Allied Telesis AT-9000/28 Скачать руководство пользователя | Manualshive

Страница: 1160 / 1278

background image

Chapter 79: Secure HTTPS Web Browser Server

1160

Section XI: Management Security

Overview

The switch has a web browser server for remote management of the unit
with a web browser application from management workstations on your
network. The server has a secure HTTPS mode and a non-secure HTTP
mode. Web browser management sessions that use the secure HTTPS
mode are protected against snooping because the packets exchanged
between the switch and your management workstations are encrypted.
Only the switch and the workstations are able to decipher the packets.

In contrast, web browser management sessions conducted in the non-
secure HTTP mode are vulnerable to eavesdropping because the packets
are sent in clear text.

This chapter explains how to configure the switch for the secure HTTPS
mode. For directions on the non-secure mode, refer to Chapter 77, “Non-
secure HTTP Web Browser Server” on page 1147.

Certificates

When you initiate an HTTPS connection from your management
workstation to the switch, the switch responds by sending a certificate to
your workstation. This file contains the encryption key that the two devices
use to encrypt and decrypt their packets to each other. Also included in
the certificate is a distinguished name that identifies the owner of the
certificate, which in the case of a certificate for your switch, is the switch
itself and your company.

The switch does not come with a certificate. You have to create it, along
with the encryption key and distinguished name, as part of the HTTPS
configuration process.

There are two ways to create the certificate. The quickest and easiest way
is to have the switch create it itself. This type of certificate is called a self-
signed certificate because the switch authenticates the certificate itself.

Another option is to create the encryption key and have someone else
issue the certificate. That person, group, or organization is called a
certification authority (CA), of which there are public and private CAs. A
public CA issues certificates typically intended for use by the general
public, for other companies or organizations. Public CAs require proof of
the identify of the company or organization before they will issue a
certificate. VeriSign is an example of a public CA.

Because the certificate for the switch is not intended for general use and
will only be used by you and other network managers to manage the
device, having a public CA issue the certificate will probably be
unnecessary.

Some large companies have private CAs. This is a person or group that is
responsible for issuing certificates for the company’s network equipment.

«
...
1158
1159
1160
1161
1162
...
»

Содержание AT-9000/28

Страница 1: ...25R 26R 27R 28R PWR SYS MODE COL SPD DUP ACT AT 9000 28 Gigabit Ethernet Switch with 4 Combo SFP Ports SELECT RS 232 CONSOLE 2323 AT 9000 52 Gigabit Ethernet Switch with 4 SFP Ports SELECT PWR SYS 49...

Страница 2: ...ng University of Posts and Telecommunications All rights reserved Copyright c 2003 by Fabasoft R D Software GmbH Co KG All rights reserved Copyright c 2004 2006 by Internet Systems Consortium Inc ISC...

Страница 3: ...esis logo are trademarks of Allied Telesis Incorporated Microsoft and Internet Explorer are registered trademarks of Microsoft Corporation All other product names company names logos or other designat...

Страница 4: ......

Страница 5: ...count 42 AlliedWare Plus Command Modes 43 Moving Down the Hierarchy 46 ENABLE Command 46 CONFIGURE TERMINAL Command 46 CLASS MAP Command 46 LINE CONSOLE 0 Command 47 LINE VTY Command 47 POLICY MAP Com...

Страница 6: ...Command Line Management Commands 77 Question Mark Key 79 CLEAR SCREEN 81 CONFIGURE TERMINAL 82 COPY RUNNING CONFIG STARTUP CONFIG 83 DISABLE 84 DO 85 ENABLE 86 END 87 EXIT 88 LENGTH 89 LOGOUT 91 QUIT...

Страница 7: ...Configuration 147 Enabling or Disabling Ports 148 Enabling or Disabling Backpressure 149 Enabling or Disabling Flow Control 150 Resetting Ports 153 Configuring Threshold Limits for Ingress Packets 15...

Страница 8: ...16 Adding an IPv6 Management Address 216 Adding an IPv6 Default Gateway Address 217 Deleting an IPv6 Management Address and Default Gateway 218 Displaying an IPv6 Management Address and Default Gatewa...

Страница 9: ...85 Overview 286 Command and Member Switches 286 Common VLAN 286 Guidelines 287 General Steps 287 Configuring the Command Switch 289 Configuring a Member Switch 291 Managing the Member Switches of an E...

Страница 10: ...345 NO SWITCHPORT BLOCK EGRESS MULTICAST 346 NO SWITCHPORT BLOCK INGRESS MULTICAST 347 SWITCHPORT BLOCK EGRESS MULTICAST 348 SWITCHPORT BLOCK INGRESS MULTICAST 349 Section III File System 351 Chapter...

Страница 11: ...odem 394 Downloading Files with Enhanced Stacking 396 Downloading New Management Software with Enhanced Stacking 396 Chapter 27 File Transfer Commands 399 COPY FILENAME ZMODEM 400 COPY FLASH TFTP 401...

Страница 12: ...ds 458 Guidelines 458 Creating New Aggregators 460 Setting the Load Distribution Method 461 Adding Ports to Aggregators 462 Removing Ports from Aggregators 463 Deleting Aggregators 464 Displaying Aggr...

Страница 13: ...tocol 523 Configuring the Switch Parameters 524 Setting the Forward Time Hello Time and Max Age 524 Setting the Bridge Priority 525 Enabling or Disabling BPDU Guard 525 Configuring the Port Parameters...

Страница 14: ...N Example 570 Creating VLANs 572 Adding Untagged Ports to VLANs 573 Adding Tagged Ports to VLANs 575 Removing Untagged Ports from VLANs 577 Removing Tagged Ports from VLANs 578 Deleting VLANs 579 Disp...

Страница 15: ...n Switches 639 VLAN Hierarchy 640 Guidelines 641 General Steps 642 Creating MAC Address based VLANs 643 Adding MAC Addresses to VLANs and Designating Egress Ports 644 Removing MAC Addresses 645 Deleti...

Страница 16: ...STACKING 697 Section VIII Port Security 699 Chapter 52 MAC Address based Port Security 701 Overview 702 Static Versus Dynamic Addresses 702 Intrusion Actions 702 Guidelines 703 Configuring Ports 704 E...

Страница 17: ...Access Control on the Switch 745 Displaying Authenticator Ports 746 Displaying EAP Packet Statistics 747 Chapter 55 802 1x Port based Network Access Control Commands 749 AAA AUTHENTICATION DOT1X DEFA...

Страница 18: ...NO SNMP SERVER ENABLE TRAP 809 NO SNMP SERVER ENABLE TRAP AUTH 810 NO SNMP SERVER HOST 811 NO SNMP SERVER VIEW 813 NO SNMP TRAP LINK STATUS 814 SHOW RUNNING CONFIG SNMP 815 SHOW SNMP SERVER 816 SHOW...

Страница 19: ...l LLDP TLVs 879 Optional LLDP MED TLVs 881 Enabling LLDP and LLDP MED on the Switch 884 Configuring Ports to Only Receive LLDP and LLDP MED TLVs 885 Configuring Ports to Send Only Mandatory LLDP TLVs...

Страница 20: ...W LLDP INTERFACE 953 SHOW LLDP LOCAL INFO INTERFACE 955 SHOW LLDP NEIGHBORS DETAIL 957 SHOW LLDP NEIGHBORS INTERFACE 961 SHOW LLDP STATISTICS 963 SHOW LLDP STATISTICS INTERFACE 965 SHOW LOCATION 967 C...

Страница 21: ...20 SHOW RMON STATISTICS 1022 Chapter 67 Advanced Access Control Lists ACLs 1023 Overview 1024 Filtering Criteria 1024 Actions 1024 ID Numbers 1025 How Ingress Packets are Compared Against ACLs 1025 Gu...

Страница 22: ...Special Password 1097 Deactivating Command Mode Restriction and Deleting the Special Password 1098 Activating or Deactivating Password Encryption 1099 Displaying the Local Manager Accounts 1100 Chapt...

Страница 23: ...l Port Number 1150 Disabling the Web Browser Server 1151 Displaying the Web Browser Server 1152 Chapter 78 Non secure HTTP Web Browser Server Commands 1153 SERVICE HTTP 1154 IP HTTP PORT 1155 NO SERVI...

Страница 24: ...S and TACACS Client Commands 1203 AAA ACCOUNTING LOGIN 1205 AAA AUTHENTICATION ENABLE TACACS 1207 AAA AUTHENTICATION LOGIN 1209 IP RADIUS SOURCE INTERFACE 1211 LOGIN AUTHENTICATION 1213 NO LOGIN AUTHE...

Страница 25: ...t Settings 1258 RADIUS Client 1259 Remote Manager Account Authentication 1260 RMON 1261 Secure Shell Server 1262 sFlow Agent 1263 Simple Network Management Protocol SNMPv1 SNMPv2c and SNMPv3 1264 Simp...

Страница 26: ...Contents 26...

Страница 27: ...MAC Address Table Commands 273 Table 23 SHOW MAC ADDRESS TABLE Command Unicast Addresses 283 Table 24 SHOW MAC ADDRESS TABLE Command Multicast Addresses 283 Table 25 Enhanced Stacking Commands 299 Ta...

Страница 28: ...IEW Command 819 Table 77 SNMPv3 Commands 829 Table 78 sFlow Agent Commands 865 Table 79 SHOW COLLECTOR Command 875 Table 80 Mandatory LLDP TLVs 879 Table 81 Optional LLDP TLVs 879 Table 82 Optional LL...

Страница 29: ...CLs Example 1045 Table 122 Assigning Numbered IP ACLs to VTY Lines Example 1046 Table 123 Assigning MAC ACLs to VTY Lines Example 1047 Table 124 Removing Numbered IP ACLs from VTY Lines Example 1049 T...

Страница 30: ...Tables 30...

Страница 31: ...3 Contacting Allied Telesis on page 34 Caution The software described in this documentation contains certain cryptographic functionality and its export is restricted by U S law As of this writing it h...

Страница 32: ...s Note Notes provide additional information Caution Cautions inform you that performing or omitting a specific action may result in equipment damage or loss of data Warning Warnings inform you that pe...

Страница 33: ...Guide 33 Where to Find Web based Guides The installation and user guides for all of the Allied Telesis products are available for viewing in portable document format PDF from our web site at www allie...

Страница 34: ...nty information refer to the Allied Telesis web site at www alliedtelesis com support Returning Products Products for return or repair must first be assigned a return materials authorization RMA numbe...

Страница 35: ...ns the following chapters Chapter 1 AlliedWare Plus Command Line Interface on page 37 Chapter 2 Starting a Management Session on page 59 Chapter 3 Basic Command Line Management on page 71 Chapter 4 Ba...

Страница 36: ...36 Section I Getting Started...

Страница 37: ...on page 38 Management Interfaces on page 41 Local Manager Account on page 42 AlliedWare Plus Command Modes on page 43 Moving Down the Hierarchy on page 46 Moving Up the Hierarchy on page 51 Port Numbe...

Страница 38: ...e a terminal or a PC with a terminal emulator program and the management cable that comes with the switch Note The initial management session of the switch must be from a local management session Remo...

Страница 39: ...t sessions in that it gives you access to the same command line interface and the same functions But where they differ is SSH management sessions are secure against snooping because the packets are en...

Страница 40: ...Line Interface 40 Section I Getting Started Remote Network MIB RFC 1757 Allied Telesis managed switch MIBs The Allied Telesis managed switch MIBs atistackinfo mib and atistackswitch mib are available...

Страница 41: ...itch has two management interfaces AlliedWare Plus command line Web browser windows The AlliedWare Plus command line is available from local management sessions and remote Telnet and Secure Shell mana...

Страница 42: ...anagement modes and commands The default manager account is referred to as local because the switch authenticates the user name and password itself If more manager accounts are needed you can add up t...

Страница 43: ...ore To perform a management function you first have to move to the mode that has the appropriate commands For instance to configure the speeds and wiring configurations of the ports you have to move t...

Страница 44: ...switch settings Lists the files in the file system Pings remote systems Sets the date and time Saves the current configuration Downloads new versions of the management software Restores the default se...

Страница 45: ...f Service policies Port Interface mode config if Configures port settings Disables and enables ports Configures the port mirror Configures 802 1x port based network access control Creates static port...

Страница 46: ...u use this command to move from the User Exec mode to the Privileged Exec mode The format of the command is enable Figure 2 ENABLE Command CONFIGURE TERMINAL Command You use this command to move from...

Страница 47: ...ty line_id The range of the LINE_ID parameter is 0 to 9 For information on the VTY lines refer to VTY Lines on page 62 This example enters the Virtual Terminal Line mode for VTY line 2 Figure 6 LINE V...

Страница 48: ...can configure more than one port at a time This example enters the Port Interface mode for ports 11 to 15 and 22 Figure 10 INTERFACE PORT Command Multiple Ports The INTERFACE PORT command is also loc...

Страница 49: ...mple enters the VLAN Interface mode for a VLAN that has the VID 12 Figure 13 INTERFACE VLAN Command Note A VLAN must be identified in this command by its VID and not by its name INTERFACE TRUNK Comman...

Страница 50: ...LDP civic location entry Figure 15 LLDP LOCATION CIVIC LOCATION Command LOCATION COORD LOCATION Command You use this command to move from the Global Configuration mode to the Coordinate Location mode...

Страница 51: ...ll probably want to return to the User Exec mode or Privileged Exec mode after you have configured a feature to verify your changes with the appropriate SHOW command And while you could step back thro...

Страница 52: ...he Privileged Exec mode use the DISABLE command Figure 19 Returning to the User Exec Mode with the DISABLE Command Privileged Executive Mode User Executive Mode Global Configuration Mode Class Map Mod...

Страница 53: ...networking modules It is used to identify the networking modules by their slot numbers This number should always be 0 for AT 9000 Series switches because they are not modular switches Port number Thi...

Страница 54: ...an also combine individual ports and port ranges in the same command as illustrated in these commands which enter the Port Interface mode for ports 5 to 11 and ports 16 and 18 awplus enable awplus con...

Страница 55: ...n SFP module is installed but does not have a link to a network device The twisted pair port automatically changes to the redundant status mode when an SFP module establishes a link with a network dev...

Страница 56: ...ons This manual uses the following command format conventions screen text font This font illustrates the format of a command and command examples Brackets indicate optional parameters Vertical line se...

Страница 57: ...Initializing System done Initializing Board done Initializing Serial Interface done Initializing Timer Library done Initializing IPC done Initializing Event Log done Initializing Switch Models done In...

Страница 58: ...LAN done Initializing ENCO done Initializing PKI done Initializing PortAccess done Initializing PAAcctRcv done Initializing SSH done Initializing IFM done Initializing IFMV6 done Initializing RTM done...

Страница 59: ...ections Starting a Local Management Session on page 60 Starting a Remote Telnet or SSH Management Session on page 62 What to Configure First on page 64 Ending a Management Session on page 69 Note The...

Страница 60: ...nagement Cable to the Console Port 2 Connect the other end of the cable to an RS 232 port on a terminal or PC with a terminal emulator program 3 Configure the terminal or terminal emulator program as...

Страница 61: ...he initial management session of the switch enter manager as the user name friend as the password The user name and password are case sensitive The local management session has started when the Allied...

Страница 62: ...nfigure First on page 64 or Chapter 9 IPv4 and IPv6 Management Addresses on page 207 For remote SSH management you must create an encryption key pair and configure the SSH server on the switch For ins...

Страница 63: ...ve your workstation unattended during a management session For instructions on how to set this timer refer to Configuring the Management Session Timers on page 107 Number of SHOW command scroll lines...

Страница 64: ...ts shipping container the file when you create it will be nearly empty The quickest and easiest way to create a new boot configuration file and to designate it as the active file is with the BOOT CONF...

Страница 65: ...username manager password clearsky2a Note Write down the new password and keep it in a safe and secure location If you forget the manager password you will not be able to manage the switch if there ar...

Страница 66: ...Ns refer to Chapter 41 Port based and Tagged VLANs on page 559 The network devices i e syslog servers TFTP servers etc must be members of the same subnet as a management IP address or have access to i...

Страница 67: ...interface vlan1 Use the INTERFACE VLAN command to move to the VLAN Interface mode of the Default_VLAN awplus config if ip address 149 82 112 72 24 Assign the management IPv4 address to the switch usi...

Страница 68: ...6 port1 0 23 Enter the Port Interface mode for ports 5 6 and 23 awplus config if switchport access vlan 5 Add the ports as untagged ports to the VLAN with the SWITCHPORT ACCESS VLAN command awplus co...

Страница 69: ...Management Session To end a management session from below the Privileged Exec mode return to the Privileged Exec mode and enter EXIT awplus config exit awplus exit To end a management session from th...

Страница 70: ...Chapter 2 Starting a Management Session 70 Section I Getting Started...

Страница 71: ...mmand Line Management This chapter contains the following sections Clearing the Screen on page 72 Displaying the On line Help on page 73 Saving Your Configuration Changes on page 75 Ending a Managemen...

Страница 72: ...ith commands you can start fresh by entering the CLEAR SCREEN command in the User Exec or Privileged Exec mode If you re in a lower mode you ll have to move up the mode hierarchy to one of these modes...

Страница 73: ...he available parameters for the FLOWCONTROL command in the Port Interface mode Figure 27 Displaying Subsequent Keywords of a Keyword Note You must type a space between the keyword and the question mar...

Страница 74: ...ment 74 Section I Getting Started Figure 28 Displaying the Class of a Parameter awplus enable awplus configure terminal awplus config hostname STRING sysName awplus enable awplus configure terminal aw...

Страница 75: ...the COPY RUNNING CONFIG STARTUP CONFIG command both of which are found in the Privileged Exec mode When you enter either of these command the switch copies its running configuration into the active bo...

Страница 76: ...on I Getting Started Ending a Management Session To end a management session from the Privileged Exec mode enter the EXIT command awplus config exit awplus exit To end a management session from the Us...

Страница 77: ...h the current settings from the switch DISABLE on page 84 Privileged Exec Returns you to the User Exec mode from the Privileged Exec mode DO on page 85 Global Configuration Performs commands in the Pr...

Страница 78: ...oves you up one mode TERMINAL LENGTH on page 93 Privileged Exec Specifies the maximum number of lines that the SHOW commands display at one time on the screen WRITE on page 94 Privileged Exec Updates...

Страница 79: ...displays the available parameters Note You must type a space between a keyword and the question mark Otherwise the on line help returns the previous keyword Typing after a keyword or parameter that re...

Страница 80: ...t Commands 80 Section I Getting Started This example displays the class of the value for the SPANNING TREE HELLO TIME command in the Global Configuration mode awplus enable awplus configure terminal a...

Страница 81: ...and Line User s Guide Section I Getting Started 81 CLEAR SCREEN Syntax clear screen Parameters None Modes User Exec and Privileged Exec modes Description Use this command to clear the screen Example a...

Страница 82: ...ion I Getting Started CONFIGURE TERMINAL Syntax configure terminal Parameters None Mode Privileged Exec mode Description Use this command to move from the Privileged Exec mode to the Global Configurat...

Страница 83: ...anent storage When you enter the command the switch copies its parameter settings into the active boot configuration file The switch saves only those parameters that are not at their default settings...

Страница 84: ...agement Commands 84 Section I Getting Started DISABLE Syntax disable Parameters None Mode Privileged Exec mode Description Use this command to return to the User Exec mode from the Privileged Exec mod...

Страница 85: ...None Mode Global Configuration mode Description Use this command to perform commands in the Privileged Exec mode from the Global Configuration mode Example This example performs the SHOW INTERFACE co...

Страница 86: ...ne Management Commands 86 Section I Getting Started ENABLE Syntax enable Parameters None Mode User Exec mode Description Use this command to move from the User Exec mode to the Privileged Exec mode Ex...

Страница 87: ...User s Guide Section I Getting Started 87 END Syntax end Parameters None Mode All modes below the Global Configuration mode Description Use this command to return to the Privileged Exec mode Example...

Страница 88: ...Getting Started EXIT Syntax exit Parameters None Mode All modes except the User Exec and Privileged Exec modes Description Use this command to move up one mode in the mode hierarchy This command is id...

Страница 89: ...t methods To set this parameter for local management sessions enter the command in the Console Line mode To set this parameter for the ten VTY lines for remote Telnet and SSH sessions enter the same c...

Страница 90: ...Chapter 4 Basic Command Line Management Commands 90 Section I Getting Started awplus config line console 0 awplus config line no length...

Страница 91: ...LOGOUT Syntax logout Parameters None Mode User Exec mode Description Use this command to end a management session Example This example shows the sequence of commands to logout starting from the Globa...

Страница 92: ...Getting Started QUIT Syntax quit Parameters None Mode All modes except the User Exec and Privileged Exec modes Description Use this command to move up one mode in the mode hierarchy This command is id...

Страница 93: ...t want the SHOW commands to pause Mode Privileged Exec mode Description Use this command to specify the maximum number of lines the SHOW commands display at one time on the screen during local managem...

Страница 94: ...ter the command the switch copies its parameter settings into the active boot configuration file The switch saves only those parameters that are not at their default settings Note Parameter changes th...

Страница 95: ...dress Commands on page 221 Chapter 11 Simple Network Time Protocol SNTP Client on page 245 Chapter 12 SNTP Client Commands on page 253 Chapter 13 MAC Address Table on page 265 Chapter 14 MAC Address T...

Страница 96: ...96 Section II Basic Operations...

Страница 97: ...gs on page 100 Manually Setting the Date and Time on page 101 Pinging Network Devices on page 102 Resetting the Switch on page 103 Restoring the Default Settings to the Switch on page 104 Setting the...

Страница 98: ...n mode A name can have up to 39 alphanumeric characters Special characters except for spaces and quotation marks are allowed This example assigns the name Switch12 to the switch awplus enable awplus c...

Страница 99: ...s in length Spaces and special characters are allowed To view the information use the SHOW SYSTEM command in the User Exec and Privileged Exec modes Here is an example that assigns the switch this con...

Страница 100: ...rivileged Exec mode The settings which are displayed in their equivalent command line commands are limited to just those parameters that have been changed from their default values The information inc...

Страница 101: ...rth day of the month is 04 mm Use this variable to specify the month The month must be specified in two digits Include a zero for the first nine months of the year For example June is 06 yyyy Use this...

Страница 102: ...instructs the switch to send ICMP Echo Requests to a network device known by the IP address 149 122 14 15 awplus enable awplus ping 149 122 14 15 The results of the ping are displayed on the screen No...

Страница 103: ...network traffic may be lost The reset can take from thirty seconds to two minutes depending on the number and complexity of the commands in the active boot configuration file Note Any configuration ch...

Страница 104: ...s enable awplus delete Sales_unit cfg awplus reboot If you do not know the name of the active boot configuration file you can display it with the SHOW BOOT command in the Privileged Exec mode Figure 2...

Страница 105: ...figuration file you want to rename The FILENAME2 parameter is the file s new name The extensions of the files must be cfg For example if the name of the active boot configuration file is Sales_unit cf...

Страница 106: ...serial terminal port on the switch This example sets the baud rate of the Console port on the switch to 57600 bps awplus enable awplus configure terminal awplus config conf baud rate set 57600 To disp...

Страница 107: ...set The timer for local management sessions is set in the Line Console mode which is accessed using the LINE CONSOLE 0 command from the Global Configuration mode This example of the commands sets the...

Страница 108: ...one person can manage the unit at a time You set the maximum number of sessions with the SERVICE MAXMANAGER command in the Global Configuration mode The default is three manager sessions This example...

Страница 109: ...ver you use the CLEAR SCREEN command to clear the screen The banners are not displayed by web browser management sessions The commands for setting the banners are located in the Global Configuration m...

Страница 110: ...able awplus configure terminal awplus config banner login Type CTRL D to finish This switch is located in building 2A wiring closet 4M awplus config Here is an example of the BANNER EXEC command awplu...

Страница 111: ...Exec Restores the default settings to all the parameter settings on the switch EXEC TIMEOUT on page 119 Line Console Sets the console timer which is used to end inactive management sessions HOSTNAME...

Страница 112: ...n file SHOW SWITCH on page 133 Privileged Exec Displays general information about the switch SHOW SYSTEM on page 135 User Exec Displays general information about the switch SHOW USERS on page 136 Priv...

Страница 113: ...inish is displayed on your screen Enter a banner message of up to 256 characters Spaces and special characters are allowed When you are finished hold down the CTRL key and type D Web browser managemen...

Страница 114: ...rompt Type CTRL D to finish is displayed on your screen Enter a login message of up to 4 000 characters Spaces and special characters are allowed When you are finished hold down the CTRL key and type...

Страница 115: ...n your screen Enter a message of the day banner of up to 256 characters Spaces and special characters are allowed When you are finished hold down the CTRL key and type D Web browser management session...

Страница 116: ...ions of the switch Note If you change the baud rate of the serial terminal port during a local management session your session will be interrupted To resume the session you must change the speed of yo...

Страница 117: ...st be specified in two digits Include a zero for the first nine months of the year For example June is 06 year Specifies the year The year must be specified in four digits for example 2011 or 2012 Mod...

Страница 118: ...ings Caution The switch will not forward network traffic while it initializes its management software Some network traffic may be lost To resume managing the switch after restoring the default setting...

Страница 119: ...is deemed inactive by the switch if there is no management activity for the duration of a timer Local management sessions which are conducted through the Console port on the switch and remote Telnet...

Страница 120: ...t Commands 120 Section II Basic Operations This example sets the session timer for the first vty 0 Telnet or SSH session to 5 minutes awplus enable awplus configure terminal awplus config line vty 0 a...

Страница 121: ...contain special characters except for spaces and quotation marks Mode Global Configuration mode Description Use this command to assign the switch a name The switch displays the name in the command li...

Страница 122: ...Parameters None Mode Global Configuration mode Description Use this command to enter the Line Console mode to set the session timer and to activate or deactivate remote authentication for local manage...

Страница 123: ...command to enter the Virtual Terminal Line mode for a VTY line to set the session timer or to activate or deactivate remote authentication for Telnet or SSH management sessions Refer to EXEC TIMEOUT...

Страница 124: ...s None Mode Global Configuration mode Description Use this command to delete the switch s name without assigning a new name Example This example deletes the current name of the switch without assignin...

Страница 125: ...k device such as a RADIUS server or a Telnet client to troubleshoot communication problems Note To send ICMP Echo Requests the switch must have a management IP address For background information refer...

Страница 126: ...it initializes its management software Some network traffic may be lost The reset can take from 10 seconds to two minutes depending on the number and complexity of the commands in the active boot conf...

Страница 127: ...rk traffic while it initializes its management software Some network traffic may be lost The reset can take from 10 seconds to two minutes depending on the number and complexity of the commands in the...

Страница 128: ...Chapter 6 Basic Switch Management Commands 128 Section II Basic Operations Example The following example resets the switch awplus enable awplus reload...

Страница 129: ...mode Description Use this command to set the maximum number of manager sessions that can be open on the switch simultaneously This feature makes it possible for more than one person to manage the unit...

Страница 130: ...e port used for local management sessions of the switch Here is an example of the information Figure 32 SHOW BAUD RATE Command To set the baud rate refer to BAUD RATE SET on page 116 Note The baud rat...

Страница 131: ...II Basic Operations 131 SHOW CLOCK Syntax show clock Parameters None Modes User Exec mode Description Use this command to display the system s current date and time Example This example displays the...

Страница 132: ...mmand line commands The command displays only the settings that have been changed from their default values and includes those values that have not yet been saved in the active boot configuration file...

Страница 133: ...e Version v1 0 0 Application Software Build date May 2010 10 24 12 MAC Address 00 15 77 CC E2 42 Console Disconnect Timer Interval 10 minute s Telnet Server status Enabled MAC address aging time 300 s...

Страница 134: ...119 Telnet Server Status The status of the Telnet server The switch can be remotely managed from a Telnet client on your network when the server is enabled When the server is disabled the switch cann...

Страница 135: ...n Figure 34 SHOW SYSTEM Command Example This example displays general information about the switch awplus show system Switch System Status Fri 16 Sep 2011 00 37 26 Board ID Bay Board Name Rev Serial N...

Страница 136: ...the device with a web browser application or an SNMP application are not displayed by this command Figure 35 is an example of the information Figure 35 SHOW USERS Command The columns are described in...

Страница 137: ...er to whom the account belongs to entered a command on the switch The value will always be zero for the account you are currently using to manage the switch Location The network device from which the...

Страница 138: ...nd to add contact information to the switch The contact information is usually the name of the person who is responsible for managing the unit To remove the current contact information without adding...

Страница 139: ...escription Use this command to add location information to the switch To remove the current location information without adding new information use the NO form of this command Confirmation Command SHO...

Страница 140: ...a europe Europe japan Japan korea Korea nz New Zealand usa USA Mode Global Configuration mode Description Use this command to specify the territory of the switch The territory setting is not currently...

Страница 141: ...AT 9000 Switch Command Line User s Guide Section II Basic Operations 141 awplus configure terminal awplus config no system territory...

Страница 142: ...Chapter 6 Basic Switch Management Commands 142 Section II Basic Operations...

Страница 143: ...Enabling or Disabling Ports on page 148 Enabling or Disabling Backpressure on page 149 Enabling or Disabling Flow Control on page 150 Resetting Ports on page 153 Configuring Threshold Limits for Ingr...

Страница 144: ...paces and special characters are allowed You can assign a description to more than one port at a time To remove the current description from a port without assigning a new description use the NO form...

Страница 145: ...iation for duplex mode You should review the following information before configuring the ports Auto Negotiation may be activated separately for speed and duplex mode on a port For instance you may ac...

Страница 146: ...onfig interface port1 0 2 port1 0 4 awplus config if speed 10 awplus config if duplex full This example sets the speed on port 15 to Auto Negotiation and the duplex mode to half duplex awplus enable a...

Страница 147: ...configuration is the POLARITY command in the Port Interface mode Here is the format of the command polarity auto mdi mdix The AUTO setting activates auto MDI MDIX which enables a port to detect the wi...

Страница 148: ...ork device To disable ports use the SHUTDOWN command in the Port Interface mode To enable ports again use the NO SHUTDOWN command This example disables ports 1 to 4 awplus enable awplus configure term...

