Page 1253: ...rnet Port on unit 1 port 1 System Description SSE G2252P System Capabilities Bridge Enabled Capabilities Bridge Management Address 192 168 0 4 IPv4 Port VLAN ID 1 Port and Protocol VLAN ID VLAN 2 supp...

Page 1254: ...Entries List Last Updated 49 seconds New Neighbor Entries Count 4 Neighbor Entries Deleted Count 0 Neighbor Entries Dropped Count 0 Neighbor Entries Ageout Count 0 Port NumFramesRecvd NumFramesSent N...

Page 1255: ...ace messages Fault notification is also provided by SNMP alarms which are automatically generated by maintenance points when connectivity faults or configuration errors are detected in the local maint...

Page 1256: ...nance association GC snmp server enable traps ethernet cfm cc Enables SNMP traps for CFM continuity check events GC mep archive hold time Sets the time that data from a missing MEP is kept in the cont...

Page 1257: ...et cfm linktrace cache size Sets the maximum size for the link trace cache GC ethernet cfm linktrace Sends CFM link trace messages to the MAC address for a MEP PE clear ethernet cfm linktrace cache Cl...

Page 1258: ...cross check messages page 1295 Defining CFM Structures ethernet cfm ais level This command configures the maintenance level at which Alarm Indication Signal AIS information will be sent within the spe...

Page 1259: ...in the CFM domain Frames with AIS information can be issued at the client s maintenance level by a MEP upon detecting defect conditions For example defect conditions may include Signal failure conditi...

Page 1260: ...rd Console config ethernet cfm ais suppress alarm This command suppresses sending frames containing AIS information following the detection of defect conditions Use the no form to restore the default...

Page 1261: ...ais suppress alarm md voip ma rd Console config ethernet cfm domain This command defines a CFM maintenance domain sets the authorized maintenance level and enters CFM configuration mode Use the no fo...

Page 1262: ...Ps within an MA MIPs are automatically generated by the CFM protocol when the mip creation option in this command is set to default or explicit and the MIP creation state machine is invoked as defined...

Page 1263: ...Global Configuration COMMAND USAGE To avoid generating an excessive number of traps the complete CFM maintenance structure and process parameters should be configured prior to globally enabling CFM p...

Page 1264: ...configuration mode the MA name and VLAN identifier specified by this command and the DSAPs configured with the mep crosscheck mpid command create a unique service instance for each customer If only th...

Page 1265: ...ING character string COMMAND MODE CFM Domain Configuration EXAMPLE This example specifies the name format as character string Console config ethernet cfm domain index 1 name voip level 3 Console confi...

Page 1266: ...command and 3 finally the MEP using this command An interface may belong to more than one domain This command can be used to configure an interface as a MEP for different MAs in different domains To...

Page 1267: ...clears AIS defect information for the specified MEP SYNTAX clear ethernet cfm ais mpid mpid md domain name ma ma name mpid Maintenance end point identifier Range 1 8191 domain name Domain name Range 1...

Page 1268: ...T SETTING None COMMAND MODE Privileged Exec EXAMPLE This example shows the global settings for CFM Console show ethernet cfm configuration global CFM Global Status Enabled Crosscheck Start Delay 10 se...

Page 1269: ...om a remote MEP which as an expired entry in the archived database CC Mep Down Trap Sends a trap if this device loses connectivity with a remote MEP or connectivity has been restored to a remote MEP w...

Page 1270: ...MIP Creation steve 1 voip 1 4 Default Console show ethernet cfm maintenance points local This command displays the maintenance points configured on this device SYNTAX show ethernet cfm maintenance poi...

Page 1271: ...MD Name Level Direct VLAN Port CC Status MAC Address 1 rd 0 UP 1 Eth 1 1 Enabled 00 12 CF 3A A8 C0 Console show ethernet cfm maintenance points local detail mep This command displays detailed CFM inf...

Page 1272: ...the Bridge port up or down Interface The port to which this MEP is attached CC Status Shows if the MEP will generate CCM messages MAC Address MAC address of the local maintenance point If a CCM for t...

Page 1273: ...evel for this domain Range 0 7 ma name Maintenance association name Range 1 43 alphanumeric characters DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Use the mpid keyword with this co...

Page 1274: ...CC Lifetime Length of time to hold messages about this MEP in the CCM database Age of Last CC Message Length of time the last CCM message about this MEP has been in the CCM database Frame Loss Percen...

Page 1275: ...nature and size of the MA The maintenance of a MIP CCM database by a MIP presents some difficulty for bridges carrying a large number of Service Instances and for whose MEPs are issuing CCMs at a hig...

Page 1276: ...ntinuity check messages for the specified maintenance association Console config ethernet cfm cc enable md voip ma rd Console config snmp server enable traps ethernet cfm cc This command enables SNMP...

Page 1277: ...ts the time that data from a missing MEP is retained in the continuity check message CCM database before being purged Use the no form to restore the default setting SYNTAX mep archive hold time hold t...

Page 1278: ...ain or the level keyword to clear it for a specific maintenance level EXAMPLE Console clear ethernet cfm maintenance points remote domain voip Console clear ethernet cfm errors This command clears con...

Page 1279: ...orized maintenance level for this domain Range 0 7 DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console show ethernet cfm errors Level VLAN MPID Interface Remote MAC Reason MA Name 5 2 40...

Page 1280: ...ed with a specific VID lista one or more of the VIDs in this MA can pass through the bridge port no MEP is configured facing outward down on any bridge port for this MA and some other MA y at a higher...

Page 1281: ...AULT SETTING All continuity checks are enabled COMMAND MODE Global Configuration COMMAND USAGE For this trap type to function cross checking must be enabled on the required maintenance associations us...

Page 1282: ...access points DSAPs have already been created with the ethernet cfm mep command at the same maintenance level and in the same MA DSAPs are MEPs that exist on the edge of the domain and act as primary...

Page 1283: ...arted using this command with the enable keyword EXAMPLE This example enables cross checking within the specified maintenance association Console ethernet cfm mep crosscheck enable md voip ma rd Conso...

Page 1284: ...se this command to enable the link trace cache to store the results of link trace operations initiated on this device Use the ethernet cfm linktrace command to transmit a link trace message Link trace...

Page 1285: ...ace cache size entries entries The number of link trace responses stored in the link trace cache Range 1 4095 entries DEFAULT SETTING 100 entries COMMAND MODE Global Configuration COMMAND USAGE Before...

Page 1286: ...SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Link trace messages can be targeted to MEPs not MIPs Before sending a link trace message be sure you have configured the target MEP for the spec...

Page 1287: ...m linktrace cache This command displays the contents of the link trace cache COMMAND MODE Privileged Exec EXAMPLE Console show ethernet cfm linktrace cache Hops MA IP Alias Ingress MAC Ing Action Rela...

Page 1288: ...ally Down MEP that has another Down MEP at a higher MD level on the same bridge port that is causing the bridge port s MAC_Operational parameter to be false IngBlocked The ingress port can be identifi...

Page 1289: ...on of a fault or receipt of some other error report Loopback messages can also used to confirm the successful restoration or initiation of connectivity The receiving maintenance point should respond t...

Page 1290: ...t notify lowest priority priority Lowest priority default allowed to generate a fault alarm Range 1 6 DEFAULT SETTING Priority level 2 COMMAND MODE CFM Domain Configuration COMMAND USAGE A fault alarm...

Page 1291: ...efore another fault alarm can be generated Range 3 10 seconds Table 41 7 Remote MEP Priority Levels Priority Level Level Name Description 1 allDef All defects 2 macRemErrXcon DefMACstatus DefRemoteCCM...

Page 1292: ...nce end point identifier Range 1 8191 DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE This example shows the fault notification settings configured for one MEP Console show ethernet cfm faul...

Page 1293: ...xx xx xx or xxxxxxxxxxxx domain name Domain name Range 1 43 alphanumeric characters ma name Maintenance association name Range 1 43 alphanumeric characters count The number of times to retry sending t...

Page 1294: ...mation with TxTimeStampf copied from the DM request information RxTimeStampf Timestamp at the time of receiving a frame with DM request information and TxTimeStampb Timestamp at the time of transmitti...

Page 1295: ...errored frame link events IC efm oam link monitor frame window Sets the monitor period for errored frame link events IC efm oam mode Sets the OAM operational mode to active or passive IC clear efm oam...