Страница 149: ...eeds and duplex modes manually If you enable backpressure the default setting a port initiates backpressure when it needs to prevent a buffer overrun from packet congestion If you disable backpressure...

Страница 150: ...on off The FLOWCONTROL SEND command controls whether or not a port sends pause packets during periods of packet congestion If you set it to ON the port sends pause packets when it reaches the point o...

Страница 151: ...disable flow control use the NO FLOWCONTROL command in the Port Interface mode This example disables flow control on ports 22 and 23 awplus enable awplus configure terminal awplus config interface po...

Страница 152: ...Chapter 7 Port Parameters 152 Section II Basic Operations If flow control isn t configured on a port this message is displayed Flow control is not set on interface port1 0 2...

Страница 153: ...SET command in the Port Interface mode This command performs a hardware reset The port parameter settings are retained The reset takes just a second or two to complete This example resets ports 16 and...

Страница 154: ...rameter the acronym for database lookup failure is for unknown unicast packets The VALUE parameter specifies the maximum permitted number of ingress packets per second a port will accept The range is...

Страница 155: ...lus config if no storm control broadcast This example disables unknown unicast rate limiting on port 5 6 and 15 awplus enable awplus configure terminal awplus config interface port1 0 5 port1 0 6 port...

Страница 156: ...s accomplished with the RENEGOTIATE command in the Port Interface mode The command does not have any parameters A port must already be set to Auto Negotiation before you can use this command This exam...

Страница 157: ...e default settings on a port use the PURGE command in the Port Interface mode This example returns ports 12 13 and 15 to their default settings awplus enable awplus configure terminal awplus config in...

Страница 158: ...d duplex mode settings for ports 18 and 20 awplus show interface port1 0 18 port1 0 20 status Here is an example of the information the command displays Figure 37 SHOW INTERFACE STATUS Command The col...

Страница 159: ...an example of the display Figure 39 SHOW RUNNING CONFIG INTERFACE Command For a description of the command see SHOW RUNNING CONFIG INTERFACE on page 202 Interface port1 0 1 Link is UP administrative s...

Страница 160: ...at of the command show platform table port port counters This example displays the statistics for ports 23 and 24 awplus show platform table port port1 0 23 port1 0 24 counter The statistics are descr...

Страница 161: ...0 Port Interface Sets a limit on the amount of traffic that can be transmitted per second from the port FCTRLLIMIT on page 171 Port Interface Specifies threshold levels for flow control FLOWCONTROL on...

Страница 162: ...W INTERFACE STATUS on page 193 Privileged Exec Displays the speed and duplex mode settings of the ports SHOW PLATFORM TABLE PORT on page 195 Privileged Exec Displays packet statistics for the individu...

Страница 163: ...This prevents a buffer overrun and the subsequent loss and retransmission of network packets A port initiates backpressure by transmitting on the shared link to cause a data collision which causes it...

Страница 164: ...is example configures ports 8 and 21 to 100 Mbps half duplex mode with backpressure disabled awplus enable awplus configure terminal awplus config interface port1 0 8 port1 0 21 awplus config if speed...

Страница 165: ...o 7935 cells The default value is 7935 cells Mode Port Interface mode Description Use this command to specify a threshold level for backpressure on a port Confirmation Command SHOW RUNNING CONFIG on p...

Страница 166: ...ou want to clear You can specify more than one port at a time in the command Mode User Exec mode and Privileged Exec mode Description Use this command to clear the packet counters of the ports To disp...

Страница 167: ...be easier to identify if they have descriptions Use the NO form of this command to remove descriptions from ports without assigning new descriptions Confirmation Command SHOW INTERFACE on page 190 Ex...

Страница 168: ...lex can both send and receive packets simultaneously Note To avoid a duplex mode mismatch between switch ports and network devices do not select Auto Negotiation on ports that are connected to network...

Страница 169: ...mode on port 11 half duplex awplus enable awplus configure terminal awplus config interface port1 0 11 awplus config if duplex half This example configures the duplex mode with Auto Negotiation on po...

Страница 170: ...00 000 kilobits per second Mode Port Interface mode Description Use this command to set a limit on the amount of traffic that can be transmitted per second from the port Confirmation Command SHOW RUNN...

Страница 171: ...nge is 1 to 7935 cells The default value is 7935 cells Mode Port Interface mode Description Use this command to specify threshold levels for flow control on the ports Confirmation Command SHOW RUNNING...

Страница 172: ...s experiencing traffic congestion initiates flow control by sending pause packets These packets instruct the link partner to stop transmitting packets A port continues to issue pause packets so long a...

Страница 173: ...0 19 awplus config if speed 100 awplus config if duplex full awplus config if flowcontrol send on awplus config if flowcontrol receive on This example configures ports 18 to 21 and 24 to 10 Mbps full...

Страница 174: ...Chapter 8 Port Parameter Commands 174 Section II Basic Operations awplus config if duplex full awplus config if flowcontrol send off awplus config if flowcontrol receive on...

Страница 175: ...nner An oversubscribed port can prevent other ports from forwarding packets to each other because ingress packets on a port are buffered in a First In First Out FIFO manner If a port has at the head o...

Страница 176: ...e oversubscribed port For example referring to the figure above when the utilization of the storage capacity of port D exceeds the threshold the switch signals the other ports to discard packets desti...

Страница 177: ...hange in its link state To disable link traps on a port refer to NO LINKTRAP on page 180 Note For the switch to send SNMP traps you must activate SNMP and specify one or more trap receivers For instru...

Страница 178: ...rt Interface mode Description Use this command to disable egress rate limiting on the ports Confirmation Command SHOW RUNNING CONFIG on page 132 Example This example disable egress rate limiting on th...

Страница 179: ...ter None Mode Port Interface mode Description Use this command to disable flow control on ports Confirmation Command SHOW FLOWCONTROL INTERFACE on page 188 Example This example disables flow control o...

Страница 180: ...raps on the ports of the switch The switch does not send traps when a port on which link trap is disabled experiences a change in its link state i e goes up or down Confirmation Command SHOW INTERFACE...

Страница 181: ...Interface mode Description Use this command to enable ports so that they forward packets again This is the default setting for a port Confirmation Command SHOW RUNNING CONFIG on page 132 Example This...

Страница 182: ...NING CONFIG on page 132 Examples This example removes the threshold limit for broadcast packets on port 12 awplus enable awplus configure terminal awplus config interface port1 0 12 awplus config if n...

Страница 183: ...as MDI medium dependent interface and MDI X medium dependent interface crossover To forward traffic a port on the switch and a port on a network device must have different settings For instance the wi...

Страница 184: ...rameter Commands 184 Section II Basic Operations This example activates auto MDI MDIX on ports 1 to 3 awplus enable awplus configure terminal awplus config interface port1 0 1 port1 0 3 awplus config...

Страница 185: ...default settings to these port parameters Enabled status NO SHUTDOWN Description Speed Duplex mode MDI MDI X Flow control Backpressure Head of line blocking threshold Backpressure cells Example This...

Страница 186: ...egotiate its speed and duplex mode with its network device You might use this command if you believe that a port and a network device did not establish the highest possible common settings during the...

Страница 187: ...ion Use this command to perform a hardware reset on the ports The ports retain their parameter settings The reset takes only a second or two to complete You might reset a port if it is experiencing a...

Страница 188: ...elds are described in Table 9 Port Send Receive RxPause TxPause admin admin 1 0 13 yes yes 6520 7823 Table 9 SHOW FLOWCONTROL INTERFACE Command Parameter Description Port Port number Send admin Whethe...

Страница 189: ...asic Operations 189 Example This command displays the flow control settings for port 2 awplus show flowcontrol interface port1 0 2 TxPause The number of transmitted pause packets Table 9 SHOW FLOWCONT...

Страница 190: ...state is UP Address is 0015 77cc e243 Description index 1 mtu 9198 Unknown Ingress Multicast Blocking Disabled Unknown Egress Multicast Blocking Disabled SNMP link status traps Enabled Suppressed in 0...

Страница 191: ...ort Description The port s description To set the description refer to DESCRIPTION on page 167 Index mtu The maximum packet size of the ports The ports have a maximum packet size of 9198 bytes This is...

Страница 192: ...Section II Basic Operations Examples This command displays the current operational state of all the ports awplus show interface This command displays the current operational state of ports 1 to 4 awpl...

Страница 193: ...Command The fields are described in Table 11 Port Name Status Vlan Duplex Speed Type port1 0 1 Port_01 down 3 half 100 10 100 1000Base T port1 0 2 Port_02 up 11 auto auto 10 100 1000Base T port1 0 2...

Страница 194: ...and 18 awplus show interface port1 0 17 port1 0 18 status Duplex The duplex mode setting of the port The setting can be half full or auto for Auto Negotiation To set the duplex mode refer to DUPLEX on...

Страница 195: ...ter displays the statistics for all the ports The statistics are described in Table 12 To clear the packet counters refer to CLEAR PORT COUNTER on page 166 Table 12 SHOW PLATFORM TABLE PORT COUNTERS C...

Страница 196: ...signals the port has encountered UnsupportOpcode Number of MAC Control frames with unsupported opcode UndersizePkts Number of frames that were less than the minimum length as specified in the IEEE 80...

Страница 197: ...kets that were discarded prior to transmission because of an error ipInHdrErrors Number of ingress packets that were discarded because of a hardware error Miscellaneous Counters MAC TxErr Number of fr...

Страница 198: ...command to display information about the SFP modules in the switch Figure 44 SHOW SYSTEM PLUGGABLE Command Example This example displays SFP module information awplus show system pluggable System Plu...

Страница 199: ...on page 198 Figure 45 SHOW SYSTEM PLUGGABLE DETAIL Command The OM1 field specifies the link length supported by the pluggable transceiver using 62 5 micron multi mode fiber The OM2 field specifies th...

Страница 200: ...igure 46 shows an example of the information when you enter the following command awplus show storm control port1 0 15 Figure 46 SHOW STORM CONTROL Command See Table 13 for a description of the table...

Страница 201: ...m control This command displays the settings of ports 15 and 18 awplus show storm control port1 0 15 port1 0 18 DlfLevel Indicates the maximum number of unknown unicast packets destination lookup fail...

Страница 202: ...displays only the settings that have been changed from their default values and includes those values that have not yet been saved in the active boot configuration file See Figure 47 for an example d...

Страница 203: ...isable ports that are unused to secure them from unauthorized use or that are having problems with network cables or their link partners The default setting for the ports is enabled To reactivate a po...

Страница 204: ...n Mode Port Interface mode Description Use this command to manually set the speeds of the twisted pair ports or to activate Auto Negotiation Confirmation Commands Configured speed SHOW INTERFACE STATU...

Страница 205: ...esholds for the ingress packets on the ports Ingress packets that exceed the thresholds are discarded by the ports Thresholds can be set independently for broadcast packets multicast packets and unkno...

Страница 206: ...wplus enable awplus configure terminal awplus config interface port1 0 4 awplus config if storm control multicast level 100000 This example sets the threshold level of 200 000 packets per second for i...

Страница 207: ...Management Addresses This chapter contains the following information Overview on page 208 Assigning an IPv4 Management Address and Default Gateway on page 211 Assigning an IPv6 Management Address and...

Страница 208: ...address Table 14 Features that Require an IP Management Address Feature Description Supported by IPv4 Address Supported by IPv6 Address 802 1x port based network access control Used for port security...

Страница 209: ...your network for storage yes TACACS client Used for remote management authentication using a TACACS server on your network yes Telnet client Used to manage other network devices from the switch yes T...

Страница 210: ...ent address can be assigned manually or from a DHCP server on your network To learn the switch s MAC address to add to a DHCP server refer to SHOW SWITCH on page 133 An IPv6 address must be assigned m...

Страница 211: ...mmand ip address ipaddress mask dhcp The IPADDRESS parameter is the IPv4 management address to be assigned the switch The address is specified in this format nnn nnn nnn nnn Each NNN is a decimal numb...

Страница 212: ...awplus configure terminal Enter the Global Configuration mode awplus config vlan database Use the VLAN DATABASE command to enter the VLAN Configuration mode awplus config vlan vlan 17 name Tech_suppor...

Страница 213: ...r of the same subnet as the management IPv4 address The command for assigning the default gateway is the IP ROUTE command in the Global Configuration mode Here is the format ip route 0 0 0 0 0 ipaddre...

Страница 214: ...DDRESS DHCP command This example of the command deletes the management address assigned by a DHCP server from a VLAN on the switch with the VID of 23 awplus enable awplus configure terminal awplus con...

Страница 215: ...xec mode awplus show ip interface Here is an example of the information from the command Figure 49 SHOW IP INTERFACE Command The columns are defined in Table 16 on page 239 Destination Mask NextHop In...

Страница 216: ...r instructions refer to Chapter 41 Port based and Tagged VLANs on page 559 If the switch already has an IPv4 address the IPv6 address must be assigned to the same VLAN as that address Here is the form...

Страница 217: ...nterface vlan8 awplus config vlan ipv6 address 1857 80cf d54 1a 8f57 64 awplus config vlan exit Note You cannot use a DHCP server to assign the switch a dynamic IPv6 address The switch supports only a...

Страница 218: ...V6 ADDRESS command in the VLAN Interface mode in which the current address is assigned This example of the command deletes the address from a VLAN with the VID 21 awplus enable awplus configure termin...

Страница 219: ...s is with the SHOW IPV6 INTERFACE command shown here awplus show ipv6 interface Here is an example of the information from the command Figure 51 SHOW IPV6 INTERFACE Command The columns are defined in...

Страница 220: ...Chapter 9 IPv4 and IPv6 Management Addresses 220 Section II Basic Operations...

Страница 221: ...address IPV6 ADDRESS on page 230 VLAN Interface Assigns the switch a static IPv6 management address IPV6 ROUTE on page 232 Global Configuration Assigns the switch an IPv6 default gateway address NO IP...

Страница 222: ...Operations SHOW IPV6 INTERFACE on page 242 Privileged Exec Displays the IPv4 management address SHOW IPV6 ROUTE on page 243 Privileged Exec Displays the IPv6 management address and default gateway Ta...

Страница 223: ...R IPV6 NEIGHBORS Syntax clear ipv6 neighbors Parameters none Mode Privileged Exec mode Description Use this command to clear all of the dynamic IPv6 neighbor entries Example This example clears all of...

Страница 224: ...alent to masks 255 255 0 0 and 255 255 255 0 respectively Mode VLAN Interface mode Description Use this command to manually assign the switch an IPv4 management address You must perform this command f...

Страница 225: ...efault_VLAN which has the VID 1 awplus enable awplus configure terminal awplus config interface vlan1 awplus config vlan ip address 142 35 78 21 24 This example assigns the switch the IPv4 management...

Страница 226: ...the VLAN to which you want to assign the address The switch must have a management IPv4 address to support the features listed in Table 14 on page 208 The switch can have only one IPv4 address and it...

Страница 227: ...This example activates the DHCP client so that the switch obtains its IPv4 management address from a DHCP server on your network The address is applied to a VLAN with the VID 4 awplus enable awplus co...

Страница 228: ...nagement network devices such as Telnet clients and syslog servers that are not members of the same subnet as its IPv4 address You must assign the switch a default gateway address if both of the follo...

Страница 229: ...Line User s Guide Section II Basic Operations 229 Example This example assigns the switch the IPv4 default gateway address 143 87 132 45 awplus enable awplus configure terminal awplus config ip route...

Страница 230: ...ubnet mask of the address The mask is a decimal number that represents the number of bits from left to right that constitute the network portion of the address For example an address whose network des...

Страница 231: ...TE on page 243 Examples This example assigns the IPv6 management address 4c57 17a9 11 190 a1d4 64 to the Default_VLAN which has the VID 1 awplus enable awplus configure terminal awplus config interfac...

Страница 232: ...t gateway is an address of an interface on a router or other Layer 3 device It defines the first hop to reaching the remote subnets or networks where the network devices are located You must assign th...

Страница 233: ...User s Guide Section II Basic Operations 233 Example This example assigns the switch the IPv6 default gateway address 45ab 672 934c 78 17cb awplus enable awplus configure terminal awplus config ipv6 r...

Страница 234: ...rform this command from the VLAN Interface mode of the VLAN to which the address is attached Note The switch uses the IPv4 management address to perform the features listed Table 14 on page 208 If you...

Страница 235: ...the address is attached This command also disables the DHCP client Note The switch uses the IPv4 management address to perform the features listed Table 14 on page 208 If you delete it the switch wil...

Страница 236: ...ault gateway Mode Global Configuration mode Description Use this command to delete the current IPv4 default gateway The command must include the current default gateway Confirmation Command SHOW IP RO...

Страница 237: ...which the address is attached Note The switch uses the IPv6 management address to perform the features listed Table 14 on page 208 If you delete it the switch will not support the features unless it a...

Страница 238: ...de Global Configuration mode Description Use this command to delete the current IPv6 default gateway from the switch The command must include the current default gateway Confirmation Command SHOW IPV6...

Страница 239: ...E Command The fields are described in Table 16 Example The following example displays the management IP address assigned to a switch awplus show ip interface Interface IP Address Status Protocol VLAN1...

Страница 240: ...Protocol RIPMetric 149 102 34 0 255 255 255 0 149 102 34 198 VLAN14 0 INTERFACE 1 0 0 0 0 0 0 0 0 149 102 34 212 VLAN14 0 STATIC 1 Table 17 SHOW IP ROUTE Command Parameter Description Destination Not...

Страница 241: ...mple The following example displays the management IP address and the default gateway on the switch awplus show ip route Protocol Not applicable to the AT 9000 Switch RIPMetric Not applicable to the A...

Страница 242: ...INTERFACE Command The fields are described in Table 18 Example The following example displays the IPv6 management address awplus show ipv6 interface Interface IPv6 Address Status Protocol VLAN3 0 832a...

Страница 243: ...t gateway on the switch Figure 55 is an example of the information The default route is display first followed by the management address Figure 55 SHOW IPV6 ROUTE Command Example The following example...

Страница 244: ...Chapter 10 IPv4 and IPv6 Management Address Commands 244 Section II Basic Operations...

Страница 245: ...tion Overview on page 246 Activating the SNTP Client and Specifying the IP Address of an NTP or SNTP Server on page 247 Configuring Daylight Savings Time and UTC Offset on page 248 Disabling the SNTP...

Страница 246: ...Daylight Savings Time For instructions refer to Configuring Daylight Savings Time and UTC Offset on page 248 You must specify the offset of the switch from Coordinated Universal Time UTC For instruct...

Страница 247: ...P address of an NTP or SNTP server use the NTP PEER command in the Global Configuration mode You can specify the IP address of only one server This example of the command specifies 1 77 122 54 as the...

Страница 248: ...ying the IP Address of an NTP or SNTP Server on page 247 This table lists the commands you use to configure the daylight savings time and UTC offset The commands are located in the Global Configuratio...

Страница 249: ...AT 9000 Switch Command Line User s Guide Section II Basic Operations 249 awplus config no clock summer time awplus config clock timezone 02 45...

Страница 250: ...sic Operations Disabling the SNTP Client To disable the SNTP client so that the switch doesn t obtain its date and time from an NTP or SNTP server use the NO PEER command in the Global Configuration m...

Страница 251: ...yed Figure 56 SHOW NTP ASSOCIATIONS Command The fields are described in Table 21 on page 261 To learn whether the switch has synchronized its time with the designated NTP or SNTP server use the SHOW N...

Страница 252: ...e Network Time Protocol SNTP Client 252 Section II Basic Operations Displaying the Date and Time To display the date and time use the SHOW CLOCK command in the User Exec mode or Privileged Exec mode a...

Страница 253: ...ctivates Daylight Savings Time and enables Standard Time NO NTP PEER on page 257 Global Configuration Disables the NTP client NTP PEER on page 258 Global Configuration Specifies the IP address of the...

Страница 254: ...f the switch is in a locale that uses DST you must remember to enable this in April when DST begins and disable it in October when DST ends If the switch is in a locale that does not use DST set this...

Страница 255: ...he default is 00 00 Mode Global Configuration mode Description Use this command to set the UTC offset which is used by the switch to convert the time from an SNTP or NTP server into local time You mus...

Страница 256: ...r time Parameters None Mode Global Configuration mode Description Use this command to disable Daylight Savings Time DST and activate Standard Time ST on the SNTP client Confirmation Command SHOW NTP A...

Страница 257: ...to deactivate the SNTP client on the switch When the client is disabled the switch does not obtain its date and time from an SNTP or NTP server the next time it is reset or power cycled Confirmation...

Страница 258: ...witch and to specify the IP address of the SNTP or NTP server from which it is to obtain its date and time You can specify only one SNTP or NTP server After you enter this command the switch automatic...

Страница 259: ...Mode Global Configuration mode Description Use this command to disable the SNTP client delete the IP address of the SNTP or NTP server and restore the client settings to the default values Confirmatio...

Страница 260: ...ommands 260 Section II Basic Operations SHOW CLOCK Syntax show clock Parameters None Modes User Exec mode and Privileged Exec mode Description Use this command to display the switch s date and time Ex...

Страница 261: ...ed here SNTP Configuration Status Enabled Server 172 17 118 15 UTC Offset 2 Daylight Savings Time DST Enabled Table 21 SHOW NTP ASSOCIATIONS Command Parameter Description Status The status of the SNTP...

Страница 262: ...C and local time The range is 12 to 12 hours The default is 0 hours This value is set with CLOCK TIMEZONE on page 255 Daylight Savings Time DST The status of the daylight savings time setting The stat...

Страница 263: ...he switch has synchronized its time with the specified NTP or SNTP server An example of the information is shown in Figure 59 Figure 59 SHOW NTP STATUS Command The IP address is the address of the NTP...

Страница 264: ...Chapter 12 SNTP Client Commands 264 Section II Basic Operations...

Страница 265: ...Table This chapter discusses the following topics Overview on page 266 Adding Static MAC Addresses on page 268 Deleting MAC Addresses on page 269 Setting the Aging Timer on page 271 Displaying the MAC...

Страница 266: ...s the packet to all its ports excluding the port where the packet was received If the ports are grouped into virtual LANs the switch floods the packet only to those ports that belong to the same VLAN...

Страница 267: ...seconds 5 minutes You can also enter addresses manually into the table These addresses are referred to as static addresses Static MAC addresses remain in the table indefinitely and are never deleted e...

Страница 268: ...d You can specify just one port vlan name or VID Use this variable to specify the name or the ID number of the VLAN of the port of the address This information is optional in the command This example...

Страница 269: ...and xx xx xx xx xx xx interface You can use this parameter to delete all of the static or dynamic addresses on a particular port You can specify more than one port at a time vlan You can use this para...

Страница 270: ...static addresses added to ports 2 to 5 awplus enable awplus clear mac address table static interface port1 0 2 port1 0 5 This example deletes all of the dynamic addresses learned on the ports of the V...

Страница 271: ...work devices are inactive To set the aging timer use the MAC ADDRESS TABLE AGEING TIME command in the Global Configuration mode Here is the format of the command mac address table ageing time value Th...

Страница 272: ...ed on port 2 awplus show mac address table interface port1 0 2 This example displays the addresses learned on the ports in a VLAN with the VID 8 awplus show mac address table vlan 8 Aging Interval 300...

Страница 273: ...EING TIME on page 276 Global Configuration Sets the aging timer which is used by the switch to identify inactive dynamic MAC addresses for deletion from the table MAC ADDRESS TABLE STATIC on page 278...

Страница 274: ...ress Specifies the port the MAC addresses to be deleted was learned on You can specify more than one port vlan Deletes MAC addresses learned on a specific VLAN macaddress Specifies the VID of the VLAN...

Страница 275: ...all of the dynamic addresses learned on ports 17 to 20 awplus enable awplus clear mac address table dynamic interface port1 0 17 port1 0 20 This example deletes all of the static addresses added to po...

Страница 276: ...nsidered inactive if no packets are sent to or received from the corresponding node for the duration of the timer Setting the aging timer to 0 disables the timer No dynamic MAC addresses are aged out...

Страница 277: ...mmand Line User s Guide Section II Basic Operations 277 This example returns the aging timer to its default setting of 300 seconds awplus enable awplus configure terminal awplus config no mac address...

Страница 278: ...s is to be assigned A unicast MAC address can be added to just one port vlan name Specifies the name of the VLAN where the node designated by the MAC address is a member vid Specifies the ID number of...

Страница 279: ...terface port1 0 4 vlan Production This example adds the static MAC address 00 A0 D2 18 1A 11 to port 7 in the Default_VLAN which has the VID 1 The port discards the packets from the specified node awp...

Страница 280: ...ed source MAC address port Specifies the port s where the MAC address is assigned vlan name Specifies the name of the VLAN where the node of the MAC address is a member This parameter is optional vid...

Страница 281: ...rding packets of the owner of the address awplus enable awplus configure terminal awplus config no mac address table static 00 A0 D2 18 1A 11 forward interface port1 0 12 vlan 1 This example deletes t...

Страница 282: ...a particular port or VLAN An example of the table is shown in Figure 61 Figure 61 SHOW MAC ADDRESS TABLE Command Aging Interval 300 second s Switch Forwarding Database Total Number of MAC Addresses 12...

Страница 283: ...he port is an untagged member Port The port where the address was learned or assigned The MAC address with port 0 is the address of the switch MAC The dynamic or static unicast MAC address learned on...

Страница 284: ...he entire MAC address table awplus show mac address table This example displays the MAC addresses learned on ports 1 to 4 awplus show mac address table interface port1 0 1 port1 0 4 This example displ...

Страница 285: ...wing topics Overview on page 286 Configuring the Command Switch on page 289 Configuring a Member Switch on page 291 Managing the Member Switches of an Enhanced Stack on page 293 Changing the Enhanced...

Страница 286: ...witches in the stack are known as member switches They can be managed either through the command switch with enhanced stacking or from local or remote management sessions Common VLAN The switches of a...

Страница 287: ...igning groups of AT 9000 Switches to different common VLANs The enhanced stacking feature on the AT 9000 Switch is not compatible with the same feature on other Allied Telesis switches such as the AT...

Страница 288: ...anage the stack from management workstations that are not members of the same subnet as the switch assign the command switch a default gateway that defines the first hop to reaching the subnet of the...

Страница 289: ...e not in the same subnet as the command switch 1 This step creates the common VLAN awplus enable Enter the Privileged Exec mode from the User Exec mode awplus configure terminal Enter the Global Confi...

Страница 290: ...LAN awplus config if ip address 149 22 88 5 24 Assign the VLAN the management IP address 149 22 88 5 and the subnet mask 255 255 255 0 awplus config if exit Return to the Global Configuration mode awp...

Страница 291: ...he member mode because that is the default setting awplus enable Enter the Privileged Executive mode from the User Executive mode awplus configure terminal Enter the Global Configuration mode awplus c...

Страница 292: ...nd in the Privileged Executive mode 4 Connect the switches together using ports of the common VLAN awplus config estack run Activate enhanced stacking on the switch awplus config exit Return to the Pr...

Страница 293: ...here Figure 62 SHOW ESTACK REMOTELIST Command 3 Use the RCOMMAND command in the Global Configuration mode to redirect the management session from the command switch to one of the member switches in t...

Страница 294: ...from the User Exec mode or Privileged Exec mode to return the management session to the command switch 7 To manage another member switch in the enhanced stack repeat this procedure starting with step...

Страница 295: ...member switch will not allow you to change its mode to the command mode if it is part of an active stack The easiest way to determine whether the switch is part of an active stack is to use the SHOW E...

Страница 296: ...r to command with the ESTACK COMMAND SWITCH command 3 On the original command switch restart enhanced stacking with the ESTACK RUN command and if desired reestablish its command mode with the ESTACK C...

Страница 297: ...may only use the command when you are managing a switch directly from a local management session or a remote Telnet SSH or web browser session When you disable enhanced stacking on a command switch yo...

Страница 298: ...Chapter 15 Enhanced Stacking 298 Section II Basic Operations...

Страница 299: ...Configuration Disables enhanced stacking on the switch RCOMMAND on page 304 Global Configuration Redirects the management session to a different switch in the enhanced stack REBOOT ESTACK MEMBER on p...

Страница 300: ...N on page 301 A switch that is a member of an active enhanced stack cannot be changed to the command mode You must first disable enhanced stacking on the current command switch in the stack You cannot...

Страница 301: ...301 ESTACK RUN Syntax estack run Parameter None Mode Global Configuration mode Description Use this command to activate enhanced stacking on the switch Confirmation Command SHOW ESTACK on page 307 Exa...

Страница 302: ...the mode to command mode and now want to return it to member mode Enhanced stacking must be activated on the switch for you to use the command To activate enhanced stacking refer to ESTACK RUN on pag...

Страница 303: ...k When you disable enhanced stacking on the command switch its mode is reset to member mode Consequently you must set it back again to the command mode if you reactivate enhanced stacking Note You sho...

Страница 304: ...tch to a member switch in the enhanced stack The member switch is identified by its ID number displayed with SHOW ESTACK REMOTELIST on page 310 You can manage only one member switch at a time Note You...

Страница 305: ...y reboot individual member switches or all of the member switches of a stack You must perform SHOW ESTACK REMOTELIST on page 310 prior to this command to determine the ID numbers of the switches Cauti...

Страница 306: ...his example reboots a member switch that has the ID number 3 awplus enable awplus show estack remotelist awplus reboot estack member 3 This example reboots all of the member switches of the enhanced s...

Страница 307: ...is an example of the information the command displays Figure 64 SHOW ESTACK Command The fields are described in Table 26 on page 307 Enhanced Stacking mode Member 1 MAC address 00 15 77 CC E2 42 Mode...

Страница 308: ...e number is the switch s stack ID number If the brackets are empty the switch did not detect a command switch on the common VLAN and so does not consider itself part of an enhanced stack Disabled Enha...

Страница 309: ...hanced stacking information about the command switch This command is equivalent to issuing the SHOW ESTACK command on the command switch Figure 65 is an example of the information the command displays...

Страница 310: ...The default is MAC address An example is shown in Figure 66 Figure 66 SHOW ESTACK REMOTELIST Command The list does not include the command switch on which you entered the command Note This command on...

Страница 311: ...ns 311 This example sorts the switches by host name awplus enable awplus configure terminal awplus config show estack remotelist name This example sorts the switches by model series awplus enable awpl...