Page 1296: ...the no form to disable this function SYNTAX no efm oam critical link event critical event dying gasp critical event If a critical event occurs the local OAM entity this switch indicates this to its pe...

Page 1297: ...face Configuration COMMAND USAGE An errored frame is a frame in which one or more bits are errored If this feature is enabled and an errored frame link event occurs the local OAM entity this switch se...

Page 1298: ...size no efm oam link monitor frame window size The period of time in which to check the reporting threshold for errored frame link events Range 10 65535 units of 10 milliseconds DEFAULT SETTING 10 uni...

Page 1299: ...o discovery messages EXAMPLE Console config interface ethernet 1 1 Console config if efm oam mode active Console config if clear efm oam counters This command clears statistical counters for various O...

Page 1300: ...start stop interface start Starts remote loopback test mode stop Stops remote loopback test mode interface unit port unit Unit identifier Range 1 port Port number Range 1 52 DEFAULT SETTING None COMMA...

Page 1301: ...rface number of packets packet size interface unit port unit Unit identifier Range 1 port Port number Range 1 52 number of packets Number of packets to send Range 1 99999999 packet size Size of packet...

Page 1302: ...a hyphen to designate a range of ports Range 1 52 COMMAND MODE Normal Exec Privileged Exec EXAMPLE Console show efm oam counters interface 1 1 Port OAMPDU Type TX RX 1 1 Information 1121 1444 1 1 Eve...

Page 1303: ...t 1 Port 1 Connection to remote device is up at Local When the link is up this event will be written to OAM event log Console clear efm oam event log Use he clear efm oam event log command to clear th...

Page 1304: ...oam status interface This command displays OAM configuration settings and event counters SYNTAX show efm oam status interface interface list brief interface unit port unit Unit identifier Range 1 por...

Page 1305: ...ched OAM enabled devices SYNTAX show efm oam status remote interface interface list interface list unit port unit Unit identifier Range 1 port Port number or list of ports To enter a list separate non...

Page 1306: ...domain list name name Name of the host Do not include the initial dot that separates the host name from the domain name Range 1 68 characters DEFAULT SETTING None Table 43 1 Address Table Commands Co...

Page 1307: ...ed EXAMPLE This example adds two domain names to the current list and then displays the list Console config ip domain list sample com jp Console config ip domain list sample com uk Console config end...

Page 1308: ...mand defines the default domain name appended to incomplete host names i e host names passed from a client that are not formatted with dotted notation Use the no form to remove the current domain name...

Page 1309: ...r static entries or the clear host command to clear dynamic entries EXAMPLE This example maps an IPv4 address to a host name Console config ip host rd5 192 168 1 55 Console config end Console show hos...

Page 1310: ...t 192 168 1 55 10 1 0 55 Console RELATED COMMANDS ip domain name 1323 ip domain lookup 1322 ipv6 host This command creates a static entry in the DNS table that maps a host name to an IPv6 address Use...

Page 1311: ...ole show dns cache No Flag Type IP Address TTL Domain Console clear host This command deletes dynamic entries from the DNS table SYNTAX clear host name name Name of the host Range 1 100 characters Rem...

Page 1312: ...com 5 4 CNAME POINTER TO 3 115 www wa1 b yahoo com Console show hosts This command displays the static host name to address mapping table COMMAND MODE Privileged Exec Table 43 2 show dns cache displa...

Page 1313: ...1 b yahoo com Console Table 43 3 show hosts display description Field Description No The entry number for each resource record Flag The field displays 2 for a static entry or 4 for a dynamic entry sto...

Page 1314: ...ure SYNTAX no ip dhcp dynamic provision Table 44 1 DHCP Commands Command Group Function DHCP Client Allows interfaces to dynamically acquire IP address information DHCP Relay Relays DHCP requests from...

Page 1315: ...m the DHCP server To ask for a DHCP reply with option 66 67 the client can inform the server that it is interested in option 66 67 by sending a DHCP request that includes a parameter request list opti...

Page 1316: ...1 0 netmask 255 255 255 0 pool allow members of OPT66_67 range 192 168 1 10 192 168 1 20 EXAMPLE In the following example enables dhcp dynamic provisioning Console config ip dhcp dynamic provisioning...

Page 1317: ...default DHCP option 66 67 parameters are not carried in a DHCP server reply To ask for a DHCP reply with option 66 67 information the DHCP client request sent by this switch includes a parameter reque...

Page 1318: ...st for any IP interface that has been set to BOOTP or DHCP mode through the ip address command DHCP requires the server to reassign the client s last address if available If the BOOTP or DHCP server h...

Page 1319: ...server through a normal four message exchange solicit advertise request reply or through a rapid two message exchange solicit reply The rapid commit option must be enabled on both client and server fo...

Page 1320: ...flags are set to 1 DHCPv6 is used for both address and other configuration settings This combination is known as DHCPv6 stateful in which a DHCPv6 server assigns stateful addresses to IPv6 hosts The...

Page 1321: ...E Console show ipv6 dhcp duid DHCPv6 Unique Identifier DUID 0001 0001 50AB9A72 B40EDC34E63C Console show ipv6 dhcp vlan This command shows DHCPv6 information for the specified interface s SYNTAX show...

Page 1322: ...subnet where the client is located Then the switch forwards the packet to a DHCP server on another network When the server receives the DHCP request it allocates a free IP address for the DHCP client...

Page 1323: ...s own IP address into the request so the DHCP server will know the subnet where the client is located Then the switch forwards the packet to the DHCP server on another network When the server receives...

Page 1324: ...switch by default You must manually configure a new address to manage the switch over your network or to connect the switch to existing IP subnets You may also need to a establish a default gateway b...

Page 1325: ...mmand which provides the same function bootp Obtains IP address from BOOTP dhcp Obtains IP address from DHCP DEFAULT SETTING DHCP COMMAND MODE Interface Configuration VLAN COMMAND USAGE An IP address...

Page 1326: ...P or DHCP IP is enabled but will not function until a BOOTP or DHCP reply has been received Requests are broadcast periodically by the router in an effort to learn its IP address BOOTP and DHCP values...

Page 1327: ...ocal address for a default gateway include zone id information indicating the VLAN identifier after the delimiter For example FE80 7272 1 identifies VLAN 1 as the interface EXAMPLE The following examp...

Page 1328: ...utes generated fragments fragment succeeded fragment failed ICMP Statistics ICMP received input errors destination unreachable messages time exceeded messages parameter problem message echo request me...

Page 1329: ...with the TTL value set at one This causes the first router to discard the datagram and return an error message The trace function then sends several probe messages at each subsequent TTL level and di...

Page 1330: ...he size specified because the switch adds header information DEFAULT SETTING count 5 size 32 bytes COMMAND MODE Normal Exec Privileged Exec COMMAND USAGE Use the ping command to see if another site on...

Page 1331: ...ARP CONFIGURATION This section describes commands used to configure the Address Resolution Protocol ARP on the switch clear arp cache This command deletes all dynamic entries from the Address Resolut...

Page 1332: ...an IPv6 default gateway for traffic GC ipv6 address Configures an IPv6 global unicast address and enables IPv6 on an interface IC ipv6 address autoconfig Enables automatic configuration of IPv6 global...

Page 1333: ...ocal address may be used by different interfaces nodes in different zones RFC 4007 Therefore when specifying a link local address include zone id information indicating the VLAN identifier after the d...

Page 1334: ...dicating how many contiguous bits from the left of the address comprise the prefix i e the network portion of the address DEFAULT SETTING No IPv6 addresses are defined COMMAND MODE Interface Configura...

Page 1335: ...0 milliseconds ND advertised retransmit interval is 0 milliseconds ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised router lifetime is 1800 seconds...

Page 1336: ...ch Console config interface vlan 1 Console config if ipv6 address autoconfig Console config if ipv6 enable Console config if end Console show ipv6 interface VLAN 1 is up IPv6 is enabled Link local add...

Page 1337: ...Note that the value specified in the ipv6 prefix may include some of the high order host bits if the specified prefix length is less than 64 bits If the specified prefix length exceeds 64 bits then t...

Page 1338: ...1 ff34 9608 ff02 1 IPv6 link MTU is 1500 bytes ND DAD is enabled number of DAD attempts 3 ND retransmit interval is 1000 milliseconds ND advertised retransmit interval is 0 milliseconds ND reachable...