Страница 312: ...Chapter 16 Enhanced Stacking Commands 312 Section II Basic Operations...

Страница 313: ...his chapter discusses the following topics Overview on page 314 Creating the Port Mirror or Adding New Source Ports on page 315 Removing Source Ports or Deleting the Port Mirror on page 316 Displaying...

Страница 314: ...ion port The source ports are the ports whose packets are to be mirrored and monitored The destination port is the port where the packets from the source ports are copied and where the network analyze...

Страница 315: ...awplus configure terminal awplus config interface port1 0 5 awplus config if mirror interface port1 0 3 direction receive The switch immediately begins to copy the monitored traffic from the source po...

Страница 316: ...mirror The destination port is port 11 awplus enable awplus configure terminal awplus config interface port1 0 11 awplus config if no mirror interface port1 0 2 To completely stop port mirroring and t...

Страница 317: ...ror In this example of the information the port mirror is enabled and the ingress and egress packets on ports 1 and 3 as well as the egress traffic on ports 11 to 13 are being copied to destination po...

Страница 318: ...Chapter 17 Port Mirror 318 Section II Basic Operations...

Страница 319: ...Interface Creates the port mirror and adds ports to the port mirror NO MIRROR on page 321 Port Interface Stops port mirroring completely NO MIRROR INTERFACE on page 322 Port Interface Removes source p...

Страница 320: ...ource port Mode Port Interface mode Description Use this command to create the port mirror or to add ports to the port mirror You must issue this command from the Port Interface mode of the destinatio...

Страница 321: ...deletes all the source ports from the port mirror You should enter this command in the Port Interface mode of the destination port of the port mirror Confirmation Command SHOW MIRROR on page 323 Exam...

Страница 322: ...n the Port Interface mode of the destination port of the port mirror To delete the port mirror and to return the destination port to normal operations use the NO MIRROR command Confirmation Command SH...

Страница 323: ...e Enabled Mirror To Destination Port 22 Ingress Rx Mirror Source Ports 1 3 Egress Tx Mirror Source Ports 1 3 11 13 Table 28 SHOW MIRROR Command Parameter Description Mirror Test Port Name The destinat...

Страница 324: ...Chapter 18 Port Mirror Commands 324 Section II Basic Operations Example awplus show mirror...

Страница 325: ...ing This chapter discusses the following topics Overview on page 326 Host Node Topology on page 328 Configuring the IGMP Snooping Parameters on page 329 Enabling IGMP Snooping on page 330 Disabling IG...

Страница 326: ...he router has no nodes that want to be members of multicast groups the router does not send multicast packets out the port This improves network performance by restricting the multicast packets only t...

Страница 327: ...eives multicast packets it floods the packets out all its ports except the port on which it received the packets Such flooding of packets can negatively impact network performance The switch maintains...

Страница 328: ...sent leave requests or have timed out The switch responds by immediately ceasing the transmission of additional multicast packets out the ports Multiple hosts Per Port The multiple hosts per port set...

Страница 329: ...out 50 awplus config ip igmp snooping mrouter interface port1 0 4 This example reactivates the auto detection of multicast router ports by removing the static router port 4 awplus enable awplus config...

Страница 330: ...ooping on the switch is the IP IGMP SNOOPING command in the Global Configuration mode After you enter the command the switch begins to build its multicast table as queries from the multicast router an...

Страница 331: ...MP snooping on the switch is the NO IP IGMP SNOOPING command in the Global Configuration mode To disable IGMP snooping awplus enable awplus configure terminal awplus config no ip igmp snooping When IG...

Страница 332: ...scribed in Table 31 on page 343 IGMP Snooping Configuration IGMP Snooping Status Enabled Querier Admin Disabled Host Topology Single Host Port Edge Host Router Timeout Interval 260 seconds Maximum IGM...

Страница 333: ...dentify inactive host nodes and multicast routers IP IGMP SNOOPING on page 337 Global Configuration Enables IGMP snooping on the switch IP IGMP SNOOPING MROUTER on page 338 Global Configuration Manual...

Страница 334: ...AR IP IGMP Syntax clear ip igmp Parameters None Mode Privileged Exec mode Description Use this command to clear all IGMP group membership records on all VLANs Example This example clears all IGMP grou...

Страница 335: ...resses Mode Global Configuration mode Description Use this command to specify the maximum number of multicast addresses the switch can learn If your network has a large number of multicast groups you...

Страница 336: ...MP reports from it for the duration of the timer The switch stops transmitting multicast packets from a port of an inactive host node if there are no additional host nodes A multicast router is deemed...

Страница 337: ...NOOPING Syntax ip igmp snooping Parameters None Mode Global Configuration mode Description Use this command to activate IGMP snooping on the switch Confirmation Command SHOW IP IGMP SNOOPING on page 3...

Страница 338: ...nually specify ports that are connected to multicast routers Manually specifying multicast router ports deactivates auto detect To reactivate auto detect remove all static multicast router ports For i...

Страница 339: ...n one host node Mode Global Configuration mode Description Use this command to specify the IGMP host node topology For background information refer to Host Node Topology on page 328 Confirmation Comma...

Страница 340: ...figuration mode Description Use this command to deactivate IGMP snooping on the switch When IGMP snooping is disabled the switch floods multicast packets on all ports except on ports that receive the...

Страница 341: ...outer port Mode Global Configuration mode Description Use this command to remove static multicast router ports Removing all multicast router ports activates auto detect Confirmation Command SHOW IP IG...

Страница 342: ...ping Status Enabled Querier Admin Disabled Host Topology Single Host Port Edge Host Router Timeout Interval 260 seconds Maximum IGMP Multicast Groups 64 Router Port s Auto Detect Router List VLAN Port...

Страница 343: ...the default setting multihost This is the multiple host per port topology This topology is appropriate when there is more than one host node per port on the switch To set this parameter refer to IP I...

Страница 344: ...it Host List Number of IGMP Multicast Groups The number of IGMP multicast groups that have active host nodes on the switch Multicast Group The multicast addresses of the groups ID The ID numbers of t...

Страница 345: ...mes forwarding unknown egress multicast packets on ports NO SWITCHPORT BLOCK INGRESS MULTICAST on page 347 Port Interface Resumes forwarding unknown ingress multicast packets on ports SWITCHPORT BLOCK...

Страница 346: ...terface mode Description Use this command to resume forwarding of unknown egress multicast packets on ports Confirmation Command SHOW INTERFACE on page 190 Example This example resumes forwarding of u...

Страница 347: ...face mode Description Use this command to resume forwarding of unknown ingress multicast packets on ports Confirmation Command SHOW INTERFACE on page 190 Example This example resumes forwarding of unk...

Страница 348: ...ticast packets on ports Note This feature does not block multicast packets that have reserved multicast addresses in the range of 01 80 C2 00 00 00 to 01 80 C2 00 00 0F Confirmation Command SHOW INTER...

Страница 349: ...ess multicast packets on ports Note This feature does not block multicast packets that have reserved multicast addresses in the range of 01 80 C2 00 00 00 to 01 80 C2 00 00 0F Confirmation Command SHO...

Страница 350: ...Chapter 21 Multicast Commands 350 Section II Basic Operations...

Страница 351: ...rs Chapter 22 File System on page 353 Chapter 23 File System Commands on page 361 Chapter 24 Boot Configuration Files on page 369 Chapter 25 Boot Configuration File Commands on page 375 Chapter 26 Fil...

Страница 352: ...352 Section III File System...

Страница 353: ...s Overview on page 354 Copying Boot Configuration Files on page 355 Renaming Boot Configuration Files on page 356 Deleting Boot Configuration Files on page 357 Displaying the Specifications of the Fil...

Страница 354: ...iles Encryption key pairs The file system has a flat directory structure All the files are stored in the root directory The file system does not support subdirectories Table 33 File Extensions and Fil...

Страница 355: ...parameter specifies the name of the boot configuration file you want to copy The DESTINATIONFILE parameter specifies the name of the new copy The name can be up to 16 alphanumeric characters and must...

Страница 356: ...aracters This example renames the Sales2sw cfg boot configuration file to unit12a cfg awplus enable awplus move Sales2sw cfg unit12a cfg Note If you rename the active boot configuration file you will...

Страница 357: ...le deletes the configuration file unit2a cfg awplus delete unit2a cfg Note If you delete the active boot configuration file you will have to designate another active boot configuration file before the...

Страница 358: ...free space and the amount of space used by the files currently stored in the file system It is the SHOW FILE SYSTEMS command Here is an example of the information Figure 71 SHOW FILE SYSTEMS Command...

Страница 359: ...s Guide Section III File System 359 Listing the Files in the File System To view the names of the files in the file system of the switch use the DIR command in the Privileged Exec mode awplus dir The...

Страница 360: ...Chapter 22 File System 360 Section III File System...

Страница 361: ...DELETE on page 363 Privileged Exec Deletes boot configuration files from the file system DELETE FORCE on page 364 Privileged Exec Deletes boot configuration files from the file system DIR on page 365...

Страница 362: ...iption Use this command to create copies of boot configuration files in the file system of the switch Creating copies of the active boot configuration file is an easy way to maintain a history of the...

Страница 363: ...em in the switch This command is equivalent to DELETE FORCE on page 364 Note If you delete the active configuration file the switch recreates it the next time you issue the WRITE command or the COPY R...

Страница 364: ...switch This command is equivalent to DELETE on page 363 Note If you delete the active configuration file the switch recreates it the next time you issue the WRITE command or the COPY RUNNING CONFIG S...

Страница 365: ...Line User s Guide Section III File System 365 DIR Syntax dir Parameter None Mode Privileged Exec mode Description Use this command to list the names of the files stored in the file system on the swit...

Страница 366: ...eged Exec mode Description Use this command to rename boot configuration files in the switch s file system Note If you rename the active boot configuration file the switch recreates it the next time y...

Страница 367: ...Type Flags Prefixes S D V Lcl Ntwk 16 8 flash rw None Static local Y Table 35 SHOW FILE SYSTEMS Command Parameter Description Size B The total amount of flash memory in the switch The amount is given...

Страница 368: ...s S D W The memory type static virtual or dynamic Lcl Ntwk Whether the memory is located locally or via a network connection For the AT 9000 Switches this is always Local Y N Whether the memory is acc...

Страница 369: ...les This chapter discusses the following topics Overview on page 370 Specifying the Active Boot Configuration File on page 371 Creating a New Boot Configuration File on page 373 Displaying the Active...

Страница 370: ...parameter settings every time you power off or reset the unit The switch as part of its initialization process whenever it is powered on or reset automatically refers to this file to set its paramete...

Страница 371: ...having to enter the WRITE command or the COPY RUNNING CONFIG STARTUP CONFIG command In fact you probably will not want to enter either of those commands after you specify a new active boot configurati...

Страница 372: ...nally marks it as the active boot configuration file The file is now ready to store any new parameter settings you might make to the switch In this example the settings of the switch are configured us...

Страница 373: ...cters not including the extension cfg If you specify the name of an existing file the new file overwrites the existing file It is important to understand that this command does not change the switch s...

Страница 374: ...is the command awplus show boot Here is an example of the information Figure 73 SHOW BOOT Command The Current boot config field displays the name of the active boot configuration file which for the sw...

Страница 375: ...e switch s current configuration to the active boot configuration file ERASE STARTUP CONFIG on page 380 Privileged Exec Returns the switch to its default settings NO BOOT CONFIG FILE on page 381 Globa...

Страница 376: ...tive boot configuration file enter a new filename in the command The command automatically creates the file updates it with the current settings of the switch and designates it as the active boot conf...

Страница 377: ...e sw12a cfg as the switch s active configuration file The example assumes that the file already exists in the file system of the switch and that you want to reconfigure the switch according to the set...

Страница 378: ...ion files Stored in the file system on the switch the files contain the current settings of the switch You might use this command to create a backup copy of the switch s current configuration This com...

Страница 379: ...torage When you enter the command the switch copies its parameter settings into the active boot configuration file The switch saves only those parameters that have been changed from their default sett...

Страница 380: ...boot configuration file To return the active configuration file to the default settings you must enter the WRITE or COPY RUNNING CONFIG STARTUP CONFIG command after the switch reboots and after you h...

Страница 381: ...oftware it uses the BOOT CFG file to configure its parameter settings To overwrite the settings in the active boot configuration file with the switch s current settings enter the WRITE or COPY RUNNING...

Страница 382: ...urrent boot image v2 1 1 Backup boot image Not set Default boot config cfg boot cfg Current boot config cfg switch2 cfg file exists Table 37 SHOW BOOT Command Field Description Current software The ve...

Страница 383: ...AT 9000 Switch Command Line User s Guide Section III File System 383 Example awplus show boot...

Страница 384: ...384 Section III File System SHOW STARTUP CONFIG Syntax show startup config Parameter None Mode Privileged Exec mode Description Use this command to display the contents of the active boot configurati...

Страница 385: ...mand the switch copies its parameter settings into the active boot configuration file The switch saves only those parameters that have been changed from their default settings Note Parameter changes t...

Страница 386: ...Chapter 25 Boot Configuration File Commands 386 Section III File System...

Страница 387: ...s This chapter discusses the following topics Overview on page 388 Uploading or Downloading Files with TFTP on page 389 Uploading or Downloading Files with Zmodem on page 393 Downloading Files with En...

Страница 388: ...o Chapter 79 Secure HTTPS Web Browser Server on page 1159 Here are the files you can upload from the switch Boot configuration files CA certificate requests Technical support text files Refer to SHOW...

Страница 389: ...Downloading New Management Software with TFTP To use TFTP to download new management software to the switch Caution This procedure causes the switch to reset The switch does not forward network traffi...

Страница 390: ...Wait for the switch to write the new management software to flash memory 6 To resume managing the switch start a new management session after the switch has reset 7 To confirm the new management softw...

Страница 391: ...e terminal awplus config boot config file switch1a cfg 6 At this point do one of the following To configure the switch using the settings in the newly designated active boot configuration file reset t...

Страница 392: ...the file to be uploaded from the switch to the TFTP server The filename can not contain spaces and must include the appropriate extension This example of the command uploads the boot configuration fil...

Страница 393: ...For instructions refer to Starting a Local Management Session on page 60 3 Enter this command in the Privileged Exec mode awplus copy zmodem You will see this prompt Waiting to receive 4 Use your term...

Страница 394: ...e HTTPS Web Browser Server on page 1159 Technical support text files Refer to SHOW TECH SUPPORT on page 1242 To upload a file from the switch using Zmodem 1 Start a local management session on the swi...

Страница 395: ...enter the command the switch displays this message Waiting to send 4 Use your terminal or terminal emulator program to begin the upload The upload must be Zmodem The upload should take only a few mom...

Страница 396: ...one of the previous procedures in this chapter 2 After you ve updated the management software on the command switch start a new local or remote session on it 3 Issue the SHOW ESTACK REMOTELIST comman...

Страница 397: ...This prompt is displayed Do you want confirmation before downloading each switch Yes No 7 Type Y for yes if you want the command switch to prompt you before it downloads its management software to ea...

Страница 398: ...Chapter 26 File Transfers 398 Section III File System...

Страница 399: ...ged Exec Uses TFTP to upload files from the switch COPY TFTP FLASH on page 402 Privileged Exec Uses TFTP to download new versions of the management software boot configuration files or CA certificates...

Страница 400: ...er with a Zmodem utility to upload boot configuration files from the file system in the switch to your terminal or computer This command must be performed from a local management session For instructi...

Страница 401: ...fy just one filename Mode Privileged Exec mode Description Use this command to upload configuration files from the file system in the switch to a TFTP server on your network You can perform the comman...

Страница 402: ...the management software boot configuration files or CA certificates to the switch from a TFTP server on your network You may perform the command from a local management session or a remote Telnet or...

Страница 403: ...em 403 awplus enable awplus copy tftp flash 149 22 121 45 at9000_app img This example downloads the boot configuration file sw12a cfg to the switch from a TFTP server with the IP address 112 141 72 11...

Страница 404: ...t session For instructions on how to use this command refer to Downloading Files to the Switch with Zmodem on page 393 Note You may not use Zmodem to download new versions of the management software t...

Страница 405: ...on enhanced stacking refer to Chapter 15 Enhanced Stacking on page 285 For instructions on how to use this command refer to Downloading New Management Software with Enhanced Stacking on page 396 Caut...

Страница 406: ...Chapter 27 File Transfer Commands 406 Section III File System...

Страница 407: ...vent Messages This section contains the following chapters Chapter 28 Event Log on page 409 Chapter 29 Event Log Commands on page 413 Chapter 30 Syslog Client on page 423 Chapter 31 Syslog Client Comm...

Страница 408: ...408 Section IV Event Messages...

Страница 409: ...409 Chapter 28 Event Log This chapter covers the following topics Overview on page 410 Displaying the Event Log on page 411 Clearing the Event Log on page 412...

Страница 410: ...ormally or what happened when a problem occurred The operation of the switch can be monitored by viewing the event messages generated by the device These events and the vital information about system...

Страница 411: ...he messages are displayed one screen at a time To cancel the log type q for quit Here is an example of the log Figure 76 SHOW LOG Command The columns are described in Table 41 on page 417 If you happe...

Страница 412: ...t Log 412 Section II Basic Operations Clearing the Event Log To clear all the messages from the event log use the CLEAR LOG BUFFERED command in the Privileged Exec mode Here is the command awplus clea...

Страница 413: ...the event log LOG BUFFERED on page 415 Global Configuration Specifies the types of event messages to be stored in the event log SHOW LOG on page 417 Privileged Exec Displays the event messages from ol...

Страница 414: ...ntax clear log buffered Parameters None Mode Privileged Exec mode Description Use this command to delete the event messages in the event log Confirmation Command SHOW LOG on page 417 Example The follo...

Страница 415: ...fy more than one module separate the modules with commas Mode Global Configuration mode Description Use this command to specify the types of event messages to be stored in the event log You can specif...

Страница 416: ...wplus configure terminal awplus config log buffered program igmpsnooping lacp pconfig This example configures the event log to save only those event messages that have a minimum severity level of 4 an...

Страница 417: ...d here date time facility severity program pid message 2010 Jan 15 14 39 04 user information awplus stp Set Configuration succeeded 2010 Jan 15 14 39 04 user information awplus stp Set Configuration s...

Страница 418: ...Management Software Modules Module Name Description ACL Port access control list CFG Switch configuration CLASSIFIER Classifiers used by ACL and QoS CLI Command line interface commands ENCO Encryption...

Страница 419: ...authentication protocol RTC Real time clock SNMP SNMP SSH Secure Shell protocol SSL Secure Sockets Layer protocol STP Spanning Tree and Rapid Spanning protocols SYSTEM Hardware status manager and oper...

Страница 420: ...d here OutputID Type Status Details 1 Temporary Enabled Wrap on Full Table 43 SHOW LOG CONFIG Command Parameter Description Output ID The ID number of the event log The event log has the ID 1 Type The...

Страница 421: ...This command is also used to view the configuration of the syslog client For information refer to SHOW LOG CONFIG on page 435 in Chapter 31 Syslog Client Commands on page 431 Example The following co...

Страница 422: ...and the SHOW LOG command display the same messages but in different order The SHOW LOG command displays the messages from oldest to newest To cancel the display type q for quit You cannot filter the l...

Страница 423: ...423 Chapter 30 Syslog Client Overview on page 424 Creating Syslog Server Definitions on page 425 Deleting Syslog Server Definitions on page 428 Displaying the Syslog Server Definitions on page 429...

Страница 424: ...ding a Management IP Address on page 66 or Chapter 9 IPv4 and IPv6 Management Addresses on page 207 The syslog servers must be members of the same subnet as the management IP address of the switch or...

Страница 425: ...mitted to the server For example specifying level 4 for a syslog server definition causes the switch to transmit levels 0 and 4 messages If you omit this parameter messages of all severity levels are...

Страница 426: ...ontrol PCFG Port configuration PKI Public Key Infrastructure PMIRR Port mirroring PSEC MAC address based port security PTRUNK Static port trunking QOS Quality of Service RADIUS RADIUS authentication p...

Страница 427: ...definition that sends messages from the RADIUS spanning tree protocols and static port trunks to a syslog server that has the IP address 156 74 134 76 awplus enable awplus configure terminal awplus co...

Страница 428: ...ost ipaddress To view the IP addresses of the syslog servers of the definitions use the SHOW LOG CONFIG command You can delete just one definition at a time with this command The switch stops sending...

Страница 429: ...ion Figure 79 SHOW LOG CONFIG Command Definition 1 relates to the event log and can be ignored Syslog server definitions start at 2 The columns in the display are described is Table 47 on page 435 The...

Страница 430: ...Chapter 30 Syslog Client 430 Section IV Event Messages...

Страница 431: ...able 46 Syslog Client Commands Command Mode Description LOG HOST on page 432 Global Configuration Creates syslog server definitions NO LOG HOST on page 434 Global Configuration Deletes syslog server d...

Страница 432: ...les are sent to the syslog server The modules are listed in Table 42 on page 418 You can specify more than one feature Separate multiple features with commas Omit this parameter to send messages from...

Страница 433: ...yslog server that has the IP address 149 152 122 143 The definition sends only those messages that have a minimum severity level of 4 and that are generated by the RADIUS client RADIUS and static port...

Страница 434: ...a syslog server Mode Global Configuration mode Description Use this command to delete syslog server definitions from the switch Confirmation Command SHOW LOG CONFIG on page 435 Example This example de...

Страница 435: ...OutputID Type Status Details 1 Temporary Enabled Wrap on Full 2 Syslog Enabled 169 55 55 55 3 Syslog Enabled 149 88 88 88 Table 47 SHOW LOG CONFIG Command Parameter Description Output ID The ID numbe...

Страница 436: ...displays the action of the log when it reaches maximum capacity Wrap on Full means that the log adds new entries by deleting old entries when it reaches maximum capacity This cannot be changed For sys...

Страница 437: ...section contains the following chapters Chapter 32 Static Port Trunks on page 439 Chapter 33 Static Port Trunk Commands on page 449 Chapter 34 Link Aggregation Control Protocol LACP on page 455 Chapte...

Страница 438: ...438 Section V Port Trunks...

Страница 439: ...view on page 440 Creating New Static Port Trunks or Adding Ports To Existing Trunks on page 444 Specifying the Load Distribution Method on page 445 Removing Ports from Static Port Trunks or Deleting T...

Страница 440: ...a link is lost on a port in a static port trunk the trunk s total bandwidth is reduced Although the traffic carried by a lost link is shifted to one of the remaining ports in the trunk the bandwidth r...

Страница 441: ...ues of the last three bits of a MAC or IP address Assume you selected source MAC address as the load distribution method and that the switch needed to transmit over the trunk a packet with a source MA...

Страница 442: ...unk s efficiency and performance Guidelines Here are the guidelines to using static port trunks A static trunk can have up to eight ports The switch supports up to a total of 32 static port trunks and...

Страница 443: ...agged members of the same VLAN A trunk cannot consist of untagged ports from different VLANs The switch selects the lowest numbered port in the trunk to handle broadcast packets and packets of unknown...

Страница 444: ...le that creates a new trunk of ports 22 to 23 and the ID number 1 awplus enable awplus configure terminal awplus config interface port1 0 22 port1 0 23 awplus config if static channel group 1 If a sta...

Страница 445: ...stination MAC address src ip Specifies source IP address dst ip Specifies destination IP address src dst ip Specifies source address destination IP address To enter the Static Port Trunk Interface mod...

Страница 446: ...interface port1 0 4 port1 0 5 awplus config if no static channel group To delete a static port trunk remove all its member ports This example deletes a trunk that consists of member ports 15 to 17 an...

Страница 447: ...mode or Privileged Exec mode awplus show static channel group Here is an example of the information Figure 82 SHOW STATIC CHANNEL GROUP Command To view the load distribution methods of static port tru...

Страница 448: ...Chapter 32 Static Port Trunks 448 Section V Port Trunks...

Страница 449: ...om existing static port trunks and deletes trunks from the switch PORT CHANNEL LOAD BALANCE on page 451 Static Port Trunk Interface Sets the load distribution methods of static port trunks SHOW STATIC...

Страница 450: ...do not remove ports from a static port trunk without first disconnecting their network cable Network loops can result in broadcast storms that can adversely affect network performance Note You cannot...

Страница 451: ...ommand to specify the load distribution methods of static port trunks The load distribution methods determine the manner in which the switch distributes packets among the ports of a trunk This command...

Страница 452: ...orts of static port trunks on the switch An example of the command is shown in Figure 83 Figure 83 SHOW STATIC CHANNEL GROUP Command To view the load distribution methods of static port trunks display...

Страница 453: ...er in the range of 1 to 32 This number is used by the switch to identify trunks and to assign trunk names A name of a trunk consists of the prefix sa followed by an ID number For instance if you assig...

Страница 454: ...ting ports in the trunk Consequently you check to see if its settings are appropriate prior to adding it to the trunk If the port will not be the lowest numbered port its settings are changed to match...

Страница 455: ...erview on page 456 Creating New Aggregators on page 460 Setting the Load Distribution Method on page 461 Adding Ports to Aggregators on page 462 Removing Ports from Aggregators on page 463 Deleting Ag...

Страница 456: ...tch with ports 11 to 18 as the active ports and ports 19 and 20 as the reserve ports If an active port loses its link the switch automatically activates one of the reserve ports to maintain maximum ba...

Страница 457: ...switch would activate all six links because it can handle up to eight active links in a trunk at one time while the other device would activate only four ports But by giving the other 802 3ad device t...

Страница 458: ...hat is part of an aggregator does not receive LACPDU packets it functions as a normal Ethernet port and forwards network packets along with LACPDU packets Load Distribution Methods The load distributi...

Страница 459: ...oad Distribution Methods on page 440 To function as a member of an aggregator a port must receive LACPDU packets from a remote network device A port that does not receive LACPDU packets while it is a...

Страница 460: ...number If the ports of a new aggregator are already members of other aggregators the switch automatically removes them from their current assignments before adding them to the new aggregator Caution...

Страница 461: ...enter the mode use the INTERFACE PO command from the Global Configuration mode in this format interface poid_number You specify the intended aggregator by adding its ID number as a suffix to PO Here...

Страница 462: ...and specify the ID number of the existing aggregator to which the new ports are to be assigned If you do not know the ID number use the SHOW ETHERCHANNEL DETAIL command If the new ports of an aggregat...

Страница 463: ...first disconnecting the network cable Leaving the network cable connected may result in a network loop which can cause a broadcast storm Note You cannot remove the base port of an aggregator The base...

Страница 464: ...de Caution Do not delete an aggregator without first disconnecting the network cables from its ports Leaving the network cables connected may result in a network loop which can cause a broadcast storm...

Страница 465: ...ERCHANNEL DETAIL The only information the SHOW ETHERCHANNEL DETAIL command doesn t include is the LACP system priority value That value can been seen with the SHOW LACP SYS ID command also in the Priv...

Страница 466: ...an example of the information Figure 85 SHOW LACP SYS ID Command it should be mentioned that while the system priority value is set as an integer with the LACP SYSTEM PRIORITY command this command dis...

Страница 467: ...s and deletes aggregators PORT CHANNEL LOAD BALANCE on page 472 LACP Port Trunk Interface Sets the load distribution method SHOW ETHERCHANNEL on page 474 Privileged Exec Displays the ports of the aggr...

Страница 468: ...isting aggregator that consists of ports 7 to 12 You have to delete and recreate an aggregator to change its base port To review the guidelines to creating or modifying aggregators refer to Guidelines...

Страница 469: ...e User s Guide Section V Port Trunks 469 This example adds port 15 to an existing aggregator that has the ID number 4 awplus enable awplus configure terminal awplus config interface port1 0 15 awplus...

Страница 470: ...o set the LACP priority of the switch The switch uses the LACP priority to resolve conflicts with other network devices when it creates aggregate trunks Confirmation Command SHOW LACP SYS ID on page 4...

Страница 471: ...leting and recreating the aggregator Caution To prevent creating a loop in your network topology you should not remove ports from an aggregator without first disconnecting their network cables Network...

Страница 472: ...ss Mode LACP Port Trunk Interface mode Description Use this command to set the load distribution methods of aggregators An aggregator can have only one load distribution method The load distribution m...

Страница 473: ...t Trunks 473 Example This example sets the load distribution method to source MAC address for the LACP trunk that has the ID number 22 awplus enable awplus configure terminal awplus config interface p...

Страница 474: ...se this command to display the ports of specific aggregators on the switch Figure 86 illustrates the information Figure 86 SHOW ETHERCHANNEL Command Example This example displays the ports of the aggr...

Страница 475: ...gator 1 po1 Mac address 00 15 77 D8 43 60 0000 Admin Key 0xff01 Oper Key 0x0101 Receive link count 4 Transmit link count 4 Individual 0 Ready 0 Distribution Mode MACBoth Partner LAG 0080 00 A0 D2 00 9...

Страница 476: ...re 88 illustrates the information Figure 88 SHOW ETHERCHANNEL SUMMARY Command Example awplus show etherchannel summary Aggregator 2 po2 Admin Key 0xff01 Oper Key 0x0101 Link Port1 0 2 sync Link Port1...

Страница 477: ...command to display the LACP priority value and MAC address of the switch Figure 88 illustrates the information Figure 89 SHOW LACP SYS ID Command Note The LACP priority value is set as an integer with...

Страница 478: ...e 90 SHOW PORT ETHERCHANNEL Command Example awplus show port etherchannel port1 0 5 Port 05 Aggregator LACP sw22 Receive machine state Default Periodic Transmission machine state Fast periodic Mux mac...

Страница 479: ...llowing chapters Chapter 36 Spanning Tree and Rapid Spanning Tree Protocols on page 481 Chapter 37 Spanning Tree Protocol STP on page 501 Chapter 38 STP Commands on page 509 Chapter 39 Rapid Spanning...

Страница 480: ...480 Section VI Spanning Tree Protocols...

Страница 481: ...on page 483 Path Costs and Port Costs on page 484 Port Priority on page 485 Forwarding Delay and Topology Changes on page 486 Hello Time and Bridge Protocol Data Units BPDU on page 487 Point to Point...

Страница 482: ...ty by activating backup redundant paths One of the primary differences between the two protocols is in the time each takes to complete the process referred to as convergence When a change is made to t...

Страница 483: ...the root bridge If two or more bridges have the same bridge priority number of those bridges the one with the lowest MAC address is designated as the root bridge You can change the bridge priority num...

Страница 484: ...aths must determine which path will be the primary active path and which path s will be placed in the standby blocking mode This is accomplished by an determination of path costs The path offering the...

Страница 485: ...es must select a preferred path In some instances this can involve the use of the port priority parameter This parameter is used as a tie breaker when two paths have the same cost The port priority ha...

Страница 486: ...ated to change from blocking to forwarding passes through two additional states listening and learning before beginning to forward frames The amount of time a port spends in these states is set by the...

Страница 487: ...root bridge has already been selected in the network and if not whether it has the lowest bridge priority number of all the bridges and should therefore become the root bridge The root bridge periodi...

Страница 488: ...e connected with one data link With the link operating in full duplex the ports are point to point ports Figure 91 Point to Point Ports If a port is operating in half duplex mode and is not connected...

Страница 489: ...mining whether a bridge port is point to point edge or both can be a bit confusing For that reason do not change the default values for this RSTP feature unless you have a good grasp of the concept In...

Страница 490: ...a network they operate together to create a single spanning tree domain Given this if you decide to activate spanning tree on the switch there is no reason not to use RSTP even if the other switches...

Страница 491: ...Figure 94 Two VLANs Sales and Production span two switches Two links consisting of untagged ports connect the separate parts of each VLAN If STP or RSTP is activated on the switches one of the links...

Страница 492: ...Section VI Spanning Tree Protocols You can avoid this problem by not activating spanning tree or by connecting VLANs using tagged instead of untagged ports For information about tagged and untagged po...

Страница 493: ...ng state skipping the intermediate listening and learning states Edge ports however can leave a spanning tree domain vulnerable to unwanted topology changes This can happen if someone connects a RSTP...

Страница 494: ...rts of the switch and any fiber optic transceivers installed in the unit Note A port disabled by the BPDU guard feature remains in that state until you enable it with the management software If a port...

Страница 495: ...nitoring the ports on the switch for BPDUs from the other RSTP devices If a port stops receiving BPDUs without a change to its link state that is the link on a port stays up the switch assumes that th...

Страница 496: ...tions in a network of three switches that have been connected to form a loop To block the loop switch 3 designates port 14 as an alternate port and places it in the blocking or discarding state Figure...

Страница 497: ...rates how loop guard works to maintain a loop free topology by keeping alternate ports in the blocking state when they stop receiving BPDUs Loop guard can also work on root and designated ports that a...

Страница 498: ...itch 3 transitions to the forwarding state from the blocking state to become the new root port for the switch The result is a network loop Figure 98 Loop Guard Example 4 But if loop guard is active on...

Страница 499: ...3 Port 4 Loop guard changes the port to the blocking state from the forwarding state 50 49 50R 49R AT 8100S 48 CONSOLE S2 S1 LINK ACT 50 49 50R 49R AT 8100S 48 CONSOLE S2 S1 LINK ACT 50 49 50R 49R AT...

Страница 500: ...Chapter 36 Spanning Tree and Rapid Spanning Tree Protocols 500 Section VI Spanning Tree Protocols...

Страница 501: ...ion Designating STP as the Active Spanning Tree Protocol on page 502 Enabling the Spanning Tree Protocol on page 503 Setting the Switch Parameters on page 504 Setting the Port Parameters on page 506 D...

Страница 502: ...pports other spanning tree protocols in addition to STP but only one of them can be active at a time on the device To designate STP as the active spanning tree protocol on the switch use the SPANNING...

Страница 503: ...otocol To enable STP on the switch use the SPANNING TREE STP ENABLE command in the Global Configuration mode Here is the command awplus enable awplus configure terminal awplus config spanning tree stp...

Страница 504: ...ime 5 awplus config spanning tree max age 20 If you want the switch to be the root bridge of the spanning tree domain assign it a low priority number with the SPANNING TREE PRIORITY command The bridge...

Страница 505: ...ommand Line User s Guide Section VI Spanning Tree Protocols 505 This example of the command sets the switch s priority value to 8 192 awplus enable awplus configure terminal awplus config spanning tre...

Страница 506: ...g interface port1 0 4 port1 0 18 awplus config if spanning tree path cost 40 This example of the SPANNING TREE PRIORITY command assigns a priority value of 32 awplus enable awplus configure terminal a...

Страница 507: ...rminal awplus config no spanning tree stp enable Note Before disabling the spanning tree protocol on the switch display the STP states of the ports and disconnect the network cables from any ports tha...

Страница 508: ...sing The words Spanning Tree in the first line signal whether spanning tree is enabled or disabled not which spanning tree protocol is activated on the switch For that you have to use the SHOW RUNNING...

Страница 509: ...the switch sends spanning tree configuration information when it is the root bridge or is trying to become the root bridge SPANNING TREE MAX AGE on page 514 Global Configuration Sets the maximum age p...

Страница 510: ...the switch display the STP states of the ports and disconnect the network cables from any ports that are in the discarding state Ports that are in the discarding state begin to forward traffic again...

Страница 511: ...displays the STP settings for all the ports awplus show spanning tree This command displays the STP settings for ports 1 and 4 awplus show spanning tree interface port1 0 1 port1 0 4 Default Bridge up...

Страница 512: ...e only if the switch is acting as the root bridge of the spanning tree domain Switches that are not acting as the root bridge use a dynamic value supplied by the root bridge The forward time max age a...

Страница 513: ...bridge or is trying to become the root bridge The forward time max age and hello time parameters should be set according to the following formulas as specified in IEEE Standard 802 1d max age 2 x for...

Страница 514: ...nits BPDUs are stored by the switch before they are deleted The forward time max age and hello time parameters should be set according to the following formulas as specified in IEEE Standard 802 1d ma...

Страница 515: ...ve spanning tree protocol on the switch You must select STP as the active spanning tree protocol before you can enable it or configure its parameters Only one spanning tree protocol can be active on t...

Страница 516: ...specify the cost of a port to the root bridge This cost is combined with the costs of the other ports in the path to the root bridge to determine the total path cost The lower the numeric value the hi...

Страница 517: ...ecomes the root bridge If two or more devices have the same priority value the device with the numerically lowest MAC address becomes the root bridge The range is 0 to 61 440 in increments of 4 096 Th...

Страница 518: ...s a tie breaker when two or more ports have equal costs to the root bridge The range is 0 to 240 in increments of 16 The priority values can be set only in increments of 16 The default is 128 Use the...

Страница 519: ...e STP on the switch You must designate STP as the active spanning tree protocol on the switch before you can enable it or configure its parameters For instructions refer to SPANNING TREE MODE STP on p...

Страница 520: ...Chapter 38 STP Commands 520 Section VI Spanning Tree Protocols...

Страница 521: ...ating RSTP as the Active Spanning Tree Protocol on page 522 Enabling the Rapid Spanning Tree Protocol on page 523 Configuring the Switch Parameters on page 524 Configuring the Port Parameters on page...

Страница 522: ...l This is accomplished with the SPANNING TREE MODE RSTP command in the Global Configuration mode Afterwards you can configure its settings and enable the protocol Here is the command awplus enable awp...

Страница 523: ...nd in the Global Configuration mode Here is the command awplus enable awplus configure terminal awplus config spanning tree rstp enable After you enter the command the switch immediately begins to par...

Страница 524: ...nning tree max age 10 Table 53 RSTP Switch Parameters To Use This Command Range Specify how long the ports remain in the listening and learning states before they transition to the forwarding state SP...

Страница 525: ...The range of the parameter is 0 to 61 440 in increments of 4 096 The priority values can be set only in increments of 4 096 This example assigns the switch the low priority number 4 096 to increase t...

Страница 526: ...Spanning Tree Protocols To disable the BPDU guard feature on the switch use the NO SPANNING TREE BPDU GUARD command in the Global Configuration mode Here is the command awplus enable awplus configure...

Страница 527: ...Parameters To Use This Command Range Specify port costs SPANNING TREE PATH COST path cost 6 to 40 Assign a priority value to be used as a tie breaker when two or more paths have equal costs to the ro...

Страница 528: ...orts This example designates ports 11 to 23 as point to point ports awplus enable awplus configure terminal awplus config interface port1 0 11 port1 0 23 awplus config if spanning tree link type point...

Страница 529: ...nfig if spanning tree loop guard A port disabled by this feature remains disabled until it starts to receive BPDU packets again or the switch is reset To disable the loop guard feature use the NO SPAN...

Страница 530: ...matically reactivates disabled ports after the specified period of time This example activates the timer and sets it to 1000 seconds awplus enable awplus configure terminal awplus config spanning tree...

Страница 531: ...stp enable To view the current status of RSTP refer to Displaying RSTP Settings on page 532 Note Before disabling the spanning tree protocol on the switch display the RSTP states of the ports and disc...

Страница 532: ...or RSTP Edge ports BPDU loop guard feature BPDU guard feature Force STP compatible version Port link type point to point or shared ports To view these parameters use the SHOW RUNNING CONFIG command in...

Страница 533: ...h NO SPANNING TREE RSTP ENABLE on page 540 Global Configuration Disables RSTP on the switch SHOW SPANNING TREE on page 541 User Exec and Privileged Exec Displays the RSTP settings on the switch SPANNI...

Страница 534: ...as the active spanning tree protocol on the switch SPANNING TREE PATH COST on page 551 Port Interface Specifies the costs of the ports to the root bridge SPANNING TREE PORTFAST on page 552 Port Interf...

Страница 535: ...meters None Mode Port Interface mode Description Use this command to remove ports as edge ports on the switch Confirmation Command SHOW RUNNING CONFIG on page 132 Example This example removes port 21...

Страница 536: ...Use this command to deactivate the timer for the RSTP BPDU guard feature When the timer is deactivated ports that the feature disables because they receive BPDU packets remain disabled until you manu...

Страница 537: ...default setting is disabled Note Ports that are disabled by the loop guard feature do not forward traffic again when you disable the feature They only forward traffic if they start to receive BPDUs a...

Страница 538: ...s None Mode Port Interface mode Description Use this command to remove ports as edge ports on the switch This command is equivalent to NO SPANNING TREE on page 535 Example This example removes port 21...

Страница 539: ...mode Description Use this command to disable the BPDU guard feature on the switch Note Edge ports disabled by the BPDU guard feature remain disabled until you enable them with the management software...

Страница 540: ...play the RSTP states of the ports and disconnect the network cables from any ports that are in the discarding state Ports that are in the discarding state begin to forward traffic again when RSTP is d...

Страница 541: ...e STP compatible version Port link type point to point or shared ports To view these parameters refer to SHOW RUNNING CONFIG on page 132 Default Bridge up Spanning Tree Enabled Default Bridge Priority...

Страница 542: ...Chapter 40 RSTP Commands 542 Section VI Spanning Tree Protocols Example awplus show spanning tree...

Страница 543: ...U guard feature The BPDU guard feature prevents unnecessary RSTP domain convergences by disabling edge ports if they receive BPDUs When the timer is activated the switch will automatically reactivate...

Страница 544: ...lt is 300 seconds Mode Global Configuration mode Description Use this command to specify the number of seconds that must elapse before the switch automatically enables ports that are disabled by the R...

Страница 545: ...he learning state and from the learning state to the forwarding state This parameter is active only if the switch is acting as the root bridge Switches that are not acting as the root bridge use a dyn...

Страница 546: ...ion information when it is the root bridge or is trying to become the root bridge The forward time max age and hello time parameters should be set according to the following formulas as specified in I...

Страница 547: ...ub with multiple switches connected to it Mode Port Interface mode Description Use this command to designate point to point ports and shared ports Confirmation Command SHOW RUNNING CONFIG on page 132...

Страница 548: ...packets the switch automatically disables it A port that has been disabled by the feature remains in that state until it begins to receive BPDU packets again or the switch is reset The default settin...

Страница 549: ...switch retains bridge protocol data units BPDUs before it deletes them The forward time maximum age and hello time parameters should be set according to the following formulas as specified in IEEE St...

Страница 550: ...rotocol you can enable or disable the spanning tree protocol and set the switch or port parameters RSTP is active on the switch only after you have designated it as the active spanning tree with this...

Страница 551: ...ommand to specify the cost of a port to the root bridge This cost is combined with the costs of the other ports in the path to the root bridge to determine the total path cost The lower the numeric va...

Страница 552: ...connected to spanning tree devices or to LANs that have spanning tree devices As a consequence edge ports do not receive BPDUs If an edge port starts to receive BPDUs it is no longer considered an edg...

Страница 553: ...itch monitors edge ports and disables them if they receive BPDU packets Note To enable an edge port that was disabled by the BPDU guard feature use the NO SHUTDOWN command For instructions refer to NO...

Страница 554: ...g tree domain becomes the root bridge If two or more devices have the same priority value the device with the numerically lowest MAC address becomes the root bridge The range is 0 to 61 440 in increme...

Страница 555: ...used as a tie breaker when two or more ports have equal costs to the root bridge The range is 0 to 240 in increments of 16 The priority values can be set only in increments of 16 The default is 128 U...

Страница 556: ...ion mode Description Use this command to enable the Rapid Spanning Tree Protocol on the switch You cannot enable RSTP until you have activated it with SPANNING TREE MODE RSTP on page 550 Confirmation...

Страница 557: ...ration Protocol on page 601 Chapter 44 GARP VLAN Registration Protocol Commands on page 617 Chapter 45 MAC Address based VLANs on page 635 Chapter 46 MAC Address based VLAN Commands on page 651 Chapte...

Страница 558: ...558 Section VII Virtual LANs...

Страница 559: ...N Overview on page 562 Tagged VLAN Overview on page 568 Creating VLANs on page 572 Adding Untagged Ports to VLANs on page 573 Adding Tagged Ports to VLANs on page 575 Removing Untagged Ports from VLAN...

Страница 560: ...VLAN traffic stays within the VLANs The nodes of a VLAN receive traffic only from nodes of the same VLAN This reduces the need for nodes to handle traffic not destined for them and frees up bandwidth...

Страница 561: ...ore than one switch This makes it possible to create VLANs of end nodes that are connected to switches located in different physical locations The switch supports the following types of VLANs you can...

Страница 562: ...hernet switches Note The switch is preconfigured with one port based VLAN called the Default_VLAN All ports on the switch are members of this VLAN The parts that make up a port based VLAN are VLAN nam...

Страница 563: ...e is another type of VLAN where VLAN membership is determined by information within the frames themselves rather than by a port s PVID This type of VLAN is explained in Tagged VLAN Overview on page 56...

Страница 564: ...an change its untagged VLAN assignment After the VLAN assignment is made the port s role can be changed back again to authenticator or supplicant if desired You cannot delete the Default VLAN from the...

Страница 565: ...have been assigned PVID values A port s PVID is assigned automatically by the switch when you create the VLANs The PVID of a port is the same as the VID in which the port is an untagged member In the...

Страница 566: ...n two switches Figure 105 Port based VLAN Example 2 WAN 2 3 4 5 6 7 9 19 1 21 23 17 15 11 13 8 10 12 14 18 20 22 24 16 25 26 27 28 2 3 4 5 6 7 9 19 1 21 23 17 15 11 13 8 10 12 14 18 20 22 24 16 25 26...

Страница 567: ...cted to ports 9 to 13 on the top switch and ports 16 18 to 20 and 22 on the bottom switch Because this VLAN spans multiple switches it needs a direct connection between its various parts to provide a...

Страница 568: ...nes the requirements and standards for tagging The device must be able to process the tagged information on received frames and add tagged information to transmitted frames The benefit of a tagged VLA...

Страница 569: ...ANs the PVID of a port determines the VLAN where the port is an untagged member Because a tagged port determines VLAN membership by examining the tagged header within the frames that it receives and n...

Страница 570: ...mple of a Tagged VLAN WAN 2 3 4 5 6 7 9 19 1 21 23 17 15 11 13 8 10 12 14 18 20 22 24 16 25 26 27 28 2 3 4 5 6 7 9 19 1 21 23 17 15 11 13 8 10 12 14 18 20 22 24 16 25 26 27 28 Router Sales VLAN VID 2...

Страница 571: ...the lower switch These ports have been made tagged members of the Sales and Engineering VLANs so that they can carry traffic from both VLANs simultaneously These ports provide a common connection tha...

Страница 572: ...an one switch should be assigned the same VID number on each switch Here is the format of the command vlan vid name name This example creates the Engineering VLAN and assigns it the VID 5 awplus enabl...

Страница 573: ...an untagged member of a VLAN Here is the format of the command switchport access vlan vid The VID parameter is the VLAN to which you want to add the untagged port If you don t know the number use the...

Страница 574: ...Chapter 41 Port based and Tagged VLANs 574 Section VII Virtual LANs awplus config interface port1 0 11 port1 0 18 awplus config if switchport access vlan 4...

Страница 575: ...nd has the format shown here switchport mode trunk ingress filter enable disable For an explanation of the optional INGRESS FILTER parameter refer to SWITCHPORT MODE TRUNK on page 591 Once a port is l...

Страница 576: ...hat particular VLAN A port can have only one native VLAN The command for setting the native VLAN of tagged ports is the SWITCHPORT TRUNK NATIVE VLAN command in the Port interface mode Here is the comm...

Страница 577: ...o the Default_VLAN You can remove more than one port at a time from a VLAN and the same command can be used to remove untagged ports from different VLANs This example removes untagged port 5 from its...

Страница 578: ...LANs from which the port is to be removed This example removes tagged ports 18 and 19 from the VLAN with the VID 7 awplus enable awplus configure terminal awplus config interface port1 0 18 port1 0 19...

Страница 579: ...on mode You can delete only one VLAN at a time and you cannot delete the Default_VLAN The untagged ports of deleted VLANs are automatically returned back to the Default_VLAN Here is the format of the...

Страница 580: ...le of the information is shown in Figure 107 Figure 107 SHOW VLAN ALL Command The information is described in Table 58 on page 586 VLAN ID Name Type State Member ports u Untagged t Tagged 1 default ST...

Страница 581: ...ed ports NO VLAN on page 585 VLAN Configuration Deletes VLANs from the switch SHOW VLAN on page 586 User Exec and Privileged Exec Displays all the VLANs on the switch SWITCHPORT ACCESS VLAN on page 58...

Страница 582: ...the Default_VLAN if they are set to the authenticator role for 802 1x port based network access control You must first remove the authenticator role For instructions refer to NO DOT1X PORT CONTROL on...

Страница 583: ...o VLANs once the trunk mode has been removed Note You must first remove a port from all tagged VLAN assignments before you can remove its tagged designation For instructions refer to SWITCHPORT TRUNK...

Страница 584: ...N for ingress and egress untagged packets A tagged port can have only one native VLAN Note This command will not work if the tagged port is already a tagged member of the Default_VLAN because a port c...

Страница 585: ...ed VLAN to the Default_VLAN as untagged ports Static addresses assigned to the ports of a deleted VLAN become obsolete and should be deleted from the MAC address table For instructions refer to NO MAC...

Страница 586: ...e 108 Figure 108 SHOW VLAN Command The columns in the table are described here VLAN ID Name Type State Member ports u Untagged t Tagged 1 default STATIC ACTIVE 1 u 20 u 21 u 22 u 23 u 26 u 27 u 28 u 5...

Страница 587: ...show vlan State The states of the VLANs A VLAN has an Active state if it has at least one tagged or untagged port and an Inactive state if it does not have any ports Member Ports The untagged u and ta...

Страница 588: ...witch automatically removes it from its current untagged VLAN assignment before moving it to its new assignment For example if you add port 4 as an untagged port to a VLAN the switch automatically rem...

Страница 589: ...wplus config interface port1 0 5 port1 0 7 awplus config if switchport access vlan 12 This example returns port 15 as an untagged port to the Default_VLAN which has the VID 1 awplus enable awplus conf...

Страница 590: ...untagged ports to VLANs The second command is SWITCHPORT ACCESS VLAN on page 588 The access mode is the default setting for all ports on the switch Consequently you only need to perform this command f...

Страница 591: ...PORT TRUNK ALLOWED VLAN on page 593 The INGRESS FILTER parameter controls whether the tagged port accepts or rejects tagged packets containing VIDs that do not match any of its tagged VIDs If ingress...

Страница 592: ...rtual LANs This example designates port 18 as a tagged port and disables ingress filtering so that it accepts all tagged packets awplus enable awplus configure terminal awplus config interface port1 0...

Страница 593: ...d Adds the port as a tagged port to all the VLANs on the switch except for the designated VLAN You can specify more than one VID remove vid Removes the port as a tagged port from the designated VLAN Y...

Страница 594: ...nd SHOW VLAN on page 586 Examples of Adding Tagged Ports to VLANs This example designates port 5 as a tagged port and adds it to the VLAN with the VID 22 awplus enable awplus configure terminal awplus...

Страница 595: ...Tagged Ports from VLANs This example removes tagged port 17 from the VLAN with the VID 8 awplus enable awplus configure terminal awplus config interface port1 0 17 awplus config if switchport trunk al...

Страница 596: ...to designate native VLANs for tagged ports The native VLAN of a tagged port specifies the appropriate VLAN for ingress untagged packets A tagged port can have only one native VLAN and the VLAN must a...

Страница 597: ...VII Virtual LANs 597 This example reestablishes the Default_VLAN as the native VLAN for tagged ports 18 and 20 awplus enable awplus configure terminal awplus config interface port1 0 18 port1 0 20 aw...

Страница 598: ...uld assign the Sales VLAN on each switch the same VID value name Specifies a name for a new VLAN A name can be from 1 to 20 characters in length The first character must be a letter it cannot be a num...

Страница 599: ...nal awplus config vlan database awplus config vlan vlan 5 name Engineering This example creates a new VLAN with the VID 17 and the name Manufacturing awplus enable awplus configure terminal awplus con...

Страница 600: ...Chapter 42 Port based and Tagged VLAN Commands 600 Section VII Virtual LANs...

Страница 601: ...Intermediate Switches on page 607 Enabling GVRP on the Switch on page 608 Enabling GIP on the Switch on page 609 Enabling GVRP on the Ports on page 610 Setting the GVRP Timers on page 611 Disabling GV...

Страница 602: ...t it It then does the following If the PDU contains a VID of a VLAN that does not exist on the switch it creates the designated VLAN and adds the port that received the PDU as a tagged member of the V...

Страница 603: ...from port 3 containing all the VIDs of the VLANs on the switch including the new GVRP_VLAN_11 with its VID of 11 Note that port 3 is not yet a member of the VLAN Ports are added to VLANs when they rec...

Страница 604: ...he PDU on port 3 and then adds the port as a tagged dynamic GVRP port to the dynamic GVRP_VLAN_11 VLAN There is now a communications path for the end nodes of the Sales VLAN on switches 1 and 3 GVRP c...

Страница 605: ...all dynamic GVRP VLANs and dynamic GVRP port assignments The dynamic assignments are relearned by the switch as PDUs arrive on the ports from other switches GVRP has three timers join timer leave tim...

Страница 606: ...ake the port a member of the VLANs giving the intruder access to restricted areas of your network Here are a couple suggestions to protect against this type of network intrusion Activating GVRP only o...

Страница 607: ...that it receives from the GVRP active switches GVRP PDUs are management frames intended for the switch s CPU In all likelihood a GVRP inactive switch will discard the PDUs because it will not recogni...

Страница 608: ...n the Global Configuration mode It is the GVRP ENABLE command After the command is entered the switch immediately begins to transmit PDUs from those ports where GVRP is enabled and to learn dynamic GV...

Страница 609: ...rately from GVRP on the switch GIP must be enabled if the switch is using GVRP The command for activating GIP is the GVRP APPLICANT STATE ACTIVE command in the Global Configuration mode Here is the co...

Страница 610: ...Because the default setting for GVRP on the ports is enabled you should only need to use this command if you want to enable GVRP after disabling it on a port This example of the command activates GVR...

Страница 611: ...equation Join Timer 2 x Leave Timer The commands for setting the timers are in the Global Configuration mode They are gvrp timer join value gvrp timer leave value gvrp timer leaveall value The timers...

Страница 612: ...on the ports use the GVRP REGISTRATION NONE command in the Port Interface mode This example of the command deactivates GVRP on ports 4 and 5 awplus enable awplus configure terminal awplus config inte...

Страница 613: ...st be enabled if the switch is using GVRP There is never any reason to disable GIP Even if the switch is not performing GVRP you can still leave GIP enabled The command for disabling GIP is GVRP APPLI...

Страница 614: ...o disable GVRP to stop the switch from learning any further dynamic VLANs or GVRP ports use the NO GVRP ENABLE command in the Global Configuration mode Here is the command awplus enable awplus configu...

Страница 615: ...g the GVRP Default Settings To disable GVRP and to return the timers to their default settings use the PURGE GVRP command in the Global Configuration mode awplus enable awplus configure terminal awplu...

Страница 616: ...the switch and the three timer settings Here is the command awplus show gvrp timer Here is an example of the information the command provides Figure 110 SHOW GVRP TIMER Command For reference informati...

Страница 617: ...imer GVRP TIMER LEAVE on page 624 Global Configuration Sets the GARP Leave Timer GVRP TIMER LEAVEALL on page 625 Global Configuration Sets the GARP Leave All timer NO GVRP ENABLE on page 626 Global Co...

Страница 618: ...s SHOW GVRP STATISTICS on page 631 User Exec and Privileged Exec Displays GARP packet and message counters SHOW GVRP TIMER on page 633 User Exec and Privileged Exec Displays the GARP time values Table...

Страница 619: ...TE ACTIVE Syntax gvrp applicant state active Parameters None Mode Global Configuration mode Description Use this command to enable GIP on the switch GIP must be enabled for GVRP to operate properly Ex...

Страница 620: ...yntax gvrp applicant state normal Parameters None Mode Global Configuration mode Description Use this command to disable GIP Note Do not disable GIP if the switch is running GVRP GIP is required for p...

Страница 621: ...Section VII Virtual LANs 621 GVRP ENABLE Syntax gvrp enable Parameters None Mode Global Configuration mode Description Use this command to enable GVRP on the switch Example awplus enable awplus confi...

Страница 622: ...command to enable or disable GVRP on a port A port where GVRP is enabled transmits GVRP PDUs A port where GVRP is disabled does not send GVRP PDUs Examples This example enables GVRP on ports 5 and 6...

Страница 623: ...fault is 20 centiseconds Mode Global Configuration mode Description Use this command to set the GARP Join Timer This timer must be set in relation to the GVRP Leave Timer according to the following eq...

Страница 624: ...one hundredths of a second The range is 30 to 180 centiseconds The default is 60 centiseconds Mode Global Configuration mode Description Use this command to set the GARP Leave Timer Note The setting f...

Страница 625: ...The range is 500 to 3000 centiseconds The default is 1000 centiseconds Mode Global Configuration mode Description Use this command to set the GARP Leave All timer Note The settings for this timer must...

Страница 626: ...s 626 Section VII Virtual LANs NO GVRP ENABLE Syntax no gvrp enable Parameters None Mode Global Configuration mode Description Use this command to disable GVRP on the switch Example awplus enable awpl...

Страница 627: ...Ns 627 PURGE GVRP Syntax purge gvrp Parameters None Mode Global Configuration mode Description Use this command to disable GVRP on the switch and to return the timers to their default values Example a...

Страница 628: ...s SHOW GVRP APPLICANT Syntax show gvrp applicant Parameter None Modes Privileged Exec mode Description Use this command to display the following parameters for the GIP connected ring for the GARP appl...

Страница 629: ...ation Parameters None Modes Privileged Exec mode Description Use this command to display the following parameters for the internal database for the GARP application Each attribute is represented by a...

Страница 630: ...rameter None Modes Privileged Exec mode Description Use this command to display the following parameters for the GID state machines for the GARP application The output is shown on a per GID index basi...

Страница 631: ...P Packets Receive Discarded GARP Disabled Receive DIscarded Port Not Listening Transmit Discarded Port Not Sending Receive Discarded Invalid Port Receive Discarded Invalid Protocol Receive Discarded I...

Страница 632: ...egistration Protocol Commands 632 Section VII Virtual LANs Receive GARP Messages Empty Transmit GARP Messages Empty Receive GARP Messages Bad Message Receive GARP Messages Bad Attribute Example awplus...

Страница 633: ...er Parameter None Modes Privileged Exec mode Description Use this command to display the current values for the following GARP application parameters GARP application protocol GVRP status GVRP GIP sta...

Страница 634: ...Chapter 44 GARP VLAN Registration Protocol Commands 634 Section VII Virtual LANs...

Страница 635: ...lines on page 641 General Steps on page 642 Creating MAC Address based VLANs on page 643 Adding MAC Addresses to VLANs and Designating Egress Ports on page 644 Removing MAC Addresses on page 645 Delet...

Страница 636: ...with the same resources regardless of the points at which they access the network If you employed port based or tagged VLANs for roaming users you might have to constantly reconfigure the VLANs moving...

Страница 637: ...ress based VLANs relieves you from having to map each address to its corresponding egress port Instead you only need to be sure that all the egress ports in a MAC address based VLAN are assigned to at...

Страница 638: ...he VLANs will be flooded out port 4 This means that whatever device is connected to the port receives the flooded traffic form all three VLANs If security is a major concern for your network you might...

Страница 639: ...addresses Figure 111 illustrates an example of a MAC address based VLAN that spans two AT 9000 28SP Switches The VLAN consists of three nodes on each switch Table 62 on page 640 lists the details of...

Страница 640: ...e device If there is a match the switch considers the packet as a member of the corresponding MAC address based VLAN and not the port based VLAN and forwards it out the egress ports defined for the co...

Страница 641: ...ss based VLAN and an untagged member of a port based VLAN Given that there is no way for the switch to determine the VLAN to which the broadcast packet belongs it floods the packet on all ports of all...

Страница 642: ...AN Configuration mode to assign a name and a VID to the new VLAN and to designate the VLAN as a MAC address based VLAN 2 Use the VLAN SET MACADDRESS command in the Global Configuration mode to assign...

Страница 643: ...094 The VID of the VLAN must be unique from all other VLANs on the switch The name of a VLAN can be up to 20 characters It cannot contain any spaces and the first character must be a letter not a numb...

Страница 644: ...ddress based VLAN to which the address is to be added and the MAC ADDRESS parameter is the address which has to be entered in this format xx xx xx xx xx xx The MACADDRESS and DESTADDRESS keywords are...