Page 1339: ...addresses and the first 16 bit group in the host address is padded with a zero in the form 0269 Console config interface vlan 1 Console config if ipv6 address FE80 269 3EF9 FE19 6779 link local Consol...

Page 1340: ...for an interface that has been explicitly configured with an IPv6 address EXAMPLE In this example IPv6 is enabled on VLAN 1 and the link local address FE80 2E0 CFF FE00 FD 64 is automatically generat...

Page 1341: ...4094 ipv6 prefix The IPv6 network portion of the address assigned to the interface The prefix must be formatted according to RFC 2373 IPv6 Addressing Architecture using 8 colon separated 16 bit hexad...

Page 1342: ...nsmission of multicast traffic Link local multicast addresses cover the same types as used by link local unicast addresses including all nodes FF02 1 all routers FF02 2 and solicited nodes FF02 1 FFXX...

Page 1343: ...or all IPv6 unicast and multicast traffic as well as ICMP UDP and TCP statistics Console show ipv6 traffic IPv6 Statistics IPv6 received 0 total received 0 header errors 0 too big errors 0 no routes 0...

Page 1344: ...6 headers including version number mismatch other format errors hop count exceeded IPv6 options etc too big errors The number of input datagrams that could not be forwarded because their size exceeded...

Page 1345: ...number of output datagrams which this entity received and forwarded to their final destinations In entities which do not act as IPv6 routers this counter will include only those packets which were So...

Page 1346: ...ges The number of Redirect messages received by the interface group membership query messages The number of ICMPv6 Group Membership Query messages received by the interface group membership response m...

Page 1347: ...ges sent For a host this object will always be zero since hosts do not send redirects group membership query messages The number of ICMPv6 Group Membership Query messages sent by the interface group m...

Page 1348: ...ent zones RFC 4007 Therefore when specifying a link local address include zone id information indicating the VLAN identifier after the delimiter For example FE80 7272 1 identifies VLAN 1 as the interf...

Page 1349: ...reach a specified destination The same link local address may be used by different interfaces nodes in different zones RFC 4007 Therefore when specifying a link local address include zone id informat...

Page 1350: ...MODE Interface Configuration Ethernet Port Channel COMMAND USAGE IPv6 Router Advertisements RA convey information that enables nodes to auto configure on the network This information may include the d...

Page 1351: ...ge 1 52 port channel channel id Range 1 16 COMMAND MODE Privileged Exec EXAMPLE Console show ipv6 nd raguard interface ethernet 1 1 Interface RA Guard Eth 1 1 Yes Console show ipv6 neighbors This comm...

Page 1352: ...ng RFC 4293 R Reachable Positive confirmation was received within the last ReachableTime interval that the forward path to the neighbor was functioning While in REACH state the device takes no special...

Page 1353: ...ND Snooping 1368 ND SNOOPING Neighbor Discover ND Snooping maintains an IPv6 prefix table and user address binding table These tables can be used for stateless address auto configuration or for addres...

Page 1354: ...re SYNTAX no ipv6 nd snooping vlan vlan id vlan range Table 45 9 ND Snooping Commands Command Function Mode ipv6 nd snooping Enables ND snooping globally or on a specified VLAN or range of VLANs GC ip...

Page 1355: ...g a table entry with the same prefix for a specified timeout period the entry is deleted Once ND snooping is enabled both globally and on the required VLANs the switch will start monitoring NS message...

Page 1356: ...form to disable this feature SYNTAX no ipv6 nd snooping auto detect DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE If auto detection is enabled the switch periodically sends...

Page 1357: ...val between which the auto detection process sends NS messages to determine if a dynamic user binding is still valid Use the no form to restore the default setting SYNTAX ipv6 nd snooping auto detect...

Page 1358: ...n entry in the prefix table based upon the Prefix Information contained in the message If an RA message is not received for a table entry with the same prefix for the specified timeout period the entr...

Page 1359: ...ork Discovery protocol are configured as trusted interfaces RA messages received from a trusted interface are added to the prefix table and forwarded toward their destination NS messages received from...

Page 1360: ...ace Console show ipv6 nd snooping This command shows the configuration settings for ND snooping SYNTAX show ipv6 nd snooping COMMAND MODE Privileged Exec EXAMPLE Console show ipv6 nd snooping Global N...

Page 1361: ...100 1 Eth 1 1 0012 cf01 0203 2001 1 3400 2 Eth 1 2 Console show ipv6 nd snooping prefix This command shows all entries in the address prefix table SYNTAX show ipv6 nd snooping prefix interface vlan v...

Page 1362: ...r to the enterprise network GLOBAL ROUTING CONFIGURATION IPv4 Commands ip route This command configures static routes Use the no form to remove static routes SYNTAX ip route destination ip netmask nex...

Page 1363: ...route and the same destination can be reached through a dynamic route at a lower administration distance then the dynamic route will be used If both static and dynamic paths have the same lowest cost...

Page 1364: ...USAGE The FIB contains information required to forward IP traffic It contains the interface identifier and next hop information for each reachable destination network prefix based on the IP routing ta...

Page 1365: ...ains the set of all available routes from which optimal entries are selected for use by the Forwarding Information Base see Command Usage under the show ip route command EXAMPLE Console show ip route...

Page 1366: ...Chapter 46 IP Routing Commands Global Routing Configuration 1381 Connected 2 Total 2 FIB 0 Console...

Page 1367: ...1383 SECTION IV APPENDICES This section provides additional information and includes these items Software Specifications on page 1385 Troubleshooting on page 1389 License Information on page 1391...

Page 1368: ...ex 1000BASE SX LX LH 1000 Mbps at full duplex SFP FLOW CONTROL Full Duplex IEEE 802 3 2005 Half Duplex Back pressure STORM CONTROL Broadcast multicast or unicast traffic throttled above a critical thr...

Page 1369: ...ooping Layer 2 Multicast VLAN Registration ADDITIONAL FEATURES BOOTP Client DHCP Client DNS Client Proxy LLDP Link Layer Discover Protocol RMON Remote Monitoring groups 1 2 3 9 SMTP Email Alerts SNMP...

Page 1370: ...duplex flow control ISO IEC 8802 3 IEEE 802 3ac VLAN tagging DHCP Client RFC 2131 DHCPv6 Client RFC 3315 HTTPS ICMP RFC 792 IGMP RFC 1112 IGMPv2 RFC 2236 IGMPv3 RFC 3376 partial support IPv4 IGMP RFC...

Page 1371: ...P Bridge MIB RFC 2674P Port Access Entity MIB IEEE 802 1X Port Access Entity Equipment MIB Power Ethernet MIB RFC 3621 Private MIB Q Bridge MIB RFC 2674Q Quality of Service MIB RADIUS Authentication C...

Page 1372: ...eeded the maximum number of concurrent Telnet SSH sessions permitted Try connecting again at a later time Cannot connect using Secure Shell If you cannot connect using SSH you may have exceeded the ma...

Page 1373: ...Repeat the sequence of commands or other actions that lead up to the error 7 Make a list of the commands or circumstances that led to the fault Also make a list of any error messages displayed 8 Set...

Page 1374: ...re and charge for this service if you wish that you receive source code or can get it if you want it that you can change the software or use pieces of it in new free programs and that you know you can...

Page 1375: ...e at no charge to all third parties under the terms of this License c If the modified program normally reads commands interactively when run you must cause it when started running for such interactive...

Page 1376: ...itions for copying distributing or modifying the Program or works based on it 7 Each time you redistribute the Program or any work based on the Program the recipient automatically receives a license f...

Page 1377: ...tions for this Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally NO WARRAN...

Page 1378: ...ss of the TFTP server that contains the devices system files and the name of the boot file CFM Connectivity Fault Management provides fault monitoring for end to end connections within a designated se...

Page 1379: ...ding treatment or per hop behavior at each network node DiffServ allocates different levels of service to users on the network with mechanisms such as traffic meters shapers droppers packet markers at...

Page 1380: ...MAC address the 7th bit in the high order byte is set to 1 equivalent to the IEEE Global Local bit to indicate the uniqueness of the 48 bit address GARP Generic Attribute Registration Protocol GARP i...