Страница 645: ...awplus config interface port1 0 6 port1 0 8 awplus config if no vlan 23 macaddress 11 8a 92 ce 76 28 Before MAC addresses can be completely removed from this type of VLAN you must first remove them f...

Страница 646: ...VLANs from the switch use the NO VLAN command in the VLAN Configuration mode You can delete only one VLAN at a time Here is the format of the command no vlan vid This example deletes the VLAN with th...

Страница 647: ...re described in Table 64 on page 656 VLAN 5 MAC Associations Total number of associated MAC addresses 5 MAC Address Ports 5A 9E 84 31 23 85 port1 0 13 port1 0 18 1A 87 9B 52 36 D5 port1 0 18 26 72 9A...

Страница 648: ...vlan vlan 21 name Sales type macaddress Use the VLAN MACADDRESS to assign the name Sales and the VID 21 to the new VLAN and to designate it as a MAC address based VLAN awplus config vlan exit Return t...

Страница 649: ...84 22 67 17 awplus config if vlan set 21 macaddress 00 30 84 78 75 1c awplus config if vlan set 21 macaddress 00 30 79 7a 11 10 awplus config if vlan set 21 macaddress 00 30 42 53 10 3a awplus config...

Страница 650: ...ACADDRESS command in the Port Interface mode to assign the ports one MAC address awplus config if end Return to the Privileged Exec mode awplus show vlan macaddress Confirm the configuration with the...

Страница 651: ...tion Removes MAC addresses from VLANs NO VLAN MACADDRESS Port Interface Mode on page 654 Port Interface Removes MAC addresses from egress ports SHOW VLAN MACADDRESS on page 655 Privileged Exec Display...

Страница 652: ...ID Mode VLAN Configuration mode Description Use this command to delete MAC address based VLANs from the switch You can delete only one VLAN at a time with this command Confirmation Command SHOW VLAN M...

Страница 653: ...figuration mode Description Use this command to remove MAC addresses from MAC address based VLANs You can remove only one address at a time with this command The command does not accept ranges or wild...

Страница 654: ...n Use this command to remove MAC addresses from egress ports in MAC address based VLANs Confirmation Command SHOW VLAN MACADDRESS on page 655 Examples This example removes the MAC address 00 30 84 32...

Страница 655: ...Figure 113 SHOW VLAN MACADDRESS Command VLAN 11 MAC Associations Total number of associated MAC addresses 5 MAC Address Ports 5A 9E 84 31 23 85 port1 0 4 port1 0 8 1A 87 9B 52 36 D5 port1 0 4 26 72 9...

Страница 656: ...vlan macaddress Table 64 SHOW VLAN MACADDRESS Command Parameter Description VLAN VID MAC Associations The VID of the MAC address based VLAN Total Number of Associate MAC Addresses Total number of MAC...

Страница 657: ...first character of the name must be a letter it cannot be a number VLANs will be easier to identify if their names reflect the functions of their subnetworks or workgroups for example Sales or Accoun...

Страница 658: ...658 Section VII Virtual LANs Example This example creates a MAC address based VLAN that has the name Sales and the VID 3 awplus enable awplus configure terminal awplus config vlan database awplus con...

Страница 659: ...escription Use this command to add MAC addresses to MAC address based VLANs You can add only one address at a time with this command You cannot use ranges or wildcards The specified VLAN must already...

Страница 660: ...AN Commands 660 Section VII Virtual LANs This example adds the MAC address 00 30 84 32 76 1A to a MAC address based VLAN with the VID 12 awplus enable awplus configure terminal awplus config vlan set...

Страница 661: ...d to assign MAC addresses to egress ports for MAC address based VLANs The specified MAC address must already be assigned to the VLAN For instructions refer to VLAN SET MACADDRESS Global Configuration...

Страница 662: ...Chapter 46 MAC Address based VLAN Commands 662 Section VII Virtual LANs awplus config interface port1 0 1 port1 0 4 awplus config if vlan set 24 macaddress 00 30 84 75 11 b2...

Страница 663: ...ANs This chapter provides the following topics Overview on page 664 Guidelines on page 665 Creating Private VLANs on page 666 Adding Host and Uplink Ports on page 667 Deleting VLANs on page 668 Displa...

Страница 664: ...of one or more host ports and an uplink port Host Ports The host ports of a private port VLAN can only forward traffic to and receive traffic from an uplink port and are prohibited from forwarding tr...

Страница 665: ...The host and uplink ports of private port VLANs are untagged ports and as such transmit only untagged traffic The switch can support private port based tagged and MAC address based VLANs at the same...

Страница 666: ...number has the range of 2 to 4094 The VID of a private port VLAN must be unique from all other VLANs on the switch You cannot assign names to private port VLANs This example assigns the VID 26 to a ne...

Страница 667: ...the switch Private VLANs are created with the PRIVATE VLAN command explained in Creating Private VLANs on page 666 This example of the command adds ports 2 to 7 as host ports of a private port VLAN t...

Страница 668: ...rt VLANs are automatically returned by the switch to the Default_VLAN Here is the format of the command no vlan vid The VID parameter is the VID of the private port VLAN you want to delete The command...

Страница 669: ...TE VLAN command in the Privileged Exec mode displays the private port VLANs currently existing on the switch along with their host and uplink ports Here is the command awplus show vlan private vlan He...

Страница 670: ...Chapter 47 Private Port VLANs 670 Section VII Virtual LANs...

Страница 671: ...letes VLANs from the switch PRIVATE VLAN on page 673 VLAN Configuration Creates private port VLANs SHOW VLAN PRIVATE VLAN on page 674 Privileged Exec Displays the private port VLANs on the switch SWIT...

Страница 672: ...st one VID Mode VLAN Configuration mode Description Use this command to delete private port VLANs from the switch You can delete one VLAN at a time with this command Confirmation Command SHOW VLAN PRI...

Страница 673: ...ode VLAN Configuration mode Description Use this command to create new private port VLANs You can create just one VLAN at a time Refer to SWITCHPORT MODE PRIVATE VLAN HOST on page 675 to add host port...

Страница 674: ...how vlan private vlan Parameters None Mode Privileged Exec mode Description Use this command to display the private port VLANs on the switch Here is an example of the information Figure 115 SHOW VLAN...

Страница 675: ...Mode Port Interface mode Description Use this command to add host ports to private port VLANs Devices connected to host ports in a private port VLAN can only communicate with the uplink port Confirmat...

Страница 676: ...uplink port Mode Port Interface mode Description Use this command to add an uplink port to a private port VLAN A private port VLAN can have only one uplink port Confirmation Command SHOW VLAN PRIVATE...

Страница 677: ...8 Port Interface Removes ports from voice VLANs SWITCHPORT VOICE DSCP on page 679 Port Interface Assigns an DSCP value to a port in a VLAN that carries voice traffic SWITCHPORT VOICE VLAN on page 680...

Страница 678: ...mmand to remove a port from a voice VLAN A port retains the CoS priority and DSCP values that were assigned to it as a voice VLAN member Confirmation Command SHOW VLAN on page 586 Example This example...

Страница 679: ...rt can have only one DSCP value A port however can have both voice VLAN DSCP and CoS values Use the NO form of this command to remove a DSCP value from a port without replacing it with a new value Con...

Страница 680: ...in turn sends its packets using this VLAN ID A port can be a member of just one voice VLAN at a time A port that is already a member of a voice VLAN is removed from its current assignment before it i...

Страница 681: ...uide Section VII Virtual LANs 681 Example This example adds ports 5 to 16 to a voice VLAN that has the VID 12 awplus enable awplus configure terminal awplus config interface port1 0 5 port1 0 16 awplu...

Страница 682: ...this CoS value A port can have only one CoS value A port however can have both voice VLAN CoS and DSCP values Use the NO form of this command to remove a CoS value from a port without replacing it wi...

Страница 683: ...683 Chapter 50 VLAN Stacking This chapter provides the following topics Overview on page 684 Components on page 686 VLAN Stacking Process on page 687 Example of VLAN Stacking on page 688...

Страница 684: ...ative headers is that different customers are likely to use the same VIDs in their networks And requiring that customers reconfigure their VLANs by assigning unique VIDs not used by other customers is...

Страница 685: ...eted at the point the packets leave the metro network and reenter the customer networks Figure 117 Metro Provider 802 1Q Header in Untagged Packets Note To maintain the best performance of a network i...

Страница 686: ...ot handle tagged packets But with VLAN stacking customer ports may handle tagged or untagged packets The extra 802 1Q headers are added to or deleted from the packets at the customer ports The action...

Страница 687: ...etwork is received by the customer port on switch A 2 The customer port adds the new 802 1Q header giving it the same VID number as the VLAN in which the customer port is a member 3 The modified packe...

Страница 688: ...er the Privileged Executive mode from the User Executive mode awplus configure terminal Enter the Global Configuration mode awplus config vlan database Enter the VLAN Configuration mode awplus config...

Страница 689: ...t access vlan 79 Add the ports as untagged ports to the VLAN with the SWITCHPORT ACCESS VLAN command awplus config if switchport vlan stacking customer edge port Use the SWITCHPORT VLAN STACKING comma...

Страница 690: ...awplus show vlan Use the SHOW VLAN command again to confirm the configuration of the ABC_Inc VLAN TPID INTERFACES c Customer Edge Port p Provider Port 0x8100 port1 0 5 c 0x8100 port1 0 6 c 0x8100 port...

Страница 691: ...value to 0x8100 with the PLATFORM VLAN STACKING TPID command awplus exit Return to the Privileged Exec mode awplus show vlan vlan stacking Use the SHOW VLAN VLAN STACKING command to confirm the change...

Страница 692: ...Chapter 50 VLAN Stacking 692 Section VII Virtual LANs...

Страница 693: ...Interface Removes ports from VLAN stacking PLATFORMVLAN STACKING TPID on page 695 Global Configuration Specifies the Tag Protocol Identifier TPID value SHOW VLAN VLAN STACKING on page 696 Privileged E...

Страница 694: ...rt Interface mode Description Use this command to remove ports from VLAN stacking Confirmation Command SHOW VLAN VLAN STACKING on page 696 Example This example removes ports 3 to 16 and 21 from VLAN s...

Страница 695: ...t one TPID value The value must be entered in hexadecimal format Mode Global Configuration mode Description Use this command to specify the Tag Protocol Identifier TPID value that applies to all frame...

Страница 696: ...to display the port assignments of VLAN stacking Here is an example of the information Figure 119 SHOW VLAN VLAN STACKING Command Example awplus enable awplus show vlan vlan stacking TPID INTERFACES c...

Страница 697: ...r edge port or provider port This is sometimes referred to as VLAN double tagging nested VLANs or QinQ Confirmation Command SHOW VLAN VLAN STACKING on page 696 Examples awplus enable awplus configure...

Страница 698: ...Chapter 51 VLAN Stacking Commands 698 Section VII Virtual LANs...

Страница 699: ...chapters Chapter 52 MAC Address based Port Security on page 701 Chapter 53 MAC Address based Port Security Commands on page 709 Chapter 54 802 1x Port based Network Access Control on page 721 Chapter...

Страница 700: ...700 Section VIII Port Security...

Страница 701: ...This chapter contains the following topics Overview on page 702 Configuring Ports on page 704 Enabling MAC Address based Security on Ports on page 706 Disabling MAC Address based Security on Ports on...

Страница 702: ...as dynamic addresses can learn new addresses when addresses are timed out from the table by the switch The addresses are aged out according to the aging time of the MAC address table Note For backgrou...

Страница 703: ...security and 802 1x port based access control on the same port To configure a port as an Authenticator or Supplicant in 802 1x port based access control you must remove MAC address based port securit...

Страница 704: ...the MAC address table The intrusion action is set to protect so that the ports discard packets with unknown MAC addresses after they ve learned the maximum number of addresses but the switch doesn t s...

Страница 705: ...ecurity aging awplus config if switchport port security violation restrict This example configures ports 8 and 20 to learn up to five MAC addresses each The addresses are stored as static addresses in...

Страница 706: ...u are ready to activate the feature on the ports This is accomplished with the SWITCHPORT PORT SECURITY command in the Port Interface mode This example of the command activates port security on ports...

Страница 707: ...s use the NO SWITCHPORT PORT SECURITY command in the Port Interface mode This example of the command removes port security from port 23 awplus enable awplus configure terminal awplus config interface...

Страница 708: ...E Command The fields are defined in Table 71 on page 712 If you are interested in viewing just the number of packets the ports have discarded because they had invalid source MAC addresses you can use...

Страница 709: ...page 712 Privileged Exec Displays the security mode settings of the ports SHOW PORT SECURITY INTRUSION INTERFACE on page 715 Privileged Exec Displays the number of packets the ports have discarded SW...

Страница 710: ...nd to remove MAC address based security from the ports Note To activate ports that were disabled by the shutdown intrusion action refer to NO SHUTDOWN on page 181 Confirmation Command SHOW PORT SECURI...

Страница 711: ...atic addresses are never deleted from the table ports that learn their maximum numbers of source MAC addresses cannot learn new addresses even when the source nodes of the learned addresses are inacti...

Страница 712: ...ORT SECURITY INTERFACE Command The fields are described in Table 71 Port Security Configuration Port1 0 15 Security Enabled YES Port Status ENABLED Violation Mode PROTECT Aging NO Maximum MAC Addresse...

Страница 713: ...ns are Protect Protect intrusion action Restrict Restrict intrusion action Disable Shutdown intrusion action Aging The status of MAC address aging on the port If the aging status is No the MAC address...

Страница 714: ...arned on the port Lock Status Whether or not the port has learned its maximum number of MAC addresses The port will have a Locked status if it has learned its maximum number of MAC addresses and an Un...

Страница 715: ...discard because the packets had unknown source MAC addresses The ports begin to discard packets after learning their maximum number of source MAC addresses This information is also available with SHOW...

Страница 716: ...ace mode Description Use this command to activate MAC address based security on ports Confirmation Command SHOW PORT SECURITY INTERFACE on page 712 Example This example activates MAC address based sec...

Страница 717: ...as dynamic MAC address in the MAC address table Ports that learn their maximum numbers of addresses can learn new addresses as inactive addresses are deleted from the table Confirmation Command SHOW P...

Страница 718: ...specify the maximum number of dynamic MAC addresses that ports can learn Ports that learn their maximum numbers of MAC addresses discard ingress packets with unknown MAC addresses Use the no form of t...

Страница 719: ...ingress frames that have unknown source MAC addresses The no form of this command NO SWITCHPORT PORT SECURITY VIOLATION returns the value to protect which is the default setting Confirmation Command S...

Страница 720: ...curity violation restrict This example sets the intrusion action on port 2 to shutdown The switch disables the port and sends an SNMP trap if the port learns its maximum number of MAC addresses and th...

Страница 721: ...page 727 Supplicant and VLAN Associations on page 731 Guest VLAN on page 734 RADIUS Accounting on page 735 General Steps on page 736 Guidelines on page 737 Enabling 802 1x Port Based Network Access Co...

Страница 722: ...87 then you know that you can also use the RADIUS client software on the switch along with a RADIUS server on your network to create new remote manager accounts Note RADIUS with Extensible Authenticat...

Страница 723: ...ith an EAPOL Start packet to which the authenticator responds with a EAP Request Identity packet The supplicant responds with an EAP Response Identity packet to the authentication server via the authe...

Страница 724: ...nnot authenticate itself and must communicate with the switch through a port that is set to the none role Authenticator Role The authenticator role activates port access control on a port Ports in thi...

Страница 725: ...ts who have been assigned valid combinations Another advantage is that the authentication is not tied to any specific computer or node An end user can log on from any system and still be verified by t...

Страница 726: ...places the port in the authorized state without any authentication exchange required The port transmits and receives normal traffic without authenticating the client Note A supplicant connected to an...

Страница 727: ...his mode permits multiple clients on an authenticator port An authenticator mode forwards packets from all clients once one client has successfully logged on This mode is typically used in situations...

Страница 728: ...method one client must have 802 1x client firmware and must provide a username and password during authentication The other clients do not need 802 1x client firmware to forward traffic through the p...

Страница 729: ...provide each client with a separate username and password combination and the clients must provide their combinations to forward traffic through a switch port If the authentication method is MAC addr...

Страница 730: ...tiple Supplicant Mode AT 9000 28 Gigabit Ethernet Switch with 4 Combo SFP Ports PWR SYS MODE SELECT COL SPD DUP ACT RS 232 CONSOLE 1451 RADIUS Authentication Server Port 6 Role Authenticator Operating...

Страница 731: ...ce requirements and security levels The problem with a port based VLAN is that VLAN membership is determined by the port on the switch to which the device is connected If a different device that needs...

Страница 732: ...DIUS server for example the VID of a nonexistent VLAN it leaves the port in the unauthorized state to deny access to the port Multiple Supplicant Mode The initial authentication on an authenticator po...

Страница 733: ...Tunnel Medium Type The transport medium to be used for the tunnel specified by Tunnel Private Group Id The only supported value is 802 6 Tunnel Private Group ID The ID of the tunnel the authenticated...

Страница 734: ...he port is not required to log on and has full access to the resources of the Guest VLAN If the switch receives 802 1x packets on the port signalling that a supplicant is logging on it moves the port...

Страница 735: ...The event information the switch sends to the RADIUS server includes The port number where an event occurred The date and time when an event occurred The number of packets transmitted and received by...

Страница 736: ...alphanumeric characters and spaces An account for a supplicant connected to an authenticator port set to the MAC address based authentication mode must use the MAC address of the node as both the use...

Страница 737: ...set to the multiple supplicant mode is 320 An authenticator port stops accepting new clients after the maximum number is reached The maximum number of authenticated clients on the entire switch is 0 N...

Страница 738: ...1 and 2 If only server 3 responds then all future requests go to all three servers You cannot change the untagged VLAN assignment of a port after it has been designated as an authenticator port To cha...

Страница 739: ...r the AAA AUTHENTICATION DOT1X DEFAUT GROUP RADIUS command The command has no parameters Here is the command awplus enable awplus configure terminal awplus config aaa authentication dot1x default grou...

Страница 740: ...ve network interrupts network operations because the designated ports stop forwarding traffic until the clients log on If your switch is part of an active network the DOT1X PORT CONTROL FORCE UNAUTHOR...

Страница 741: ...connected to a single node Multiple host mode For authenticator ports that are connected to multiple nodes The ports forward all traffic after just one supplicant successfully logs on Multiple suppli...

Страница 742: ...example configures ports 16 to 19 to use the MAC address authentication method and the multiple supplicant mode so that the nodes are authenticated individually awplus enable awplus configure termina...

Страница 743: ...22 so that the clients must reauthenticate every 12 hours 43200 seconds awplus enable awplus configure terminal awplus config interface port1 0 21 port1 0 22 awplus config if dot1x port control auto...

Страница 744: ...ator role so that they forward traffic without authenticating clients go to the Port Interface mode of the ports and enter the NO DOT1X PORT CONTROL command This example removes the authenticator role...

Страница 745: ...orward packets without authentication go to the Global Configuration mode and enter the NO AAA AUTHENTICATION DOT1X DEFAULT GROUP RADIUS command Here is the command awplus enable awplus configure term...

Страница 746: ...thenticator settings for port 2 awplus show dot1x interface port1 0 2 Here is an example of what you will see Figure 127 SHOW DOT1X INTERFACE Command Authentication Info for interface port1 0 2 portEn...

Страница 747: ...d display the same information Here is an example of the information Figure 128 SHOW DOT1X STATISTICS INTERFACE Command Authentication Statistics for interface port1 0 2 EAPOL Frames Rx 0 EAPOL Frames...

Страница 748: ...Chapter 54 802 1x Port based Network Access Control 748 Section VIII Port Security...

Страница 749: ...ace Sets the operating modes on authenticator ports AUTH REAUTHENTICATION on page 758 Port Interface Activates reauthentication on the authenticator ports AUTH TIMEOUT QUIET PERIOD on page 759 Port In...

Страница 750: ...771 Port Interface Sets ports to the authenticator role DOT1X PORT CONTROL FORCE AUTHORIZED on page 772 Port Interface Configures ports to the 802 1X port based authenticator role in the forced autho...

Страница 751: ...CANT INTERFACE on page 784 Privileged Exec Displays the number and types of supplicants on authenticator ports SHOW DOT1X on page 785 Privileged Exec Displays whether 802 1 port based network access c...

Страница 752: ...etwork access control on the switch The default setting for this feature is disabled Note You should activate and configure the RADIUS client software on the switch before activating port based access...

Страница 753: ...AN Associations on page 731 Confirmation Command SHOW AUTH MAC INTERFACE on page 781 or SHOW DOT1X INTERFACE on page 786 Examples This example activates dynamic VLAN assignment on authenticator port 1...

Страница 754: ...t based Network Access Control Commands 754 Section VIII Port Security their VLAN assignments awplus enable awplus configure terminal awplus config interface port1 0 4 awplus config if auth dynamic vl...

Страница 755: ...a guest VLAN until a supplicant successfully logs on at which point it is moved to the VLAN specified in a supplicant s account on the RADIUS server A port must already be designated as an authentica...

Страница 756: ...nt logs on This is referred to as piggy backing multi supplicant Specifies the multiple supplicant operating mode An authenticator port set to this mode requires that all clients log on Mode Port Inte...

Страница 757: ...ogs on awplus enable awplus configure terminal awplus config interface port1 0 8 awplus config if auth host mode multi host This example configures authenticator ports 12 and 13 to the multiple suppli...

Страница 758: ...on on the authenticator ports The clients must periodically reauthenticate according to the time interval set with AUTH TIMEOUT REAUTH PERIOD on page 760 Confirmation Command SHOW AUTH MAC INTERFACE o...

Страница 759: ...he default value is 60 seconds Mode Port Interface mode Description Use this command to set the number of seconds that an authenticator port waits after a failed authentication with a client before ac...

Страница 760: ...ify the time interval for reauthentication of clients on an authenticator port Reauthentication must be enabled on a authenticator port for the timer to work Reauthentication on a port is activated wi...

Страница 761: ...o 600 seconds The default value is 30 seconds Mode Port Interface mode Description Use this command to set the amount of time the switch waits for a response from a RADIUS authentication server Confir...

Страница 762: ...value is 30 seconds Mode Port Interface mode Description Use this command to set the retransmission time for EAP request frames from authenticator ports Confirmation Command SHOW AUTH MAC INTERFACE on...

Страница 763: ...itial frames from a supplicant and automatically sends it as the supplicant s username and password to the authentication server This authentication method does not require 802 1x client software on s...

Страница 764: ...n Use this command to force ports that are using MAC address authentication into the unauthorized state You might use this command to reauthenticate the nodes on authenticator ports Example This examp...

Страница 765: ...in the unauthorized state Generally authenticator ports that are in the unauthorized state discard all ingress and egress traffic until a client logs on There are however two exceptions one of which...

Страница 766: ...broadcast or multicast packets until at least one client has logged on Confirmation Command SHOW AUTH MAC INTERFACE on page 781 or SHOW DOT1X INTERFACE on page 786 Examples This example configures au...

Страница 767: ...tagged and untagged ports in the same VLAN as the ingress port Mode Global Configuration mode Description Use this command to control the action of the switch to EAP packets when 802 1x authentication...

Страница 768: ...ntrol Commands 768 Section VIII Port Security This example configures the switch to forward EAP packets only to untagged ports in the VLANs of the ingress ports awplus enable awplus configure terminal...

Страница 769: ...iption Use this command to force authenticator ports into the unauthorized state You might use this command to force supplicants on authenticator ports to reauthenticate themselves again by logging in...

Страница 770: ...0 retransmissions The default value is 2 Mode Port Interface mode Description Use this command to specify the maximum number of times the switch transmits EAP Request packets to a client before it tim...

Страница 771: ...the unauthorized state forwarding only EAPOL frames until a client has successfully logged on For background information refer to Operational Settings for Authenticator Ports on page 726 Confirmation...

Страница 772: ...the authorized state without any authentication exchanges required The ports transmit and receive traffic normally without 802 1X based authentication of the clients For background information refer...

Страница 773: ...role the switch blocks all authentication on the ports which means that no clients can log on and forward packets through them For background information refer to Operational Settings for Authenticato...

Страница 774: ...1 to 65 535 seconds Mode Port Interface mode Description Use this command to set the amount of time that an authenticator port on the switch waits for a reply from a client to an EAP request identity...

Страница 775: ...ers None Mode Global Configuration mode Description Use this command to disable 802 1x port based network access control on the switch All authenticator ports forward packets without any authenticatio...

Страница 776: ...disable dynamic VLAN assignments of authentication ports For background information refer to Supplicant and VLAN Associations on page 731 Confirmation Command SHOW AUTH MAC INTERFACE on page 781 or SH...

Страница 777: ...ption Use this command to remove the VID of a guest VLAN from an authenticator port Confirmation Command SHOW AUTH MAC INTERFACE on page 781 or SHOW DOT1X INTERFACE on page 786 Example This example re...

Страница 778: ...t have to periodically reauthenticate after the initial authentication Reauthentication is still required if there is a change to the status of the link between a client and the switch or the switch i...

Страница 779: ...authenticator ports but authentication is based on the usernames and passwords provided by the supplicants and not on the MAC addresses of the nodes To completely remove authentication from ports ref...

Страница 780: ...ption Use this command to remove ports from the authenticator role so that they forward traffic without authentication Confirmation Command SHOW AUTH MAC INTERFACE on page 781 or SHOW DOT1X INTERFACE...

Страница 781: ...T1X INTERFACE Command on page 786 An example is shown in Figure 129 Figure 129 SHOW AUTH MAC INTERFACE Command Example awplus show auth mac interface port1 0 1 port1 0 4 Authentication Info for interf...

Страница 782: ...nd to display session status information of authenticator ports This command is equivalent to SHOW DOT1X SESSIONSTATISTICS INTERFACE Command on page 787 An example is shown in Figure 130 Figure 130 SH...

Страница 783: ...t to SHOW DOT1X STATISTICS INTERFACE Command on page 788 An example is shown in Figure 131 Figure 131 SHOW AUTH MAC STATISTICS INTERFACE Command Example awplus show auth mac statistics interface port1...

Страница 784: ...upplicants on authenticator ports This command is equivalent to SHOW DOT1X SUPPLICANT INTERFACE Command on page 789 An example is shown in Figure 132 Figure 132 SHOW AUTH MAC SUPPLICANT INTERFACE Comm...

Страница 785: ...work access control is enabled or disabled on the switch and the IP address of the RADIUS server Only the first IP address in the server table on the switch is displayed To view all the server IP addr...

Страница 786: ...nt to SHOW AUTH MAC INTERFACE on page 781 An example is shown in Figure 134 Figure 134 SHOW DOT1X INTERFACE Command Example awplus show dot1x interface port1 0 1 port1 0 4 Authentication Info for inte...

Страница 787: ...isplay session status information of authenticator ports This command is equivalent to SHOW AUTH MAC SESSIONSTATISTICS INTERFACE on page 782 An example is shown in Figure 135 Figure 135 SHOW DOT1X SES...

Страница 788: ...is equivalent to SHOW AUTH MAC STATISTICS INTERFACE on page 783 An example is shown in Figure 136 Figure 136 SHOW DOT1X STATISTICS INTERFACE Command Example awplus show dot1x statistics interface por...

Страница 789: ...ommand is equivalent to SHOW AUTH MAC SUPPLICANT INTERFACE Command on page 784 An example is shown in Figure 137 Figure 137 SHOW DOT1X SUPPLICANT INTERFACE Command The BRIEF parameter displays an abbr...

Страница 790: ...Chapter 55 802 1x Port based Network Access Control Commands 790 Section VIII Port Security...

Страница 791: ...Simple Network Management Protocols This section contains the following chapters Chapter 56 SNMPv1 and SNMPv2c on page 793 Chapter 57 SNMPv1 and SNMPv2c Commands on page 805 Chapter 58 SNMPv3 Command...

Страница 792: ...792 Section IX Simple Network Management Protocols...

Страница 793: ...on page 794 Enabling SNMPv1 and SNMPv2c on page 796 Creating Community Strings on page 797 Adding or Removing IP Addresses of Trap or Inform Receivers on page 798 Deleting Community Strings on page 8...

Страница 794: ...available from the Allied Telesis web site at www alliedtelesis com A community string must be assigned an access level The levels are Read and Read Write A community string that has an access level o...

Страница 795: ...nd the messages The format can be either SNMPv1 or SNMPv2c For inform messages the format is always SNMPv2c For instructions refer to Adding or Removing IP Addresses of Trap or Inform Receivers on pag...

Страница 796: ...mode The command has no parameters The switch begins to send trap and inform messages to the receivers and permits remote management from SNMP workstations as soon as you enter the command This assume...

Страница 797: ...mmand The COMMUNITY parameter is the name of the new string It can be up to 15 alphanumeric characters and is case sensitive Spaces are not allowed The RW and RO options define the access levels of ne...

Страница 798: ...he format of the trap messages The switch can send trap messages in either SNMPv1 or SNMPv2c format Inform messages can only be sent in SNMPv2c format Note SNMP must be activated on the switch for you...

Страница 799: ...2c format awplus enable awplus configure terminal awplus config snmp server host 143 154 76 17 informs version 2c st_bldg2 To remove IP addresses of trap or inform receivers from community strings use...

Страница 800: ...mand Here is the format no snmp server community community You can delete only one community string at a time with the command which is found in the Global Configuration mode The COMMUNITY parameter i...

Страница 801: ...isable SNMP on the switch use the NO SNMP SERVER command You cannot remotely manage the switch with an SNMP application when SNMP is disabled Furthermore the switch stops transmitting trap and inform...

Страница 802: ...VER COMMUNITY Command The information that the command provides for each community string includes the community name and the access level of read write or read only There is also a view field which f...

Страница 803: ...on the command shows you Figure 140 SHOW RUNNING CONFIG SNMP Command snmp server no snmp server enable trap auth snmp server community sw12eng1 rw snmp server community sw12eng1limit rw snmp server co...

Страница 804: ...Chapter 56 SNMPv1 and SNMPv2c 804 Section X Simple Network Management Protocols...

Страница 805: ...uthentication traps NO SNMP SERVER HOST on page 811 Global Configuration Removes the IP addresses of trap and inform receivers from the community strings NO SNMP SERVER VIEW on page 813 Global Configu...

Страница 806: ...hentication traps which are activated separately SNMP SERVER ENABLE TRAP AUTH on page 823 Global Configuration Activates the transmission of SNMP authentication traps SNMP SERVER HOST on page 824 Glob...

Страница 807: ...figuration mode Description Use this command to disable SNMPv1 SNMPv2c and SNMPv3 on the switch The switch does not permit remote management from SNMP applications when SNMP is disabled It also does s...

Страница 808: ...SNMPv2c community strings from the switch Deleting community strings with this command also deletes any IP addresses of SNMP trap or inform receivers assigned to the community strings You can delete o...

Страница 809: ...ap Parameters None Mode Global Configuration mode Description Use this command to disable the transmission of all SNMP traps except for link status and authentication traps which are disabled separate...

Страница 810: ...P AUTH Syntax no snmp server enable trap auth Parameters None Mode Global Configuration mode Description Use this command to disable the transmission of SNMP traps Confirmation Command SHOW RUNNING CO...

Страница 811: ...he IP address of an inform message receiver community_string Specifies the SNMP community string to which the IP address of the trap or inform receiver is assigned This parameter is case sensitive Mod...

Страница 812: ...102 of a trap receiver from the community string station12a awplus enable awplus configure terminal awplus config no snmp server host 115 124 187 4 traps version 2c station12a This example removes th...

Страница 813: ...case sensitive oid Specifies the OID of the view Mode Global Configuration mode Description Use this command to delete SNMP views You can delete just one view at a time with this command Confirmation...

Страница 814: ...to disable the transmission of SNMP link status notifications traps when ports establish links linkUp or lose links linkDown to network devices Confirmation Command SHOW INTERFACE on page 190 Example...

Страница 815: ...hown in Figure 142 Figure 141 SHOW RUNNING CONFIG SNMP Command Example awplus show running config snmp snmp server no snmp server enable trap auth snmp server community sw12eng1 rw snmp server communi...

Страница 816: ...displays whether SNMP is enabled or disabled on the switch You can remotely manage the switch with SNMPv1 or v2c when the server is enabled Remote management is not possible when the server is disable...

Страница 817: ...e described in Table 75 SNMP community information Community Name private Access Read Write View None Community Name public Access Read only View None Table 75 SHOW SNMP SERVER COMMUNITY Command Param...

Страница 818: ...Chapter 57 SNMPv1 and SNMPv2c Commands 818 Section IX Simple Network Management Protocols Example awplus show snmp server community...

Страница 819: ...ch Here is an example of the display Figure 144 SHOW SNMP SERVER VIEW Command The fields in the entries are described in Table 76 Example awplus show snmp server view SNMP View information View Name s...

Страница 820: ...ion mode Description Use this command to activate SNMPv1 SNMPv2c and SNMPv3 on the switch The switch permits remote management from SNMP applications when SNMP is enabled The switch also sends SNMP me...

Страница 821: ...rw ro Specifies the access level of a new community string of read write RW or read only RO Mode Global Configuration mode Description Use this command to create new SNMPv1 and SNMPv2c community stri...

Страница 822: ...Parameters None Mode Global Configuration mode Description Use this command to activate the transmission of all SNMP traps except for link status and authentication traps which are activated separatel...

Страница 823: ...Syntax snmp server enable trap auth Parameters None Mode Global Configuration mode Description Use this command to activate the transmission of SNMP authentication failure traps Confirmation Command S...

Страница 824: ...ommunity Specifies an SNMP community string This parameter is case sensitive Mode Global Configuration mode Description Use this command to specify IP addresses of network devices to receive trap and...

Страница 825: ...ing tlpaac78 The traps are sent in the SNMPv1 format awplus enable awplus configure terminal awplus config snmp server host 152 34 32 18 traps version 1 tlpaac78 This example assigns the IPv6 address...

Страница 826: ...rmits access to the part of the MIB tree specified by the OID Mode Global Configuration mode Description Use this command to create SNMPv1 and SNMPv2c views on the switch Views are used to restrict th...

Страница 827: ...his example creates the new view AlliedTelesis that limits the available MIB objects to those in the OID 1 3 6 1 4 1 207 awplus enable awplus configure terminal awplus config snmp server view AlliedTe...

Страница 828: ...to transmit link status notifications traps when ports establish links linkUp or lose links linkDown to network devices Confirmation Command SHOW INTERFACE on page 190 Example This example configures...

Страница 829: ...age 835 Global Configuration Deletes SNMPv3 users from the switch NO SNMP SERVER VIEW on page 836 Global Configuration Deletes SNMPv3 views from the switch SHOW SNMP SERVER on page 837 Privileged Exec...

Страница 830: ...Configuration Creates SNMPv3 groups SNMP SERVER HOST on page 846 Global Configuration Creates SNMPv3 host entries SNMP SERVER USER on page 847 Global Configuration Creates SNMPv3 users SNMP SERVER VIE...

Страница 831: ...onfiguration mode Description Use this command to disable SNMPv1 v2c and v3 on the switch The switch does not permit remote management from SNMP applications when SNMP is disabled It also does not sen...

Страница 832: ...l Parameters None Mode Global Configuration mode Description Use this command to return the SNMP engine ID value to the default value Confirmation Command SHOW SNMP SERVER on page 837 Example This exa...

Страница 833: ...minimum security level of the group to be deleted The options are auth Authentication but no privacy noauth No authentication or privacy priv Authentication and privacy Mode Global Configuration mode...

Страница 834: ...th priv Specifies the minimum security level of the user associated with this entry The options are noauth No authentication nor privacy auth Authentication but no privacy priv Authentication and priv...

Страница 835: ...u want to delete from the switch The name is case sensitive Mode Global Configuration mode Description Use this command to delete SNMPv3 users You can delete just one user at a time with this command...

Страница 836: ...ch The name is case sensitive OID Specifies the OID of the subtree of the view to be deleted Mode Global Configuration mode Description Use this command to delete SNMPv3 views from the switch Confirma...

Страница 837: ...displays whether SNMP is enabled or disabled on the switch You can remotely manage the switch with SNMPv1 or v2c when the server is enabled Remote management is not possible when the server is disabl...

Страница 838: ...tion IX Simple Network Management Protocols SHOW SNMP SERVER GROUP Syntax show snmp server group Parameters None Mode Privileged Exec mode Description Use this command to display the SNMPv3 groups Exa...

Страница 839: ...ction IX Simple Network Management Protocols 839 SHOW SNMP SERVER HOST Syntax show snmp server host Parameters None Mode Privileged Exec mode Description Use this command to display the SNMPv3 host en...

Страница 840: ...ection IX Simple Network Management Protocols SHOW SNMP SERVER USER Syntax show snmp server user Parameters None Mode Privileged Exec mode Description Use this command to display the SNMPv3 users Exam...

Страница 841: ...on IX Simple Network Management Protocols 841 SHOW SNMP SERVER VIEW Syntax show snmp server view Parameter None Mode Privileged Exec mode Description Use this command to display the SNMPv3 views on th...

Страница 842: ...n mode Description Use this command to activate SNMPv1 v2c and v3 on the switch The switch permits remote management from SNMP applications when SNMP is enabled The switch also sends SNMP messages to...

Страница 843: ...ription Use this command to configure the SNMPv3 engine ID Note Changing the SNMPv3 engine ID from its default value is not recommended because the SNMP server on the switch may fail to operate proper...

Страница 844: ...n but no privacy noauth No authentication or privacy priv Authentication and privacy readview Specifies the name of an existing SNMPv3 view that specifies the MIB objects the members of the group can...

Страница 845: ...te private This example creates a group called swengineering with a minimum security level of authentication and privacy The group has the read view internet and the write view ATI awplus enable awplu...

Страница 846: ...iv Specifies the minimum security level of the user associated with this entry The options are noauth No authentication nor privacy auth Authentication but no privacy priv Authentication and privacy u...

Страница 847: ...md5 The MD5 Message Digest Algorithms authentication protocol sha The SHA Secure Hash Algorithms authentication protocol auth_password Specifies a password for authentication A password can have up t...

Страница 848: ...ntication or privacy awplus enable awplus configure terminal awplus config snmp server user dcraig This example creates the user bjones The user is assigned authentication using SHA and the authentica...

Страница 849: ...by the OID Mode Global Configuration mode Description Use this command to create SNMPv3 views on the switch Views are used to restrict the MIB objects that network managers can access through SNMPv3 g...

Страница 850: ...s 850 Section IX Simple Network Management Protocols awplus enable awplus configure terminal awplus config snmp server view AlliedTelesis 1 3 6 1 excluded awplus config snmp server view AlliedTelesis...

Страница 851: ...61 LLDP and LLDP MED on page 877 Chapter 62 LLDP and LLDP MED Commands on page 911 Chapter 63 Address Resolution Protocol ARP on page 969 Chapter 64 Address Resolution Protocol ARP Commands on page 9...

Страница 852: ...852 Section X Network Management...

Страница 853: ...lowing topics Overview on page 854 Configuring the sFlow Agent on page 856 Configuring the Ports on page 857 Enabling the sFlow Agent on page 859 Disabling the sFlow Agent on page 860 Displaying the s...

Страница 854: ...rts This value defines the average number of ingress packets from which the agent samples one packet For example a sampling rate of 1000 on a port prompts the agent to send one packet from an average...

Страница 855: ...port the agent depending on its internal dynamics may send the information to the collector before five minutes have actually elapsed Guidelines Here are the guidelines to the sFlow agent You can spe...

Страница 856: ...lector ip ipaddress port udp_port The IPADDRESS parameter specifies the IP address of the collector and the UDP_PORT parameter its UDP port This example specifies the IP address of the sFlow collector...

Страница 857: ...ferent ports can have different rates The packet sampling rate is controlled with the SFLOW SAMPLING RATE command in the Port Interface mode Here is the format of the command sflow sampling rate value...

Страница 858: ...rt can have just one polling rate but different ports can have different settings The command to set this value is the SFLOW POLLING INTERVAL command in the Port Interface mode Here is the format of t...

Страница 859: ...awplus config sflow enable This command assumes that you have already performed these steps Added the IP address of the collector to the sFlow agent with the SFLOW COLLECTOR IP command Used the SFLOW...

Страница 860: ...the sFlow agent from collecting performance data on the ports on the switch and from sending the data to the collector on your network use the NO SFLOW ENABLE command in the Global Configuration mode...

Страница 861: ...LOW command in the Global Configuration mode Here is the command awplus config show sflow Here is an example of what you ll see Figure 146 SHOW SFLOW Command The fields are described in Table 79 on pa...

Страница 862: ...ss of the collector before configuring the polling and sampling rates of the ports The next series of commands configures the sFlow settings of the ports awplus enable Enter the Privileged Executive m...

Страница 863: ...g if sflow sampling rate 50000 Use the SFLOW SAMPLING RATE command to set the sampling rate of the ports to 1 packet for every 50000 packets awplus config if sflow polling interval 1800 Use the SFLOW...

Страница 864: ...tes and polling intervals there may be long periods of time in which the agent on the switch does not send any information to the collectors For instance if there is little or no traffic on port 23 in...

Страница 865: ...to the sFlow agent on the switch SFLOW ENABLE on page 869 Global Configuration Activates the sFlow agent on the switch SFLOW POLLING INTERVAL on page 870 Port Interface Sets the polling intervals tha...

Страница 866: ...sFlow collector Mode Global Configuration mode Description Use this command to delete the IP address of an sFlow collector from the switch Confirmation Command SHOW SFLOW DATABASE on page 874 Example...

Страница 867: ...None Mode Global Configuration mode Description Use this command to disable the sFlow agent to stop the switch from transmitting sample and counter data to the sFlow collector on your network Confirm...

Страница 868: ...ort of an sFlow collector on your network The packet sampling data and the packet counters from the ports are sent by the switch to the specified collector You can specify just one collector If the IP...

Страница 869: ...ption Use this command to activate the sFlow agent on the switch The switch uses the agent to gather packet sampling data and packet counters from the designated ports and to transmit the data to the...

Страница 870: ...the ports by the sFlow agent The ports can have different polling intervals To remove sFlow monitoring from a port enter the NO form of this command NO SFLOW POLLING INTERVAL You must disable the sFl...

Страница 871: ...AT 9000 Switch Command Line User s Guide Section X Network Management 871 awplus config interface port1 0 21 awplus config if no sflow polling interval...

Страница 872: ...o the sFlow collector For example a sample rate of 700 on a port means that one sample packet is taken for every 700 ingress packets The ports can have different sampling rates To disable packet sampl...

Страница 873: ...mand Line User s Guide Section X Network Management 873 This example disables packet sampling on port 7 awplus enable awplus configure terminal awplus config interface port1 0 7 awplus config if no sf...

Страница 874: ...the Global Configuration mode You can enter either SHOW SFLOW or SHOW SFLOW DATABASE to display the same information Description Use this command to display the settings of the sFlow agent on the swi...

Страница 875: ...r of ports configured to be sampled or polled Port The port number Sample rate The rate of ingress packet sampling on the port For example a rate of 500 means that one in every 500 packets is sent to...

Страница 876: ...Chapter 60 sFlow Agent Commands 876 Section X Network Management Example awplus enable awplus configure terminal awplus config show sflow database...

Страница 877: ...uring Ports to Send LLDP MED Civic Location TLVs on page 891 Configuring Ports to Send LLDP MED Coordinate Location TLVs on page 895 Configuring Ports to Send LLDP MED ELIN Location TLVs on page 899 R...

Страница 878: ...rotocol That is the information transmitted in LLDP advertisements flows in one direction only from one device to its neighbors and the communication ends there Transmitted advertisements do not solic...

Страница 879: ...that transmitted the advertisements Time to Live TTL The length of time in seconds for which the information received in the advertisements remains valid If the value is greater than zero the informa...

Страница 880: ...N identifiers This is not supported on the AT 9000 Switch VLAN names The names of the VLANs in which the transmitting port is either an untagged or tagged member Protocol IDs List of protocols that ar...

Страница 881: ...cy location hardware configuration and for Power over Ethernet capable devices power management LLDP MED TLVs unlike the other TLVs are only sent if the switch detects that an LLDP MED activated devic...

Страница 882: ...n Identification Number ELIN Extended power management The following PoE information Power Type field Power Sourcing Entity PSE Power Source field current power source either Primary Power Source or B...

Страница 883: ...ventory management The current hardware platform and the software version identical on every port on the switch Hardware Revision Firmware Revision Software Revision Serial Number Manufacturer Name Mo...

Страница 884: ...egins to transmit advertisements from those ports that are configured to send TLVs and begins to populate its neighbor information table as advertisements from the neighbors arrive on the ports The co...

Страница 885: ...lus enable Enter the Privileged Executive mode from the User Executive mode awplus configure terminal Enter the Global Configuration mode awplus config interface port1 0 4 port1 0 18 Enter the Port In...

Страница 886: ...ace port1 0 16 port1 0 20 Enter the Port Interface mode for ports 16 to 20 awplus config if lldp transmit receive Configure the ports to accept and send TLVs to their neighbors awplus config if no lld...

Страница 887: ...figure the ports to send the TLVs Table 83 Optional LLDP TLVs TLV Designator Description port description Port description system name System name system description System description system capabili...

Страница 888: ...TLVs from the ports with the NO LLDP MED TLV SELECT command awplus config if lldp tlv select port description awplus config if lldp tlv select link aggregation awplus config if lldp tlv select mac phy...

Страница 889: ...enable Enter the Privileged Executive mode from the User Executive mode awplus configure terminal Enter the Global Configuration mode awplus config interface port1 0 3 port1 0 4 Enter the Port Interf...

Страница 890: ...se the SHOW LLDP INTERFACE command to confirm the configuration Optional TLVs Enabled for Tx Port Rx Tx Notif Management Addr Base 802 1 802 3 MED 3 Rx Tx 0 0 0 0 McNp 4 Rx Tx 0 0 0 0 McNp Transmit op...

Страница 891: ...orts on the switch and then configure the ports to send it as their civic location TLV Here are the main steps to creating civic location TLVs 1 Starting in the Global Configuration mode use the LOCAT...

Страница 892: ...state CA street suffix Blvd unit A11 Table 84 Abbreviated List of LLDP MED Civic Location Entry Parameters Parameter Example awplus enable Enter the Privileged Executive mode from the User Executive...

Страница 893: ...et Suffix Avenue Postal Code 95132 Building 1020 Primary Road Name North Hacienda awplus configure terminal Enter the Global Configuration mode awplus config interface port1 0 14 Enter the Port Interf...

Страница 894: ...e the SHOW LLDP INTERFACE command to confirm the port is configured to send the location entry ID Element Type Element 8 Country US State CA City San Jose Street Suffix Avenue Postal Code 95132 Buildi...

Страница 895: ...The parameters are listed in Table 85 Table 85 LLDP MED Coordinate Location Entry Parameters Parameter Value latitude Latitude value in decimal degrees The range is 90 0 to 90 0 The parameter accepts...

Страница 896: ...e ID number 16 Latitude 37 29153547 Longitude 121 91528320 Datum nad83 navd Altitude 10 25 meters The example is assigned to port 15 altitude meters Altitude in meters The range is 2097151 0 to 209715...

Страница 897: ...number 16 awplus config_coord latitude 37 29153547 awplus config_coord longitude 121 91528320 awplus config_coord datum nad83 navd awplus config_coord altitude 10 25 meters Use the parameter commands...

Страница 898: ...eged Exec mode awplus show location coord location interface port1 0 15 Use the SHOW LOCATION command to confirm the configuration awplus show lldp interface port1 0 15 Use the SHOW LLDP INTERFACE com...

Страница 899: ...ED TLV SELECT command to configure the ports to send the TLV in their advertisements Here is an example of how to create an ELIN location entry and apply it to a port The specifications of the entry a...

Страница 900: ...ID number 3 to the port awplus config_if lldp med tlv select location Use the LLDP MED TLV SELECT command to configure the port to send the location entry in its advertisements awplus config_if end R...

Страница 901: ...s example stops ports 4 and 5 from including the system capabilities and the management address TLVs in their advertisements awplus enable awplus configure terminal awplus config interface port1 0 4 p...

Страница 902: ...ich is located in the Port Interface mode This example stops ports 6 and 11 from sending the location and inventory management TLVs in their advertisements awplus enable awplus configure terminal awpl...

Страница 903: ...can delete just one entry at a time and must include both the type and the ID number of the location entry to be deleted This example deletes the civic location ID 22 awplus enable awplus configure te...

Страница 904: ...switch use the NO LLDP RUN command in the Global Configuration mode The command has no parameters After the protocols are disabled the switch neither sends advertisements to nor collects information f...

Страница 905: ...nd awplus show lldp Here is an example of the information Figure 148 SHOW LLDP Command The fields are defined in Table 90 on page 951 LLDP Global Configuration Default Values LLDP Status Enabled Disab...

Страница 906: ...on Abbreviations RC LLDP Remote Tables Change TC LLDP MED Topology Change TLV Abbreviations Base Pd Port Description Sn System Name Sd System Description Sc System Capabilities Ma Management Address 8...

Страница 907: ...mple of the summary information The fields are defined in Table 92 on page 961 To view all the neighbor information use the SHOW LLDP NEIGHBORS DETAIL command The command has this format show lldp nei...

Страница 908: ...mple clears the information the switch has received from all the neighbors awplus enable awplus clear lldp table This example clears the information the switch has received from the neighbor connected...

Страница 909: ...e ports such as after you ve configured the ports or if you believe that ports are not sending the correct information The command has this format show lldp local info interface port To view the TLVs...

Страница 910: ...same statistics for individual ports use this command show lldp statistics interface port You can view the statistics of more than one port at a time as demonstrated in this example which displays th...

Страница 911: ...s on the switch LLDP MANAGEMENT ADDRESS on page 919 Port Interface Replaces the default management IP address TLV on the ports LLDP MED NOTIFICATIONS on page 921 Port Interface Configures the switch t...

Страница 912: ...the value of the transmission delay timer which is the minimum time interval between transmissions of LLDP advertisements due to a change in LLDP local information LOCATION CIVIC LOCATION on page 935...

Страница 913: ...the LLDP port settings SHOW LLDP LOCAL INFO INTERFACE on page 955 Privileged Exec Displays the current configurations of the LLDP advertisements that the ports on the switch can transmit to LLDP comp...

Страница 914: ...is parameter specifies all the ports Mode Privileged Exec mode Description Use this command to clear the LLDP statistics packet and event counters on the ports You can delete the statistics from all p...

Страница 915: ...this command to clear the LLDP and LLDP MED information the switch has received from its neighbors You can delete all the information the switch has amassed or just the information from neighbors on s...

Страница 916: ...mode Description Use this command to set the holdtime multiplier value The transmit interval is multiplied by the holdtime multiplier to give the Time To Live TTL the switch advertises to the neighbor...

Страница 917: ...se this command to add LLDP MED location information to the ports on the switch The same command is used to add civic coordinate and ELIN locations The specified location entry must already exist To r...

Страница 918: ...his example adds the ELIN location ID 27 to port 21 awplus enable awplus configure terminal awplus config interface port1 0 21 awplus config_if lldp location elin location id 27 This example removes t...

Страница 919: ...P address if present Here are the possible default values for a port A port that belongs to the same VLAN as the management IP address uses the address as its TLV default value A port that belongs to...

Страница 920: ...its management IP address TLV awplus enable awplus configure terminal awplus config interface port1 0 2 awplus config if lldp management address 149 122 54 2 This example returns the management IP ad...

Страница 921: ...d to or disconnected from the specified ports To prevent the switch from transmitting topology change notifications refer to NO LLDP NOTIFICATIONS on page 945 Confirmation Command SHOW LLDP INTERFACE...

Страница 922: ...ch inventory management Specifies the inventory management TLV Mode Port Interface mode Description Use this command to specify the LLDP MED TLVs the ports are to transmit to their neighbors The defau...

Страница 923: ...923 This example configures port 2 to send the capabilities and the location TLVs to its neighbor awplus enable awplus configure terminal awplus config interface port1 0 2 awplus config if lldp med t...

Страница 924: ...rd order Use the NO form of this command to configure the switch to accept only advertisements with TLVs that adhere to the correct order Advertisements in which the TLVs are not in the standard order...

Страница 925: ...re ports to send LLDP SNMP notifications traps To prevent ports from transmitting LLDP SNMP notifications refer to NO LLDP NOTIFICATIONS on page 945 Confirmation Command SHOW LLDP INTERFACE on page 95...

Страница 926: ...val The range is 5 to 3600 seconds Mode Global Configuration mode Description Use this command to set the notification interval This is the minimum interval between LLDP SNMP notifications traps Confi...

Страница 927: ...0 seconds Mode Global Configuration mode Description Use this command to set the reinitialization delay This is the number of seconds that must elapse after LLDP is disabled on a port before it can be...

Страница 928: ...tion mode Description Use this command to activate LLDP on the switch Once you have activated LLDP the switch begins to transmit and accept advertisements on its ports To deactivate LLDP refer to NO L...

Страница 929: ...Description Use this command to set the transmit interval This is the interval between regular transmissions of LLDP advertisements The transmit interval must be at least four times the transmission...

Страница 930: ...y one TLV in a command To select all the TLVs use the ALL option The optional TLVs are listed in Table 87 Table 87 Optional TLVs TLV Description all Sends all optional TLVs link aggregation mac phy co...

Страница 931: ...Descriptions on page 144 or DESCRIPTION on page 167 port vlan Sends the ID number VID of the port based or tagged VLAN where the port is an untagged member power management Transmits Power over Ethern...

Страница 932: ...transmit the optional LLDP port description port vlan and system description TLVs awplus enable awplus configure terminal awplus config interface port1 0 14 port1 0 22 awplus config if lldp tlv selec...

Страница 933: ...y TLVs and any optional LLDP TLVs they have been configured to send Ports configured to receive LLDP advertisements accept all advertisements from their neighbors Confirmation Command SHOW LLDP INTERF...

Страница 934: ...ssion delay timer This is the minimum time interval between transmissions of LLDP advertisements due to a change in LLDP local information The transmission delay timer cannot be greater than a quarter...

Страница 935: ...r Mode Global Configuration mode Description Use this command to create or modify LLDP MED civic location entries on the switch This command moves you to the Civic Location mode which contains the par...

Страница 936: ...bine any of the parameters in a single location entry To remove parameters from a location entry use the NO forms of the parameter commands for example NO UNIT leading street direction West name J Smi...

Страница 937: ...entifier 5 awplus config_civic country US awplus config_civic city San Jose awplus config_civic state CA awplus config_civic building 100 awplus config_civic primary road name New Adams awplus config_...

Страница 938: ...switch This command moves you to the Coordinate Location mode which contains the parameters you use to define the entries The parameters are listed in Table 89 Table 89 LLDP MED Coordinate Location E...

Страница 939: ...d between the two keywords as shown here altitude n floors altitude meters Altitude in meters The range is 2097151 0 to 2097151 0 meters The parameter accepts up to eight digits to the right of the de...

Страница 940: ...tion coord location identifier 16 awplus config_coord latitude 37 29153547 awplus config_coord longitude 121 91528320 awplus config_coord datum nad83 navd awplus config_coord altitude 10 25 meters awp...

Страница 941: ...and coordinate entries You can specify just one ID number Mode Global Configuration mode Description Use this command to create or modify LLDP MED ELIN location entries on the switch To create a new E...

Страница 942: ...end LLDP MED topology change notifications when devices are connected to or disconnected from the specified ports Confirmation Command SHOW LLDP INTERFACE on page 953 Example This example configures t...

Страница 943: ...t ext Specifies the extended power via MDI TLV This TLV does not apply to the AT 9000 Switches inventory management Specifies the inventory management TLV Mode Port Interface mode Description Use this...

Страница 944: ...stops ports 2 and 16 from transmitting the LLDP MED capabilities and network policy TLVs awplus enable awplus configure terminal awplus config interface port1 0 2 port1 0 16 awplus config if no lldp...

Страница 945: ...rt Interface mode Description Use this command to prevent ports from sending LLDP SNMP notifications traps Confirmation Command SHOW LLDP INTERFACE on page 953 Example This example prevents port 14 fr...

Страница 946: ...ription Use this command to disable LLDP and LLDP MED on the switch The switch when LLDP and LLDP MED are disabled neither sends advertisements to nor collects information from its neighbors The LLDP...

Страница 947: ...isted in Table 87 on page 930 To stop ports from transmitting LLDP MED TLVs refer to NO LLDP MED TLV SELECT on page 943 Confirmation Command SHOW LLDP INTERFACE on page 953 Examples This example confi...

Страница 948: ...om transmitting and or accepting LLDP and LLDP MED advertisements to or from their neighbors Confirmation Command SHOW LLDP INTERFACE on page 953 Examples This example stops ports 12 from transmitting...

Страница 949: ...tion entry at a time Mode Global Configuration mode Description Use this command to delete LLDP MED location entries from the switch The same command is used to remove civic locations coordinate locat...

Страница 950: ...ED Commands 950 Section X Network Management This example removes the ELIN location IDs 3 and 4 awplus enable awplus configure terminal awplus config no location elin location id 3 awplus config no lo...

Страница 951: ...Enabled Disabled Notification Interval 5 secs 5 Tx Timer Interval 30 secs 30 Hold time Multiplier 4 4 Computed TTL value 120 secs Reinitialization Delay 2 secs 2 Tx Delay 2 secs 2 Fast Start Count 3...

Страница 952: ...nitialization delay This is the minimum time that must elapse after LLDP has been disabled before it can be initialized again Tx Delay The transmission delay This is the minimum time interval between...

Страница 953: ...P MED Topology Change TLV Abbreviations Base Pd Port Description Sn System Name Sd System Description Sc System Capabilities Ma Management Address 802 1 Pv Port VLAN ID Pp Port And Protocol VLAN ID Vn...

Страница 954: ...X Network Management Examples This example displays the LLDP settings for all the ports on the switch awplus show lldp interface This example displays the LLDP settings for ports 5 6 and 11 awplus sh...

Страница 955: ...933 or that have not established links with their LLDP counterparts cannot be displayed with this command Here is an example of the information Figure 153 SHOW LLDP LOCAL INFO INTERFACE Command LLDP...

Страница 956: ...port1 0 23 Power Via MDI PoE Not Supported Link Aggregation Supported Disabled Maximum Frame Size 1522 Octets LLDP MED Device Type Network Connectivity LLDP MED Capabilities LLDP MED Capabilities Net...

Страница 957: ...d LLDP Detailed Neighbor Information Neighbors table last updated 0 hrs 0 mins 20 secs ago Chassis ID Type MAC address Chassis ID 0015 77d8 4360 Port ID Type Port component Port ID 25 TTL 120 secs Por...

Страница 958: ...rted Inventory Information Hardware Revision A Firmware Revision v1 0 0 Software Revision v1 0 0 Serial Number A04161H09020007 Manufacturer Name ATI Model Name AT 9000 52 Asset ID not advertised Table...

Страница 959: ...List of protocols that are accessible through the neighbor s port Extended Power Via MDI PoE Not supported on the AT 9000 Switch Inventory Information Hardware Revision The hardware revision number o...

Страница 960: ...P and LLDP MED Commands 960 Section X Network Management This example displays the information from all of the neighbors that are connected to ports 1 and 4 awplus show lldp neighbors interface port1...

Страница 961: ...92 Total number of neighbors on these ports 1 System Capability Codes O Other P Repeater B Bridge W WLAN Access Point R Router T Telephone C DOCSIS Cable Device S Station Only LLDP MED Device Class an...

Страница 962: ...w lldp neighbors interface This example displays a summary of the information from the neighbors connected to ports 1 and 4 awplus show lldp neighbors interface port1 0 1 port1 0 4 Neighbor System Nam...

Страница 963: ...ommand The information the command displays is explained in Table 93 Global LLDP Packet and Event counters Frames Out 345 In 423 In Errored 0 In Dropped 0 TLVs Unrecognized 0 Discarded 0 Neighbors New...

Страница 964: ...nserted into the neighbor table Neighbors Deleted Entries Number of times the information advertised by neighbors has been removed from the neighbor table Neighbors Dropped Entries Number of times the...