Page 1381: ...to first enter a user ID and password for authentication IEEE 802 3AC Defines frame extensions for VLAN tagging IEEE 802 3X Defines Ethernet frame start stop requests and timers used for flow control...

Page 1382: ...lows ports to automatically negotiate a trunked link with LACP configured ports on another device LAYER 2 Data Link layer in the ISO 7 Layer Data Communications Protocol This is related directly to th...

Page 1383: ...n demand across a service provider s network MVR simplifies the configuration of multicast services by using a common VLAN for distribution while still preserving security and data isolation for subsc...

Page 1384: ...rver to control access to RADIUS compliant devices on the network RMON Remote Monitoring RMON provides comprehensive network monitoring capabilities It eliminates the polling required in standard SNMP...

Page 1385: ...sed for software downloads UDP User Datagram Protocol UDP provides a datagram mode for packet switched communications It uses IP as the underlying transport mechanism to provide access to IP like serv...

Page 1386: ...ntrol action auto traffic control alarm clear threshold auto traffic control alarm fire threshold auto traffic control apply timer auto traffic control auto control release auto traffic control contro...

Page 1387: ...groups dynamic clear mvr6 statistics clear network access clear pppoe intermediate agent statistics clock summer time date clock summer time predefined clock summer time recurring clock timezone clus...

Page 1388: ...nk monitor frame window efm oam mode efm oam remote loopback efm oam remote loopback test enable enable enable password end erps erps clear erps domain erps forced switch erps manual switch ethernet c...

Page 1389: ...art client ip dhcp restart relay ip dhcp snooping ip dhcp snooping database flash ip dhcp snooping information option ip dhcp snooping information option circuit id ip dhcp snooping information policy...

Page 1390: ...resp intvl ip multicast data drop ip name server ip proxy arp ip route ip source guard ip source guard binding ip source guard max binding ip source guard mode ip ssh authentication retries ip ssh cr...

Page 1391: ...eachable time ipv6 nd snooping ipv6 nd snooping auto detect ipv6 nd snooping auto detect retransmit count ipv6 nd snooping auto detect retransmit interval ipv6 nd snooping max binding ipv6 nd snooping...

Page 1392: ...gging sendmail level logging sendmail source email logging trap login loopback detection trap loopback detection loopback detection action loopback detection recover time loopback detection release lo...

Page 1393: ...erval mvr6 proxy switching mvr6 robustness value mvr6 source port mode dynamic mvr6 type mvr6 upstream source ip mvr6 vlan mvr6 vlan group N name negotiation network access aging network access dynami...

Page 1394: ...power inline compatible power inline maximum allocation power inline priority power inline time range power mainpower maximum allocation power save pppoe intermediate agent pppoe intermediate agent f...

Page 1395: ...n rspan remote vlan rspan source S server service policy set cos set ip dscp set phb show access group show access list show access list arp show access list tcam utilization show accounting show arp...

Page 1396: ...interfaces transceiver threshold show ip access group show ip access list show ip arp inspection configuration show ip arp inspection interface show ip arp inspection log show ip arp inspection statis...

Page 1397: ...ice show lldp info remote device show lldp info statistics show log show logging show logging sendmail show loopback detection show mac access group show mac access list show mac address table show ma...

Page 1398: ...queue weight show radius server show reload show rmon alarms show rmon events show rmon history show rmon statistics show rspan show running config show snmp show snmp engine id show snmp group show...

Page 1399: ...p server view sntp client sntp poll sntp server spanning tree spanning tree bpdu filter spanning tree bpdu guard spanning tree cisco prestandard spanning tree cost spanning tree edge port spanning tre...

Page 1400: ...port tacacs server retransmit tacacs server timeout terminal test cable diagnostics timeout login response time range traceroute traceroute6 traffic segmentation traffic segmentation session traffic s...

Page 1401: ...List 1418 W watchdog software web auth web auth login attempts web auth quiet period web auth re authenticate IP web auth re authenticate Port web auth session timeout web auth system auth control wh...

Search results

Summary of Contents for SSE-G2252

Reviews:

Related manuals for SSE-G2252

Brands by name

Popular brands

Supermicro SSE-G2252, User Manual

Search results

Summary of Contents for SSE-G2252

Reviews:

Related manuals for SSE-G2252

Brands by name

Popular brands