Страница 965: ...e information Figure 159 SHOW LLDP STATISTICS INTERFACE Command The information the command displays is explained in Table 94 LLDP Packet and Event counters Port 2 Frames Out 15 In 12 In Errored 0 In...

Страница 966: ...ort Neighbors New Entries Number of times the information advertised by the neighbor on the port has been inserted into the neighbor table Neighbors Deleted Entries Number of times the information adv...

Страница 967: ...his command to display the civic coordinate and ELIN location entries on the switch Here is an example of a civic location entry Figure 160 SHOW LOCATION Command for a Civic Location The information t...

Страница 968: ...plays all the coordinate location entries awplus show location coord location The following example displays just coordinate location entry 16 awplus show location coord location identifier 16 The fol...

Страница 969: ...l ARP This chapter contains the following topics Overview on page 970 Adding Static ARP Entries on page 972 Deleting Static and Dynamic ARP Entries on page 973 Enabling and Disabling Proxy ARP on page...

Страница 970: ...t gateway as the destination MAC address Proxy ARP allows the hosts that do not support routing or do not have knowledge of the network structure to determine the physical addresses of hosts on other...

Страница 971: ...nto the ARP table in the ARP cache On the AT 9000 switches the dynamic ARP entries are time stamped and set to time out in 300 seconds Static ARP Entries A manually entered ARP entry is called a stati...

Страница 972: ...pology By creating fixed routes statically you can reduce ARP broadcasting requests To add a static ARP entry use the ARP command in the Global Configuration mode Here is the format of the command arp...

Страница 973: ...ce The following example deletes all of the dynamic ARP entries in the ARP cache awplus enable awplus configure terminal awplus config clear arp cache You can delete one static ARP entry with the NO A...

Страница 974: ...XY ARP command in the VLAN Interface mode Proxy ARP is disabled by default The following example enables Proxy ARP on VLAN 4 awplus enable awplus configure terminal awplus config interface vlan4 awplu...

Страница 975: ...awplus show arp An example is shown in Figure 161 Figure 161 SHOW ARP Command The fields are described in Table 98 on page 983 IP ARP ARP Cache Timeout 300 seconds Total ARP Entries 215 IP Address MAC...

Страница 976: ...Chapter 63 Address Resolution Protocol ARP 976 Section X Network Management...

Страница 977: ...CACHE on page 979 Global Configuration Deletes all dynamic ARP entries from the ARP cache IP PROXY ARP on page 980 VLAN Interface Enables Proxy ARP on a VLAN interface NO ARP IP ADDRESS on page 981 Gl...

Страница 978: ...t to the ARP cache The ARP entry must not already exist in the ARP cache The switch can support up to 512 static ARP entries Note The switch must have an management IP address to support static ARP en...

Страница 979: ...e Global Configuration mode Description Use this command to delete all dynamic ARP entries from the ARP cache on the switch Confirmation Command SHOW ARP on page 983 Example The following example dele...

Страница 980: ...nfiguration mode Description Use this command to enable Proxy ARP on a VLAN interface Proxy ARP is disabled by default Confirmation Command SHOW RUNNING CONFIG on page 132 Example The following exampl...

Страница 981: ...n mode Description Use this command to delete a static ARP entry from the ARP cache Static ARP entries do not expire and you must remove them manually This command can delete only one ARP entry at a t...

Страница 982: ...ne Mode VLAN Interface mode Description Use this command to disable Proxy ARP on a VLAN interface Proxy ARP is disabled by default Confirmation Command SHOW ARP on page 983 Example The following examp...

Страница 983: ...ARP Cache Timeout 300 seconds Total ARP Entries 215 IP Address MAC Address Interface Port Type 149 122 34 4 00 06 5B B2 44 21 vlan2 2 Dynamic 149 122 34 12 00 A0 D2 18 EE A1 vlan2 3 Dynamic 149 122 3...

Страница 984: ...switch awplus show arp Type Indicates the type of entry The type is one of the following Static Static entry added with the ARP IP ADDRESS MAC ADDRESS command Dynamic Dynamic entry learned from ARP re...

Страница 985: ...985 Chapter 65 RMON This chapter contains the following topics Overview on page 986 RMON Port Statistics on page 987 RMON Histories on page 989 RMON Alarms on page 992...

Страница 986: ...ort statistics to identify traffic trends or patterns For instructions refer to RMON Histories on page 989 Alarm group This group is used to create alarms that trigger event log messages or SNMP traps...

Страница 987: ...s the format of the command rmon collection stats stats_id owner owner The STATS_ID parameter is the ID number of the new group The range is 1 to 65535 The groups will be easier to identify if their I...

Страница 988: ...lus show rmon statistics Here is an example of the information Figure 163 SHOW RMON STATISTICS Command The fields are described in Table 105 on page 1022 Deleting Statistics Groups To delete RMON stat...

Страница 989: ...ing History Groups on page 990 Deleting History Groups on page 991 Adding History Groups The command for creating history groups is the RMON COLLECTION HISTORY command This command is in the Port Inte...

Страница 990: ...story group of three buckets the switch deletes the first bucket when it adds the fourth bucket To stop a history from gathering any more statistics you must delete it This example configures the swit...

Страница 991: ...oups from the switch The switch stops collecting port statistic histories as soon as you enter the command This example of the command deletes the history group with the ID 2 on port 2 awplus enable a...

Страница 992: ...port must have an RMON statistics group if it is to have an alarm When you create an alarm you specify the port to which it is to be assigned not by the port number but rather by the ID number of the...

Страница 993: ...d SNMP traps and enter messages in the event log rmon event event_id log trap community_string description description owner owner The EVENT_ID parameter is a value from 1 to 65535 that uniquely ident...

Страница 994: ...variable is the ID number of the statistics group on the port the alarm is to monitor The port is specified indirectly in the command by the ID number of the statistics group For example if the alarm...

Страница 995: ...essage in the event log if the ingress traffic on the port exceeds 20000 packets per minute or falls below 1000 packets The first sequence of steps adds an RMON statistics group to port 22 The alarm w...

Страница 996: ...onfigure terminal Enter the Global Configuration mode awplus config rmon event 3 log description Enter_log_message Create the event with the RMON EVENT LOG command awplus config exit Return to the Pri...

Страница 997: ...sses of the host nodes and activate SNMP on the switch awplus show rmon alarm Use the SHOW RMON ALARM command to verify the configuration of the new alarm Alarm Index 1 Variable etherStatsPkts 22 Inte...

Страница 998: ...unity string with the SHOW RUNNING CONFIG command SNMP Server Enabled IP Protocol IPv4 SNMPv3 Engine ID Configured Not set SNMPv3 Engine ID actual 0x80001f8880241d7f08386d438e SNMP Host information Co...

Страница 999: ...g if end Return to the Privileged Exec mode awplus show rmon statistics Use the SHOW RMON STATISTICS command to verify the configuration of the new group Stats Index 20 Data source ifindex 20 Owner Ag...

Страница 1000: ...interval 60 delta rising threshold 10000 event 2 falling threshold 1000 event 2 Create the alarm with the RMON ALARM command awplus config exit Return to the Privileged Exec mode awplus show rmon alar...

Страница 1001: ...RMON COLLECTION HISTORY on page 1010 Port Interface Creates history groups on the ports RMON COLLECTION STATS on page 1012 Port Interface Creates statistics groups on the ports RMON EVENT LOG on page...

Страница 1002: ...Commands 1002 Section X Network Management SHOW RMON STATISTICS on page 1022 Privileged Exec Displays the statistics groups that are assigned to the ports Table 100 RMON Commands Continued Command Mo...

Страница 1003: ...er of the alarm you want to delete You can delete only one alarm at a time The range is 1 to 65535 Mode Global Configuration mode Description Use this command to delete alarms from the switch Confirma...

Страница 1004: ...u can delete only one group at a time The range is 1 to 65535 Mode Port Interface mode Description Use this command to delete history groups from ports on the switch Confirmation Command SHOW RMON HIS...

Страница 1005: ...roup you want to delete The range is 1 to 65535 Mode Port Interface mode Description Use this command to delete statistics groups from ports on the switch Confirmation Command SHOW RMON STATISTICS on...

Страница 1006: ...you want to delete from the switch You can delete only one event at a time The range is 1 to 65535 Mode Global Configuration mode Description Use this command to delete events from the switch Confirma...

Страница 1007: ...ready exist For more information on the OID and STATS_ID variables refer to Creating RMON Alarms on page 994 interval Specifies the polling interval in seconds The range is 1 to 65535 seconds delta Sp...

Страница 1008: ...987 or RMON COLLECTION STATS on page 1012 The port of an alarm is specified indirectly in the command You use the STATS_ID parameter to specify the ID number of the RMON statistics group you added to...

Страница 1009: ...of RMON alarms refer to RMON Alarms on page 992 etherStatsMulticastPkts 1 3 6 1 2 1 16 1 1 1 7 stats_id etherStatsCRCAlignErrors 1 3 6 1 2 1 16 1 1 1 8 stats_id etherStatsUndersizePkts 1 3 6 1 2 1 16...

Страница 1010: ...orts over time You can view the snapshots with an SNMP program to look for trends or patterns in the numbers or types of ingress packets on the ports A history group can be applied to just one port an...

Страница 1011: ...vals in two hours The group is assigned the ID number 1 awplus enable awplus configure terminal awplus config interface port1 0 14 awplus config if rmon collection history 1 buckets 8 interval 900 Thi...

Страница 1012: ...statistics groups on the ports of the switch The groups are used to view RMON port statistics from SNMP workstations on your network and to create RMON alarms A port can have only one RMON statistics...

Страница 1013: ...are not allowed owner Specifies an owner of up to 20 alphanumeric characters for the event Spaces and special characters are not allowed Mode Global Configuration mode Description Use this command to...

Страница 1014: ...of up to 20 alphanumeric characters for the event Spaces and special characters are not allowed owner Specifies an owner of up to 20 alphanumeric characters for the event Spaces and special character...

Страница 1015: ...escription Specifies a description of up to 20 alphanumeric characters for the event Spaces and special characters are not allowed owner Specifies an owner of up to 20 alphanumeric characters for the...

Страница 1016: ...The fields are described in Table 102 Alarm Index 2 Variable etherStatsBroadcastPkts 2 Interval 80 Alarm Type rising and falling Rising Threshold 1000 Event Index 5 Falling Threshold 100 Event Index...

Страница 1017: ...and falling meaning the alarm has both a rising threshold and a falling threshold Rising Threshold The rising threshold Event Index The ID number of the event the alarm performs if the rising threshol...

Страница 1018: ...bed in Table 103 Event index 2 Description broadcast_packets Event type log trap Event community name wkst12a Last Time Sent 0 Owner Agent Event index 3 Description port24_traffic Event type log Event...

Страница 1019: ...event log and sends an SNMP trap Event community name The SNMP community string used to send SNMP traps Last Time Sent The number of seconds the switch had been operating when it last sent the event t...

Страница 1020: ...re 167 SHOW RMON HISTORY Command The fields are described in Table 104 History Index 1 Data source ifindex 2 Buckets requested 50 Buckets granted 50 Interval 800 Owner William History Index 4 Data sou...

Страница 1021: ...ts granted The number of buckets allocated by the switch for the history group The value in this field will be less than the value in the buckets requested field if the switch did not have sufficient...

Страница 1022: ...8 SHOW RMON STATISTICS Command The fields are described in Table 105 Example awplus show rmon statistics Stats Index 5 Data source ifindex 5 Owner Agent Stats Index 16 Data source ifindex 16 Owner Age...

Страница 1023: ...llowing sections Overview on page 1024 Creating ACLs on page 1027 Assigning ACLs to Ports on page 1042 Removing ACLs from Ports on page 1044 Restricting Remote Access on page 1046 Unrestricting Remote...

Страница 1024: ...date or time to begin filtering Numbered IPv4 ACLs are only compatible with IPv4 addresses They are not compatible with IPv6 addresses Filtering Criteria All types of ACLs identify packets using filte...

Страница 1025: ...match Since ports forward all ingress packets unless they have deny ACLs permit ACLs are only necessary in situations where you want a port to forward packets that are a subset of a larger traffic flo...

Страница 1026: ...ts As a result you must apply ACLs to the ingress ports of the designated traffic flows ACLs for static port trunks or LACP trunks must be assigned to the individual ports of the trunks A port that ha...

Страница 1027: ...Numbered IPv4 ACL with TCP Port Packets Example on page 1035 Numbered IPv4 ACL with UDP Port Packets Example on page 1037 Table 107 ACCESS LIST Commands for Creating ACLs To Do This Task Use This Com...

Страница 1028: ...pter 17 Port Mirror on page 313 The SRC_IPADDRESS and DST_IPADDRESS parameters specify the source and destination IP addresses Choose from the following options any Matches any IP address ipaddress ma...

Страница 1029: ...ID number 3015 specifies the packets from the permitted subnet while the deny ACL with the ID number 3011 specifies all traffic Table 108 Blocking Ingress Packets Example Command Description awplus e...

Страница 1030: ...rst Table 110 Creating a Permit ACL Followed by a Deny ACL Example Command Description awplus enable Enter the Privileged Executive mode from the User Executive mode awplus configure terminal Enter th...

Страница 1031: ...e ACCESS LIST command awplus config access list 3018 deny ip any any Create the deny ACL awplus config interface port1 0 21 port1 0 22 Move to the Port Interface mode for ports 21 and 22 awplus config...

Страница 1032: ...ng the filtering criteria of the ACL Here are the possible actions permit Forwards all ingress packets that match the ACL Ports by default accept all ingress packets Consequently a permit ACL is only...

Страница 1033: ...The IP address and the mask are separated by a slash for example 149 11 11 0 24 host ipaddress Matches packets with a specified IP address and is an alternative to the IPADRESS MASK variable for addr...

Страница 1034: ...be used together with the port mirror feature explained in Chapter 17 Port Mirror on page 313 The protocol_number parameter specifies a protocol number You can specify one protocol number per command...

Страница 1035: ...ny order The ACTION parameter specifies the action that the port performs on packets matching the filtering criteria of the ACL Here are the possible actions permit Forwards all ingress packets that m...

Страница 1036: ...rameter matches packets that are less than the TCP port number specified by the SRC_TCP_PORT or DST_TCP_PORT parameter The gt parameter matches packets that are greater than the TCP port number specif...

Страница 1037: ...ward a subset of packets that are otherwise discarded deny Discards all ingress packets that match the ACL copy to mirror Copies all ingress packets that match the ACL to the destination port of the m...

Страница 1038: ...ter matches packets that are less than the TCP port number specified by the SRC_TCP_PORT or DST_TCP_PORT parameter The gt parameter matches packets that are greater than the TCP port number specified...

Страница 1039: ...that match the ACL Ports by default accept all ingress packets Consequently a permit ACL is only necessary when you want a port to forward a subset of packets that are otherwise discarded deny Discar...

Страница 1040: ...ecifies the destination MAC address of the ingress packets Here are the possible options dst_mac_address Specifies the destination MAC address of the packets The address must be entered in hexadecimal...

Страница 1041: ...00 00 00 00 ff ff Defines ACL 4012 to deny any MAC addresses with the source MAC address of a4 54 86 12 00 00 00 00 00 ff ff awplus config interface port1 0 19 Access the Port Interface mode for port...

Страница 1042: ...UP command in the Port Interface mode Using this command you can add one Numbered IP ACL to a port or several ports The ACL must exist on the switch Here is the format of the command access group id_n...

Страница 1043: ...C addresses starting with 45 2A B5 and assigns it to port 7 awplus config_if access group 3075 Apply the ACL to the ports with the ACCESS GROUP command Table 118 Assigning Numbered IP ACLs Continued C...

Страница 1044: ...see ACCESS GROUP on page 1057 You can remove one ACL at a time See Table 120 The following example removes an ACL with an ID number of 3082 from port 15 Removing MAC Address ACLs To remove a MAC ACL...

Страница 1045: ...le 121 Removing MAC Address ACLs Example Command Description awplus enable Enter the Privileged Executive mode from the User Executive mode awplus configure terminal Enter the Global Configuration mod...

Страница 1046: ...ge 1046 Assigning MAC ACLs to VTY Lines on page 1047 Assigning Numbered IP ACLs to VTY Lines The following example creates two Numbered IP ACLs The first ACL created with an ID of 3000 permits IP addr...

Страница 1047: ...sses access to the switch awplus config line vty 0 9 Access the LINE VTY mode for lines 0 through 9 awplus config line access class 3000 Assigns ACL 3000 to VTY lines 0 through 9 awplus config line ac...

Страница 1048: ...er of 4001 that denies all IP addresses access to the switch awplus config line vty 0 9 Access the LINE VTY mode for lines 0 through 9 awplus config line access class 4000 Assigns ACL 4000 to VTY line...

Страница 1049: ...3001 are removed from VTY Lines 0 through 9 See Table 124 Table 124 Removing Numbered IP ACLs from VTY Lines Example Command Description awplus enable Enter the Privileged Executive mode from the User...

Страница 1050: ...with ID numbers 3018 and 3019 from the switch The following example deletes a MAC ACL with ID number 4415 from the switch Table 125 Deleting Numbered IP ACLs Example 1 Command Description awplus enab...

Страница 1051: ...ax followed by an example display awplus show access list Figure 169 SHOW ACCESS LIST Command As you can see from the example the SHOW ACCESS LIST command doesn t display which if any ports the ACLs a...

Страница 1052: ...Use the SHOW RUNNING CONFIG command to display the ACLs assigned to VTY lines Here is the format of the command awplus show running config See Figure 171 for an example of the display that pertains to...

Страница 1053: ...ACLs that filter packets based on source and destination IP addresses ACCESS LIST PROTO on page 1070 Global Configuration Creates ACLs that identify packets based on protocol numbers and source and de...

Страница 1054: ...ent SHOW ACCESS LIST on page 1087 Privileged Exec Displays the ACLs on the switch SHOW INTERFACE ACCESS GROUP on page 1088 Privileged Exec Displays the port assignments of the ACLs Table 127 Access Co...

Страница 1055: ...e switch via Telnet Web SNMP or SSH access You can add one ACL to multiple VTY lines with this command Note Allied Telesis recommends specifying all ten of the VTY lines with the ACCESS LIST command b...

Страница 1056: ...tch All other IP addresses are denied remote access to the switch awplus enable awplus configure terminal awplus config interface vlan10 awplus config if ip address 10 0 0 20 24 awplus config if quit...

Страница 1057: ...as they are assigned ACLs This command works for all ACLs except for MAC address ACLs which are added to ports with the MAC ACCESS GROUP command See MAC ACCESS GROUP on page 1083 Note If a port is to...

Страница 1058: ...D of 3022 to port 15 awplus enable awplus configure terminal awplus config interface port1 0 15 awplus config if access group 3022 This example removes an IP ACL with an ID of 3001 from port 7 awplus...

Страница 1059: ...ress packets that match the ACL copy to mirror Copies all ingress packets that match the ACL to the destination port of the mirror port This action must be used together with the port mirror feature e...

Страница 1060: ...address of the packets The address must be entered in hexadecimal in this format xx xx xx xx xx xx any Matches any destination MAC address dst_mac_mask Specifies the destination MAC address mask The...

Страница 1061: ...awplus show interface port1 0 3 access group This example configures port 7 to accept only those packets that have source MAC addresses starting with 45 2A B5 awplus enable awplus configure terminal a...

Страница 1062: ...ination port of the port mirror This action must be used together with the port mirror feature explained in Chapter 17 Port Mirror on page 313 scr_ipaddress Specifies the source IP address of the ingr...

Страница 1063: ...ts that have a destination IP address of a specific subnet or end node host ipaddress Matches packets with a destination IP address of a specific end node The HOST keyword indicates that the address i...

Страница 1064: ...st is assigned the ID number 3094 awplus enable awplus configure terminal awplus config access list 3094 deny icmp 152 12 45 0 24 any awplus config interface port1 0 4 port1 0 5 awplus config_if acces...

Страница 1065: ...ingress IGMP packets with a VID of 12 from ports 12 to 20 awplus enable awplus configure terminal awplus config access list 3156 deny icmp any any vlan 12 awplus config interface port1 0 12 port1 0 2...

Страница 1066: ...port This action must be used together with the port mirror feature explained in Chapter 17 Port Mirror on page 313 scr_ipaddress Specifies the source IP address of the ingress packets the access list...

Страница 1067: ...kets that have a destination IP address of a specific subnet or end node host ipaddress Matches packets with a destination IP address of a specific end node The HOST keyword indicates that the address...

Страница 1068: ...list 3095 deny ip any 149 112 2 0 24 awplus config interface port1 0 11 port1 0 13 awplus config_if access group 3095 awplus config_if end awplus show access list awplus show interface port1 0 11 port...

Страница 1069: ...inal awplus config access list 3011 permit ip any 149 124 47 0 24 awplus config access list 3012 deny ip any any awplus config interface port1 0 22 port1 0 23 awplus config_if access group 3011 awplus...

Страница 1070: ...st be used together with the port mirror feature explained in Chapter 17 Port Mirror on page 313 protocol_number Specifies a protocol number You can specify one protocol number Refer to Table 128 Prot...

Страница 1071: ...hat have a destination IP address of a specific subnet or end node host ipaddress Matches packets with a destination IP address of a specific end node The HOST keyword indicates that the address is of...

Страница 1072: ...IANA 11 Network Voice Protocol RFC741 17 UDP User Datagram Protocol RFC768 20 Host monitoring RFC869 27 RDP Reliable Data Protocol RFC908 28 IRTP Internet Reliable Transaction Protocol RFC938 29 ISO...

Страница 1073: ...list 3016 deny proto 28 any any awplus config interface port1 0 2 60 Destination Options for IPv6 RFC1883 88 EIGRP Enhanced Interior Gateway Routing Protocol 89 OSPFIGP RFC1583 97 Ethernet within IP E...

Страница 1074: ...t1 0 5 port1 0 6 awplus config_if access group 3011 awplus config_if end awplus show access list awplus show interface port1 0 5 port1 0 6 access group This example configures port 18 to accept untagg...

Страница 1075: ...he destination port of the mirror port This action must be used together with the port mirror feature explained in Chapter 17 Port Mirror on page 313 src_ipaddress Specifies the source IP address of t...

Страница 1076: ...ameter ne Matches packets that are not equal to the TCP port number specified by the SRC_TCP_PORT or DST_TCP_PORT parameter range Matches packets with TCP port numbers within the range Separate the nu...

Страница 1077: ...CP port numbers Confirmation Commands SHOW ACCESS LIST on page 1087 and SHOW INTERFACE ACCESS GROUP on page 1088 Examples This example creates an ACL ID number 3045 that discards all untagged ingress...

Страница 1078: ...TCP port numbers The list is assigned the ID number 3255 awplus enable awplus configure terminal awplus config access list 3255 deny tcp any any vlan 27 awplus config interface port1 0 14 awplus conf...

Страница 1079: ...the destination port of the mirror port This action must be used together with the port mirror feature explained in Chapter 17 Port Mirror on page 313 src_ipaddress Specifies the source IP address of...

Страница 1080: ...ameter ne Matches packets that are not equal to the UDP port number specified by the SRC_UDP_PORT or DST_UDP_PORT parameter range Matches packets with UDP port numbers within the range Separate the nu...

Страница 1081: ...8 Examples This example creates a Numbered IPv4 ACL with an ID number of 3118 that discards all untagged ingress UDP packets on ports 18 and 19 awplus enable awplus configure terminal awplus config ac...

Страница 1082: ...access group 3078 awplus config_if end awplus show access list awplus show interface port1 0 18 access group This example configures port 21 to forward tagged UDP port 67 to 87 packets only if they ar...

Страница 1083: ...Use the no version of this command NO MAC ACCESS LIST to remove a MAC address ACL from a switch Note If a port is to have both permit and deny ACLs you must add the permit ACLs first because ingress...

Страница 1084: ...e Description Use this command to delete ACLs from the switch ACLS must first be removed from their port assignments before they can be deleted For instructions refer to NO ACCESS GROUP on page 1085 a...

Страница 1085: ...Description Use this command to remove ACLs from ports on the switch This command works for all ACLs except for MAC address ACLs which are removed with NO MAC ACCESS GROUP on page 1086 Confirmation Co...

Страница 1086: ...port at a time with this command Mode Port Interface mode Description Use this command to remove MAC address ACLs from ports on the switch Confirmation Commands SHOW INTERFACE ACCESS GROUP on page 10...

Страница 1087: ...IP ACLs on the switch If you do not specify an option all three ACL types are displayed To display the port assignments of the ACLs refer to SHOW INTERFACE ACCESS GROUP on page 1088 Example This examp...

Страница 1088: ...e Privileged Exec mode Description Use this command to display the port assignments of the ACLs Here is an example of the information Figure 173 SHOW INTERFACE ACCESS GROUP Command Example This exampl...

Страница 1089: ...1119 Chapter 74 Telnet Client Commands on page 1123 Chapter 75 Secure Shell SSH Server on page 1127 Chapter 76 SSH Server Commands on page 1139 Chapter 77 Non secure HTTP Web Browser Server on page 1...

Страница 1090: ...1090 Section XI Management Security...

Страница 1091: ...on page 1095 Deleting Local Manager Accounts on page 1096 Activating Command Mode Restriction and Creating the Special Password on page 1097 Deactivating Command Mode Restriction and Deleting the Spec...

Страница 1092: ...ation refer to Chapter 81 RADIUS and TACACS Clients on page 1187 Privilege Levels Manager accounts have privilege levels that determine where in the command mode structure managers can go and conseque...

Страница 1093: ...ining the special password is the ENABLE PASSWORD command in the Global Configuration mode For instructions on how to use the command refer to Activating Command Mode Restriction and Creating the Spec...

Страница 1094: ...the switch searches the running configuration for plaintext passwords and encrypts them It also automatically encrypts the plaintext passwords of new manager accounts When you deactivate password enc...

Страница 1095: ...ic characters including special characters Spaces are not allowed To enter an encrypted password precede it with the number 8 This example of the command creates an account for the user john The privi...

Страница 1096: ...it to manage the switch If you delete the account with which you logged on to the switch your current management session is not interrupted But you will not be able to use that account again to log i...

Страница 1097: ...l Configuration mode The switch can have only one special password Here is the format of the command enable password 8 password The PASSWORD parameter specifies the special password You can enter the...

Страница 1098: ...the special password is the NO ENABLE PASSWORD command in the Global Configuration mode When command mode restriction is deactivated manager accounts with a privilege level of 15 do not have to enter...

Страница 1099: ...awplus configure terminal awplus config service password encryption When password encryption is activated the switch searches the running configuration for plaintext passwords and encrypts them It al...

Страница 1100: ...132 to display the running configuration Here is an example of several accounts Figure 176 Displaying the Local Manager Accounts in the Running Configuration username manager privilege 15 password We...

Страница 1101: ...assword NO ENABLE PASSWORD on page 1103 Global Configuration Deactivates command mode restriction on the switch NO SERVICE PASSWORD ENCRYPTION on page 1104 Global Configuration Disables password encry...

Страница 1102: ...ssword When command mode restriction is active managers with a privilege level of 15 must enter the password to move to the Privileged Exec mode from the User Exec mode Managers who do not know the pa...

Страница 1103: ...s command to deactivate command mode restriction on the switch to allow managers who have the privilege level 15 to access all of the command modes without having to enter the special password Confirm...

Страница 1104: ...in the running configuration file unless they are entered in their encrypted forms in the USERNAME command Also the switch decrypts all of the passwords of the current manager accounts in the running...

Страница 1105: ...rom the switch Note You can delete the default manager account from the switch Caution Do not delete all of the local manager accounts that have the privilege level 15 if the switch does not have any...

Страница 1106: ...nd to activate password encryption This feature encrypts all of the manager account passwords in the running configuration of the switch and the passwords of new manager accounts This is the default s...

Страница 1107: ...ccess to all of the command modes unless command mode restriction is activated Manager accounts with the privilege level 1 are restricted to the User Exec mode 8 Specifies that the password is encrypt...

Страница 1108: ...is activated The password is laf238pl awplus enable awplus configure terminal awplus config username allen privilege 15 password laf238pl This example creates a manager account for the user sjones Th...

Страница 1109: ...ter 71 Telnet Server This chapter provides the following topics Overview on page 1110 Enabling the Telnet Server on page 1111 Disabling the Telnet Server on page 1112 Displaying the Telnet Server on p...

Страница 1110: ...e access to it through routers or other Layer 3 devices If the Telnet clients are not members of the same subnet as the switch s management IP address the switch must have a default gateway This is th...

Страница 1111: ...mand Here is the command awplus enable awplus configure terminal awplus config service telnet Once the server is started you can conduct remote management sessions over your network from Telnet client...

Страница 1112: ...al awplus config no service telnet Note If you disable the server from a remote Telnet management session your session ends To resume managing the unit establish a local management session or remote w...

Страница 1113: ...lnet Server To display the status of the Telnet server use the SHOW TELNET command in the User Exec mode or Privileged Exec mode Here is the command awplus show telnet Here is the information the comm...

Страница 1114: ...Chapter 71 Telnet Server 1114 Section XI Management Security...

Страница 1115: ...et Server Commands Command Mode Description NO SERVICE TELNET on page 1116 Global Configuration Disables the Telnet server SERVICE TELNET on page 1117 Global Configuration Enables the Telnet server SH...

Страница 1116: ...et server is enabled Note Your management session ends if you disable the server from a remote Telnet session To resume managing the unit establish a local management session or remote web browser ses...

Страница 1117: ...hat you can remotely manage the switch with a Telnet application protocol The default setting for the Telnet server is enabled Note The switch must have a management IP address for remote Telnet manag...

Страница 1118: ...de User Exec mode and Privileged Exec mode Description Use this command to display the status of the Telnet server on the switch The status of the server can be either enabled or disabled Here is the...

Страница 1119: ...1119 Chapter 73 Telnet Client This chapter provides the following topics Overview on page 1120 Starting a Remote Management Session with the Telnet Client on page 1121...

Страница 1120: ...switch must have a management IP address that is of the same type IPv4 or IPv6 as the addresses on the remote devices For example the switch must have an IPv6 address for you to remotely manage devic...

Страница 1121: ...l port number of the Telnet client The default is 23 For example if the IPv4 address of the remote device is 149 174 154 12 you enter awplus enable awplus telnet 149 174 154 12 You should now see the...

Страница 1122: ...Chapter 73 Telnet Client 1122 Section XI Management Security...

Страница 1123: ...131 Table 131 Telnet Client Commands Command Mode Description TELNET on page 1124 Privileged Exec Starts Telnet management sessions on remote devices that have IPv4 addresses TELNET6 on page 1125 Pri...

Страница 1124: ...the protocol port number of the Telnet client The default value is 23 Mode Privileged Exec mode Description Use this command to start Telnet management sessions on network devices that have IPv4 addre...

Страница 1125: ...protocol port number of the Telnet client The default value is 23 Mode Privileged Exec mode Description Use this command to start Telnet management sessions on network devices that have IPv6 addresse...

Страница 1126: ...Chapter 74 Telnet Client Commands 1126 Section XI Management Security...

Страница 1127: ...erview on page 1128 Support for SSH on page 1129 SSH and Enhanced Stacking on page 1131 Creating the Encryption Key Pair on page 1133 Enabling the SSH Server on page 1134 Disabling the SSH Server on p...

Страница 1128: ...hm You can choose from three available algorithms to create the key for SSH RSA RSA1 DSA The algorithms are for different versions of SSH The RSA algorithm is used with SSH2 RSA1 with SSH1 and DSA wit...

Страница 1129: ...SSH options and features are not supported IDEA or Blowfish encryption Nonencrypted Secure Shell sessions Tunnelling of TCP IP traffic Guidelines Here are the guidelines to using SSH to manage the sw...

Страница 1130: ...configure SSH server on the command switch not on the member switches Note If your switch is in a network that is protected by a firewall you may need to configure the firewall to permit SSH connectio...

Страница 1131: ...s Consequently there is no encryption between a command switch and a member switch The result is that SSH encryption only occurs between your workstation and the command switch not between your workst...

Страница 1132: ...Management Security Because enhanced stacking does not allow for SSH encrypted management sessions between a management station and a member switch you configure SSH only on the command switch of a st...

Страница 1133: ...he other keys because you can specify a length in bits by using the VALUE parameter in the command The other keys have a fixed key length of 1024 bits The range is 768 to 20 bits Entering the length i...

Страница 1134: ...s the SERVICE SSH command in the Global Configuration mode Here is the command awplus enable awplus configure terminal awplus config service ssh After you enter the command the switch searches its dat...

Страница 1135: ...h with SSH enter the following commands awplus enable awplus configure terminal awplus config no ssh service Note If you disable the server during a remote SSH management session your session ends To...

Страница 1136: ...ring a remote SSH management session your session ends To resume managing the unit with the manager account you must wait for the console timer on the switch to expire and then establish a local manag...

Страница 1137: ...d Line User s Guide Section XI Management Security 1137 Displaying the SSH Server To display the current settings of the server enter this command in the Privileged Exec or Global Configuration mode a...

Страница 1138: ...Chapter 75 Secure Shell SSH Server 1138 Section XI Management Security...

Страница 1139: ...STKEY on page 1141 Global Configuration Creates encryption keys NO SERVICE SSH on page 1143 Global Configuration Disables the SSH server SERVICE SSH on page 1144 Global Configuration Activates the SSH...

Страница 1140: ...removed by the switch when you enter this command You do not have to enter the WRITE command or the COPY RUNNING CONFIG STARTUP CONFIG command Confirmation Command SHOW CRYPTO KEY HOSTKEY on page 114...

Страница 1141: ...and SHOW CRYPTO KEY HOSTKEY on page 1145 Description Use this command to create the encryption key for the Secure Shell server You must create the key before activating the server The switch can have...

Страница 1142: ...ected or unwanted switch behavior create a key during periods of low network activity Examples This example creates a DSA key awplus enable awplus configure terminal awplus config crypto key generate...

Страница 1143: ...server is disabled Note Your management session of the switch ends if you disable the server from a remote SSH management session To resume managing the switch from a local management session or a rem...

Страница 1144: ...abling the server For instructions refer to CRYPTO KEY GENERATE HOSTKEY on page 1141 If the switch has more than one key it chooses the active pair based on this order RSA RSA1 DSA For example if the...

Страница 1145: ...SA1 key Mode Global Configuration mode Description Use this command to display the encryption keys Here is an example of the information for an RSA key Figure 180 SHOW CRYPTO KEY HOSTKEY Command Examp...

Страница 1146: ...cription Use this command to display the current status of the SSH server Versions supported Server Status Server Port Host Key ID Host Key Bits size of host key in bits Server Key ID Server Key Bits...

Страница 1147: ...This chapter provides the following topics Overview on page 1148 Enabling the Web Browser Server on page 1149 Setting the Protocol Port Number on page 1150 Disabling the Web Browser Server on page 11...

Страница 1148: ...individual captures the management packet that contains your user name and password he or she could use that information to access the switch and make unauthorized changes to its configuration settin...

Страница 1149: ...a management IP address For instructions refer to Chapter 9 IPv4 and IPv6 Management Addresses on page 207 If the web browser server is already configured for secure HTTPS and you are changing it back...

Страница 1150: ...ault setting of port 80 for the protocol port of the HTTP web server can be adjusted with the IP HTTP PORT command in the Global Configuration mode This example of the command changes the protocol por...

Страница 1151: ...the NO SERVICE HTTP command in the Global Configuration mode awplus enable awplus configure terminal awplus config no service http No further web browser management session are permitted by the switch...

Страница 1152: ...e HTTP web server is enabled or disabled on the switch issue the SHOW IP HTTP command in the Privileged Exec mode The command also displays the protocol port number if the server is enabled Here is th...

Страница 1153: ...Server Commands Command Mode Description SERVICE HTTP on page 1154 Global Configuration Enables the HTTP web browser server IP HTTP PORT on page 1155 Global Configuration Sets the protocol port number...

Страница 1154: ...one Mode Global Configuration mode Description Use this command to activate the HTTP web browser server on the switch The switch supports non secure HTTP web browser management sessions when the serve...

Страница 1155: ...umber for the HTTP web server listens on The range is 0 to 65535 Mode Global Configuration mode Description Use this command to set the TCP port for the web browser server Confirmation Command SHOW IP...

Страница 1156: ...n the switch to prevent any further remote management with a web browser Any active web browser management session are interrupted and are not allowed to continue You might disable the server to preve...

Страница 1157: ...IP HTTP Syntax show ip http Parameters None Mode Privileged Exec mode Description Use this command to display the status of the HTTP server on the switch Here is an example of the information Figure...

Страница 1158: ...Chapter 78 Non secure HTTP Web Browser Server Commands 1158 Section XI Management Security...

Страница 1159: ...s Overview on page 1160 Creating a Self signed Certificate on page 1163 Configuring the HTTPS Web Server for a Certificate Issued by a CA on page 1166 Enabling the Web Browser Server on page 1170 Disa...

Страница 1160: ...ertificate is a distinguished name that identifies the owner of the certificate which in the case of a certificate for your switch is the switch itself and your company The switch does not come with a...

Страница 1161: ...tself and your company The name of the owner is entered in the form of a distinguished name which has six parts Common name cn This is the IP address or name of the switch Organizational unit ou This...

Страница 1162: ...wser applications must be members of the same network as the management IP address of the switch or they must have access to it through routers or other Layer 3 devices The web browser server cannot o...

Страница 1163: ...onsists of 4 to 20 alphanumeric characters that are used to used to export the certificate in PKCS12 file format Although the switch doesn t allow you to export certificates you re still required to i...

Страница 1164: ...les Organization Jones_Industries Location San_Jose State California Country US Duration 365 days awplus enable Enter the Privileged Exec mode from the User Exec mode awplus configure terminal Enter t...

Страница 1165: ...the HTTPS server with SERVICE HTTPS on page 1180 awplus config exit Return to the Privileged Exec mode awplus show ip https Confirm the confirmation with SHOW IP HTTPS on page 1184 HTTPS server enabl...

Страница 1166: ...s command must be exactly the same as the corresponding values from the CRYPTO CERTIFICATE GENERATE command used to create the self signed certificate This includes the ID_NUMBER parameter Any differe...

Страница 1167: ...these specifications ID number 1 Key length 512 Passphrase hazeltime Common name 124 201 76 54 This is the IP address of the switch Organizational unit Production Organization ABC_Industries Location...

Страница 1168: ...age 387 awplus config crypto certificate 1 import Import the new certificate into the certificate database with CRYPTO CERTIFICATE IMPORT on page 1177 awplus config ip https certificate 1 Designate th...

Страница 1169: ...re HTTP web browser server is enabled on the unit disabled it with NO SERVICE HTTP on page 1156 awplus config service https Enable the HTTPS server with SERVICE HTTPS on page 1180 awplus config exit R...

Страница 1170: ...P address For instructions refer to Chapter 9 IPv4 and IPv6 Management Addresses on page 207 The switch should have a HTTPS certificate If the HTTP mode is enabled you must disable it with the NO HTTP...

Страница 1171: ...he NO SERVICE HTTPS command in the Global Configuration mode awplus enable awplus configure terminal awplus config no service https No further web browser management session are permitted by the switc...

Страница 1172: ...splays the protocol port number if the server is enabled Here is the command awplus enable awplus show ip https Here is an example of the display Figure 183 SHOW IP HTTPS Command The fields are descri...

Страница 1173: ...rts certificates from public or private CAs into the certificate database on the switch CRYPTO CERTIFICATE REQUEST on page 1178 Global Configuration Creates certificate enrollment requests for submitt...

Страница 1174: ...ion mode Description Use this command to delete unused certificates from the switch You can delete just one certificate at a time with this command Entering the WRITE or COPY RUNNING CONFIG STARTUP CO...

Страница 1175: ...export of certificates a passphrase is still required in the command common_name Specifies a common name for the certificate This should be the IP address or fully qualified URL designation of the swi...

Страница 1176: ...ificates are not stored in the active boot configuration file Note Generating a certificate is CPU intensive It should be performed before the switch is connected to your network or during periods of...

Страница 1177: ...ate CAs into the certificate database of the switch A certificate has to be residing in the file system on the switch before you can import it into the certificate database Entering the WRITE or COPY...

Страница 1178: ...epartment such as Network Support or IT This parameter can have up to 64 characters Spaces and special characters are not allowed organization Specifies the name of a company This parameter can have u...

Страница 1179: ...ation Command DIR on page 365 Example This example creates a certificate enrollment request that has these specifications ID number 2 Common name 167 214 121 45 Organizational unit Sales Organization...

Страница 1180: ...S web browser management sessions when the server is activated Here are the preconditions to activating the server The non secure HTTP server on the switch must be disabled For instructions refer to N...

Страница 1181: ...S web server The switch can have only one active certificate The certificate which must already exist on the switch can be a self signed certificate that the switch created itself or a certificate tha...

Страница 1182: ...he secure HTTPS web server on the switch The switch rejects secure HTTPS web browser management sessions when the server is deactivated You might disable the server to prevent remote web browser manag...

Страница 1183: ...tax show crypto certificate id_number Parameters id_number Specifies a certificate ID number Mode Privileged Exec mode Description Use this command to display detailed information about the certificat...

Страница 1184: ...ds are defined in Table 135 HTTPS server enabled Port 443 Certificate 1 is active Issued by self signed Valid from 5 17 2010 to 5 16 2011 Subject C US ST California L San_Jose O Jones_Industries OU Sa...

Страница 1185: ...active status indicates that the certificate was designated with IP HTTPS CERTIFICATE on page 1181 as the active certificate for the HTTPS server The switch can have just one active certificate Valid...

Страница 1186: ...Chapter 80 Secure HTTPS Web Browser Server Commands 1186 Section XI Management Security...

Страница 1187: ...nd TACACS Clients Overview on page 1188 Remote Manager Accounts on page 1189 Managing the RADIUS Client on page 1192 Managing the TACACS Client on page 1196 Configuring Remote Authentication of Manage...

Страница 1188: ...s This feature lets you add more manager accounts to the switch by transferring the task of authenticating the accounts from the switch to an authentication server on your network This feature is desc...

Страница 1189: ...tch and an authentication server when a manager logs on 1 The switch uses its RADIUS or TACACS client to transmit the user name and password to an authentication server on the network 2 The server che...

Страница 1190: ...ctive on the switch a manager account with a privilege level of 0 is restricted to the User Exec mode while an account with a privilege level of 15 has access to all the command modes For RADIUS the m...

Страница 1191: ...e not members of the same subnet as the management IP address the switch must have a default gateway The default gateway defines the IP address of the first hop to reaching the remote subnet of the se...

Страница 1192: ...three Also when you remove an IP address from the switch the place holder is retained For example if you make the following assignments server one is 186 178 11 154 server two is 186 178 11 156 serve...

Страница 1193: ...Configuration mode to enter a global encryption key in the client The format of the command is radius server key secret This example specifies 4tea23 as the global encryption key of the RADIUS servers...

Страница 1194: ...sables accounting messages The GROUP parameter indicates the user server group Specify the RADIUS server The LOCAL parameter indicates that authentication using the password provided in the ENABLE PAS...

Страница 1195: ...list of RADIUS servers awplus enable awplus configure terminal awplus config no radius server host 211 132 123 12 Displaying the RADIUS Client To display the settings of the RADIUS client use the SHOW...

Страница 1196: ...m the switch the place holder is retained For example if you make the following assignments server one is 186 178 11 154 server two is 186 178 11 156 server three is 186 178 11 158 Then you delete ser...

Страница 1197: ...indicates a start accounting message is sent at the beginning of a session and a stop accounting message is sent at the end of the session The STOP ONLY parameter indicates a stop accounting message...

Страница 1198: ...ress 122 124 15 7 from the TACACS client awplus enable awplus configure terminal awplus config no tacacs server host 122 114 15 7 Displaying the TACACS Client To display the settings of the TACACS cli...

Страница 1199: ...onfig aaa authentication login tacacs After you activate the feature all future log on attempts by managers are forwarded by the switch to the designated authentication servers for authentication To d...

Страница 1200: ...sole 0 awplus config line no login authentication Now even though remote authentication is activated the switch uses its local manager accounts to authenticate the user name and password whenever some...

Страница 1201: ...awplus config line vty 0 awplus config line no login authentication Now the switch uses the local manager accounts instead of the remote accounts to authenticate the user name and password when an adm...

Страница 1202: ...Chapter 81 RADIUS and TACACS Clients 1202 Section XI Management Security...

Страница 1203: ...le Line and Virtual Terminal Line Activates remote authentication for local management sessions and remote Telnet and SSH sessions NO LOGIN AUTHENTICATION on page 1215 Console Line and Virtual Termina...

Страница 1204: ...on page 1224 Privileged Exec Displays the configuration settings of the TACACS client TACACS SERVER HOST on page 1226 Global Configuration Adds IP addresses of TACACS servers to the TACACS client in...

Страница 1205: ...owing radius Uses all RADIUS servers tacacs Uses all TACACS servers Mode Global Configuration mode Description This command configures RADIUS or TACACS accounting for all login shell sessions This com...

Страница 1206: ...config aaa accounting login default start stop group radius To reset the configuration of the default accounting list use the following commands awplus enable awplus configure terminal awplus config n...

Страница 1207: ...mmand is attempted if a TACACS server is not available For information about this command see ENABLE PASSWORD on page 1102 This is an optional parameter Mode Global Configuration mode Description Use...

Страница 1208: ...d in the ENABLE PASSWORD command is attempted if a TACACS server is not available use the following commands awplus enable awplus configure terminal awplus config aaa authentication enable default gro...

Страница 1209: ...For information about this command see ENABLE PASSWORD on page 1102 This is an optional parameter Mode Global Configuration mode Description Use this command to enable RADIUS or TACACS on the switch...

Страница 1210: ...Examples To enable RADIUS servers on the switch use the following commands awplus enable awplus configure terminal awplus config aaa authentication login default group radius local To enable TACACS se...

Страница 1211: ...AN ID The RADIUS client uses the specified IP address on every outgoing RADIUS packet Use the no version of this command NO IP RADIUS SOURCE INTERFACE to remove the RADIUS source lP address from the c...

Страница 1212: ...nd TACACS Client Commands 1212 Section XI Management Security This example removes the RADIUS source IP address from the RADIUS client awplus enable awplus configure terminal awplus config no ip radiu...

Страница 1213: ...sole Line mode while remote authentication for remote Telnet and SSH management sessions is activated in the Virtual Terminal Line mode Note If the switch is unable to communicate with the authenticat...

Страница 1214: ...4 Section XI Management Security This example activates remote authentication for remote Telnet and SSH management sessions that use VTY line 0 awplus enable awplus configure terminal awplus config li...

Страница 1215: ...emote Telnet and SSH sessions Confirmation Command SHOW RUNNING CONFIG on page 132 Examples This example deactivates remote authentication for local management sessions awplus enable awplus configure...

Страница 1216: ...list Mode Global Configuration mode Description Use this command to delete IP addresses of RADIUS servers from the list of authentication servers on the switch You can delete only one IP address at a...

Страница 1217: ...delete just one address at a time with this command Mode Global Configuration mode Description Use this command to delete IP addresses of TACACS servers from the client You can delete only one IP addr...

Страница 1218: ...g The default UDP port for accounting is 1813 auth port Specifies the UDP destination port for RADIUS authentication requests If 0 is specified the server is not used for authentication The default UD...

Страница 1219: ...ch The accounting port is 1811 and the UDP port is 1815 The encryption key is kieran7 awplus enable awplus configure terminal awplus config radius server host 176 225 15 23 acct port 1811 auth port 18...

Страница 1220: ...n key To define two or three servers that use different encryption keys do not enter a global encryption key with this command Instead define the individual keys when you add the IP addresses of the s...

Страница 1221: ...rom a RADIUS server for an authentication request If the timeout expires without a response the client queries the next server in the list If there are no further servers in the list to query the swit...

Страница 1222: ...Interface 192 168 3 97 Timeout 5 sec Server Host 192 168 1 75 Authentication Port 1812 Accounting Port 1813 Table 137 SHOW RADIUS Command Parameter Description Source Interface An IP address assigned...

Страница 1223: ...ent Security 1223 Example awplus show radius Authentication Port The authentication protocol port Accounting Port The accounting protocol port Encryption Keys The server encryption keys if defined Tab...

Страница 1224: ...ibed in Table 138 TACACS Global Configuration Timeout 5 sec Server Host 149 123 154 12 Server Status Alive Server Host 149 123 154 26 Server Status Dead Table 138 SHOW TACACS Command Parameter Descrip...

Страница 1225: ...Server Status Indicates the status of the server host One of the following options is displayed Alive Indicates the server is working correctly The sockets are successful Dead Indicates the server has...

Страница 1226: ...ode Global Configuration mode Description Use this command to add IP addresses of TACACS servers to the TACACS client in the switch The list can have up to three TACACS authentication servers but you...

Страница 1227: ...agement Security 1227 This example adds the IP address 149 11 24 5 as the second TACACS authentication server in the list The server has the key mit762 awplus enable awplus configure terminal awplus c...

Страница 1228: ...n key To define two or three servers that use different encryption keys do not enter a global encryption key with this command Instead define the individual keys when you add the IP addresses of the s...

Страница 1229: ...rom a TACACS server for an authentication request If the timeout expires without a response the client queries the next server in the list If there are no further servers in the list to query the swit...

Страница 1230: ...Chapter 82 RADIUS and TACACS Client Commands 1230 Section XI Management Security...

Страница 1231: ...ION on page 1236 Privileged Exec Displays the memory allocations used by the processes SHOW MEMORY HISTORY on page 1237 Privileged Exec Displays a graph showing historical memory usage SHOW MEMORY POO...

Страница 1232: ...processes sleep Sorts the list by the average sleeping times thrds Sorts the list by the number of threads Mode Privileged Exec mode Description Use this command to display a list of running processe...

Страница 1233: ...e User s Guide 1233 SHOW CPU HISTORY Syntax show cpu history Parameters None Mode Privileged Exec mode Description Use this command to display graphs of historical CPU utilization of the switch Exampl...

Страница 1234: ...s 1234 SHOW CPU USER THREADS Syntax show cpu user threads Parameters None Mode Privileged Exec mode Description Use this command to display a list of CPU utilization and status of the user threads Exa...

Страница 1235: ...the peak amounts of memory the processes are currently using stk Sorts the list by the stack sizes of the processes Mode Privileged Exec mode Description Use this command to display the memory consum...

Страница 1236: ...stem process Mode Privileged Exec mode Description Use this command to display the memory allocations used by the processes Examples This example displays the memory allocations used by all the proces...

Страница 1237: ...ne User s Guide 1237 SHOW MEMORY HISTORY Syntax show memory history Parameters None Mode Privileged Exec mode Description Use this command to display a graph showing historical memory usage Example aw...

Страница 1238: ...ring Commands 1238 SHOW MEMORY POOLS Syntax show memory pools Parameters None Mode Privileged Exec mode Description Use this command to display a list of memory pools used by the processes Example awp...

Страница 1239: ...ry utilization Mode Privileged Exec mode Description Use this command to display a summary of the current running processes Examples This example lists the running processes by ID number awplus show p...

Страница 1240: ...tax show system serialnumber Parameters None Modes User Exec mode and Privileged Exec mode Description Use this command to display the serial number of the switch The serial number is also displayed w...

Страница 1241: ...system interrupts Parameters None Mode Privileged Exec mode Description Use this command to display the number of interrupts for each IRQ Interrupt Request used to interrupt input lines on a PIC Progr...

Страница 1242: ...name tech support followed by a string of numbers and the extension txt After performing the command upload the file from the switch using TFTP or Zmodem and email it to Allied Telesis technical suppo...

Страница 1243: ...43 With the ALL option the command performs the previous commands and these additional commands SHOW ARP SHOW INTERFACE SHOW IP INTERFACE SHOW IPV6 INTERFACE SHOW MAC ADDRESS TABLE Examples awplus sho...

Страница 1244: ...Chapter System Monitoring Commands 1244...

Страница 1245: ...P MED on page 1253 MAC Address based Port Security on page 1254 MAC Address Table on page 1255 Management IP Address on page 1256 Manager Account on page 1257 Port Settings on page 1258 RADIUS Client...

Страница 1246: ...Appendix B Management Software Default Settings 1246 Boot Configuration File The following table lists the names of the default configuration files Boot Configuration File Default Switch boot cfg...

Страница 1247: ...1247 Class of Service The following table lists the default mappings of the IEEE 802 1p priority levels to the egress port priority queues IEEE 802 1p Priority Level Port Priority Queue 0 Q2 1 Q0 lowe...

Страница 1248: ...1248 Console Port The following table lists the default settings for the Console port The baud rate is the only adjustable parameter on the port Console Port Setting Default Data Bits 8 Stop Bits 1 P...

Страница 1249: ...etwork Access Control Settings Default Port Access Control Disabled Authentication Method RADIUS EAP Port Roles None Authentication Port 1812 Authenticator Port Setting Default Authentication Mode 802...

Страница 1250: ...Appendix B Management Software Default Settings 1250 Enhanced Stacking The following table lists the enhanced stacking default setting Enhanced Stacking Setting Default Switch State Member...

Страница 1251: ...ine User s Guide 1251 GVRP This section provides the default settings for GVRP GVRP Setting Default Status Disabled GIP Status Enabled Join Timer 20 centiseconds Leave Timer 60 centiseconds Leave All...

Страница 1252: ...lowing table lists the IGMP Snooping default settings IGMP Snooping Setting Default IGMP Snooping Status Disabled Multicast Host Topology Single Host Port Edge Host Router Timeout Interval 260 seconds...

Страница 1253: ...following table lists the default settings for LLDP and LLDP MED LLDP an LLDP MED Default Status Disabled Notification Interval 5 seconds Transmit Interval 30 seconds Holdtime Multiplier 4 Reinitiali...

Страница 1254: ...tings 1254 MAC Address based Port Security The following table lists the MAC address based port security default settings MAC Address based Port Security Setting Default Status Disabled Intrusion Acti...

Страница 1255: ...9000 Switch Command Line User s Guide 1255 MAC Address Table The following table lists the default setting for the MAC address table MAC Address Table Setting Default MAC Address Aging Time 300 secon...

Страница 1256: ...Default Settings 1256 Management IP Address The following table lists the default settings for the management IP address Management IP Address Setting Default Management IP Address 0 0 0 0 Subnet Mas...

Страница 1257: ...owing table lists the manager account default settings Note Login names and passwords are case sensitive Manager Account Setting Default Manager Login Name manager Manager Password friend Console Disc...

Страница 1258: ...iation MDI MDI X Auto MDI MDIX Threshold Limits for Ingress Packets Disabled Broadcast Multicast or Unknown Unicast Packet Filtering Storm control 33 554 431 packets per second Override Priority No ov...

Страница 1259: ...IUS configuration default settings RADIUS Configuration Setting Default Global Encryption Key ATI Global Server Timeout Period 30 seconds RADIUS Server 1 Configuration 0 0 0 0 RADIUS Server 2 Configur...

Страница 1260: ...tings 1260 Remote Manager Account Authentication The following table describes the remote manager account authentication default settings Authentication Setting Default Server based Authentication Dis...

Страница 1261: ...lowing table lists the default settings for RMON collection histories There are no default settings for alarms or events RMON Setting Default History Buckets 50 History Polling Interval 1800 seconds O...

Страница 1262: ...ell Server The following table lists the SSH default settings The SSH port number is not adjustable SSH Setting Default Status Disabled Host Key ID Not Defined Server Key ID Not Defined Server Key Exp...

Страница 1263: ...ide 1263 sFlow Agent The default settings for the sFlow agent are listed in this table sFlow Agent Setting Default sFlow Agent Status Disabled sFlow Collector IP Address 0 0 0 0 UDP Port 6343 Port Sam...

Страница 1264: ...s 1264 Simple Network Management Protocol SNMPv1 SNMPv2c and SNMPv3 The following table describes the default settings for SNMPv1 SNMPv2c and SNMPv3 SNMP Communities Setting Default SNMP Status Disabl...

Страница 1265: ...uide 1265 Simple Network Time Protocol The following table lists the SNTP default settings SNTP Setting Default System Time Sat 01 Jan 2000 00 00 00 SNTP Status Disabled SNTP Server 0 0 0 0 UTC Offset...

Страница 1266: ...d Spanning Tree Protocol The following table describes the RSTP default settings Spanning Tree Setting Default Spanning Tree Status Enabled Active Protocol Version RSTP STP Setting Default Bridge Prio...

Страница 1267: ...AT 9000 Switch Command Line User s Guide 1267 BPDU Guard Disabled BPDU Guard Timeout Status Disabled BPDU Guard Timeout Interval 300 seconds RSTP Setting Default...

Страница 1268: ...Appendix B Management Software Default Settings 1268 System Name The default setting for the system name is listed in this table System Name Setting Default System Name awplus...

Страница 1269: ...9 TACACS Client The following table lists the TACACS client configuration default settings TACACS Client Configuration Setting Default TAC Server 1 0 0 0 0 TAC Server 2 0 0 0 0 TAC Server 3 0 0 0 0 TA...

Страница 1270: ...tware Default Settings 1270 Telnet Server The default settings for the Telnet server are listed in this table The Telnet port number is not adjustable Telnet Server Setting Default Telnet Server Enabl...

Страница 1271: ...s Guide 1271 VLANs This section provides the VLAN default settings VLAN Setting Default Default VLAN Name Default_VLAN all ports Management VLAN ID 1 Default_VLAN VLAN Type Port based Member Ports All...

Страница 1272: ...t Software Default Settings 1272 Web Server The following table lists the web server default settings Web Server Configuration Setting Default Status Disabled Operating Mode HTTP HTTP Port Number 80 H...

Страница 1273: ...CLASS MAP command 46 CLEAR ARP CACHE command 979 CLEAR IP IGMP command 334 CLEAR IPV6 NEIGHBORS command 223 CLEAR LLDP STATISTICS command 914 CLEAR LLDP TABLE command 907 915 CLEAR LOG BUFFERED comma...

Страница 1274: ...mmand 921 LLDP MED TLV SELECT command 889 892 896 899 922 LLDPNON STRICT MED TLV ORDER CHECKcommand 924 LLDP NOTIFICATION INTERVAL command 926 LLDP NOTIFICATIONS command 925 LLDP REINIT command 927 LL...

Страница 1275: ...OCAL command 832 NO SNMP SERVER GROUP command 833 NO SNMP SERVER HOST command 798 811 834 NO SNMP SERVER USER command 835 NO SNMP SERVER VIEW command 813 836 NO SPANNING TREE command 527 535 NO SPANNI...

Страница 1276: ...d 307 SHOW ESTACK COMMAND SWITCH command 309 SHOW ESTACK REMOTELIST command 293 310 396 SHOW ETHERCHANNEL command 474 SHOW ETHERCHANNEL DETAIL command 475 SHOW ETHERCHANNEL SUMMARY command 476 SHOW FI...

Страница 1277: ...UARD ROOT command 524 SPANNING TREE HELLO TIME command 504 513 524 546 SPANNING TREE LINK TYPE command 527 547 SPANNING TREE LOOP GUARD command 527 548 SPANNING TREE MAX AGE command 504 514 524 549 SP...

Страница 1278: ...Index 1278 Configuration mode 644 659 VLAN SET MACADDRESS command Port Interface mode 644 661 W WRITE command 75 94 385...

Отзывы:

Нет отзывов

Похожие инструкции для AT-9000/28

Бренд: Aastra Страницы: 2

Бренд: DBM Страницы: 50

SR8800 IM-FW-II

Бренд: H3C Страницы: 107

Бренд: 3Com Страницы: 12

Бренд: H3C Страницы: 16

H3C S3600 Series

Бренд: H3C Страницы: 10

Бренд: H3C Страницы: 42

Бренд: H3C Страницы: 2

H3C S7500E Series

Бренд: H3C Страницы: 34

Бренд: H3C Страницы: 33

Бренд: H3C Страницы: 14

Бренд: H3C Страницы: 56

H3C S7500E Series

Бренд: H3C Страницы: 112

Бренд: H3C Страницы: 15

SR8800 IM-FW-II

Бренд: H3C Страницы: 5

H3C S7500E Series

Бренд: H3C Страницы: 50

Бренд: H3C Страницы: 37

Бренд: H3C Страницы: 4

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды