Edge-Core ES3510MA Скачать руководство пользователя страница 258

Страница: 258 / 984

HAPTER

| Security Measures

AAA Authorization and Accounting

– 258 –

◆

DHCP Snooping

– Filter IP traffic on insecure ports for which the source

address cannot be identified via DHCP snooping.

OTE

The priority of execution for the filtering commands is Port Security,

Port Authentication, Network Access, Web Authentication, Access Control

Lists, IP Source Guard, and then DHCP Snooping.

AAA A

UTHORIZATION

AND

CCOUNTING

The Authentication, authorization, and accounting (AAA) feature provides

the main framework for configuring access control on the switch. The three

security functions can be summarized as follows:

◆

Authentication — Identifies users that request access to the network.

◆

Authorization — Determines if users can access specific services.

◆

Accounting — Provides reports, auditing, and billing for services that

users have accessed on the network.

The AAA functions require the use of configured RADIUS or

servers in the network. The security servers can be defined as sequential

groups that are applied as a method for controlling user access to specified

services. For example, when the switch attempts to authenticate a user, a

request is sent to the first server in the defined group, if there is no

response the second server will be tried, and so on. If at any point a pass

or fail is returned, the process stops.

The switch supports the following AAA features:

◆

Accounting for IEEE 802.1X authenticated users that access the

network through the switch.

◆

Accounting for users that access management interfaces on the switch

through the console and Telnet.

◆

Accounting for commands that users enter at specific CLI privilege

levels.

◆

Authorization of users that access management interfaces on the

switch through the console and Telnet.

To configure AAA on the switch, you need to follow this general process:

Configure RADIUS and server access parameters. See

"Configuring Local/Remote Logon Authentication" on page 259

Define RADIUS and server groups to support the accounting
and authorization of services.

Содержание ES3510MA

Страница 1: ...Management Guide www edge core com 8 Port Layer 2 Fast Ethernet Switch...

Страница 2: ...MANAGEMENT GUIDE ES3510MA FAST ETHERNET SWITCH Layer 2 Switch with 8 10 100BASE TX RJ 45 Ports and 2 Gigabit Combination Ports RJ 45 SFP ES3510MA E032010 ST R01 149100000046A...

Страница 3: ...our attention to related features or instructions CAUTION Alerts you to a potential hazard that could cause loss of data or damage the system or equipment WARNING Alerts you to a potential hazard that...

Страница 4: ...ABOUT THIS GUIDE 4...

Страница 5: ...and Restore 50 Authentication 50 Access Control Lists 51 Port Configuration 51 Port Mirroring 51 Port Trunking 51 Rate Limiting 51 Storm Control 51 Static Addresses 51 IEEE 802 1D Bridge 52 Store and...

Страница 6: ...cting to the Web Interface 73 Navigating the Web Browser Interface 74 Home Page 74 Configuration Options 75 Panel Display 75 Main Menu 76 4 BASIC MANAGEMENT TASKS 89 Displaying System Information 89 D...

Страница 7: ...forming Cable Diagnostics 132 Trunk Configuration 133 Configuring a Static Trunk 134 Configuring a Dynamic Trunk 137 Displaying LACP Port Counters 143 Displaying LACP Settings and Status for the Local...

Страница 8: ...gs for STA 197 Displaying Global Settings for STA 202 Configuring Interface Settings for STA 203 Displaying Interface Settings for STA 207 Configuring Multiple Spanning Trees 209 Configuring Interface...

Страница 9: ...Settings for Web Authentication 276 Network Access MAC Address Authentication 277 Configuring Global Settings for Network Access 279 Configuring Network Access for Ports 280 Configuring Port Link Det...

Страница 10: ...332 Displaying 802 1X Statistics 334 IP Source Guard 337 Configuring Ports for IP Source Guard 337 Configuring Static Bindings for IP Source Guard 339 Displaying Information for Dynamic IP Source Gua...

Страница 11: ...figuring General Settings for Clusters 406 Cluster Member Configuration 408 Managing Cluster Members 409 16 IP CONFIGURATION 411 Using the Ping Function 411 Setting the Switch s IP Address IP Version...

Страница 12: ...ng and Throttling for Interfaces 462 Multicast VLAN Registration 463 Configuring Global MVR Settings 465 Configuring MVR Interface Status 466 Assigning Static Multicast Groups to Interfaces 468 Displa...

Страница 13: ...e 495 banner configure company 496 banner configure dc power info 497 banner configure department 497 banner configure equipment info 498 banner configure equipment location 499 banner configure ip la...

Страница 14: ...Line 520 line 520 databits 521 exec timeout 522 login 522 parity 523 password 524 password thresh 525 silent time 526 speed 526 stopbits 527 timeout login response 527 disconnect 528 show line 529 Eve...

Страница 15: ...ow calendar 544 Time Range 545 time range 545 absolute 546 periodic 546 show time range 547 Switch Clustering 548 cluster 549 cluster commander 549 cluster ip pool 550 cluster member 551 rcommand 551...

Страница 16: ...nt 577 rmon collection history 578 rmon collection stats 579 show rmon alarm 580 show rmon event 580 show rmon history 580 show rmon statistics 581 24 AUTHENTICATION COMMANDS 583 User Accounts 583 ena...

Страница 17: ...server 600 accounting dot1x 601 accounting exec 601 authorization exec 602 show accounting 602 Web Server 603 ip http port 604 ip http server 604 ip http secure server 605 ip http secure port 606 Teln...

Страница 18: ...e authperiod 625 dot1x timeout supp timeout 625 dot1x timeout tx period 626 dot1x re authenticate 626 dot1x identity profile 627 dot1x max start 628 dot1x pae supplicant 628 dot1x timeout auth period...

Страница 19: ...show network access mac address table 653 show network access mac filter 654 Web Authentication 654 web auth login attempts 655 web auth quiet period 656 web auth session timeout 656 web auth system...

Страница 20: ...ection trust 679 show ip arp inspection configuration 680 show ip arp inspection interface 680 show ip arp inspection log 681 show ip arp inspection statistics 681 show ip arp inspection vlan 681 26 A...

Страница 21: ...708 show interfaces brief 708 show interfaces counters 709 show interfaces status 710 show interfaces switchport 711 test cable diagnostics 713 show cable diagnostics 714 power save 714 show power sav...

Страница 22: ...m clear 747 snmp server enable port traps atc broadcast alarm fire 748 snmp server enable port traps atc broadcast control apply 748 snmp server enable port traps atc broadcast control release 749 snm...

Страница 23: ...link type 771 spanning tree loopback detection 772 spanning tree loopback detection release mode 772 spanning tree loopback detection trap 773 spanning tree mst cost 774 spanning tree mst port priorit...

Страница 24: ...system tunnel control 797 switchport dot1q tunnel mode 798 switchport dot1q tunnel tpid 799 show dot1q tunnel 799 Configuring Port based Traffic Segmentation 800 traffic segmentation 800 show traffic...

Страница 25: ...ority default 820 show queue mode 821 show queue weight 821 Priority Commands Layer 3 and 4 822 qos map cos dscp 822 qos map dscp mutation 824 qos map phb queue 825 qos map trust mode 826 show qos map...

Страница 26: ...rsion exclusive 857 ip igmp snooping vlan general query suppression 858 ip igmp snooping vlan immediate leave 859 ip igmp snooping vlan last memb query count 860 ip igmp snooping vlan last memb query...

Страница 27: ...lldp reinit delay 886 lldp tx delay 887 lldp admin status 887 lldp basic tlv management ip address 888 lldp basic tlv port description 889 lldp basic tlv system capabilities 889 lldp basic tlv system...

Страница 28: ...client class id 912 ip dhcp restart client 912 ipv6 dhcp restart client vlan 913 show ipv6 dhcp duid 914 show ipv6 dhcp vlan 915 41 IP INTERFACE COMMANDS 917 IPv4 Interface 917 Basic IPv4 Configurati...

Страница 29: ...3 ipv6 nd ns interval 944 ipv6 nd reachable time 945 clear ipv6 neighbors 946 show ipv6 neighbors 946 SECTION IV APPENDICES 949 A SOFTWARE SPECIFICATIONS 951 Software Features 951 Management Features...

Страница 30: ...CONTENTS 30...

Страница 31: ...rs 106 Figure 15 Setting the Time Zone 107 Figure 16 Console Port Settings 108 Figure 17 Telnet Connection Settings 110 Figure 18 Displaying CPU Utilization 111 Figure 19 Displaying Memory Utilization...

Страница 32: ...nks 142 Figure 48 Displaying Connection Parameters for Dynamic Trunks 142 Figure 49 Displaying LACP Port Counters 144 Figure 50 Displaying LACP Port Internal Information 146 Figure 51 Displaying LACP...

Страница 33: ...Time 189 Figure 86 Displaying the Dynamic MAC Address Table 190 Figure 87 Clearing Entries in the Dynamic MAC Address Table 191 Figure 88 Mirroring Packets Based on the Source MAC Address 192 Figure...

Страница 34: ...DSCP Internal Mapping 234 Figure 120 Configuring a Class Map 237 Figure 121 Showing Class Maps 238 Figure 122 Adding Rules to a Class Map 238 Figure 123 Showing the Rules for a Class Map 239 Figure 12...

Страница 35: ...Network Access 280 Figure 155 Configuring Interface Settings for Network Access 282 Figure 156 Configuring Link Detection for Network Access 283 Figure 157 Configuring a MAC Address Filter for Network...

Страница 36: ...rt Supplicant 337 Figure 193 Setting the Filter Type for IP Source Guard 339 Figure 194 Configuring Static Bindings for IP Source Guard 340 Figure 195 Displaying Static Bindings for IP Source Guard 34...

Страница 37: ...NMPv3 Users 389 Figure 228 Showing Remote SNMPv3 Users 389 Figure 229 Configuring Trap Managers SNMPv1 393 Figure 230 Configuring Trap Managers SNMPv2c 393 Figure 231 Configuring Trap Managers SNMPv3...

Страница 38: ...8 Figure 266 Showing Static Entries in the DNS Table 438 Figure 267 Showing Entries in the DNS Cache 439 Figure 268 Multicast Filtering Concept 441 Figure 269 Configuring General Settings for IGMP Sno...

Страница 39: ...gure 287 Configuring Interface Settings for MVR 468 Figure 288 Assigning Static MVR Groups to a Port 469 Figure 289 Showing the Static MVR Groups Assigned to a Port 469 Figure 290 Displaying MVR Recei...

Страница 40: ...FIGURES 40...

Страница 41: ...re Queues 226 Table 15 Default Mapping of DSCP Values to Internal PHB Drop Values 230 Table 16 Default Mapping of CoS CFI to Internal PHB Drop Precedence 233 Table 17 Dynamic QoS Profiles 278 Table 18...

Страница 42: ...cription 535 Table 48 show logging trap display description 536 Table 49 Event Logging Commands 536 Table 50 Time Commands 540 Table 51 Time Range Commands 545 Table 52 Switch Cluster Commands 548 Tab...

Страница 43: ...Commands 690 Table 84 ARP ACL Commands 695 Table 85 ACL Information Commands 698 Table 86 Interface Commands 699 Table 87 show interfaces switchport display description 712 Table 88 Link Aggregation...

Страница 44: ...824 Table 119 Mapping Internal Per hop Behavior to Hardware Queues 825 Table 120 Quality of Service Commands 831 Table 121 Multicast Filtering Commands 849 Table 122 IGMP Snooping Commands 849 Table 1...

Страница 45: ...v6 interface display description 935 Table 141 show ipv6 mtu display description 937 Table 142 show ipv6 traffic display description 938 Table 143 show ipv6 neighbors display description 947 Table 144...

Страница 46: ...TABLES 46...

Страница 47: ...view of the switch and introduces some basic concepts about network switches It also describes the basic settings required to access the management interface This section includes these chapters Intro...

Страница 48: ...SECTION I Getting Started 48...

Страница 49: ...dress filtering General Security Measures Private VLANs Port Authentication Port Security DHCP Snooping IP Source Guard Access Control Lists Supports up to 512 rules 64 ACLs and a maximum of 32 rules...

Страница 50: ...ocally or can be verified via a remote authentication server i e RADIUS or TACACS Port based authentication is also supported via the IEEE 802 1X protocol This protocol uses Extensible Authentication...

Страница 51: ...bined into an aggregate connection Trunks can be manually set up or dynamically configured using Link Aggregation Control Protocol LACP IEEE 802 3 2005 The additional ports dramatically increase the t...

Страница 52: ...physical paths between segments this protocol will choose a single path and disable all others to ensure that only one route exists between any two stations on the network This prevents the creation o...

Страница 53: ...restrict traffic to specified interfaces based on protocol type IEEE 802 1Q TUNNELING QINQ This feature is designed for service providers carrying traffic for multiple customers across their networks...

Страница 54: ...uarantee real time delivery by setting the required priority level for the designated VLAN The switch uses IGMP Snooping and Query to manage multicast group registration SYSTEM DEFAULTS The switch s s...

Страница 55: ...nabled Flow Control Disabled Port Trunking Static Trunks None LACP all ports Disabled Congestion Control Rate Limiting Disabled Storm Control Broadcast Enabled 64 kbits sec Multicast Disabled Unknown...

Страница 56: ...signed Subnet Mask 255 255 255 0 Default Gateway 0 0 0 0 DHCP Client Enabled DNS Proxy service Disabled BOOTP Disabled Multicast Filtering IGMP Snooping Layer 2 Snooping Enabled Querier Disabled IGMP...

Страница 57: ...rd web browser such as Internet Explorer 5 x or above Netscape 6 2 or above and Mozilla Firefox 2 0 0 0 or above The switch s web management interface can be accessed from any computer attached to the...

Страница 58: ...provides an RS 232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch A null modem console cable is provided with the switch Attach a VT100 compatible...

Страница 59: ...rotocol An IPv4 address for this switch is obtained via DHCP by default To manually configure this address or enable dynamic address assignment via DHCP see Setting an IP Address on page 61 NOTE This...

Страница 60: ...enter admin 3 At the Password prompt also enter admin The password characters are not displayed on the console screen 4 The session is opened and the CLI displays the Console prompt indicating you hav...

Страница 61: ...ou can manually assign an IP address to the switch You may also need to specify a default gateway that resides between this device and management stations that exist on another network segment Valid I...

Страница 62: ...6 on page 415 Link Local Address All link local addresses must be configured with a prefix of FE80 Remember that this address type makes the switch accessible over IPv6 for all devices attached to the...

Страница 63: ...v6 global unicast address for the switch complete the following steps 1 From the global configuration mode prompt type interface vlan 1 to access the interface configuration mode Press Enter 2 From th...

Страница 64: ...ote that the ip dhcp restart client command can also be used to start broadcasting service requests for all VLANs configured to obtain address assignments through BOOTP or DHCP It may be necessary to...

Страница 65: ...To generate an IPv6 link local address for the switch complete the following steps 1 From the Global Configuration mode prompt type interface vlan 1 to access the interface configuration mode Press En...

Страница 66: ...1000 milliseconds Console ENABLING SNMP MANAGEMENT ACCESS The switch can be configured to accept management commands from Simple Network Management Protocol SNMP applications You can configure the sw...

Страница 67: ...d mode is rw read write or ro read only Press Enter Note that the default mode is read only 2 To remove an existing string simply type no snmp server community string where string is the community acc...

Страница 68: ...he password greenpeace for authentication and the password einstien for encryption Console config snmp server view mib 2 1 3 6 1 2 1 included Console config snmp server view 802 1d 1 3 6 1 2 1 17 incl...

Страница 69: ...the start up configuration file is loaded Note that configuration files should be downloaded using a file name that reflects the contents or usage of the file settings If you download directly to the...

Страница 70: ...e to FLASH finish Success Console To restore configuration settings from a backup server enter the following command 1 From the Privileged Exec mode prompt type copy tftp startup config and press Ente...

Страница 71: ...Interface Configuration on page 117 VLAN Configuration on page 155 Address Table Settings on page 185 Spanning Tree Algorithm on page 193 Rate Limit Configuration on page 217 Storm Control Configurat...

Страница 72: ...SECTION II Web Configuration 72...

Страница 73: ...ateway using an out of band serial connection BOOTP or DHCP protocol See Setting an IP Address on page 61 2 Set user names and passwords using an out of band serial connection Access to the web agent...

Страница 74: ...nistrator has Read Write access to all configuration parameters and statistics The default user name and password for the administrator is admin HOME PAGE When your web browser connects with the switc...

Страница 75: ...or item Check for newer versions of stored pages should be Every visit to the page NOTE When using Internet Explorer 5 0 you may have to manually refresh the screen after making configuration changes...

Страница 76: ...ade Automatically upgrades operation code if a newer version is found on the server 99 Time 103 Configure General Manual Manually sets the current time 103 SNTP Configures SNTP polling interval 104 Co...

Страница 77: ...aggregation group members on the local side 137 Partner Configures parameters for link aggregation group members on the remote side 137 Show Information 143 Counters Displays statistics for LACP prot...

Страница 78: ...ynamic VLAN 165 Show VLAN Shows the VLANs this switch has joined through GVRP 165 Show VLAN Member Shows the interfaces assigned to a VLAN through GVRP 165 Tunnel IEEE 802 1Q QinQ Tunneling 168 Config...

Страница 79: ...gure Configures global bridge settings for STP RSTP and MSTP 197 Show Information Displays STA values used for the bridge 202 Configure Interface Configure Configures interface settings for STA 203 Sh...

Страница 80: ...Creates a class map for a type of traffic 236 Show Shows configured class maps 236 Modify Modifies the name of a class map 236 Add Rule Configures the criteria used to classify ingress traffic 236 Sh...

Страница 81: ...service types 265 Configure Service Sets the accounting method applied to specific interfaces for 802 1X CLI command privilege levels for the console port and for Telnet 265 Show Information 265 Summ...

Страница 82: ...Copy Certificate Replaces the default secure site certificate 288 SSH Secure Shell 289 Configure Global Configures SSH server settings 292 Configure Host Key 293 Generate Generates the host key pair...

Страница 83: ...obal Enables authentication and EAPOL pass through 326 Configure Interface Sets authentication parameters for individual ports 328 Show Statistics Displays protocol statistics for the selected port 33...

Страница 84: ...ows configured engine ID for remote devices 375 Configure View 376 Add View Adds an SNMP v3 view of the OID MIB 376 Show View Shows configured SNMP v3 views 376 Add OID Subtree Specifies a part of the...

Страница 85: ...Global Globally enables clustering for the switch sets Commander status 406 Configure Member Adds switch Members to the cluster 408 Show Member Shows cluster switch member managed switch members 409...

Страница 86: ...ion Protocol Snooping 342 Configure Global Enables DHCP snooping globally MAC address verification information option and sets the information policy 345 Configure VLAN Enables DHCP snooping on a VLAN...

Страница 87: ...Range Shows multicast groups assigned to a profile 459 Configure Interface Assigns IGMP filter profiles to port interfaces and sets throttling action 462 MVR Multicast VLAN Registration 463 Configure...

Страница 88: ...CHAPTER 3 Using the Web Interface Navigating the Web Browser Interface 88...

Страница 89: ...tem start up files Setting the System Clock Sets the current time manually or through specified SNTP servers Console Port Settings Sets console port connection parameters Telnet Settings Sets Telnet c...

Страница 90: ...stem Location Specifies the system location System Contact Administrator responsible for the system WEB INTERFACE To configure general system information 1 Click System General 2 Specify the system na...

Страница 91: ...us Displays the status of the internal power supply Management Software Information Role Shows that this switch is operating as Master or Slave EPLD Version Version number of EEPROM Programmable Logic...

Страница 92: ...Management Commands on page 493 USAGE GUIDELINES To use jumbo frames both the source and destination end nodes such as a computer or server must support this feature Also when the connection is opera...

Страница 93: ...t addresses Refer to Setting Static Addresses on page 187 VLAN Version Number Based on IEEE 802 1Q 1 indicates Bridges that support only single spanning tree SST operation and 2 indicates Bridges that...

Страница 94: ...R HTTP Use the System File Copy page to upload download firmware or configuration settings using FTP TFTP or HTTP By backing up a file to an FTP TFTP server or management station that file can later b...

Страница 95: ...er Name The user name for FTP server access Password The password for FTP server access File Type Specify Operation Code to copy firmware File Name The file name should not contain slashes or the lead...

Страница 96: ...rrently used for startup and want to start using the new file reboot the system via the System Reset menu SAVING THE RUNNING CONFIGURATION TO A LOCAL FILE Use the System File Copy page to save the cur...

Страница 97: ...ory space WEB INTERFACE To save the running configuration file 1 Click System then File 2 Select Copy from the Action list 3 Select Running Config from the Copy Type list 4 Select the current startup...

Страница 98: ...art using the new firmware or configuration settings reboot the system via the System Reset menu SHOWING SYSTEM FILES Use the System File Show page to show the files in the system directory or to dele...

Страница 99: ...he host portion of the upgrade file location URL must be a valid IPv4 IP address DNS host names are not recognized Valid IP addresses consist of four numbers 0 to 255 separated by periods The path to...

Страница 100: ...ready stored on the switch s file system then the non startup image is deleted before the upgrade image is transferred The automatic upgrade process will take place in the background without impeding...

Страница 101: ...s the password for the FTP connection To differentiate the password from the user name and host portions of the URL a colon must precede the password and an at symbol must follow the password If the p...

Страница 102: ...e FTP root directory ftp switches upgrade 192 168 0 1 The user name is switches and the password is upgrade The image file is in the FTP root ftp switches upgrade 192 168 0 1 switches opcode The user...

Страница 103: ...or event entries You can also manually set the clock If the clock is not set manually or via SNTP the switch will only record the time from the factory default set at the last bootup When the SNTP cli...

Страница 104: ...ing the System Clock CONFIGURING SNTP Use the System Time Configure General SNTP page to configure the switch to send time synchronization requests to time servers Set the SNTP polling interval SNTP s...

Страница 105: ...m Time Configure Time Server page to specify the IP address for up to three SNTP time servers CLI REFERENCES sntp server on page 542 PARAMETERS The following parameters are displayed SNTP Server IP Ad...

Страница 106: ...west after of UTC You can choose one of the 80 predefined time zone definitions or your can manually configure the parameters for your local time zone PARAMETERS The following parameters are displaye...

Страница 107: ...stem waits for a user to log into the CLI If a login attempt is not detected within the timeout interval the connection is terminated for the session Range 0 300 seconds Default 0 seconds Exec Timeout...

Страница 108: ...aud rate for transmit to terminal and receive from terminal Set the speed to match the baud rate of the device connected to the serial port Range 9600 19200 or 38400 baud Default 115200 baud NOTE The...

Страница 109: ...Default 300 seconds Exec Timeout Sets the interval that the system waits until user input is detected If user input is not detected within the timeout interval the current session is terminated Range...

Страница 110: ...age to display information on CPU utilization CLI REFERENCES show process cpu on page 504 PARAMETERS The following parameters are displayed Time Interval The interval at which to update the displayed...

Страница 111: ...utilization parameters CLI REFERENCES show memory on page 504 PARAMETERS The following parameters are displayed Free Size The amount of memory currently free for use Used Size The amount of memory al...

Страница 112: ...512 PARAMETERS The following parameters are displayed System Reload Configuration Reset Mode Restarts the switch immediately or at the specified time s Immediately Restarts the system immediately In...

Страница 113: ...Daily Every day Weekly Day of the week at which to reload Range Sunday Saturday Monthly Day of the month at which to reload Range 1 31 WEB INTERFACE To restart the switch 1 Click System then Restart 2...

Страница 114: ...CHAPTER 4 Basic Management Tasks Resetting the System 114 Figure 21 Restarting the Switch In Figure 22 Restarting the Switch At...

Страница 115: ...CHAPTER 4 Basic Management Tasks Resetting the System 115 Figure 23 Restarting the Switch Regularly...

Страница 116: ...CHAPTER 4 Basic Management Tasks Resetting the System 116...

Страница 117: ...of the cable used to connect to other devices Traffic Segmentation Configures the uplinks and down links to a segmented group of ports VLAN Trunking Configures a tunnel across one or more intermediat...

Страница 118: ...an interface due to abnormal behavior e g excessive collisions and then re enable it after the problem has been resolved You may also disable an interface for security reasons Media Type Configures t...

Страница 119: ...lem Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub Default Autonegotiation enabled Advertised capabilities for 100Base TX 10half 10full 100...

Страница 120: ...e 117 CLI REFERENCES Interface Commands on page 699 WEB INTERFACE To configure port connection parameters 1 Click Interface Port General 2 Select Configure by Port Range from the Action List 3 Enter t...

Страница 121: ...n Media Type Media type used Options RJ 45 Copper Forced SFP Copper Forced SFP Forced or SFP Preferred Auto Default RJ 45 Copper Forced SFP SFP Preferred Auto Autonegotiation Shows if auto negotiation...

Страница 122: ...ch or exceed source port speed otherwise traffic may be dropped from the monitor port When mirroring port traffic the target port must be included in the same VLAN as the source port when using MSTP s...

Страница 123: ...Select Add from the Action List 3 Specify the source port 4 Specify the monitor port 5 Specify the traffic type to be mirrored 6 Click Apply Figure 28 Configuring Local Port Mirroring To display the c...

Страница 124: ...ion port on the same switch local port mirroring as described in Configuring Local Port Mirroring on page 122 or from one or more source ports on remote switches to a destination port on this switch r...

Страница 125: ...nnot be used as the destination for RSPAN traffic Spanning Tree If the spanning tree is disabled BPDUs will not be flooded onto the RSPAN VLAN MAC address learning is not supported on RSPAN uplink por...

Страница 126: ...Only one uplink port can be configured on a source switch but there is no limitation on the number of uplink ports configured on an intermediate or destination switch Only destination and uplink port...

Страница 127: ...session 1 Click Interface RSPAN 2 Set the Switch Role to None Source Intermediate or Destination 3 Configure the required settings for each switch participating in the RSPAN VLAN 4 Click Apply Figure...

Страница 128: ...statistics including a total count of different frame types and sizes passing through each port All values displayed have been accumulated since the last system reboot and are shown as counts per seco...

Страница 129: ...el protocols requested be transmitted and which were addressed to a broadcast address at this sub layer including those that were discarded or not sent Received Unknown Packets The number of packets r...

Страница 130: ...Received Octets Total number of octets of data received on the network This statistic can be used as a reasonable indication of Ethernet utilization Received Packets The total number of packets bad br...

Страница 131: ...tatistics 1 Click Interface Port Chart 2 Select the statistics mode to display Interface Etherlike RMON or All 3 If Interface Etherlike RMON statistics mode is chosen select a port from the drop down...

Страница 132: ...akes approximately 5 seconds The switch displays the results of the test immediately upon completion including common cable failures as well as the status and approximate length to a fault Potential c...

Страница 133: ...switch supports both static trunking and dynamic Link Aggregation Control Protocol LACP Static trunks have to be manually configured at both ends of the link and the switches must comply with the Cis...

Страница 134: ...k ports When configuring static trunks on switches of different types they must be compatible with the Cisco EtherChannel standard The ports at both ends of a trunk must be configured in an identical...

Страница 135: ...ing the ports and also disconnect the ports before removing a static trunk via the configuration interface PARAMETERS These parameters are displayed Trunk ID Trunk identifier Range 1 5 Member The init...

Страница 136: ...port for an additional trunk member 6 Click Apply Figure 39 Adding Static Trunks Members To configure connection parameters for a static trunk 1 Click Interface Trunk Static 2 Select Configure General...

Страница 137: ...Configuring Dynamic Trunks CLI REFERENCES Link Aggregation Commands on page 717 COMMAND USAGE To avoid creating a loop in the network be sure you enable LACP before connecting the ports and also disc...

Страница 138: ...ic link aggregation group LAG during local LACP setup on the switch Range 0 65535 Configure Aggregation Port General Port Port identifier Range 1 10 LACP Status Enables or disables LACP on a port Conf...

Страница 139: ...ort NOTE Configuring the port partner sets the remote side of an aggregate link i e the ports on the attached device The command attributes have the same meaning as those used for the port actor WEB I...

Страница 140: ...40 To enable LACP for a port 1 Click Interface Trunk Dynamic 2 Select Configure Aggregation Port from the Step list 3 Select Configure from the Action list 4 Click General 5 Enable LACP on the require...

Страница 141: ...st 3 Select Configure from the Action list 4 Click Actor or Partner 5 Configure the required settings 6 Click Apply Figure 45 Configuring LACP Parameters on a Port To show the active members of a dyna...

Страница 142: ...4 Modify the required interface settings See Configuring by Port List on page 117 for a description of the interface settings 5 Click Apply Figure 47 Configuring Connection Settings for Dynamic Trunk...

Страница 143: ...Table 6 LACP Port Counters Parameter Description LACPDUs Sent Number of valid LACPDUs transmitted from this channel group LACPDUs Received Number of valid LACPDUs received on this channel group Marker...

Страница 144: ...te for the local side of a link aggregation CLI REFERENCES show lacp on page 723 PARAMETERS These parameters are displayed Table 7 LACP Internal Configuration Information Parameter Description LACP Sy...

Страница 145: ...lecting Collection of incoming frames on this link is enabled i e collection is currently enabled and is not expected to be disabled in the absence of administrative changes or changes in received pro...

Страница 146: ...FOR THE REMOTE SIDE Use the Interface Trunk Dynamic Configure Aggregation Port Show Information Neighbors page to display the configuration settings and operational state for the remote side of a lin...

Страница 147: ...o this aggregation port by the port s protocol partner Port Admin Priority Current administrative value of the port priority for the protocol partner Port Oper Priority Priority value assigned to this...

Страница 148: ...e is detected the switch automatically turns off the transmitter and most of the receive circuitry entering Sleep Mode In this mode the low power energy detection circuit continuously checks for energ...

Страница 149: ...ving Status Adjusts the power provided to ports based on the length of the cable used to connect to other devices Only sufficient power is used to maintain connection requirements Default Enabled on G...

Страница 150: ...downlink ports is only forwarded to and from uplink ports ENABLING TRAFFIC SEGMENTATION Use the Interface Traffic Segmentation Configure Global page to enable traffic segmentation CLI REFERENCES Confi...

Страница 151: ...nfiguring Port based Traffic Segmentation on page 800 PARAMETERS These parameters are displayed Interface Displays a list of ports or trunks Port Port Identifier Range 1 10 Trunk Trunk Identifier Rang...

Страница 152: ...he path connecting VLANs 1 and 2 you only need to create these VLAN groups in switches A and B Switches C D and E automatically allow frames with VLAN group tags 1 and 2 groups that are unknown to tho...

Страница 153: ...bled on Gigabit ports Trunk Trunk Identifier Range 1 5 VLAN Trunking Status Enables VLAN trunking on the selected interface WEB INTERFACE To enable VLAN trunking on a port or trunk 1 Click Interface V...

Страница 154: ...CHAPTER 5 Interface Configuration VLAN Trunking 154...

Страница 155: ...each subnet into separate domains This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains VLANs confine broadcast traffi...

Страница 156: ...a tagged port if you want it to carry traffic for one or more VLANs and any intermediate network devices or the host at the other end of the connection supports VLANs Then assign ports on the other V...

Страница 157: ...assigned If an end station or its network adapter supports the IEEE 802 1Q VLAN protocol it can be configured to broadcast a message to your network indicating the VLAN groups it wants to join When t...

Страница 158: ...must first strip off the VLAN tag before forwarding the frame When the switch receives a tagged frame it will pass this frame onto the VLAN s indicated by the frame tag However when this switch receiv...

Страница 159: ...nfigured VLAN VLAN Name Name of the VLAN Status Operational status of configured VLAN Remote VLAN Shows if RSPAN is enabled on this VLAN see Configuring Remote Port Mirroring on page 124 WEB INTERFACE...

Страница 160: ...atic 2 Select Show from the Action list Figure 61 Showing Static VLANs ADDING STATIC MEMBERS TO VLANS Use the VLAN Static page to configure port members for the selected VLAN index interface or a rang...

Страница 161: ...annot be set to access mode and vice versa Hybrid Specifies a hybrid VLAN interface The port may transmit tagged or untagged frames 1Q Trunk Specifies a port as an end point for a VLAN trunk A trunk i...

Страница 162: ...transmitted by the port will be tagged that is carry a tag and therefore carry VLAN or CoS information Untagged Interface is a member of the VLAN All packets transmitted by the port will be untagged...

Страница 163: ...page WEB INTERFACE To configure static members by the VLAN index 1 Click VLAN Static 2 Select Edit Member by VLAN from the Step list 3 Set the Interface type to display as Port or Trunk 4 Modify the s...

Страница 164: ...LAN Members by Interface To configure static members by interface range 1 Click VLAN Static 2 Select Edit Member by Interface Range from the Step list 3 Set the Interface type to display as Port or Tr...

Страница 165: ...re dynamically configured based on join messages issued by host devices and propagated throughout the network GVRP must be enabled to permit automatic VLAN registration and to support VLANs which exte...

Страница 166: ...terval should be considerably larger than the Leave Time to minimize the amount of traffic generated by nodes rejoining the group Range 500 18000 centiseconds Default 1000 Show Dynamic VLAN Show VLAN...

Страница 167: ...s or timers for any interface 5 Click Apply Figure 66 Configuring GVRP for an Interface To show the dynamic VLAN joined by this switch 1 Click VLAN Dynamic 2 Select Show Dynamic VLAN from the Step lis...

Страница 168: ...VLAN limit of 4096 QinQ tunneling uses a single Service Provider VLAN SPVLAN for customers who have multiple VLANs Customer VLAN IDs are preserved and traffic from different customers is segregated w...

Страница 169: ...entering a QinQ tunnel port are processed in the following manner 1 New SPVLAN tags are added to all incoming packets no matter how many tags they already have The ingress process constructs and inse...

Страница 170: ...native tag is added to the packet This outer tag is used for learning and switching packets within the service provider s network The TPID must be configured on a per port basis and the verification...

Страница 171: ...provider network There are some inherent incompatibilities between Layer 2 and Layer 3 switching Tunnel ports do not support IP Access Control Lists Layer 3 Quality of Service QoS and other QoS featur...

Страница 172: ...abled Ethernet Type The Tag Protocol Identifier TPID specifies the ethertype of incoming packets on a tunnel port Range hexadecimal 0800 FFFF Default 8100 Use this field to set a custom 802 1Q etherty...

Страница 173: ...the attached client is using a nonstandard 2 byte ethertype to identify 802 1Q tagged frames Then use the Configure Interface page to set the access interface on the edge switch to Tunnel mode and se...

Страница 174: ...nfiguration deprives users of the basic benefits of VLANs including security and easy accessibility To avoid these problems you can configure this switch with protocol based VLANs that divide the phys...

Страница 175: ...rame type used by this protocol Protocol Type Specifies the protocol type to match The available options are IP ARP RARP and IPv6 If LLC Other is chosen for the Frame Type the only available Protocol...

Страница 176: ...rom the Action list 4 Select an entry from the Frame Type list 5 Select an entry from the Protocol Type list 6 Enter an identifier for the protocol group 7 Click Apply Figure 72 Configuring Protocol V...

Страница 177: ...e associated VLAN When a frame enters a port that has been assigned to a protocol VLAN it is processed in the following manner If the frame is tagged it will be processed according to the standard rul...

Страница 178: ...lect a port or trunk 5 Enter the identifier for a protocol group 6 Enter the corresponding VLAN to which the protocol traffic will be forwarded 7 Click Apply Figure 74 Assigning Interfaces to Protocol...

Страница 179: ...to only one VLAN ID An IP subnet consists of an IP address and a mask When an untagged frame is received by a port the source IP address is checked against the IP subnet to VLAN mapping table and if a...

Страница 180: ...field 4 Enter a mask in the Subnet Mask field 5 Enter the identifier in the VLAN field Note that the specified VLAN need not already be configured 6 Enter a value to assign to untagged frames in the...

Страница 181: ...VLANs on page 808 COMMAND USAGE The MAC to VLAN mapping applies to all ports on the switch Source MAC addresses can be mapped to only one VLAN ID Configured MAC addresses cannot be broadcast or multic...

Страница 182: ...s in the MAC Address field 4 Enter an identifier in the VLAN field Note that the specified VLAN need not already be configured 5 Enter a value to assign to untagged frames in the Priority field 6 Clic...

Страница 183: ...led the target port can receive a mirrored packet twice once from the source mirror port and again from the source mirrored VLAN The target port receives traffic from all monitored source VLANs and ca...

Страница 184: ...mirroring 1 Click VLAN Mirror 2 Select Add from the Action list 3 Select the source VLAN and select a target port 4 Click Apply Figure 80 Configuring VLAN Mirroring To show the VLANs to be mirrored 1...

Страница 185: ...ed source address to a target port CONFIGURING MAC ADDRESS LEARNING Use the MAC Address Learning Status page to enable or disable MAC address learning on an interface CLI REFERENCES mac learning on pa...

Страница 186: ...ity Status see Configuring Port Security on page 323 is enabled on the same interface PARAMETERS These parameters are displayed Interface Displays a list of ports or trunks Port Port Identifier Range...

Страница 187: ...ress is seen on another interface the address will be ignored and will not be written to the address table Static addresses will not be removed from the address table when a given interface link is do...

Страница 188: ...dresses CHANGING THE AGING TIME Use the MAC Address Dynamic Configure Aging page to set the aging time for entries in the dynamic address table The aging time is used to age out dynamically learned fo...

Страница 189: ...source address for traffic entering the switch When the destination address for inbound traffic is found in the database the packets intended for that address are forwarded directly to the associated...

Страница 190: ...ng the Dynamic MAC Address Table CLEARING THE DYNAMIC ADDRESS TABLE Use the MAC Address Dynamic Clear Dynamic MAC page to remove any learned entries from the forwarding database CLI REFERENCES clear m...

Страница 191: ...ive manner CLI REFERENCES Local Port Mirroring Commands on page 727 COMMAND USAGE When mirroring traffic from a MAC address ingress traffic with the specified source address entering any port in the s...

Страница 192: ...rt The port that will mirror the traffic from the source port Range 1 10 WEB INTERFACE To mirror packets based on a MAC address 1 Click MAC Address Mirror 2 Select Add from the Action list 3 Specify t...

Страница 193: ...nt switch bridge or router in your network to ensure that only one route exists between any two stations on the network and provide backup links which automatically take over when a primary link goes...

Страница 194: ...seconds compared to 30 seconds or more for STP by reducing the number of state changes before active ports start learning predefining an alternate route that can be used when a node or port fails and...

Страница 195: ...cations with STP or RSTP nodes in the global network Figure 92 Common Internal Spanning Tree Common Spanning Tree Internal Spanning Tree MSTP connects all bridges and LAN segments with a single Common...

Страница 196: ...eceive it s own BPDUs in a forward delay interval NOTE If loopback detection is not enabled and an interface receives it s own BPDU then the interface will drop the loopback BPDU according to IEEE Sta...

Страница 197: ...MAND USAGE Spanning Tree Protocol1 Uses RSTP for the internal state machine but sends only 802 1D BPDUs This creates one spanning tree instance for the entire network If multiple VLANs are implemented...

Страница 198: ...bridges that have compatible VLAN instance assignments Be careful when switching between spanning tree modes Changing modes stops all spanning tree instances for the previous mode and restarts the sy...

Страница 199: ...The maximum time in seconds a device can wait without receiving a configuration message before attempting to reconfigure All device ports except for designated ports should receive configuration messa...

Страница 200: ...his MSTI Maximum length 32 characters switch s MAC address Maximum Hop Count The maximum number of hops allowed in the MST region before a BPDU is discarded Range 1 40 Default 20 WEB INTERFACE To conf...

Страница 201: ...CHAPTER 8 Spanning Tree Algorithm Configuring Global Settings for STA 201 Figure 95 Configuring Global Settings for STA RSTP Figure 96 Configuring Global Settings for STA MSTP...

Страница 202: ...d MAC address where the address is taken from the switch system Designated Root The priority and MAC address of the device in the Spanning Tree that this switch has accepted as the root device Root Po...

Страница 203: ...57 PARAMETERS These parameters are displayed Interface Displays a list of ports or trunks Spanning Tree Enables disables STA on this interface Default Enabled Priority Defines the priority used for th...

Страница 204: ...ines if the interface is attached to a point to point link or to shared media This is the default setting 3 Refer to Configuring Global Settings for STA on page 197 for information on setting the path...

Страница 205: ...that Edge Port should only be enabled for ports connected to an end node device Default Disabled Enabled Manually configures a port as an Edge Port Disabled Disables the Edge Port setting Auto The por...

Страница 206: ...on configured edge ports that are connected to end nodes By default STA sends BPDUs to all ports regardless of whether administrative edge is enabled on a port BDPU filtering is configured on a per p...

Страница 207: ...esses The rules defining port status are A port on a network segment with no other STA compliant bridging device is always forwarding If two ports of a switch are connected to the same segment and the...

Страница 208: ...er bridge is attached to this port Port Role Roles are assigned according to whether the port is part of the active topology connecting the bridge to the root bridge i e root port connecting a LAN thr...

Страница 209: ...multiple pathways across the network thereby balancing the traffic load preventing wide scale disruption when a bridge node in a single instance fails and allowing for faster convergence of a new top...

Страница 210: ...ame MSTI settings PARAMETERS These parameters are displayed MST ID Instance identifier to configure Range 0 4094 VLAN ID VLAN to assign to this MST instance Range 1 4093 Priority The priority of a spa...

Страница 211: ...nstance To show the MSTP instances 1 Click Spanning Tree MSTP 2 Select Configure Global from the Step list 3 Select Show from the Action list The attributes displayed on this page are described under...

Страница 212: ...ect an MST instance from the MST ID list 5 Enter the VLAN group to add to the instance in the VLAN ID field Note that the specified member does not have to be a configured VLAN 6 Click Apply Figure 10...

Страница 213: ...port in the Spanning Tree Protocol If the path cost for all ports on a switch are the same the port with the highest priority i e lowest value will be configured as an active link in the Spanning Tree...

Страница 214: ...INTERFACE To configure MSTP parameters for a port or trunk 1 Click Spanning Tree MSTP 2 Select Configure Interface from the Step list 3 Select Configure from the Action list 4 Enter the priority and p...

Страница 215: ...CHAPTER 8 Spanning Tree Algorithm Configuring Interface Settings for MSTP 215 Figure 106 Displaying MSTP Interface Settings...

Страница 216: ...CHAPTER 8 Spanning Tree Algorithm Configuring Interface Settings for MSTP 216...

Страница 217: ...can be applied to individual ports When an interface is configured with this feature the traffic rate will be monitored by the hardware to verify conformity Non conforming traffic is dropped conformin...

Страница 218: ...uration 218 WEB INTERFACE To configure rate limits 1 Click Traffic Rate Limit 2 Enable the Rate Limit Status for the required ports 3 set the rate limit for the individual ports 4 Click Apply Figure 1...

Страница 219: ...t packet rate on page 707 COMMAND USAGE Broadcast Storm Control is enabled by default Broadcast control does not effect IP multicast traffic PARAMETERS These parameters are displayed Interface Display...

Страница 220: ...nfigure broadcast storm control 1 Click Traffic Storm Control 2 Set the Status field to enable or disable storm control 3 Set the required threshold beyond which the switch will start dropping packets...

Страница 221: ...cessing LAYER 2 QUEUE SETTINGS This section describes how to configure the default priority for untagged frames set the queue mode set the weights assigned to each queue and map class of service tags...

Страница 222: ...k Apply Figure 109 Setting the Default Port Priority SELECTING THE QUEUE MODE Use the Traffic Priority Queue page to set the queue mode for the egress queues on any interface The switch can be set to...

Страница 223: ...rvice is used for the high priority queues and weighted service for the remaining queues The queues assigned to use strict priority should be specified using the Strict Mode field parameter A weight c...

Страница 224: ...ht Sets a weight for each queue which is used by the SDWRR scheduler Range 1 255 Default Weights 1 2 4 6 are assigned to queues 0 3 respectively WEB INTERFACE To configure the queue mode 1 Click Traff...

Страница 225: ...eight separate traffic priorities are defined in IEEE 802 1p Default priority levels are assigned according to recommendations in the IEEE 802 1p standard as shown in Table 12 The following table indi...

Страница 226: ...the highest CoS priority queue WEB INTERFACE To map internal PHB to hardware queues 1 Click Traffic Priority PHB to Queue 2 Select Add from the Action list 3 Set the queue mode 4 Map an internal PHB...

Страница 227: ...tings 227 Figure 113 Mapping CoS Values to Egress Queues To show the internal PHB to hardware queue map 1 Click Traffic Priority PHB to Queue 2 Select Show from the Action list 3 Select an interface F...

Страница 228: ...ine the hardware queues used for egress traffic not to replace the priority values These defaults are designed to optimize priority services for the majority of network applications It should not be n...

Страница 229: ...Apply Figure 115 Setting the Trust Mode MAPPING INGRESS DSCP VALUES TO INTERNAL DSCP VALUES Use the Traffic Priority DSCP to DSCP page to map DSCP values in incoming packets to per hop behavior and dr...

Страница 230: ...value in ingress packets Range 0 63 PHB Per hop behavior or the priority used for this router hop Range 0 7 Drop Precedence Drop precedence used for Random Early Detection in controlling traffic conge...

Страница 231: ...ity DSCP to DSCP 2 Select Add from the Action list 3 Set the PHB and drop precedence for any DSCP value 4 Click Apply Figure 116 Configuring DSCP to DSCP Internal Mapping To show the DSCP to internal...

Страница 232: ...for per hop behavior PHB which determines the queue to which a packet is sent and two bits for drop precedence namely color which is used by Random Early Detection RED to control traffic congestion R...

Страница 233: ...ority CoS to DSCP 2 Select Add from the Action list 3 Set the PHB and drop precedence for any of the CoS CFI combinations 4 Click Apply Figure 118 Configuring CoS to DSCP Internal Mapping Table 16 Def...

Страница 234: ...ayer 3 4 Priority Settings 234 To show the CoS CFI to internal PHB drop precedence map 1 Click Traffic Priority CoS to DSCP 2 Select Show from the Action list 3 Select an interface Figure 119 Showing...

Страница 235: ...t kinds of traffic can be marked for different kinds of forwarding All switches or routers that access the Internet rely on class information to provide the same forwarding treatment to packets in the...

Страница 236: ...ured to monitor the maximum throughput and burst rate Then specify the action to take for conforming traffic or the action to take for a policy violation 5 Use the Configure Interface page to assign a...

Страница 237: ...e lone match command ACL List Name of an access control list Any type of ACL can be specified including standard or extended IP ACLs and MAC ACLs IP DSCP A DSCP value Range 0 63 IP Precedence An IP Pr...

Страница 238: ...aps To edit the rules for a class map 1 Click Traffic DiffServ 2 Select Configure Class from the Step list 3 Select Add Rule from the Action list 4 Select the name of a class map 5 Specify type of tra...

Страница 239: ...ich indicates how to match the inbound packets according to an access list a DSCP or IP Precedence value or a member of specific VLAN A policy map is then configured which indicates the boundary param...

Страница 240: ...Early Detection A packet is marked green if it doesn t exceed the committed information rate and committed burst size yellow if it does exceed the committed information rate and committed burst size b...

Страница 241: ...roughput peak information rate PIR and their associated burst sizes committed burst size BC or burst rate and peak burst size BP Action may taken for traffic conforming to the maximum throughput excee...

Страница 242: ...red or if Tp t B 0 the packet is red else if the packet has been precolored as yellow or if Tc t B 0 the packet is yellow and Tp is decremented by B else the packet is green and both Tp and Tc are dec...

Страница 243: ...edence on page 233 Set PHB Configures the service provided to ingress traffic by setting the internal per hop behavior for a matching packet as specified in rule settings for a class map Range 0 7 See...

Страница 244: ...the maximum throughput but within the excess burst size or exceeding the excess burst size In addition to the actions defined by this command to transmit remark the DSCP service value or drop a packe...

Страница 245: ...committed burst size BC or burst rate and peak burst size BP and the action to take for traffic conforming to the maximum throughput exceeding the maximum throughput but within the peak information ra...

Страница 246: ...level Transmit Transmits in conformance traffic without any change to the DSCP service level Exceed Specifies whether traffic that exceeds the maximum rate CIR but is within the peak information rate...

Страница 247: ...onfigure Policy from the Step list 3 Select Add from the Action list 4 Enter a policy name 5 Enter a description 6 Click Add Figure 124 Configuring a Policy Map To show the configured policy maps 1 Cl...

Страница 248: ...behavior for matching packets to specify the quality of service to be assigned to the matching traffic class Use one of the metering options to define parameters such as the maximum throughput and bur...

Страница 249: ...raffic DiffServ Configure Interface page to bind a policy map to an ingress port CLI REFERENCES Quality of Service Commands on page 831 COMMAND USAGE First define a class map define a policy map and b...

Страница 250: ...o bind a policy map to a port 1 Click Traffic DiffServ 2 Select Configure Interface from the Step list 3 Check the box under the Ingress field to enable a policy map for a port 4 Select a policy map f...

Страница 251: ...isolating the VoIP traffic from other data traffic End to end QoS policies and high priority can be applied to VoIP VLAN traffic across the network guaranteeing the bandwidth it needs VLAN isolation...

Страница 252: ...ted on the switch Range 1 4093 Voice VLAN Aging Time The time after which a port is removed from the Voice VLAN when VoIP traffic is no longer received on the port Range 5 43200 minutes Default 1440 m...

Страница 253: ...rs are displayed Telephony OUI Specifies a MAC address range to add to the list Enter the MAC address in format 01 23 45 67 89 AB Mask Identifies a range of MAC addresses Selecting a mask of FF FF FF...

Страница 254: ...nterface page to configure ports for VoIP traffic you need to set the mode Auto or Manual specify the discovery method to use and set the traffic priority You can also enable security filtering to ens...

Страница 255: ...the port Default OUI OUI Traffic from VoIP devices is detected by the Organizationally Unique Identifier OUI of the source MAC address OUI numbers are assigned to manufacturers and form the first thr...

Страница 256: ...CHAPTER 13 VoIP Traffic Configuration Configuring VoIP Traffic Ports 256 Figure 132 Configuring Port Settings for a Voice VLAN...

Страница 257: ...are infeasible or impractical Network Access Configure MAC authentication intrusion response dynamic VLAN assignment and dynamic QoS assignment HTTPS Provide a secure web connection SSH Provide a sec...

Страница 258: ...ers in the network The security servers can be defined as sequential groups that are applied as a method for controlling user access to specified services For example when the switch attempts to authe...

Страница 259: ...e on page 586 COMMAND USAGE By default management access is always checked against the authentication database stored on the local switch If a remote authentication server is used you must specify the...

Страница 260: ...e logon authentication protocols that use software running on a central server to control access to RADIUS aware or TACACS aware devices on the network An authentication server contains a database of...

Страница 261: ...gest 5 TLS Transport Layer Security or TTLS Tunneled Transport Layer Security PARAMETERS These parameters are displayed Configure Server RADIUS Global Provides globally applicable RADIUS settings Serv...

Страница 262: ...CS server used for authentication messages Range 1 65535 Default 49 Set Key Mark this box to set or modify the encryption key Authentication Key Encryption key used to authenticate logon access for cl...

Страница 263: ...globally to all specified servers or select a specific Server Index to specify the parameters that apply to a specific server 5 To set or modify the authentication key mark the Set Key box enter the...

Страница 264: ...Step list 3 Select Add from the Action list 4 Select RADIUS or TACACS server type 5 Enter the group name followed by the index of the server to use for each priority level 6 Click Apply Figure 137 Co...

Страница 265: ...ters are displayed Configure Global Periodic Update Specifies the interval at which the local accounting service updates information for all users on the system to the accounting server Range 0 214748...

Страница 266: ...ed in the Configure Method page Range 1 255 characters Exec Console Method Name Specifies a user defined method name to apply to console connections Telnet Method Name Specifies a user defined method...

Страница 267: ...lick Apply Figure 139 Configuring Global Settings for AAA Accounting To configure the accounting method applied to various service types and the assigned server group 1 Click Security AAA Accounting 2...

Страница 268: ...e Action list Figure 141 Showing AAA Accounting Methods To configure the accounting method applied to specific interfaces console commands entered at specific privilege levels and local console Telnet...

Страница 269: ...ecified service types 1 Click Security AAA Accounting 2 Select Show Information from the Step list 3 Click Summary Figure 144 Displaying a Summary of Applied AAA Accounting Methods To display basic ac...

Страница 270: ...Method Name Specifies an authorization method for service requests The default method is used for a requested service if no other methods have been defined Range 1 255 characters Server Group Name Spe...

Страница 271: ...the Exec service type and the assigned server group 1 Click Security AAA Authorization 2 Select Configure Method from the Step list 3 Specify the name of the authorization method and server group name...

Страница 272: ...Configure Service from the Step list 3 Enter the required authorization method 4 Click Apply Figure 148 Configuring AAA Authorization Methods for Exec Service To display a the configured authorization...

Страница 273: ...rameters are displayed User Name The name of the user Maximum length 32 characters maximum number of users 16 Access Level Specifies the user level Options 0 Normal 15 Privileged Normal privilege leve...

Страница 274: ...on are infeasible or impractical The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries All other traffic except for HTTP...

Страница 275: ...e enabled for any port where required under the Configure Interface menu Session Timeout Configures how long an authenticated session stays active before it must re authenticate itself Range 300 3600...

Страница 276: ...ress Indicates the IP address of each connected host Remaining Session Time Indicates the remaining time until the current authorization session for the host expires Apply Enables web authentication i...

Страница 277: ...n trunk ports CLI REFERENCES Network Access MAC Address Authentication on page 641 COMMAND USAGE MAC address authentication controls access to the network by authenticating the MAC address of each hos...

Страница 278: ...e Group ID attribute The VLAN list can contain multiple VLAN identifiers in the format 1u 2t 3u where u indicates an untagged VLAN and t a tagged VLAN The RADIUS server may optionally return dynamic Q...

Страница 279: ...itch restores the original QoS configuration for the port When a user attempts to log into the network with a returned dynamic QoS profile that is different from users already logged on to the same po...

Страница 280: ...0000 seconds WEB INTERFACE To configure aging status and reauthentication time for MAC address authentication 1 Click Security Network Access 2 Select Configure Global from the Step list 3 Enable or d...

Страница 281: ...ment for an authenticated port When enabled any VLAN identifiers returned by the RADIUS server are applied to the port providing the VLANs have already been created on the switch GVRP is not used to c...

Страница 282: ...NMP trap and or shut down a port when a link event occurs CLI REFERENCES Network Access MAC Address Authentication on page 641 PARAMETERS These parameters are displayed Link Detection Status Configure...

Страница 283: ...age to designate specific MAC addresses or MAC address ranges as exempt from authentication MAC addresses present in MAC Filter tables activated on a port are treated as pre authenticated on that port...

Страница 284: ...a MAC address filter for MAC authentication 1 Click Security Network Access 2 Select Configure MAC Filter from the Step list 3 Select Add from the Action list 4 Enter a filter ID MAC address and opti...

Страница 285: ...Specifies a port interface Attribute Displays static or dynamic addresses Authenticated MAC Address List MAC Address The authenticated MAC address Interface The port interface associated with a secur...

Страница 286: ...CES Web Server on page 603 COMMAND USAGE Both the HTTP and HTTPS service can be enabled independently on the switch However you cannot configure both services to use the same UDP port HTTP can only be...

Страница 287: ...he HTTPS server feature on the switch Default Enabled HTTPS Port Specifies the UDP port number used for HTTPS connection to the switch s web interface Default Port 443 WEB INTERFACE To configure HTTPS...

Страница 288: ...se the default certificate for the switch is not unique to the hardware you have purchased When you have obtained these place them on your TFTP server and transfer them to the switch to replace the de...

Страница 289: ...l and rcp remote copy are not secure from hostile attacks The Secure Shell SSH includes server client applications intended as a secure replacement for the older Berkeley remote access tools SSH can a...

Страница 290: ...ear similar to the following example 10 1 0 54 1024 35 15684995401867669259333946775054617325313674890836547254 15020245593199868544358361651999923329781766065830956 10825913212890233 7654680172627257...

Страница 291: ...1 5 Clients a The client sends its RSA public key to the switch b The switch compares the client s public key to those stored in memory c If a match is found the switch uses its secret key to generate...

Страница 292: ...SSH Server Status Allows you to enable disable the SSH server on the switch Default Disabled Version The Secure Shell version number Version 2 0 is displayed but the switch supports management access...

Страница 293: ...After generating this key pair you must provide the host public key to SSH clients and import the client s public key to the switch as described in the section Importing User Public Keys on page 295...

Страница 294: ...emory to flash memory Otherwise the host key pair is stored to RAM by default Note that you must select this item prior to generating the host key pair Default Disabled WEB INTERFACE To generate the S...

Страница 295: ...or the user to be able to log in using the public key authentication mechanism If the user s public key does not exist on the switch SSH will revert to the interactive password authentication mechanis...

Страница 296: ...on 2 for SSHv2 clients TFTP Server IP Address The IP address of the TFTP server that contains the public key file you wish to import Source File Name The public key file to upload WEB INTERFACE To cop...

Страница 297: ...or any frames based on MAC address or Ethernet type To filter incoming packets first create an access list add the required rules and then bind the list to a specific port Configuring Access Control L...

Страница 298: ...uring which ACL functions are applied CLI REFERENCES Time Range on page 545 PARAMETERS These parameters are displayed Add Time Range Name Name of a time range Range 1 30 characters Add Rule Time Range...

Страница 299: ...etting the Name of a Time Range To show a list of time ranges 1 Click Security ACL 2 Select Configure Time Range from the Step list 3 Select Show from the Action list Figure 168 Showing a List of Time...

Страница 300: ...for the selected mode 7 Click Apply Figure 169 Add a Rule to a Time Range To show the rules configured for a time range 1 Click Security ACL 2 Select Configure Time Range from the Step list 3 Select...

Страница 301: ...or traps For example when binding an ACL to a port each rule in an ACL will use two PCEs and when setting an IP Source Guard filter rule for a port the system will also use two PCEs PARAMETERS These...

Страница 302: ...filter modes are supported IP Standard IPv4 ACL mode filters packets based on the source IPv4 address IP Extended IPv4 ACL mode filters packets based on the source or destination IPv4 address as well...

Страница 303: ...CL 2 Select Configure ACL from the Step list 3 Select Add from the Action list 4 Fill in the ACL Name field and select the ACL type 5 Click Apply Figure 172 Creating an ACL To show a list of ACLs 1 Cl...

Страница 304: ...Address and Subnet Mask fields Options Any Host IP Default Any Source IP Address Source IP address Source Subnet Mask A subnet mask containing four integers from 0 to 255 each separated by a period Th...

Страница 305: ...s matching the selected type Action An ACL can contain any combination of permit or deny rules Source Destination Address Type Specifies the source or destination IP address Use Any to include all pos...

Страница 306: ...yte 14 of the TCP header Range 0 63 Control Code Bit Mask Decimal number representing the code bits to match Range 0 63 The control bit mask is a decimal number for an equivalent binary bit mask that...

Страница 307: ...nded IP from the Type list 5 Select the name of an ACL from the Name list 6 Specify the action i e Permit or Deny 7 Select the address type Any Host or IP 8 If you select Host enter a specific address...

Страница 308: ...e with the Address and Bit Mask fields Options Any Host MAC Default Any Source Destination MAC Address Source or destination MAC address Source Destination Bit Mask Hexadecimal mask for source or dest...

Страница 309: ...Type list 5 Select the name of an ACL from the Name list 6 Specify the action i e Permit or Deny 7 Select the address type Any Host or MAC 8 If you select Host enter a specific address e g 11 22 33 44...

Страница 310: ...fault Request Source Destination IP Address Type Specifies the source or destination IPv4 address Use Any to include all possible addresses Host to specify a specific host address in the Address field...

Страница 311: ...e Type list 5 Select the name of an ACL from the Name list 6 Specify the action i e Permit or Deny 7 Select the packet type Request Response All 8 Select the address type Any Host or IP 9 If you selec...

Страница 312: ...t CLI REFERENCES ip access group on page 688 show ip access group on page 689 mac access group on page 693 show mac access group on page 694 Time Range on page 545 COMMAND USAGE This switch supports A...

Страница 313: ...e middle attacks This is accomplished by intercepting all ARP requests and responses and verifying each of these packets before the local ARP cache is updated or the packet is forwarded to the appropr...

Страница 314: ...not affect the ARP Inspection configuration of any VLANs When ARP Inspection is disabled globally it is still possible to configure ARP Inspection for individual VLANs These configuration changes will...

Страница 315: ...e controlled basis After the system message is generated the entry is cleared from the log buffer Each log entry contains flow information such as the receiving VLAN the port number the source and des...

Страница 316: ...ARP Inspection 2 Select Configure General from the Step list 3 Enable ARP inspection globally enable any of the address validation options and adjust any of the logging parameters if required 4 Click...

Страница 317: ...RS These parameters are displayed ARP Inspection VLAN ID Selects any configured VLAN Default 1 ARP Inspection VLAN Status Enables ARP Inspection for the selected VLAN Default Disabled ARP Inspection A...

Страница 318: ...re subject to ARP packet rate limiting and all trusted ports are exempt from ARP packet rate limiting Packets arriving on trusted interfaces bypass all ARP Inspection and ARP Inspection Validation che...

Страница 319: ...us reasons CLI REFERENCES show ip arp inspection statistics on page 681 PARAMETERS These parameters are displayed Table 19 ARP Inspection Statistics Parameter Description Received ARP packets before A...

Страница 320: ...AN port and address components CLI REFERENCES show ip arp inspection log on page 681 PARAMETERS These parameters are displayed ARP packets dropped by additional validation Src MAC Count of packets tha...

Страница 321: ...to all IP addresses by default Once you add an entry to a filter list access to that interface is restricted to the specified addresses If anyone tries to access a management interface on the switch...

Страница 322: ...rt address and end address PARAMETERS These parameters are displayed Mode Web Configures IP address es for the web group SNMP Configures IP address es for the SNMP group Telnet Configures IP address e...

Страница 323: ...ess table will be authorized to access the network through that port If a device with an unauthorized MAC address attempts to use the switch port the intrusion will be detected and the switch can auto...

Страница 324: ...played Port Port number Action Indicates the action to be taken when a port security violation is detected None No action should be taken This is the default Trap Send an SNMP trap message Shutdown Di...

Страница 325: ...enticator responds with an EAPOL identity request The client provides its identity such as a user name in an EAPOL response to the switch which it forwards to the RADIUS server The RADIUS server verif...

Страница 326: ...nd client also have to support the same EAP authentication type MD5 PEAP TLS or TTLS Native support for these encryption methods is provided in Windows XP and in Windows 2000 with Service Pack 4 To su...

Страница 327: ...le User Name The dot1x supplicant user name Range 1 8 characters The global supplicant user name and password are used to identify this switch as a supplicant when responding to an MD5 challenge from...

Страница 328: ...s attached to the switch and the authentication server configure the parameters for the exchange of EAP messages between the authenticator and clients on the Authenticator configuration page When devi...

Страница 329: ...s the port to deny access to all clients either dot1x aware or otherwise Operation Mode Allows single or multiple hosts clients to connect to an 802 1X authorized port Default Single Host Single Host...

Страница 330: ...thentication information It may also send other EAP request frames to the client during an active connection as required for reauthentication Server Timeout Sets the time that a switch port waits for...

Страница 331: ...kets sent to the Supplicant without receiving a response Identifier Server Identifier carried in the most recent EAP Success Failure or Request packet received from the Authentication Server Reauthent...

Страница 332: ...t page to configure 802 1X port settings for supplicant requests issued from a port to an authenticator on another device When 802 1X is enabled and the control mode is set to Force Authorized see Con...

Страница 333: ...displayed Port Port number PAE Supplicant Enables PAE supplicant mode Default Disabled If the attached client must be authenticated through another device in the network supplicant status must be enab...

Страница 334: ...STATISTICS Use the Security Port Authentication Configure Interface page to display statistics for dot1x protocol exchanges for any port CLI REFERENCES show dot1x on page 630 PARAMETERS These paramete...

Страница 335: ...OL frames that have been received by this Supplicant in which the frame type is not recognized Rx EAPOL Total The number of valid EAPOL frames of any type that have been received by this Supplicant Rx...

Страница 336: ...rt Authentication 336 WEB INTERFACE To display port authenticator statistics for 802 1X 1 Click Security Port Authentication 2 Select Show Statistics from the Step list 3 Click Authenticator Figure 19...

Страница 337: ...nooping on page 342 IP source guard can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighbor to access the network This section describes commands used to co...

Страница 338: ...see page 345 IP source guard will check the VLAN ID source IP address port number and source MAC address for the SIP MAC option If a matching entry is found in the binding table and the entry type is...

Страница 339: ...All static entries are configured with an infinite lease time which is indicated with a value of zero in the table CLI REFERENCES ip source guard binding on page 669 COMMAND USAGE Static addresses en...

Страница 340: ...port to which a static entry is bound VLAN ID of a configured VLAN Range 1 4093 MAC Address A valid unicast MAC address IP Address A valid unicast IP address including classful types A B or C WEB INTE...

Страница 341: ...ed interface CLI REFERENCES show ip dhcp snooping binding on page 668 PARAMETERS These parameters are displayed Query by Port A port on this switch VLAN ID of a configured VLAN Range 1 4093 MAC Addres...

Страница 342: ...ion to a DHCP server This information can be useful in tracking an IP address back to a physical port COMMAND USAGE DHCP Snooping Process Network traffic may be disrupted when malicious DHCP messages...

Страница 343: ...only if the corresponding entry is found in the binding table If the DHCP packet is from a client such as a DISCOVER REQUEST INFORM DECLINE or RELEASE message the packet is forwarded if MAC address ve...

Страница 344: ...by the switch and in reply packets sent back from the DHCP server This information may specify the MAC address or IP address of the requesting device that is the switch in this context By default the...

Страница 345: ...information relay Default Disabled DHCP Snooping Information Option Policy Specifies how to handle DHCP client request packets which already contain Option 82 information Drop Drops the client s reque...

Страница 346: ...e DHCP snooping is globally disabled DHCP snooping can still be configured for specific VLANs but the changes will not take effect until DHCP snooping is globally re enabled When DHCP snooping is glob...

Страница 347: ...erface that is configured to receive only messages from within the network An untrusted interface is an interface that is configured to receive messages from outside the network or fire wall When DHCP...

Страница 348: ...RMATION Use the IP Service DHCP Snooping Show Information page to display entries in the binding table CLI REFERENCES show ip dhcp snooping binding on page 668 PARAMETERS These parameters are displaye...

Страница 349: ...n the switch is reset However note that the lease time shown for a dynamic entry that has been restored from flash memory will no longer be valid Clear Removes all dynamically learned snooping entries...

Страница 350: ...CHAPTER 14 Security Measures DHCP Snooping 350...

Страница 351: ...it over a group of switches connected to the same local network CONFIGURING EVENT LOGGING The switch allows you to control the logging of error messages including the type of events that are recorded...

Страница 352: ...fault 7 NOTE The Flash Level must be equal to or less than the RAM Level WEB INTERFACE To configure the logging of error messages to system memory 1 Click Administration Log System 2 Select Configure...

Страница 353: ...andom access memory RAM i e memory flushed on power reset and up to 4096 entries in permanent flash memory Figure 202 Showing Error Messages Looged to System Memory REMOTE LOG CONFIGURATION Use the Ad...

Страница 354: ...ng or storing messages in the corresponding database Range 16 23 Default 23 Logging Trap Level Limits log messages that are sent to the remote syslog server for all levels up to the specified level Fo...

Страница 355: ...s level or higher will be sent to the configured email recipients For example using Level 7 will report all events from level 7 to level 0 Default Level 7 Email Source Address Sets the email address u...

Страница 356: ...ification capabilities and configuration settings LLDP also defines how to store and maintain information gathered about the neighboring network nodes it discovers SETTING LLDP TIMING ATTRIBUTES Use t...

Страница 357: ...t multiple rather than single changes are reported in each transmission This attribute must comply with the rule 4 Delay Interval Transmission Interval Reinitialization Delay Configures the delay befo...

Страница 358: ...Data Units Options Tx only Rx only TxRx Disabled Default TxRx SNMP Notification Enables the transmission of SNMP trap notifications about LLDP and LLDP MED changes Default Enabled This option sends ou...

Страница 359: ...ry management address TLV that reports an address that is accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VL...

Страница 360: ...tion included in the TLV field of advertised messages Link Aggregation The link aggregation capabilities aggregation status of the link and the IEEE 802 3 aggregated port identifier if this interface...

Страница 361: ...the chassis containing the IEEE 802 LAN entity associated with the transmitting LLDP agent There are several ways in which a chassis may be identified and a chassis ID subtype is used to indicate the...

Страница 362: ...the local system Interface Settings The attributes listed below apply to both port and trunk interface types When a trunk is listed the descriptions apply to the first port of the trunk Port Trunk Des...

Страница 363: ...e switch s ports which are advertising information through LLDP or to display detailed information about an LLDP enabled device connected to a specific port on the local switch CLI REFERENCES show lld...

Страница 364: ...identifier that is listed in the Port ID field Port Description A string that indicates the port s description If RFC 2863 is implemented the ifDescr object should be used for this field Port ID A str...

Страница 365: ...Remote VLAN Name List VLAN names associated with a port Remote Protocol Identity List Information about particular protocols that are accessible through a port This object represents an arbitrary loc...

Страница 366: ...airs only are in use Remote Power MDI Supported Shows whether MDI power is supported on the given port associated with the remote system Remote Power Pair Controlable Indicates whether the pair select...

Страница 367: ...ggregation state and or it does not support link aggregation this value should be zero Port Details 802 3 Extension Frame Information Remote Max Frame Size An integer value indicating the maximum supp...

Страница 368: ...tocol messages transmitted or received on all local interfaces CLI REFERENCES show lldp info statistics on page 898 PARAMETERS These parameters are displayed General Statistics on Remote Devices Neigh...

Страница 369: ...m to the general validation rules as well as any specific usage rules defined for the particular TLV Frames Invalid A count of all LLDPDUs received with one or more detectable errors Frames Received N...

Страница 370: ...LLDP Device Statistics General Figure 212 Displaying LLDP Device Statistics Port SIMPLE NETWORK MANAGEMENT PROTOCOL Simple Network Management Protocol SNMP is a communication protocol designed specifi...

Страница 371: ...rity models with each model having it s own security levels There are three security models defined SNMPv1 SNMPv2c and SNMPv3 Users are assigned to groups that are defined by a security model and spec...

Страница 372: ...your management station Configuring SNMPv3 Management Access 1 Use the Administration SNMP Configure Global page to enable SNMP on the switch and to enable trap messages 2 Use the Administration SNMP...

Страница 373: ...ation message to specified IP trap managers whenever an invalid community string is submitted during the SNMP access authentication process Default Enabled Link up and Link down Traps5 Issues a notifi...

Страница 374: ...e to the switch This is referred to as the default engine ID If the local engine ID is deleted or changed all SNMP users will be cleared You will need to reconfigure all existing users PARAMETERS Thes...

Страница 375: ...mp server engine id on page 563 COMMAND USAGE SNMP passwords are localized using the engine ID of the authoritative agent For informs the authoritative SNMP agent is the remote agent You therefore nee...

Страница 376: ...Apply Figure 215 Configuring a Remote Engine ID for SNMP To show the remote SNMP engine IDs 1 Click Administration SNMP 2 Select Configure Engine from the Step list 3 Select Show Remote Engine from t...

Страница 377: ...SNMP views configured in the Add View page OID Subtree Adds an additional object identifier of a branch within the MIB tree to the selected View Wild cards can be used to mask a specific portion of t...

Страница 378: ...ure 218 Showing SNMP Views To add an object identifier to an existing SNMP view of the switch s MIB database 1 Click Administration SNMP 2 Select Configure View from the Step list 3 Select Add OID Sub...

Страница 379: ...ricting them to specific read write and notify views You can use the pre defined default groups or create new groups to map a set of SNMP users to SNMP views CLI REFERENCES show snmp group on page 568...

Страница 380: ...nitializing itself and that its configuration may have been altered warmStart 1 3 6 1 6 3 1 1 5 2 A warmStart trap signifies that the SNMPv2 entity acting in an agent role is reinitializing itself suc...

Страница 381: ...storm is detected as normal traffic this trap is fired swAtcBcastStormTcApplyTrap 1 3 6 1 4 1 259 8 1 11 2 1 0 72 When ATC is activated this trap is fired swAtcBcastStormTcReleaseTrap 1 3 6 1 4 1 259...

Страница 382: ...singThresholdNotifica tion 1 3 6 1 4 1 259 8 1 11 2 1 0 109 This notification indicates that the memory utilization has risen from memoryUtiFallingThreshold to memoryUtiRisingThreshold swMemoryUtiFall...

Страница 383: ...ider removing the default strings CLI REFERENCES snmp server community on page 557 PARAMETERS These parameters are displayed Community String A community string that acts like a password and permits a...

Страница 384: ...lect Add Community from the Action list 4 Add new community strings as required and select the corresponding access rights from the Access Mode list 5 Click Apply Figure 223 Setting Community Access S...

Страница 385: ...ters Group Name The name of the SNMP group to which the user is assigned Range 1 32 characters Security Model The user security model SNMP v1 v2c or v3 Security Level The following security levels are...

Страница 386: ...ame and assign it to a group If the security model is set to SNMPv3 and the security level is authNoPriv or authPriv then an authentication protocol and password must be specified If the security leve...

Страница 387: ...e user resides The remote engine ID is used to compute the security digest for authentication and encryption of packets passed between the switch and the remote user See Specifying Trap Managers on pa...

Страница 388: ...Privacy Password A minimum of eight plain text characters is required WEB INTERFACE To configure a remote SNMPv3 user 1 Click Administration SNMP 2 Select Configure User from the Step list 3 Select Ad...

Страница 389: ...anagement Protocol 389 Figure 227 Configuring Remote SNMPv3 Users To show remote SNMPv3 users 1 Click Administration SNMP 2 Select Configure User from the Step list 3 Select Show SNMPv3 Remote User fr...

Страница 390: ...received by the host However note that informs consume more system resources because they must be kept in memory until a response is received Informs also add to network traffic You should consider t...

Страница 391: ...tification message i e the targeted recipient Version Specifies whether to send notifications as SNMP v1 v2c or v3 traps Notification Type Traps Notifications are sent as trap messages Inform Notifica...

Страница 392: ...0 255 Default 3 Local User Name The name of a local user which is used to identify the source of SNMPv3 trap messages sent from the local switch Range 1 32 characters If an account for the specified u...

Страница 393: ...onfigure trap managers 1 Click Administration SNMP 2 Select Configure Trap from the Step list 3 Select Add from the Action list 4 Fill in the required parameters based on the selected SNMP version 5 C...

Страница 394: ...o specified events on an independent basis This switch is an RMON capable device which can independently perform a wide range of tasks significantly reducing network management traffic It can continuo...

Страница 395: ...ed again until the statistical value crosses the opposite bounding threshold and then back across the trigger threshold CLI REFERENCES Remote Monitoring Commands on page 575 COMMAND USAGE If an alarm...

Страница 396: ...ated After a falling event has been generated another such event will not be generated until the sampled value has risen above the falling threshold reaches the rising threshold and again moves back d...

Страница 397: ...Monitoring 397 Figure 233 Configuring an RMON Alarm To show configured RMON alarms 1 Click Administration RMON 2 Select Configure Global from the Step list 3 Select Show from the Action list 4 Click...

Страница 398: ...played Index Index to this entry Range 1 65535 Type Specifies the type of event to initiate None No event is generated Log Generates an RMON log entry when the event is triggered Log messages are proc...

Страница 399: ...N 2 Select Configure Global from the Step list 3 Select Add from the Action list 4 Click Event 5 Enter an index number the type of event to initiate the community string to send with trap messages the...

Страница 400: ...hich may reveal problems associated with high traffic levels broadcast storms or other unusual events It can also be used to predict network growth and plan for expansion before your network becomes t...

Страница 401: ...number of buckets granted are displayed on the Show page Owner Name of the person who created this entry Range 1 127 characters WEB INTERFACE To periodically sample statistics on a port 1 Click Admini...

Страница 402: ...elect Show from the Action list 4 Select a port from the list 5 Click History Figure 238 Showing Configured RMON History Samples To show collected RMON history samples 1 Click Administration RMON 2 Se...

Страница 403: ...COMMAND USAGE If statistics collection is already enabled on an interface the entry must be deleted before any changes can be made The information collected for each entry includes input octets packe...

Страница 404: ...om the Action list 4 Click Statistics 5 Select a port from the list as the data source 6 Enter an index number and the name of the owner for this entry 7 Click Apply Figure 240 Configuring an RMON Sta...

Страница 405: ...d RMON Statistical Samples To show collected RMON statistical samples 1 Click Administration RMON 2 Select Configure Interface from the Step list 3 Select Show Details from the Action list 4 Select a...

Страница 406: ...ates or active Members through VLAN 4093 Once a switch has been configured to be a cluster Commander it automatically discovers other cluster enabled switches in the network These Candidate switches o...

Страница 407: ...tween 1 and 36 Note that you cannot change the cluster IP pool when the switch is currently in Commander mode Commander mode must first be disabled Default 10 254 254 1 Role Indicates the current role...

Страница 408: ...Address Select a discovered switch MAC address from the Candidate Table or enter a specific MAC address of a known switch WEB INTERFACE To configure cluster members 1 Click Administration Cluster 2 S...

Страница 409: ...CLUSTER MEMBERS Use the Administration Cluster Show Member page to manage another switch in the cluster CLI REFERENCES Switch Clustering on page 548 PARAMETERS These parameters are displayed Member ID...

Страница 410: ...g 410 Operate Remotely manage a cluster member WEB INTERFACE To manage a cluster member 1 Click Administration Cluster 2 Select Show Member from the Step list 3 Select an entry from the Cluster Member...

Страница 411: ...IPv4 Configuration Sets an IPv4 address for management access IPv6 Configuration Sets an IPv6 address for management access USING THE PING FUNCTION Use the IP General Ping page to send ICMP echo requ...

Страница 412: ...8 Pnging a Network Device SETTING THE SWITCH S IP ADDRESS IP VERSION 4 Use the System IP page to configure an IPv4 address for the switch An IPv4 address is obtained via DHCP by default for VLAN 1 To...

Страница 413: ...BOOTP is enabled IP will not function until a reply has been received from the server Requests will be broadcast periodically by the switch for an IP address DHCP BOOTP responses can include the IP ad...

Страница 414: ...he IP Address Mode to Static enter the IP address subnet mask and gateway 3 Click Apply Figure 249 Configuring a Static IPv4 Address To obtain an dynamic address through DHCP BOOTP for the switch 1 Cl...

Страница 415: ...via the web interface You can only restart DHCP service via the web interface if the current address is still available SETTING THE SWITCH S IP ADDRESS IP VERSION 6 This section describes how to conf...

Страница 416: ...ip default gateway on page 919 PARAMETERS These parameters are displayed Default Gateway Sets the IPv6 address of the default next hop router An IPv6 default gateway must be defined if the management...

Страница 417: ...iscover each other s presence to determine each other s link layer addresses to find routers and to maintain reachability information about the paths to active neighbors The key parameters used to fac...

Страница 418: ...ines if a new unicast IPv6 address already exists on the network before it is assigned to an interface Duplicate address detection is stopped on any interface that has been suspended see Configuring V...

Страница 419: ...figuration of IP address prefixes is not supported in the current software release If the router advertisements have the other stateful configuration flag set the switch will attempt to acquire other...

Страница 420: ...e full address with the network prefix FE80 To connect to a larger network with multiple subnets you must configure a global unicast address There are several alternatives to configuring this address...

Страница 421: ...t the value specified in the IPv6 Address field may include some of the high order host bits if the specified prefix length is less than 64 bits If the specified prefix length exceeds 64 bits then the...

Страница 422: ...fy the VLAN to configure select the address type and then enter an IPv6 address and prefix length 4 Click Apply Figure 253 Configuring an IPv6 Address SHOWING IPV6 ADDRESSES Use the IP IPv6 Configurat...

Страница 423: ...ow A node is also required to compute and join the associated solicited node multicast addresses for every unicast and anycast address it is assigned IPv6 addresses that differ only in the high order...

Страница 424: ...PV6 NEIGHBOR CACHE Use the IP IPv6 Configuration Show IPv6 Neighbor Cache page to display the IPv6 addresses detected for neighbor devices CLI REFERENCES show ipv6 neighbors on page 946 PARAMETERS The...

Страница 425: ...path was functioning While in STALE state the device takes no action until a packet is sent DELAY More than the ReachableTime interval has elapsed since the last positive confirmation was received th...

Страница 426: ...buffering capacity to forward a datagram and when the gateway can direct the host to send traffic on a shorter route ICMP is also used by routers to feed back information about more suitable routes t...

Страница 427: ...r some of the fragments Reassembled Succeeded The number of IPv6 datagrams successfully reassembled Note that this counter is incremented at the interface to which these datagrams were addressed which...

Страница 428: ...Parameter Problem Messages The number of ICMP Parameter Problem messages received by the interface Echo Request Messages The number of ICMP Echo request messages received by the interface Echo Reply...

Страница 429: ...f ICMP Router Advertisement messages sent by the interface Redirect Messages The number of Redirect messages sent For a host this object will always be zero since hosts do not send redirects Group Mem...

Страница 430: ...Address IP Version 6 430 WEB INTERFACE To show the IPv6 statistics 1 Click IP IPv6 Configuration 2 Select Show Statistics from the Action list 3 Click IPv6 ICMPv6 or UDP Figure 256 Showing IPv6 Statis...

Страница 431: ...acket too big message along with an acceptable MTU to this switch CLI REFERENCES show ipv6 mtu on page 936 PARAMETERS These parameters are displayed Table 31 Show MTU display description Field Descrip...

Страница 432: ...ration Setting the Switch s IP Address IP Version 6 432 WEB INTERFACE To show the MTU reported from other devices 1 Click IP IPv6 Configuration 2 Select Show MTU from the Action list Figure 259 Showin...

Страница 433: ...resses configure default domain names or specify one or more name servers to use for domain name to address translation CONFIGURING GENERAL DNS SERVICE PARAMETERS Use the IP Service DNS General Config...

Страница 434: ...s page to define a list of domain names that can be appended to incomplete host names i e host names passed from a client that are not formatted with dotted notation If there is no domain list the def...

Страница 435: ...domain name Range 1 68 characters WEB INTERFACE To create a list domain names 1 Click IP Service DNS 2 Select Add Domain Name from the Action list 3 Enter one domain name at a time 4 Click Apply Figur...

Страница 436: ...r is specified the servers are queried in the specified sequence until a response is received or the end of the list is reached with no response If all name servers are deleted DNS will automatically...

Страница 437: ...o manually configure static entries in the DNS table that are used to map domain names to IP addresses CLI REFERENCES ip host on page 904 show hosts on page 908 COMMAND USAGE Static entries may be use...

Страница 438: ...vice DNS Static Host Table 2 Select Add from the Action list 3 Enter a host name and the corresponding address 4 Click Apply Figure 265 Configuring Static Entries in the DNS Table To show static entri...

Страница 439: ...er a DNS client can try each address in succession until it establishes a connection with the target device PARAMETERS These parameters are displayed No The entry number for each resource record Flag...

Страница 440: ...CHAPTER 17 IP Services Displaying the DNS Cache 440...

Страница 441: ...udio A multicast server does not have to establish a separate connection with each client It merely broadcasts its service to the network and any hosts that want to receive the multicast register with...

Страница 442: ...need to forward multicast traffic IGMP Snooping conserves bandwidth on network segments where no node has expressed interest in receiving a specific multicast service For switches that do not support...

Страница 443: ...d throughout the VLAN if unregistered flooding is enabled see Configuring IGMP Snooping and Query Parameters on page 444 Static IGMP Router Interface If IGMP snooping cannot locate the IGMP querier yo...

Страница 444: ...t the VLAN if unregistered flooding is enabled see Unregistered Data Flood in the Command Attributes section IGMP Querier A router or multicast enabled switch can periodically ask their hosts if they...

Страница 445: ...ology has stabilized and the new locations of all multicast receivers are learned If a topology change notification TCN is received and all the uplink ports are subsequently deleted a time out mechani...

Страница 446: ...arries the Router Alert option 2 Also when the switch is acting in the role of a multicast host such as when using proxy routing it should ignore version 2 or 3 queries that do not contain the Router...

Страница 447: ...ast traffic This feature is not supported for IGMPv3 snooping Default Disabled WEB INTERFACE To configure general settings for IGMP Snooping and Query 1 Click Multicast IGMP Snooping General 2 Adjust...

Страница 448: ...ies the interface attached to a multicast router WEB INTERFACE To specify a static interface attached to a multicast router 1 Click Multicast IGMP Snooping Multicast Router 2 Select Add Static Multica...

Страница 449: ...CES TO MULTICAST SERVICES Use the Multicast IGMP Snooping IGMP Member Add Static Member page to statically assign a multicast service to an interface Multicast filtering can be dynamically configured...

Страница 450: ...group Multicast IP The IP address for a specific multicast service WEB INTERFACE To statically assign an interface to a multicast service 1 Click Multicast IGMP Snooping IGMP Member 2 Select Add Stat...

Страница 451: ...2 Select Current Member from the Action list 3 Select the VLAN for which to display this information Figure 275 Showing Current Interfaces Assigned to a Multicast Service SETTING IGMP SNOOPING STATUS...

Страница 452: ...ast Router Discovery uses the following three message types to discover multicast routers Multicast Router Advertisement Advertisements are sent by routers to advertise that IP multicast forwarding is...

Страница 453: ...see page 444 the per VLAN interface settings for IGMP snooping take precedence When IGMP snooping is disabled globally snooping can still be configured per VLAN interface but the interface settings w...

Страница 454: ...TR 101 April 2006 including last leave and query suppression Last leave sends out a proxy query when the last member leaves a multicast group and query suppression means that neither specific queries...

Страница 455: ...rate more burst traffic This attribute will take effect only if IGMP snooping proxy reporting is enabled see page 444 Last Member Query Count The number of IGMP proxy group specific or group and sourc...

Страница 456: ...ticast IGMP Snooping Interface 2 Select Configure from the Action list 3 Select the VLAN to configure and update the required parameters 4 Click Apply Figure 276 Configuring IGMP Snooping on an Interf...

Страница 457: ...led on the switch see page 444 PARAMETERS These parameters are displayed VLAN An interface on the switch that is forwarding traffic to downstream ports for the specified multicast group address Group...

Страница 458: ...join IGMP filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port An IGMP filter profile can contain one or more addresses...

Страница 459: ...and throttling on the switch 1 Click Multicast IGMP Snooping Filtering 2 Select Configure General from the Action list 3 Enable IGMP Filter Status 4 Click Apply Figure 279 Enabling IGMP Filtering and...

Страница 460: ...ontrolled range Add Multicast Group Range Profile ID Selects an IGMP profile to configure Start Multicast IP Address Specifies the starting address of a range of multicast groups End Multicast IP Addr...

Страница 461: ...Profiles Created To add a range of multicast groups to an IGMP filter profile 1 Click Multicast IGMP Snooping Filtering 2 Select Add Multicast Group Range from the Action list 3 Select the profile to...

Страница 462: ...rottling on page 868 COMMAND USAGE IGMP throttling sets a maximum number of multicast groups that a port can join at the same time When the maximum number of groups is reached on a port the switch can...

Страница 463: ...Action list 3 Select a profile to assign to an interface then set the maximum number of allowed multicast groups and the throttling response 4 Click Apply Figure 284 Configuring IGMP Filtering and Thr...

Страница 464: ...or receiver ports see Configuring MVR Interface Status on page 466 3 For multicast streams that will run for a long term and be associated with a stable set of hosts you can statically bind the multi...

Страница 465: ...he VLAN that serves as the channel for streaming multicast services using MVR MVR source ports should be configured as members of the MVR VLAN see Adding Static Members to VLANs on page 160 but MVR re...

Страница 466: ...vices you can enable the immediate leave function CLI REFERENCES Multicast VLAN Registration on page 875 COMMAND USAGE A port configured as an MVR receiver or source port can join or leave multicast g...

Страница 467: ...ticast groups which have been statically assigned to a port PARAMETERS These parameters are displayed Port Port identifier Type The following interface types are supported Source An uplink port that c...

Страница 468: ...pate in the MVR protocol as a source port or receiver port and optionally enable Immediate Leave on any receiver port to which only one subscriber is attached 4 Click Apply Figure 287 Configuring Inte...

Страница 469: ...VLAN and port member to receive the multicast stream and then enter the multicast group address 5 Click Apply Figure 288 Assigning Static MVR Groups to a Port To show the static MVR groups assigned t...

Страница 470: ...cast service or displays an asterisk if the group address has been statically assigned VLAN Indicates the MVR VLAN receiving the multicast service Forwarding Port Shows the interfaces with subscribers...

Страница 471: ...nds on page 555 Remote Monitoring Commands on page 575 Authentication Commands on page 583 General Security Measures on page 637 Access Control Lists on page 683 Interface Commands on page 699 Link Ag...

Страница 472: ...TION III Command Line Interface 472 Multicast Filtering Commands on page 849 LLDP Commands on page 883 Domain Name Service Commands on page 901 DHCP Commands on page 911 IP Interface Commands on page...

Страница 473: ...console prompt enter the user name and password The default user names are admin and guest with corresponding passwords of admin and guest When the administrator user name and password is entered the...

Страница 474: ...254 Console config If your corporate network is connected to another network outside your office or to the Internet you need to apply for a registered IP address However if you are attached to an iso...

Страница 475: ...nit port You can enter commands as follows To enter a simple command enter the command keyword To enter multiple commands enter each command in the required order For example to enable Privileged Exec...

Страница 476: ...nformation dot1q tunnel dot1q tunnel dot1x 802 1X content garp GARP properties gvrp GVRP interface information history Shows history information hosts Host information interfaces Shows interface infor...

Страница 477: ...witchport information Console PARTIAL KEYWORD LOOKUP If you terminate a partial keyword with a question mark alternatives that match the initial letters are provided Remember not to leave a space betw...

Страница 478: ...and prompt Only a limited number of the commands are available in this mode You can access all commands only from the Privileged Exec command mode or administrator mode To access Privilege Exec mode o...

Страница 479: ...ame and snmp server community Access Control List Configuration These commands are used for packet filtering Class Map Configuration Creates a DiffServ class map for a specified traffic type IGMP Prof...

Страница 480: ...figuration mode and then return to Privileged Exec mode Console config interface ethernet 1 5 Console config if exit Console config Table 33 Configuration Command Modes Mode Command Prompt Page Line l...

Страница 481: ...tart of command line Ctrl B Shifts cursor to the left one character Ctrl C Terminates the current task and displays the command prompt Ctrl E Shifts cursor to end of command line Ctrl F Shifts cursor...

Страница 482: ...nd replies and discarding invalid ARP responses 637 Access Control List Provides filtering for IPv4 frames based on address protocol TCP UDP port number or TCP control code or non IP frames based on M...

Страница 483: ...atabase Configuration Multicast Filtering Configures IGMP multicast filtering query profile and proxy parameters specifies ports attached to a multicast router also configures multicast VLAN registrat...

Страница 484: ...CHAPTER 19 Using the Command Line Interface CLI Command Groups 484...

Страница 485: ...arts the system at a specified time after a specified delay or at a periodic interval GC enable Activates privileged mode NE quit Exits a CLI session NE PE show history Shows the command history buffe...

Страница 486: ...hich to reload Range 0 23 minute The minute at which to reload Range 0 59 month The month at which to reload january december day The day of the month at which to reload Range 1 31 year The year at wh...

Страница 487: ...e you sure to reboot the system at the specified time y n enable This command activates Privileged Exec mode In privileged mode additional commands are available and certain commands display additiona...

Страница 488: ...Exec COMMAND USAGE The quit and exit commands can both exit the configuration program EXAMPLE This example shows how to quit a CLI session Console quit Press ENTER to start session User Access Verific...

Страница 489: ...tory buffer when you are in any of the configuration modes In this example the 2 command repeats the second command in the Execution history buffer config Console 2 Console config Console config confi...

Страница 490: ...indicate that the system is in normal access mode EXAMPLE Console disable Console RELATED COMMANDS enable 487 reload Privileged Exec This command restarts the system NOTE When the system is restarted...

Страница 491: ...ays 0 hours 29 minutes 52 seconds Console end This command returns to Privileged Exec mode DEFAULT SETTING None COMMAND MODE Global Configuration Interface Configuration Line Configuration VLAN Databa...

Страница 492: ...EXAMPLE This example shows how to return to the Privileged Exec mode from the Global Configuration mode and then quit the CLI session Console config exit Console exit Press ENTER to start session Use...

Страница 493: ...version information Frame Size Enables support for jumbo frames File Management Manages code image or switch configuration files Line Sets communication parameters for the serial port including baud...

Страница 494: ...is automatically displayed before login as soon as a console or telnet connection has been established Table 39 Banner Commands Command Function Mode banner configure Configures the banner informatio...

Страница 495: ...rted If for example a mistake is made in the company name it can be corrected with the banner configure company command EXAMPLE Console config banner configure Company EdgeCore Networks Responsible de...

Страница 496: ...company information displayed in the banner Use the no form to remove the company name from the banner display SYNTAX banner configure company name no banner configure company name The name of the co...

Страница 497: ...COMMAND MODE Global Configuration COMMAND USAGE Input strings cannot contain spaces The banner configure dc power info command interprets spaces as data input boundaries The use of underscores _ or o...

Страница 498: ...YNTAX banner configure equipment info manufacturer id mfr id floor floor id row row id rack rack id shelf rack sr id manufacturer mfr name no banner configure equipment info floor manufacturer manufac...

Страница 499: ...None COMMAND MODE Global Configuration COMMAND USAGE Input strings cannot contain spaces The banner configure equipment location command interprets spaces as data input boundaries The use of underscor...

Страница 500: ...igure lp number This command is used to configure the LP number information displayed in the banner Use the no form to restore the default setting SYNTAX banner configure lp number lp num no banner co...

Страница 501: ...mber The phone number of the third manager Maximum length of each parameter 32 characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE Input strings cannot contain spaces The b...

Страница 502: ...e no form to restore the default setting SYNTAX banner configure note note info no banner configure note note info Miscellaneous information that does not fit the other banner categories or any other...

Страница 503: ...0100 0500_GMT 0500_20071022 _20min_network_ Console SYSTEM STATUS This section describes commands used to display system information Table 40 System Status Commands Command Function Mode show access l...

Страница 504: ...CL to a port each rule in an ACL will use two PCEs and when setting an IP Source Guard filter rule for a port the system will also use two PCEs EXAMPLE Console show access list tcam utilization Total...

Страница 505: ...levels and encrypted passwords VLAN database VLAN ID name and state VLAN configuration settings for each interface Multiple spanning tree instances name and interfaces IP address configured for manag...

Страница 506: ...he show running config command to compare the information in running memory to the information stored in non volatile memory This command displays settings for key command modes Each mode group is sep...

Страница 507: ...ription ES3510MA System OID String 1 3 6 1 4 1 259 8 1 11 System Information System Up Time 0 days 7 hours 20 minutes and 43 30 seconds System Name System Location System Contact MAC Address Unit 1 00...

Страница 508: ...168 1 19 admin 0 00 00 Console show version This command displays hardware and software version information for the system COMMAND MODE Normal Exec Privileged Exec COMMAND USAGE See Displaying Hardwa...

Страница 509: ...s that run only up to 1 5 KB using jumbo frames significantly reduces the per packet overhead required to process protocol encapsulation fields To use jumbo frames both the source and destination end...

Страница 510: ...er downloaded to restore switch settings The configuration file can be downloaded under a new file name and then set as the startup file or the current startup configuration file can be specified as t...

Страница 511: ...g Configuration file opcode Run time operation code filename Name of configuration file or code image The colon is required DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE A colon...

Страница 512: ...rtificate Keyword that allows you to copy the HTTPS secure site certificate public key Keyword that allows you to copy a SSH key from a TFTP server See Secure Shell on page 609 running config Keyword...

Страница 513: ...the default user name EXAMPLE The following example shows how to download new firmware from a TFTP server Console copy tftp file TFTP server ip address 10 1 0 19 Choose file type 1 config 2 opcode 1...

Страница 514: ...certificate Source private file name SS private Private password Success Console reload System will be restarted continue y n y This example shows how to copy a public key used by SSH from an TFTP se...

Страница 515: ...LE This example shows how to delete the test2 cfg configuration file from flash memory Console delete test2 cfg Console RELATED COMMANDS dir 515 delete public key 614 dir This command displays a list...

Страница 516: ...08 44 35 11354752 Factory_Default_Config cfg Config N 2009 12 16 08 44 35 455 startup1 cfg Config Y 2009 12 16 08 44 42 2297 Free space for compressed user config files 1052672 Console whichboot This...

Страница 517: ...OMMAND MODE Global Configuration COMMAND USAGE This command is used to enable or disable automatic upgrade of the operational code When the switch starts up and automatic image upgrade is enabled by t...

Страница 518: ...upgrade succeeds Downloading new image Flash programming started Flash programming completed The switch will now restart upgrade opcode path This command specifies an TFTP server and directory in whi...

Страница 519: ...to the directory containing the new image ftp username password 192 168 0 1 filedir If the user name is omitted Anonymous will be used for the connection If the password is omitted a null string will...

Страница 520: ...tion method to local console Telnet or SSH connections LC databits Sets the number of data bits per character that are interpreted and generated by hardware LC exec timeout Sets the interval that the...

Страница 521: ...ommand sets the number of data bits per character that are interpreted and generated by the console port Use the no form to restore the default value SYNTAX databits 7 8 no databits 7 Seven data bits...

Страница 522: ...he timeout interval the session is kept open otherwise the session is terminated This command applies to both the local console and Telnet connections The timeout for Telnet cannot be disabled Using t...

Страница 523: ...ment interface starts in Normal Exec NE or Privileged Exec PE mode depending on the user s privilege level 0 or 15 respectively no login selects no authentication When using this method the management...

Страница 524: ...th 32 characters plain text or encrypted case sensitive DEFAULT SETTING No password is specified COMMAND MODE Line Configuration COMMAND USAGE When a connection is started on a line with password prot...

Страница 525: ...f allowed password attempts Range 1 120 0 no threshold DEFAULT SETTING The default value is three attempts COMMAND MODE Line Configuration COMMAND USAGE When the logon attempt threshold is reached the...

Страница 526: ...silent time to 60 seconds enter this command Console config line silent time 60 Console config line RELATED COMMANDS password thresh 525 speed This command sets the terminal line s baud rate This com...

Страница 527: ...ore the default setting SYNTAX stopbits 1 2 no stopbits 1 One stop bit 2 Two stop bits DEFAULT SETTING 1 stop bit COMMAND MODE Line Configuration EXAMPLE To specify 2 stop bits enter this command Cons...

Страница 528: ...o set the timeout to two minutes enter this command Console config line timeout login response 120 Console config line disconnect This command terminates an SSH Telnet or console connection SYNTAX dis...

Страница 529: ...abled Baud Rate Auto Data Bits 8 Parity None Stop Bits 1 VTY Configuration Password Threshold 3 times Inactive Timeout 600 sec Login Timeout 300 sec Console EVENT LOGGING This section describes comman...

Страница 530: ...ULT SETTING 23 COMMAND MODE Global Configuration COMMAND USAGE The command specifies the facility type tag sent in syslog messages See RFC 3164 This type has no effect on the kind of messages reported...

Страница 531: ...ash errors level 3 0 RAM debugging level 7 0 COMMAND MODE Global Configuration COMMAND USAGE The message level specified for flash memory must be a higher priority i e numerically lower than that spec...

Страница 532: ...s five EXAMPLE Console config logging host 10 1 0 3 Console config logging on This command controls logging of error messages sending debug or error messages to a logging process The no form disables...

Страница 533: ...le on page 531 Messages sent include the selected level through level 0 DEFAULT SETTING Disabled Level 7 COMMAND MODE Global Configuration COMMAND USAGE Using this command with a specified level enabl...

Страница 534: ...ry stored in flash memory i e permanent memory ram Event history stored in temporary RAM i e memory flushed on power reset DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE The following examp...

Страница 535: ...system logging is enabled the message level for flash memory is errors i e default level 3 0 and the message level for RAM is debugging i e default level 7 0 Console show logging flash Syslog logging...

Страница 536: ...been enabled via the logging trap command REMOTELOG facility type The facility type for remote logging of syslog messages as specified in the logging facility command REMOTELOG level type The severity...

Страница 537: ...g DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE You can specify up to three SMTP servers for event handing However you must enter a separate command to specify each server To se...

Страница 538: ...D MODE Global Configuration COMMAND USAGE The specified level indicates an event threshold All events at this level or higher will be sent to the configured email recipients For example using Level 7...

Страница 539: ...e default value SYNTAX logging sendmail source email email address no logging sendmail source email email address The source email address used in alert messages Range 1 41 characters DEFAULT SETTING...

Страница 540: ...ommand enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp server command Use the no form to disable SNTP client requests SYNTAX no sntp client...

Страница 541: ...rver 10 1 0 19 Console config sntp poll 60 Console config sntp client Console config end Console show sntp Current Time Dec 23 02 52 44 2002 Poll Interval 60 Current Mode unicast SNTP Status Enabled S...

Страница 542: ...d specifies time servers from which the switch will poll for time updates when set to SNTP client mode The client will poll the time servers in the order specified until a response is received It issu...

Страница 543: ...s before UTC 0 13 hours after UTC minutes Number of minutes before after UTC Range 0 59 minutes before utc Sets the local time zone before east of UTC after utc Sets the local time zone after west of...

Страница 544: ...Range 1 31 month january february march april may june july august september october november december year Year 4 digit Range 2001 2100 DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE...

Страница 545: ...1 30 characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE This command sets a time range for use by other functions such as Access Control Lists EXAMPLE Console config time...

Страница 546: ...e Range Configuration COMMAND USAGE If a time range is already configured you must use the no form of this command to remove the current entry prior to configuring a new time range EXAMPLE This exampl...

Страница 547: ...ple configures a time range for the periodic occurrence of an event Console config time range sales Console config time range periodic daily 1 1 to 2 1 Console config time range show time range This c...

Страница 548: ...Candidates or active Members through VLAN 4093 Once a switch has been configured to be a cluster Commander it automatically discovers other cluster enabled switches in the network These Candidate swit...

Страница 549: ...k Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander Switch clusters are limited to the same Ethernet broad...

Страница 550: ...pool ip address no cluster ip pool ip address The base IP address for IP addresses assigned to cluster Members The IP address must start 10 x x x DEFAULT SETTING 10 254 254 1 COMMAND MODE Global Confi...

Страница 551: ...tion COMMAND USAGE The maximum number of cluster Members is 36 The maximum number of cluster Candidates is 100 EXAMPLE Console config cluster member mac address 00 12 34 56 78 9a id 5 Console config r...

Страница 552: ...Privileged Exec EXAMPLE Console show cluster Role commander Interval Heartbeat 30 Heartbeat Loss Count 3 seconds Number of Members 1 Number of Candidates 2 Console show cluster members This command s...

Страница 553: ...ws the discovered Candidate switches in the network COMMAND MODE Privileged Exec EXAMPLE Console show cluster candidates Cluster Candidates Role MAC Address Description Active member 00 E0 0C 00 00 FE...

Страница 554: ...CHAPTER 21 System Management Commands Switch Clustering 554...

Страница 555: ...Command Function Mode General SNMP Commands snmp server Enables the SNMP agent GC snmp server community Sets up the community access string to permit access to SNMP commands GC snmp server contact Se...

Страница 556: ...ast control apply Sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires IC Port snmp server enable port traps atc broadcast control re...

Страница 557: ...ations are only able to retrieve MIB objects rw Specifies read write access Authorized management stations are able to both retrieve and modify MIB objects DEFAULT SETTING public Read only access Auth...

Страница 558: ...ocation Maximum length 255 characters DEFAULT SETTING None COMMAND MODE Global Configuration EXAMPLE Console config snmp server location WC 19 Console config RELATED COMMANDS snmp server contact 557 s...

Страница 559: ...s 0 General errors 0 Response PDUs 0 Trap PDUs SNMP Logging Disabled Console snmp server enable traps This command enables this device to send Simple Network Management Protocol traps or informs i e S...

Страница 560: ...r host This command specifies the recipient of a Simple Network Management Protocol notification operation Use the no form to remove the specified host SYNTAX snmp server host host addr inform retry r...

Страница 561: ...host The snmp server host command is used in conjunction with the snmp server enable traps command Use the snmp server enable traps command to enable the sending of traps or informs and to specify whi...

Страница 562: ...5 Allow the switch to send SNMP traps i e notifications page 559 6 Specify the target host that will receive inform messages with the snmp server host command as described in this section The switch c...

Страница 563: ...authenticating and encrypting SNMPv3 packets A remote engine ID is required when using SNMPv3 informs See the snmp server host command The remote engine ID is used to compute the security digest for...

Страница 564: ...the view for write access 1 32 characters notifyview Defines the view for notifications 1 32 characters DEFAULT SETTING Default groups public6 read only private7 read write readview Every object belon...

Страница 565: ...device ip address The Internet address of the remote device v1 v2c v3 Use SNMP version 1 2c or 3 encrypted Accepts the password as encrypted input auth Uses SNMPv3 with authentication md5 sha Uses MD5...

Страница 566: ...er will fail SNMP passwords are localized using the engine ID of the authoritative agent For informs the authoritative SNMP agent is the remote agent You therefore need to configure the remote agent s...

Страница 567: ...nfig This view includes the MIB 2 interfaces table and the mask selects all index entries Console config snmp server view ifEntry a 1 3 6 1 2 1 2 2 1 1 included Console config show snmp engine id This...

Страница 568: ...tile Row Status active Group Name public Security Model v2c Read View defaultview Write View none Notify View none Storage Type volatile Row Status active Group Name private Security Model v1 Read Vie...

Страница 569: ...eld Description groupname Name of an SNMP group security model The SNMP version readview The associated read view writeview The associated write view notifyview The associated notify view storage type...

Страница 570: ...n log SYNTAX no nlm filter name filter name Notification log name Range 1 32 characters DEFAULT SETTING Enabled COMMAND MODE Global Configuration COMMAND USAGE Notification logging is enabled by defau...

Страница 571: ...remote host parameter is only required to complete mandatory fields in the SNMP Notification MIB DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE Systems that support SNMP often n...

Страница 572: ...entries and the entry aging time is 1440 minutes Information recorded in a notification log and the entry aging time can only be configured using SNMP from a network management station When a trap hos...

Страница 573: ...ileged Exec EXAMPLE This example displays the configured notification logs and associated target hosts Note that the last entry is a default filter created when a trap host is initially created Consol...

Страница 574: ...CHAPTER 22 SNMP Commands 574...

Страница 575: ...Event and Alarm groups When RMON is enabled the system gradually builds up information about its physical interfaces storing this information in the relevant RMON database group A management agent the...

Страница 576: ...ue and the difference is then compared to the thresholds threshold An alarm threshold for the sampled variable Range 1 65535 event index The index of the event to use if an alarm is triggered If there...

Страница 577: ...Log messages are processed based on the current configuration settings for event logging see Event Logging on page 529 trap Sends a trap message to all configured trap managers see snmp server host o...

Страница 578: ...rmon collection history index index Index to this entry Range 1 65535 number The number of buckets requested for this entry Range 1 65536 seconds The polling interval Range 1 3600 seconds name Name o...

Страница 579: ...on who created this entry Range 1 127 characters DEFAULT SETTING Enabled COMMAND MODE Interface Configuration Ethernet COMMAND USAGE By default each index number equates to a port on the swich but can...

Страница 580: ...mon event This command shows the settings for all configured events COMMAND MODE Privileged Exec EXAMPLE Console show rmon event event Index 1 Description RMON_TRAP_LOG Event type log trap Event commu...

Страница 581: ...istics group COMMAND MODE Privileged Exec EXAMPLE Console show rmon statistics rmon collection index 1 stats ifindex 1 input packets 00 bytes 00 dropped 00 multicast packets 00 output packets 00 bytes...

Страница 582: ...CHAPTER 23 Remote Monitoring Commands 582...

Страница 583: ...thentication Commands Command Group Function User Accounts Configures the basic user names and passwords for management access Authentication Sequence Defines logon authentication method and precedenc...

Страница 584: ...l Maximum length 32 characters plain text or encrypted case sensitive DEFAULT SETTING The default is level 15 The default password is super COMMAND MODE Global Configuration COMMAND USAGE You cannot s...

Страница 585: ...encrypted password password password The authentication password for the user Maximum length 32 characters plain text or encrypted case sensitive DEFAULT SETTING The default access level is Normal Ex...

Страница 586: ...fers a connection oriented transport Also note that RADIUS encrypts only the password in the access request packet from the client to the server while TACACS encrypts the entire body of the packet RAD...

Страница 587: ...connection oriented transport Also note that RADIUS encrypts only the password in the access request packet from the client to the server while TACACS encrypts the entire body of the packet RADIUS and...

Страница 588: ...ting messages Use the no form to restore the default SYNTAX radius server acct port port number no radius server acct port port number RADIUS server UDP port used for accounting messages Range 1 65535...

Страница 589: ...restore the default values SYNTAX no radius server index host host ip address auth port auth port acct port acct_port key key retransmit retransmit timeout timeout index Allows you to specify up to f...

Страница 590: ...erver key key string no radius server key key string Encryption key used to authenticate logon access for client Do not use blank spaces in the string Maximum length 48 characters DEFAULT SETTING None...

Страница 591: ...radius server timeout number of seconds no radius server timeout number of seconds Number of seconds the switch waits for a reply before resending a request Range 1 65535 DEFAULT SETTING 5 COMMAND MOD...

Страница 592: ...er and other optional parameters Use the no form to remove the server or to restore the default values SYNTAX tacacs server index host host ip address key key port port number no tacacs server index i...

Страница 593: ...er host host ip address IP address of a TACACS server DEFAULT SETTING 10 11 12 13 COMMAND MODE Global Configuration EXAMPLE Console config tacacs server host 192 168 1 25 Console config tacacs server...

Страница 594: ...hentication messages Range 1 65535 DEFAULT SETTING 49 COMMAND MODE Global Configuration EXAMPLE Console config tacacs server port 181 Console config show tacacs server This command displays the curren...

Страница 595: ...nge 1 255 characters start stop Records accounting from starting point and stopping point Table 65 AAA Commands Command Function Mode aaa accounting commands Enables accounting of Exec mode commands G...

Страница 596: ...nting method s configured on the specified TACACS server and do not actually send any information to the server about the methods to use EXAMPLE Console config aaa accounting commands 15 default start...

Страница 597: ...counting method s configured on the specified RADIUS or TACACS servers and do not actually send any information to the servers about the methods to use EXAMPLE Console config aaa accounting dot1x defa...

Страница 598: ...ethod name fields are only used to describe the accounting method s configured on the specified RADIUS or TACACS servers and do not actually send any information to the servers about the methods to us...

Страница 599: ...1 255 characters group Specifies the server group to use tacacs Specifies all TACACS hosts configured with the tacacs server command server group Specifies the name of a server group configured with t...

Страница 600: ...XAMPLE Console config aaa group server radius tps Console config sg radius server This command adds a security server to an AAA server group Use the no form to remove the associated server from the gr...

Страница 601: ...d list name Specifies a method list created with the aaa accounting dot1x command DEFAULT SETTING None COMMAND MODE Interface Configuration EXAMPLE Console config interface ethernet 1 2 Console config...

Страница 602: ...ame Specifies a method list created with the aaa authorization exec command DEFAULT SETTING None COMMAND MODE Line Configuration EXAMPLE Console config line console Console config line authorization e...

Страница 603: ...ace Method list tps Group list radius Interface eth 1 2 Accounting type Exec Method list default Group list radius Interface vty Console WEB SERVER This section describes commands used to configure we...

Страница 604: ...nge 1 65535 DEFAULT SETTING 80 COMMAND MODE Global Configuration EXAMPLE Console config ip http port 769 Console config RELATED COMMANDS ip http server 604 show system 507 ip http server This command...

Страница 605: ...tablished in this way The client authenticates the server using the server s digital certificate The client and server negotiate a set of security protocols to use for the connection The client and se...

Страница 606: ...S connection to the switch s web interface Use the no form to restore the default port SYNTAX ip http secure port port_number no ip http secure port port_number The UDP port used for HTTPS Range 1 655...

Страница 607: ...o ip telnet max sessions session count The maximum number of allowed Telnet session Range 0 4 DEFAULT SETTING 4 sessions COMMAND MODE Global Configuration COMMAND USAGE A maximum of four sessions can...

Страница 608: ...CP port number to be used by the browser interface Range 1 65535 DEFAULT SETTING 23 COMMAND MODE Global Configuration EXAMPLE Console config ip telnet port 123 Console config ip telnet server This com...

Страница 609: ...authentication retries Specifies the number of retries allowed by a client GC ip ssh server Enables the SSH server on the switch GC ip ssh server key size Sets the SSH server key size GC ip ssh timeo...

Страница 610: ...ts file would appear similar to the following example 10 1 0 54 1024 35 15684995401867669259333946775054617325313674890836547254 15020245593199868544358361651999923329781766065830956 10825913212890233...

Страница 611: ...ents that have a private key corresponding to the public keys stored on the switch can access it The following exchanges take place during this process Authenticating SSH v1 5 Clients a The client sen...

Страница 612: ...ssh authentication retries This command configures the number of times the SSH server attempts to reauthenticate a user Use the no form to restore the default setting SYNTAX ip ssh authentication retr...

Страница 613: ...er EXAMPLE Console ip ssh crypto host key generate dsa Console configure Console config ip ssh server Console config RELATED COMMANDS ip ssh crypto host key generate 615 show ssh 618 ip ssh server key...

Страница 614: ...e switch will wait for a response from the client during the SSH negotiation phase Once an SSH session has been established the timeout for user input is controlled by the exec timeout command for vty...

Страница 615: ...v1 5 clients and DSA Version 2 for SSHv2 clients This command stores the host key pair in memory i e RAM Use the ip ssh save host key command to save the host key pair to flash memory Some SSH client...

Страница 616: ...emory RAM Use the no ip ssh save host key command to clear the host key from flash memory The SSH server must be disabled before you can execute this command EXAMPLE Console ip ssh crypto zeroize dsa...

Страница 617: ...leged Exec COMMAND USAGE If no parameters are entered all keys are displayed If the user keyword is entered but no user name is specified then the public keys for all users are displayed When an RSA k...

Страница 618: ...27s6TLdtny1wRq ow2eTCD5nekAAACBAJ8rMccXTxHLFAczWS7EjOy DbsloBfPuSAb4oAsyjKXKVYNLQkTLZfcFRu41bS2KV5LAwecsigF DjKGWtPNIQqabKgYCw2 o dVzX4Gg yqdTlYmGA7fHGm8ARGeiG4ssFKy4Z6DmYPXFum1Yg0fhLwuHpOSKdxT3kk475S...

Страница 619: ...osts on an dot1x port IC dot1x port control Sets dot1x mode for a port interface IC dot1x re authentication Enables re authentication for all ports IC dot1x timeout quiet period Sets the time that a s...

Страница 620: ...g as intermediate node in the network and does not need to perform dot1x authentication the dot1x eapol pass through command can be used to forward EAPOL frames from other switches on to the authentic...

Страница 621: ...t1x system auth control Console config dot1x intrusion action This command sets the port s response to a failed authentication either to block all traffic or to assign all traffic for the port to a gu...

Страница 622: ...ole config if dot1x max req 2 Console config if dot1x operation mode This command allows hosts clients to connect to an 802 1X authorized port Use the no form with no keywords to restore the default t...

Страница 623: ...ss to a port operating in this mode is limited only by the available space in the secure address table i e up to 1024 addresses EXAMPLE Console config interface eth 1 2 Console config if dot1x operati...

Страница 624: ...the process is handled transparently by the dot1x client software Only if re authentication fails is the port blocked The connected client is re authenticated after the interval specified by the dot1x...

Страница 625: ...t1x timeout re authperiod seconds The number of seconds Range 1 65535 DEFAULT 3600 seconds COMMAND MODE Interface Configuration EXAMPLE Console config interface eth 1 2 Console config if dot1x timeout...

Страница 626: ...erface eth 1 2 Console config if dot1x timeout supp timeout 300 Console config if dot1x timeout tx period This command sets the time that an interface on the switch waits during an authentication sess...

Страница 627: ...s SYNTAX dot1x identity profile username username password password no dot1x identity profile username password username Specifies the supplicant user name Range 1 8 characters password Specifies the...

Страница 628: ...icant mode on a port SYNTAX no dot1x pae supplicant DEFAULT Disabled COMMAND MODE Interface Configuration COMMAND USAGE When devices attached to a port must submit requests to another authenticator on...

Страница 629: ...o dot1x timeout auth period seconds The number of seconds Range 1 65535 DEFAULT 30 seconds COMMAND MODE Interface Configuration COMMAND USAGE This command sets the time that the supplicant waits for a...

Страница 630: ...NTAX dot1x timeout start period seconds no dot1x timeout start period seconds The number of seconds Range 1 65535 DEFAULT 30 seconds COMMAND MODE Interface Configuration EXAMPLE Console config interfa...

Страница 631: ...authentication page 624 Reauth Period Time after which a connected client must be re authenticated page 625 Quiet Period Time a port waits after Max Request Count is exceeded before attempting to acqu...

Страница 632: ...le show dot1x Global 802 1X Parameters System auth control Enabled Authenticator Parameters EAPOL Pass Through Disabled Supplicant Parameters Identity Profile Username steve 802 1X Port Summary Port N...

Страница 633: ...o form to restore the default setting SYNTAX no management all client http client snmp client telnet client start address end address all client Adds IP address es to all groups http client Adds IP ad...

Страница 634: ...ou cannot delete an individual address from a specified range You must delete the entire range and reenter the addresses You can delete an address range just by specifying the start address or by spec...

Страница 635: ...Filter HTTP Client Start IP address End IP address 1 192 168 1 19 192 168 1 19 2 192 168 1 25 192 168 1 30 SNMP Client Start IP address End IP address 1 192 168 1 19 192 168 1 19 2 192 168 1 25 192 16...

Страница 636: ...CHAPTER 24 Authentication Commands Management IP Filter 636...

Страница 637: ...y of execution for these filtering commands is Port Security Port Authentication Network Access Web Authentication Access Control Lists DHCP Snooping and then IP Source Guard Configures secure address...

Страница 638: ...ally take action by disabling the port and sending a trap message mac learning This command enables MAC address learning on the selected interface Use the no form to disable MAC address learning SYNTA...

Страница 639: ...o restore the default settings for a response to security violation or for the maximum number of allowed addresses SYNTAX port security action shutdown trap trap and shutdown max mac count address cou...

Страница 640: ...mand to disable port security and reset the maximum number of addresses to the default You can also manually add secure addresses with the mac address table static command A secure port has the follow...

Страница 641: ...s guest vlan Specifies the guest VLAN IC network access link detection Enables the link detection feature IC network access link detection link down Configures the link detection feature to detect and...

Страница 642: ...ured by the MAC Address Authenticataion process described in this section as well as to any secure MAC addresses authenticated by 802 1X regardless of the 802 1X Operation Mode Single Host Multi Host...

Страница 643: ...g network access mac filter 1 mac address 11 22 33 44 55 66 Console config mac authentication reauth time Use this command to set the time period after which a connected MAC address must be re authent...

Страница 644: ...QoS configuration for the port When a user attempts to log into the network with a returned dynamic QoS profile that is different from users already logged on to the same port the user is denied acce...

Страница 645: ...or they are treated as an authentication failure If dynamic VLAN assignment is enabled on a port and the RADIUS server returns no VLAN configuration the authentication is still treated as a success a...

Страница 646: ...e effective see the dot1x intrusion action command EXAMPLE Console config interface ethernet 1 1 Console config if network access guest vlan 25 Console config if network access link detection Use this...

Страница 647: ...isable the port DEFAULT SETTING Disabled COMMAND MODE Interface Configuration EXAMPLE Console config interface ethernet 1 1 Console config if network access link detection link down action trap Consol...

Страница 648: ...onse to take when port security is violated shutdown Disable port only trap Issue SNMP trap message only trap and shutdown Issue SNMP trap message and disable the port DEFAULT SETTING Disabled COMMAND...

Страница 649: ...n enabled on a port the authentication process sends a Password Authentication Protocol PAP request to a configured RADIUS server The user name and password are both equal to the MAC address being aut...

Страница 650: ...ype attribute set to 802 EXAMPLE Console config if network access mode mac authentication Console config if network access port mac filter Use this command to enable the specified MAC address filter U...

Страница 651: ...e Con figuration EXAMPLE Console config if mac authentication intrusion action block traffic Console config if mac authentication max mac count Use this command to set the maximum number of MAC addres...

Страница 652: ...port unit Unit identifier Range 1 port Port number Range 1 10 DEFAULT SETTING Displays the settings for all interfaces COMMAND MODE Privileged Exec EXAMPLE Console show network access interface ether...

Страница 653: ...ange 1 port Port number Range 1 10 sort Sorts displayed entries by either MAC address or interface DEFAULT SETTING Displays all filters COMMAND MODE Privileged Exec COMMAND USAGE When using a bit mask...

Страница 654: ...perform DNS queries All other traffic except for HTTP protocol traffic is blocked The switch intercepts HTTP protocol traffic and redirects it to a switch generated web page that facilitates user name...

Страница 655: ...ole config web auth system auth control Enables web authentication globally for the switch GC web auth Enables web authentication for an interface IC web auth re authenticate Port Ends all web authent...

Страница 656: ...MODE Global Configuration EXAMPLE Console config web auth quiet period 120 Console config web auth session timeout This command defines the amount of time a web authentication session remains valid W...

Страница 657: ...and web auth for an interface must be enabled for the web authentication feature to be active EXAMPLE Console config web auth system auth control Console config web auth This command enables web auth...

Страница 658: ...ged Exec EXAMPLE Console web auth re authenticate interface ethernet 1 2 Failed to reauth Console web auth re authenticate IP This command ends the web authentication session associated with the desig...

Страница 659: ...mpts 3 Console show web auth interface This command displays interface specific web authentication parameters and statistics SYNTAX show web auth interface interface interface Specifies a port interfa...

Страница 660: ...tion Mode ip dhcp snooping Enables DHCP snooping globally GC ip dhcp snooping database flash Writes all dynamically learned snooping entries to flash memory GC ip dhcp snooping information option Enab...

Страница 661: ...tered based upon dynamic entries learned via DHCP snooping Table entries are only learned for trusted interfaces Each entry includes a MAC address IP address lease time VLAN identifier and port identi...

Страница 662: ...trusted ports in the same VLAN If a DHCP packet is from server is received on a trusted port it will be forwarded to both trusted and untrusted ports in the same VLAN If the DHCP snooping is globally...

Страница 663: ...n option DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server Known...

Страница 664: ...ying it keep Retains the Option 82 information in the client request and forwards the packets to trusted ports replace Replaces the Option 82 information circuit id and remote id fields in the client...

Страница 665: ...acket is dropped EXAMPLE This example enables MAC address verification Console config ip dhcp snooping verify mac address Console config RELATED COMMANDS ip dhcp snooping 661 ip dhcp snooping vlan 665...

Страница 666: ...d Use the no form to restore the default setting SYNTAX no ip dhcp snooping trust DEFAULT SETTING All interfaces are untrusted COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE...

Страница 667: ...lient request to the DHCP server must be configured as trusted EXAMPLE This example sets port 5 to untrusted Console config interface ethernet 1 5 Console config if no ip dhcp snooping trust Console c...

Страница 668: ...le DHCP Snooping Information Policy replace DHCP Snooping is configured on the following VLANs 1 Verify Source Mac Address enable Interface Trusted Eth 1 1 No Eth 1 2 No Eth 1 3 No Eth 1 4 No Eth 1 5...

Страница 669: ...no ip source guard binding mac address vlan vlan id mac address A valid unicast MAC address vlan id ID of a configured VLAN Range 1 4093 ip address A valid unicast IP address including classful types...

Страница 670: ...an entry with same VLAN ID and MAC address and the type of the entry is dynamic DHCP snooping binding then the new entry will replace the old one and the entry type will be changed to static IP sourc...

Страница 671: ...9 are automatically configured with an infinite lease time Dynamic entries learned via DHCP snooping are configured by the DHCP server itself If the IP source guard is enabled an inbound packet s IP a...

Страница 672: ...bled or disabled on each interface COMMAND MODE Privileged Exec EXAMPLE Console show ip source guard Interface Filter type Eth 1 1 DISABLED Eth 1 2 DISABLED Eth 1 3 DISABLED Eth 1 4 DISABLED Eth 1 5 S...

Страница 673: ...hosts with statically configured IP addresses This section describes commands used to configure ARP Inspection Table 80 ARP Inspection Commands Command Function Mode ip arp inspection Enables ARP Ins...

Страница 674: ...ction is enabled When ARP Inspection is disabled all ARP request and reply packets bypass the ARP Inspection engine and their manner of switching matches that of all other packets Disabling and then r...

Страница 675: ...not checked DEFAULT SETTING ARP ACLs are not bound to any VLAN Static mode is not enabled COMMAND MODE Global Configuration COMMAND USAGE ARP ACLs are configured with the commands described on page 31...

Страница 676: ...ogging is active for ARP Inspection and cannot be disabled When the switch drops a packet it places an entry in the log buffer Each entry contains flow information such as the receiving VLAN the port...

Страница 677: ...e target IP addresses are checked only in ARP responses src mac Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body This check is performed on both ARP...

Страница 678: ...ine and their manner of switching matches that of all other packets Disabling and then re enabling global ARP Inspection will not affect the ARP Inspection configuration for any VLANs When ARP Inspect...

Страница 679: ...arp inspection trust This command sets a port as trusted and thus exempted from ARP Inspection Use the no form to restore the default setting SYNTAX no ip arp inspection trust DEFAULT SETTING Untruste...

Страница 680: ...ge Interval 10 s Log Message Number 1 Need Additional Validation s Yes Additional Validation Type Destination MAC address Console show ip arp inspection interface This command shows the trust status a...

Страница 681: ...st IP Address Src MAC Address Dst MAC Address Console show ip arp inspection statistics ARP packets received before rate limit 150 ARP packets dropped due to rate limt 5 Total ARP packets processed by...

Страница 682: ...HAPTER 25 General Security Measures ARP Inspection 682 COMMAND MODE Privileged Exec EXAMPLE Console show ip arp inspection vlan 1 VLAN ID DAI Status ACL Name ACL Status 1 disabled sales static Console...

Страница 683: ...Function IPv4 ACLs Configures ACLs based on IPv4 addresses TCP UDP port number protocol type and TCP control code MAC ACLs Configures ACLs based on hardware addresses packet format and Ethernet type...

Страница 684: ...er more specific criteria acl name Name of the ACL Maximum length 16 characters no spaces or other special characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE When you crea...

Страница 685: ...one COMMAND MODE Standard IPv4 ACL COMMAND USAGE New rules are appended to the end of the list Address bit masks are similar to a subnet mask containing four integers from 0 to 255 each separated by a...

Страница 686: ...it deny tcp any source address bitmask host source any destination address bitmask host destination precedence precedence tos tos dscp dscp source port sport bitmask destination port dport port bitmas...

Страница 687: ...tmask is bitwise ANDed with the specified source IP address and then compared with the address for each IP packet entering the port s to which this ACL has been assigned You can specify both Precedenc...

Страница 688: ...0 255 255 255 0 any destination port 80 Console config ext acl This permits all TCP packets from class C addresses 192 168 1 0 with the TCP control code set to SYN Console config ext acl permit tcp 1...

Страница 689: ...ccess list 689 Time Range 545 show ip access group This command shows the ports assigned to IP ACLs COMMAND MODE Privileged Exec EXAMPLE Console show ip access group Interface ethernet 1 2 IP access l...

Страница 690: ...no form to remove the specified ACL SYNTAX no access list mac acl name acl name Name of the ACL Maximum length 16 characters no spaces or other special characters DEFAULT SETTING None COMMAND MODE Gl...

Страница 691: ...tion address bitmask vid vid vid bitmask ethertype protocol protocol bitmask time range time range name no permit deny any host source source address bitmask any host destination destination address b...

Страница 692: ...ermit deny untagged 802 3 any host source source address bitmask any host destination destination address bitmask tagged eth2 Tagged Ethernet II packets untagged eth2 Untagged Ethernet II packets tagg...

Страница 693: ...ermit any host 00 e0 29 94 34 de ethertype 0800 Console config mac acl RELATED COMMANDS access list mac 690 Time Range 545 mac access group This command binds a MAC ACL to a port Use the no form to re...

Страница 694: ...eged Exec EXAMPLE Console show mac access group Interface ethernet 1 5 MAC access list M5 in Console RELATED COMMANDS mac access group 693 show mac access list This command displays the rules for conf...

Страница 695: ...OMMAND MODE Global Configuration COMMAND USAGE When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list To cr...

Страница 696: ...esponse ip any host source ip source ip ip address bitmask any host destination ip destination ip ip address bitmask mac any host source mac source mac mac address bitmask any host destination mac des...

Страница 697: ...mac any any Console config mac acl RELATED COMMANDS access list arp 695 show arp access list This command displays the rules for configured ARP ACLs SYNTAX show arp access list acl name acl name Name...

Страница 698: ...c EXAMPLE Console show access list IP standard access list david permit host 10 1 1 21 permit 168 92 0 0 255 255 15 0 IP extended access list bob permit 10 7 1 1 255 255 255 0 any permit 192 168 1 0 2...

Страница 699: ...led IC switchport packet rate Enabling hardware level storm control with this command on a port will disable software level automatic storm control on the same port if configured by the auto traffic c...

Страница 700: ...ort Port number Range 1 10 port channel channel id Range 1 5 vlan vlan id Range 1 4093 DEFAULT SETTING None COMMAND MODE Global Configuration EXAMPLE To specify port 4 enter the following command Cons...

Страница 701: ...tric 1000full Supports 1 Gbps full duplex operation 100full Supports 100 Mbps full duplex operation 100half Supports 100 Mbps half duplex operation 10full Supports 10 Mbps full duplex operation 10half...

Страница 702: ...cription to an interface Use the no form to remove the description SYNTAX description string no description string Comment or a description to help you remember what is attached to this interface Rang...

Страница 703: ...low control on or off with the flowcontrol or no flowcontrol command use the no negotiation command to disable auto negotiation on the selected interface When using the negotiation command to enable a...

Страница 704: ...Ports 9 10 EXAMPLE This forces the switch to use the built in RJ 45 port for the combination port 10 Console config interface ethernet 1 10 Console config if media type copper forced Console config if...

Страница 705: ...ig if RELATED COMMANDS capabilities 701 speed duplex 706 shutdown This command disables an interface To restart a disabled interface use the no form SYNTAX no shutdown DEFAULT SETTING All interfaces a...

Страница 706: ...00BASE T standard does not support forced mode Auto negotiation should always be used to establish a connection over any 1000BASE T port or trunk If not used the success of the link process cannot be...

Страница 707: ...tion Ethernet COMMAND USAGE When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic packets exceeding the threshold are dropped until the rate falls back do...

Страница 708: ...t interface the statistics displayed will show the absolute value accumulated since the last power reset EXAMPLE The following example clears statistics on port 5 Console clear counters ethernet 1 5 C...

Страница 709: ...Port or Trunk Statistics on page 128 EXAMPLE Console show interfaces counters ethernet 1 1 Ethernet 1 1 IF table Stats 2166458 Octets Input 14734059 Octets Output 14707 Unicast Input 19806 Unicast Out...

Страница 710: ...s the status for an interface SYNTAX show interfaces status interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 10 port channel channel id Range 1 5 vlan vlan...

Страница 711: ...w interfaces switchport This command displays the administrative and operational status of the specified interfaces SYNTAX show interfaces switchport interface interface ethernet unit port unit Unit i...

Страница 712: ...has been enabled or disabled page 719 Ingress Egress Rate Limit Shows if rate limiting is enabled and the current rate limit page 737 VLAN Membership Mode Indicates membership mode as Trunk or Hybrid...

Страница 713: ...test immediately upon completion including common cable failures as well as the status and approximate length of each cable pair Potential conditions which may be listed by the diagnostics include OK...

Страница 714: ...hernet COMMAND USAGE IEEE 802 3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters Enabling power saving mode can reduce power used for...

Страница 715: ...n can be reduced since signal attenuation is proportional to cable length When power savings mode is enabled the switch analyzes cable length to determine whether or not it can reduce the signal ampli...

Страница 716: ...CHAPTER 27 Interface Commands 716 EXAMPLE Console show power save interface ethernet 1 10 Power Saving Status Enabled Console...

Страница 717: ...A trunk can have up to 8 ports The ports at both ends of a connection must be configured as trunk ports All ports in a trunk must be configured in an identical manner including communication mode i e...

Страница 718: ...it has the null value of 0 this key is set to the same value as the port admin key lacp admin key Ethernet Interface used by the interfaces that joined the group However if the port channel admin key...

Страница 719: ...with another switch using LACP will automatically be assigned the next available port channel ID If the target switch has also enabled LACP on the connected ports the trunk will be activated automatic...

Страница 720: ...r partner admin key actor The local side an aggregate link partner The remote side of an aggregate link key The port admin key must be set to the same value for ports that belong to the same link aggr...

Страница 721: ...TING 32768 COMMAND MODE Interface Configuration Ethernet COMMAND USAGE Setting a lower value indicates a higher effective priority If an active port link goes down the backup port with the highest pri...

Страница 722: ...switch s MAC address to form the LAG identifier This identifier is used to indicate a specific LAG during LACP negotiations with other systems Once the remote side of a link has been established LACP...

Страница 723: ...he interfaces that joined the group Note that when the LAG is no longer used the port channel admin key is reset to 0 EXAMPLE Console config interface port channel 1 Console config if lacp admin key 3...

Страница 724: ...is channel group Marker Sent Number of valid Marker PDUs transmitted from this channel group Marker Received Number of valid Marker PDUs received by this channel group LACPDUs Unknown Pkts Number of f...

Страница 725: ...mation Collecting Collection of incoming frames on this link is enabled i e collection is currently enabled and is not expected to be disabled in the absence of administrative changes or changes in re...

Страница 726: ...signed to this aggregation port by the partner Admin Key Current administrative value of the Key for the protocol partner Oper Key Current operational value of the Key for the protocol partner Admin S...

Страница 727: ...lan id mac address mac address no port monitor interface interface ethernet unit port source port unit Unit identifier Range 1 port Port number Range 1 10 rx Mirror received packets tx Mirror transmit...

Страница 728: ...monitor command to specify the source of the traffic to mirror When mirroring traffic from a port the mirror port and monitor port speeds should match otherwise traffic may be dropped from the monito...

Страница 729: ...ernet 1 5 Console config if port monitor ethernet 1 6 Console config if end Console show port monitor Port Mirroring Destination Port listen port Eth1 5 Source Port monitored port Eth1 6 Mode RX TX Co...

Страница 730: ...red as one type of RSPAN interface source destination or uplink Also note that the source port and destination port cannot be configured on the same switch Local Remote Mirror The destination of a loc...

Страница 731: ...e mirroring for the specified type SYNTAX no rspan session session id source interface interface list rx tx both session id A number identifying this RSPAN session Range 1 2 Only two mirror sessions a...

Страница 732: ...dentifying this RSPAN session Range 1 2 Only two mirror sessions are allowed including both local and remote mirroring If local mirroring is enabled with the port monitor command then there is only on...

Страница 733: ...ror sessions are allowed including both local and remote mirroring If local mirroring is enabled with the port monitor command then there is only one session available for RSPAN vlan id ID of configur...

Страница 734: ...n RSPAN VLAN but will only show configured RSPAN VLAN identifiers EXAMPLE The following example enables RSPAN on VLAN 2 specifies this device as an RSPAN destination switch and the uplink interface as...

Страница 735: ...e allowed including both local and remote mirroring If local mirroring is enabled with the port monitor command then there is only one session available for RSPAN COMMAND MODE Privileged Exec EXAMPLE...

Страница 736: ...CHAPTER 29 Port Mirroring Commands RSPAN Mirroring Commands 736...

Страница 737: ...f disabled SYNTAX rate limit input output rate no rate limit input output input Input rate for specified interface output Output rate for specified interface rate Maximum value in Kbps Range 64 100000...

Страница 738: ...control command It is therefore not advisable to use both of these commands on the same interface EXAMPLE Console config interface ethernet 1 1 Console config if rate limit input 64 Console config if...

Страница 739: ...imer expires IC Port auto traffic control control release Manually releases a control response IC Port auto traffic control auto control release Automatically releases a control response PE SNMP Trap...

Страница 740: ...eneath the lower threshold after a storm control response has been triggered and the release timer expires IC Port ATC Display Commands show auto traffic control Shows global configuration settings fo...

Страница 741: ...nable the port FUNCTIONAL LIMITATIONS Automatic storm control is a software level control function Traffic storms can also be controlled at the hardware level using the switchport packet rate command...

Страница 742: ...s the time at which to release the control response after ingress traffic has fallen beneath the lower threshold Use the no form to restore the default setting SYNTAX auto traffic control broadcast mu...

Страница 743: ...ING Disabled COMMAND MODE Interface Configuration Ethernet COMMAND USAGE Automatic storm control can be enabled for either broadcast or multicast traffic It cannot be enabled for both of these traffic...

Страница 744: ...n only be manually re enabled DEFAULT SETTING rate control COMMAND MODE Interface Configuration Ethernet COMMAND USAGE When the upper threshold is exceeded and the apply timer expires a control respon...

Страница 745: ...s COMMAND MODE Interface Configuration Ethernet COMMAND USAGE Once the traffic rate falls beneath the lower threshold a trap message may be sent if configured by the snmp server enable port traps atc...

Страница 746: ...figuration Ethernet COMMAND USAGE Once the upper threshold is exceeded a trap message may be sent if configured by the snmp server enable port traps atc broadcast alarm fire command or snmp server ena...

Страница 747: ...trol for broadcast traffic multicast Specifies automatic storm control for multicast traffic COMMAND MODE Interface Configuration Ethernet COMMAND USAGE This command can be used to automatically stop...

Страница 748: ...nmp server enable port traps atc broadcast alarm fire DEFAULT SETTING Disabled COMMAND MODE Interface Configuration Ethernet EXAMPLE Console config interface ethernet 1 1 Console config if snmp server...

Страница 749: ...server enable port traps atc broadcast control release DEFAULT SETTING Disabled COMMAND MODE Interface Configuration Ethernet EXAMPLE Console config interface ethernet 1 1 Console config if snmp serve...

Страница 750: ...nmp server enable port traps atc multicast alarm fire DEFAULT SETTING Disabled COMMAND MODE Interface Configuration Ethernet EXAMPLE Console config interface ethernet 1 1 Console config if snmp server...

Страница 751: ...expires Use the no form to disable this trap SYNTAX no snmp server enable port traps atc multicast control release DEFAULT SETTING Disabled COMMAND MODE Interface Configuration Ethernet EXAMPLE Conso...

Страница 752: ...unit port unit Unit identifier Range 1 port Port number Range 1 10 COMMAND MODE Privileged Exec EXAMPLE Console show auto traffic control interface ethernet 1 1 Eth 1 1 Information Storm Control Broad...

Страница 753: ...DEFAULT SETTING 300 seconds COMMAND MODE Global Configuration COMMAND USAGE The aging time is used to age out dynamically learned forwarding information EXAMPLE Console config mac address table aging...

Страница 754: ...The default mode is permanent COMMAND MODE Global Configuration COMMAND USAGE The static address for a host device can be assigned to a specific port within a specific VLAN Use this command to add sta...

Страница 755: ...ddress interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 10 port channel channel id Range 1 5 vlan id VLAN ID Range 1 4093 sort Sort by address vlan or interface DEFAU...

Страница 756: ...ss table Interface MAC Address VLAN Type Life Time Eth 1 1 00 E0 29 94 34 DE 1 Config Delete on Reset Eth 1 21 00 01 EC F8 D8 D9 1 Learn Delete on Timeout Console show mac address table aging time Thi...

Страница 757: ...e maximum number of hops allowed in the region before a BPDU is discarded MST mst priority Configures the priority of a spanning tree instance MST mst vlan Adds VLANs to a spanning tree instance MST n...

Страница 758: ...s down EXAMPLE This example shows how to enable the Spanning Tree Algorithm for the switch Console config spanning tree Console config spanning tree port priority Configures the spanning tree priority...

Страница 759: ...evice must receive information about topology changes before it starts to forward frames In addition each port needs time to listen for conflicting information that would make it return to the discard...

Страница 760: ...of 40 or 2 x forward time 1 DEFAULT SETTING 20 seconds COMMAND MODE Global Configuration COMMAND USAGE This command sets the maximum time in seconds a device can wait without receiving a configuration...

Страница 761: ...P supports connections to either STP or RSTP nodes by monitoring the incoming protocol messages and dynamically adjusting the type of protocol messages the RSTP node transmits as described below STP M...

Страница 762: ...the IEEE 802 1w Rapid Spanning Tree Protocol short Specifies 16 bit based values that range from 1 65535 This method is based on the IEEE 802 1 Spanning Tree Protocol DEFAULT SETTING Long method COMMA...

Страница 763: ...electing the root device root port and designated port The device with the highest priority i e lower numeric value becomes the STA root device However if all devices have the same priority the device...

Страница 764: ...ole config spanning tree transmission limit 4 Console config max hops This command configures the maximum number of hops in the region before a BPDU is discarded Use the no form to restore the default...

Страница 765: ...e Range 0 61440 in steps of 4096 Options 0 4096 8192 12288 16384 20480 24576 28672 32768 36864 40960 45056 49152 53248 57344 61440 DEFAULT SETTING 32768 COMMAND MODE MST Configuration COMMAND USAGE MS...

Страница 766: ...allowing for faster convergence of a new topology for the failed instance By default all VLANs are assigned to the Internal Spanning Tree MSTI 0 that connects all bridges and LANs within the MST regi...

Страница 767: ...on This command configures the revision number for this multiple spanning tree configuration of this switch Use the no form to restore the default SYNTAX revision number number Revision number of the...

Страница 768: ...ng port connected to another switch or bridging device is mistakenly configured as an edge port and BPDU filtering is enabled on this port this might cause a loop in the spanning tree Before enabling...

Страница 769: ...f spanning tree bpdu guard Console config if RELATED COMMANDS spanning tree edge port 770 spanning tree spanning disabled 777 spanning tree cost This command configures the spanning tree path cost for...

Страница 770: ...refore lower values should be assigned to ports attached to faster media and higher values assigned to ports with slower media Path cost takes precedence over port priority When the path cost method p...

Страница 771: ...panning tree edge port Console config if spanning tree link type This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree Use the no form to restore the default SYNTAX...

Страница 772: ...BPDU according to IEEE Standard 802 1W 2001 9 3 4 Note 1 Port Loopback Detection will not be active if Spanning Tree is disabled on the switch EXAMPLE Console config interface ethernet 1 5 Console co...

Страница 773: ...BPDU according to IEEE Standard 802 1W 2001 9 3 4 Note 1 Port Loopback Detection will not be active if Spanning Tree is disabled on the switch When configured for manual release mode then a link down...

Страница 774: ...th cost 0 is used to indicate auto configuration mode When the short path cost method is selected and the default path cost recommended by the IEEE 8021w standard exceeds 65 535 the default is set to...

Страница 775: ...ple spanning tree If the path cost for all interfaces on a switch are the same the interface with the highest priority that is lowest value will be configured as an active link in the spanning tree Wh...

Страница 776: ...ort Channel COMMAND USAGE A bridge with a lower bridge identifier or same identifier and lower MAC address can take over as the root bridge at any time When Root Guard is enabled and the switch receiv...

Страница 777: ...PLE This example disables the spanning tree algorithm for port 5 Console config interface ethernet 1 5 Console config if spanning tree spanning disabled Console config if spanning tree loopback detect...

Страница 778: ...t Port number Range 1 10 port channel channel id Range 1 5 COMMAND MODE Privileged Exec COMMAND USAGE If at any time the switch detects STP BPDUs including Configuration or Topology Change Notificatio...

Страница 779: ...d for every interface in the tree Use the show spanning tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree CST Use the show spanning tre...

Страница 780: ...Cost 100000 Priority 128 Designated Cost 100000 Designated Port 128 1 Designated Root 32768 0 0001ECF8D8C6 Designated Bridge 32768 0 123412341234 Fast Forwarding Disabled Forward Transitions 4 Admin E...

Страница 781: ...ing name VID and state Configuring VLAN Interfaces Configures VLAN interface parameters including ingress and egress tagging mode ingress filtering PVID and GVRP Displaying VLAN Information Displays V...

Страница 782: ...USAGE GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network This function should be enabled to permit automatic VLAN registration...

Страница 783: ...AGE Group Address Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN The default values for the GARP timers are indepen...

Страница 784: ...NG No VLANs are included in the forbidden list COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE This command prevents a VLAN from being automatically added to the specified int...

Страница 785: ...nsole show bridge ext Maximum Supported VLAN Numbers 4093 Maximum Supported VLAN ID 4093 Extended Multicast Filtering Services No Static Entry Individual Port Yes VLAN Learning IVL Configurable PVID T...

Страница 786: ...ace interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 10 port channel channel id Range 1 5 DEFAULT SETTING Shows both global and interface specific configuration COMMA...

Страница 787: ...mmand EXAMPLE Console config vlan database Console config vlan RELATED COMMANDS show vlan 795 vlan This command configures a VLAN Use the no form to restore the default settings or delete a VLAN SYNTA...

Страница 788: ...TE The switch allows 256 user manageable VLANs EXAMPLE The following example adds a VLAN using VLAN ID 105 and name RD5 The VLAN is activated by default Console config vlan database Console config vla...

Страница 789: ...ration commands and save the configuration settings To change a Layer 3 normal VLAN back to a Layer 2 VLAN use the no interface command EXAMPLE The following example shows how to set the interface con...

Страница 790: ...gned to the default VLAN EXAMPLE The following example shows how to restrict the traffic received on port 1 to tagged frames Console config interface ethernet 1 1 Console config if switchport acceptab...

Страница 791: ...he host at the other end of the connection supports VLANs the interface should be added to these VLANs as an untagged member Otherwise it is only necessary to add at most one VLAN as untagged and this...

Страница 792: ...fig if switchport mode This command configures the VLAN membership mode for a port Use the no form to restore the default SYNTAX switchport mode access hybrid trunk no switchport mode access Specifies...

Страница 793: ...d Default VLAN ID for a port Range 1 4093 no leading zeroes DEFAULT SETTING VLAN 1 COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE When using Access mode and an interface is a...

Страница 794: ...LAN Trunking Without VLAN trunking you would have to configure VLANs 1 and 2 on all intermediate switches C D and E otherwise these switches would drop any frames with unknown VLAN group tags However...

Страница 795: ...Console config interface ethernet 1 9 Console config if vlan trunking Console config if interface ethernet 1 10 Console config if vlan trunking Console config if DISPLAYING VLAN INFORMATION This secti...

Страница 796: ...VLAN space by using a VLAN in VLAN hierarchy preserving the customer s original tagged packets and adding SPVLAN tags to each frame also called double tagging This section describes commands used to...

Страница 797: ...n Limitations for QinQ The native VLAN for the tunnel uplink ports and tunnel access ports cannot be the same However the same service VLANs can be set on both tunnel port types IGMP Snooping should n...

Страница 798: ...ng the dot1q tunnel system tunnel control command before the switchport dot1q tunnel mode interface command can take effect When a tunnel uplink port receives a packet from a customer the customer tag...

Страница 799: ...with third party switches that do not use the standard 0x8100 ethertype to identify 802 1Q tagged frames For example 0x1234 is set as the custom 802 1Q ethertype on a trunk port incoming frames conta...

Страница 800: ...to the service provider port based traffic segmentation can be used to isolate traffic for individual clients traffic segmentation This command enables traffic segmentation globally or configures the...

Страница 801: ...command without any parameters to enable traffic segmentation Then set the interface members for segmented groups Enter no traffic segmentation to disable traffic segmentation and clear the configura...

Страница 802: ...e protocol based VLANs follow these steps 1 First configure VLAN groups for the protocols you want to use page 787 Although not mandatory we suggest configuring a separate VLAN for each major protocol...

Страница 803: ...MAND MODE Global Configuration EXAMPLE The following creates protocol group 1 and specifies Ethernet frames with IP and ARP protocol types Console config protocol vlan protocol group 1 add frame type...

Страница 804: ...ames If the frame is untagged and the protocol type matches the frame is forwarded to the appropriate VLAN If the frame is untagged but the protocol type does not match the frame is forwarded to the d...

Страница 805: ...VLANs for the selected interfaces SYNTAX show interfaces protocol vlan protocol group interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 10 port channel chan...

Страница 806: ...ask vlan vlan id priority priority no subnet vlan subnet ip address mask all ip address The IP address that defines the subnet Valid IP addresses consist of four decimal numbers 0 to 255 separated by...

Страница 807: ...255 255 255 224 vlan 4 Console config show subnet vlan This command displays IP Subnet VLAN assignments COMMAND MODE Privileged Exec COMMAND USAGE Use this command to display subnet to VLAN mappings T...

Страница 808: ...remove an assignment SYNTAX mac vlan mac address mac address vlan vlan id priority priority no mac vlan mac address mac address all mac address The source MAC address to be matched Configured MAC add...

Страница 809: ...MAC address VLAN ID 00 00 00 11 22 33 10 Console CONFIGURING VOICE VLANS The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic VoIP traffic can be d...

Страница 810: ...n switch ports by using the source MAC address of packets or by using LLDP IEEE 802 1AB to discover connected VoIP devices When VoIP traffic is detected on a configured port the switch automatically a...

Страница 811: ...gures the Voice VLAN aging time as 3000 minutes Console config voice vlan aging 3000 Console config voice vlan mac address This command specifies MAC address ranges to add to the OUI Telephony list Us...

Страница 812: ...Telephony list Console config voice vlan mac address 00 12 34 56 78 90 mask ff ff ff 00 00 00 description A new phone Console config switchport voice vlan This command specifies the Voice VLAN mode fo...

Страница 813: ...MMAND USAGE Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN The priority of any received VoIP packet is overwritten with the new priority when the Voice VLAN feature is ac...

Страница 814: ...ing VoIP traffic Console config interface ethernet 1 1 Console config if switchport voice vlan rule oui Console config if switchport voice vlan security This command enables security filtering for VoI...

Страница 815: ...LE Console show voice vlan status Global Voice VLAN Status Voice VLAN Status Enabled Voice VLAN ID 1234 Voice VLAN aging time 1440 minutes Voice VLAN Port Summary Port Mode Security Rule Priority Eth...

Страница 816: ...CHAPTER 34 VLAN Commands Configuring Voice VLANs 816...

Страница 817: ...nfigures the queue mode queue weights and default priority for untagged frames Priority Commands Layer 3 and 4 Sets the default priority processing method CoS or DSCP maps priority tags for internal p...

Страница 818: ...a strict queue DEFAULT SETTING Strict and WRR with Queue 3 using strict mode COMMAND MODE Global Configuration COMMAND USAGE The switch can be set to service the port queues based on strict priority S...

Страница 819: ...ed at the egress ports by defining scheduling weights for SWDRR or for the queuing mode that uses a combination of strict and weighted queuing Service time is allocated to each queue by calculating a...

Страница 820: ...ult priority id no switchport priority default default priority id The priority number for untagged ingress traffic The priority is a number from 0 to 7 Seven is the highest priority DEFAULT SETTING T...

Страница 821: ...ted VLAN these frames are stripped of all VLAN tags prior to transmission EXAMPLE The following example shows how to set a default priority on port 3 to 5 Console config interface ethernet 1 3 Console...

Страница 822: ...l format Range 0 1 Table 116 Priority Commands Layer 3 and 4 Command Function Mode qos map cos dscp Maps CoS CFI values in incoming packets to per hop behavior and drop precedence values for internal...

Страница 823: ...riority tags in the original packet are not modified by this command The internal DSCP consists of three bits for per hop behavior PHB which determines the queue to which a packet is sent and two bits...

Страница 824: ...DSCP by the qos map trust mode command and the ingress packet type is IPv4 Two QoS domains can have different DSCP definitions so the DSCP to PHB Drop Precedence mutation map can be used to modify one...

Страница 825: ...rface ethernet 1 5 Console config if qos map dscp mutation 3 1 from 1 Console config if qos map phb queue This command determines the hardware output queues to use based on the internal per hop behavi...

Страница 826: ...essing will be based on the DSCP value in the ingress packet If the QoS mapping mode is set to DSCP and a non IP packet is received the packet s CoS and CFI Canonical Format Indicator values are used...

Страница 827: ...in the top row in other words ingress DSCP d1 10 d2 and the corresponding Internal DSCP and drop precedence is shown at the intersecting cell in the table Console show qos map dscp mutation interface...

Страница 828: ...cos dscp This command shows ingress CoS CFI to internal DSCP map SYNTAX show qos map cos dscp interface interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 10...

Страница 829: ...map trust mode interface interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 10 port channel channel id Range 1 5 COMMAND MODE Privileged Exec EXAMPLE The foll...

Страница 830: ...CHAPTER 35 Class of Service Commands Priority Commands Layer 3 and 4 830...

Страница 831: ...of a policy map PM police flow Defines an enforcer for classified traffic based on a metered flow rate PM C police srtcm color Defines an enforcer for classified traffic based on a single rate three c...

Страница 832: ...he matching traffic class and use one of the police commands to monitor parameters such as the average flow and burst rate and drop any traffic that exceeds the specified rate or just reduce the DSCP...

Страница 833: ...ommands EXAMPLE This example creates a class map call rd class and sets it to match packets marked for DSCP service value 3 Console config class map rd class match any Console config cmap match ip dsc...

Страница 834: ...mand to designate a class map and enter the Class Map configuration mode Then use match commands to specify the fields within ingress packets that must match to qualify for this class map If an ingres...

Страница 835: ...onfig cmap rename This command redefines the name of a class map or policy map SYNTAX rename map name map name Name of the class map or policy map Range 1 16 characters COMMAND MODE Class Map Configur...

Страница 836: ...rd policy Console config pmap class rd class Console config pmap c set cos 0 Console config pmap c police flow 10000 4000 conform action transmit violate action drop Console config pmap c class This c...

Страница 837: ...Console config pmap c police flow This command defines an enforcer for classified traffic based on the metered flow rate Use the no form to remove a policer SYNTAX no police flow committed rate commi...

Страница 838: ...e The token bucket C is initially full that is the token count Tc 0 BC Thereafter the token count Tc is updated CIR times per second as follows If Tc is less than BC Tc is incremented by one else Tc i...

Страница 839: ...st Excess burst size BE in bytes Range 4000 1600000 at a granularity of 4k bytes conform action Action to take when rate is within the CIR and BC There are enough tokens in bucket BC to service the pa...

Страница 840: ...ken count Tc 0 BC and the token count Te 0 BE Thereafter the token counts Tc and Te are updated CIR times per second as follows If Tc is less than BC Tc is incremented by one else if Te is less then B...

Страница 841: ...color blind trtcm color aware committed rate committed burst peak rate peak burst conform action transmit exceed action drop new dscp violate action drop new dscp trtcm color blind Two rate three col...

Страница 842: ...ol queue congestion A packet is marked red if it exceeds the PIR Otherwise it is marked either yellow or green depending on whether it exceeds or doesn t exceed the CIR The trTCM is useful for ingress...

Страница 843: ...on other aspects of trTCM EXAMPLE This example creates a policy called rd policy uses the class command to specify the previously defined rd class uses the set phb command to classify the service that...

Страница 844: ...Console config pmap c police flow 10000 4000 conform action transmit violate action drop Console config pmap c set phb This command services IP traffic by setting a per hop behavior value for a matchi...

Страница 845: ...licy map defined by the policy map command to the ingress side of a particular interface Use the no form to remove this mapping SYNTAX no service policy input policy map name input Apply to the input...

Страница 846: ...ss list rd access Match ip dscp 0 Class Map match any rd class 2 Match ip precedence 5 Class Map match any rd class 3 Match vlan 1 Console show policy map This command displays the QoS policy maps whi...

Страница 847: ...le show policy map interface This command displays the service policy assigned to the specified interface SYNTAX show policy map interface interface input interface unit port unit Unit identifier Rang...

Страница 848: ...CHAPTER 36 Quality of Service Commands 848...

Страница 849: ...ic multicast router ports which forward all inbound multicast traffic to the attached VLANs IGMP Filtering and Throttling Configures IGMP filtering and throttling Multicast VLAN Registration Configure...

Страница 850: ...g vlan last memb query count Configures the number of IGMP proxy query messages that are sent out before the system assumes there are no local members GC ip igmp snooping vlan last memb query intvl Co...

Страница 851: ...o restore the default setting SYNTAX no ip igmp snooping proxy reporting ip igmp snooping vlan vlan id proxy reporting enable disable no ip igmp snooping vlan vlan id proxy reporting vlan id VLAN ID R...

Страница 852: ...ation COMMAND USAGE IGMP snooping querier is not supported for IGMPv3 snooping see ip igmp snooping version If enabled the switch will serve as querier if elected The querier is responsible for asking...

Страница 853: ...the switch is acting in the role of a multicast host such as when using proxy routing it should ignore version 2 or 3 queries that do not contain the Router Alert option EXAMPLE Console config ip igm...

Страница 854: ...ived and all the uplink ports are subsequently deleted a time out mechanism is used to delete all of the currently learned multicast channels When a new uplink port starts up the switch sends unsolici...

Страница 855: ...hen a switch receives this solicitation it floods it to all ports in the VLAN where the spanning tree change occurred When an upstream multicast router receives this solicitation it will also immediat...

Страница 856: ...command specifies how often the upstream interface should transmit unsolicited IGMP reports when proxy reporting is enabled Use the no form to restore the default value SYNTAX ip igmp snooping unsolic...

Страница 857: ...nd versions 2 and 3 are backward compatible so the switch can operate with other devices regardless of the snooping version employed If the IGMP snooping version is configured on a VLAN this setting t...

Страница 858: ...oping vlan general query suppression This command suppresses general queries except for ports attached to downstream multicast hosts Use the no form to flood general queries to all ports except for th...

Страница 859: ...sage is received The router querier stops forwarding traffic for that group only if no host replies to the query within the time out period The time out for this release is currently defined by Last M...

Страница 860: ...ere are no more group members Range 1 255 DEFAULT SETTING 2 COMMAND MODE Global Configuration COMMAND USAGE This command will take effect only if IGMP snooping proxy reporting or IGMP querier is enabl...

Страница 861: ...an id VLAN ID Range 1 4093 DEFAULT SETTING Enabled COMMAND MODE Global Configuration COMMAND USAGE Multicast Router Discovery MRD uses multicast router advertisement multicast router solicitation and...

Страница 862: ...proxy address source address vlan id VLAN ID Range 1 4093 source address The source address used for proxied IGMP query and report and leave messages Any valid IP unicast address DEFAULT SETTING 0 0 0...

Страница 863: ...nterval no ip igmp snooping vlan vlan id proxy query interval vlan id VLAN ID Range 1 4093 interval The interval between sending IGMP proxy general queries Range 10 31744 seconds DEFAULT SETTING 100 1...

Страница 864: ...ths of a second DEFAULT SETTING 100 10 seconds COMMAND MODE Global Configuration COMMAND USAGE This command will take effect only if IGMP snooping proxy reporting is enabled page 851 EXAMPLE Console c...

Страница 865: ...IGMP Snooping and Query Parameters on page 444 for a description of the displayed items EXAMPLE The following shows the current IGMP snooping configuration Console show ip igmp snooping IGMP snooping...

Страница 866: ...D 1 4093 user Display only the user configured multicast entries igmpsnp Display only entries learned through IGMP snooping DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Member types...

Страница 867: ...ic multicast router ports are configured COMMAND MODE Global Configuration COMMAND USAGE Depending on your network connections IGMP snooping may not always be able to locate the IGMP querier Therefore...

Страница 868: ...n switch applications the administrator may want to control the multicast services that are available to end users For example an IP TV service based on a specific subscription plan The IGMP filtering...

Страница 869: ...ecked against the filter profile If a requested multicast group is permitted the IGMP join report is forwarded as normal If a requested multicast group is denied the IGMP join report is dropped IGMP f...

Страница 870: ...o many interfaces but only one profile can be assigned to one interface Each profile has only one access mode either permit or deny EXAMPLE Console config ip igmp profile 19 Console config igmp profil...

Страница 871: ...p range DEFAULT SETTING None COMMAND MODE IGMP Profile Configuration COMMAND USAGE Enter this command multiple times to specify more than one multicast address or address range for a profile EXAMPLE C...

Страница 872: ...max groups number no ip igmp max groups number The maximum number of multicast groups an interface can join at the same time Range 1 255 DEFAULT SETTING 255 COMMAND MODE Interface Configuration Ether...

Страница 873: ...tch can take one of two actions either deny or replace If the action is set to deny any new IGMP join reports will be dropped If the action is set to replace the switch randomly removes an existing gr...

Страница 874: ...profile profile number profile number An existing IGMP filter profile number Range 1 4294967295 DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE Console show ip igmp profile IGMP Profile 19...

Страница 875: ...all subscribers This can significantly reduce to processing overhead required to dynamically monitor and establish the distribution tree for a normal multicast VLAN Also note that MVR maintains the u...

Страница 876: ...must be assigned vlan id MVR VLAN ID Range 1 4093 DEFAULT SETTING MVR is disabled No MVR group address is defined The default number of contiguous addresses is 0 MVR VLAN ID is 1 COMMAND MODE Global...

Страница 877: ...t Port Channel COMMAND USAGE Immediate leave applies only to receiver ports When enabled the receiver port is immediately removed from the multicast group identified in the leave message When immediat...

Страница 878: ...allow a receiver port to dynamically join or leave multicast groups sourced through the MVR VLAN Also note that VLAN membership for MVR receiver ports cannot be set to trunk mode see the switchport m...

Страница 879: ...AULT SETTING No receiver port is a member of any configured multicast group COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE Multicast groups can be statically assigned to a re...

Страница 880: ...Privileged Exec COMMAND USAGE Enter this command without any keywords to display the global settings for MVR Use the interface keyword to display information about interfaces attached to the MVR VLAN...

Страница 881: ...mber of contiguous MVR group addresses Table 127 show mvr interface display description Field Description Port Shows interfaces attached to the MVR Type Shows the MVR port type Status Shows the MVR st...

Страница 882: ...ssigned VLAN Indicates the MVR VLAN receiving the multicast service Forwarding Port Shows the interfaces with subscribers for multicast services provided through the MVR VLAN Also shows the VLAN throu...

Страница 883: ...g to re initialize after LLDP ports are disabled or the link goes down GC lldp tx delay Configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB...

Страница 884: ...ion capabilities IC lldp dot3 tlv mac phy Configures an LLDP enabled port to advertise its MAC and physical layer specifications IC lldp dot3 tlv max frame Configures an LLDP enabled port to advertise...

Страница 885: ...ds no lldp notification interval seconds Specifies the periodic interval at which SNMP notifications are sent Range 5 3600 seconds DEFAULT SETTING 5 seconds COMMAND MODE Global Configuration COMMAND U...

Страница 886: ...e following rule refresh interval holdtime multiplier 65536 EXAMPLE Console config lldp refresh interval 60 Console config lldp reinit delay This command configures the delay before attempting to re i...

Страница 887: ...ent a series of successive LLDP transmissions during a short period of rapid changes in local LLDP MIB objects and to increase the probability that multiple rather than single changes are reported in...

Страница 888: ...port sending this advertisement The management address TLV may also include information about the specific interface associated with this address and an object identifier indicating the type of hardwa...

Страница 889: ...des information about the manufacturer the product name and the version of the interface hardware software EXAMPLE Console config interface ethernet 1 1 Console config if lldp basic tlv port descripti...

Страница 890: ...RFC 3418 which includes the full name and version identification of the system s hardware type software operating system and networking software EXAMPLE Console config interface ethernet 1 1 Console...

Страница 891: ...es the protocols that are accessible through this interface EXAMPLE Console config interface ethernet 1 1 Console config if no lldp dot1 tlv proto ident Console config if lldp dot1 tlv proto vid This...

Страница 892: ...h which untagged or priority tagged frames are associated see the switchport native vlan command EXAMPLE Console config interface ethernet 1 1 Console config if no lldp dot1 tlv pvid Console config if...

Страница 893: ...tatus of the link and the 802 3 aggregated port identifier if this interface is currently a link aggregation member EXAMPLE Console config interface ethernet 1 1 Console config if no lldp dot3 tlv lin...

Страница 894: ...size for this switch EXAMPLE Console config interface ethernet 1 1 Console config if lldp dot3 tlv max frame Console config if lldp notification This command enables the transmission of SNMP trap noti...

Страница 895: ...thernet 1 1 Console config if lldp notification Console config if show lldp config This command shows LLDP configuration settings for all ports SYNTAX show lldp config detail interface detail Shows co...

Страница 896: ...show lldp info local device This command shows LLDP global and interface specific configuration settings for this device SYNTAX show lldp info local device detail interface detail Shows configuration...

Страница 897: ...hernet Port on unit 1 port 1 Console show lldp info remote device This command shows LLDP global and interface specific configuration settings for remote devices attached to an LLDP enabled port SYNTA...

Страница 898: ...port MAU type 6 Remote Power Via Mdi Remote power class PSE Remote power mdi supported Yes Remote power mdi enabled Yes Remote power pair controlable No Remote power pairs Spare Remote power classifi...

Страница 899: ...ntries Dropped Count 0 Neighbor Entries Ageout Count 0 Interface NumFramesRecvd NumFramesSent NumFramesDiscarded Eth 1 1 10 11 0 Eth 1 2 0 0 0 Eth 1 3 0 0 0 Eth 1 4 0 0 0 Eth 1 5 0 0 0 switch show lld...

Страница 900: ...CHAPTER 38 LLDP Commands 900...

Страница 901: ...me Name of the host Do not include the initial dot that separates the host name from the domain name Range 1 68 characters DEFAULT SETTING None Table 130 Address Table Commands Command Function Mode i...

Страница 902: ...the default domain name is not used EXAMPLE This example adds two domain names to the current list and then displays the list Console config ip domain list sample com jp Console config ip domain list...

Страница 903: ...03 ip name server 905 ip domain name This command defines the default domain name appended to incomplete host names i e host names passed from a client that are not formatted with dotted notation Use...

Страница 904: ...host name address name Name of an IPv4 host Range 1 100 characters address Corresponding IPv4 address DEFAULT SETTING No static entries COMMAND MODE Global Configuration COMMAND USAGE Use the no ip h...

Страница 905: ...servers DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE The listed name servers are queried in the specified sequence until a response is received or the end of the list is reach...

Страница 906: ...values One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields DEFAULT SETTING No static entries COMMAND MODE Global Configuration...

Страница 907: ...ear host command to clear dynamic entries or the no ip host command to clear static entries EXAMPLE This example clears all static entries from the DNS table Console config clear host Console config s...

Страница 908: ...sole show hosts No Flag Type IP Address TTL Domain 0 2 Address 192 168 1 55 rd5 1 2 Address 2001 DB8 1 12 rd6 3 4 Address 209 131 36 158 65 www real wa1 b yahoo com 4 4 CNAME POINTER TO 3 65 www yahoo...

Страница 909: ...tored in the cache Type This field includes Address which specifies the primary name for the owner and CNAME which specifies multiple domain names or aliases which are mapped to the same IP address as...

Страница 910: ...CHAPTER 39 Domain Name Service Commands 910...

Страница 911: ...cquire other non address configuration information such as a default gateway from a DHCPv6 server Table 133 DHCP Commands Command Group Function DHCP Client Allows interfaces to dynamically acquire IP...

Страница 912: ...service the client or the type of information to return The general framework for this DHCP option is set out in RFC 2132 Opton 60 This information is used to convey configuration settings or other i...

Страница 913: ...p dhcp restart client Console show ip interface Vlan 1 is Administrative Up Link Up Address is 12 34 12 34 12 34 bia 12 34 12 34 12 34 Index 1001 MTU 1500 Bandwidth 1g Address Mode is DHCP IP Address...

Страница 914: ...s are then ranked based on their advertised preference value If the client needs to acquire prefixes from servers only servers that have advertised prefixes are considered EXAMPLE The following comman...

Страница 915: ...ange of consecutive numbers separated by a hyphen or multiple numbers separated by commas Range 1 4093 no leading zeroes COMMAND MODE Privileged Exec EXAMPLE Console show ipv6 dhcp vlan 1 VLAN 1 is in...

Страница 916: ...CHAPTER 40 DHCP Commands DHCP Client 916...

Страница 917: ...segment IPV4 INTERFACE There are no IP addresses assigned to this switch by default You must manually configure a new address to manage the switch over your network or to connect the switch to existin...

Страница 918: ...ific IP address can be manually configured or the switch can be directed to obtain an address from a BOOTP or DHCP server Valid IP addresses consist of four numbers 0 to 255 separated by periods Anyth...

Страница 919: ...nt 912 ipv6 address 927 ip default gateway This command specifies the default gateway for destinations not found in the local routing tables Use the no form to remove a default gateway SYNTAX ip defau...

Страница 920: ...ce This command displays the settings of an IPv4 interface COMMAND MODE Privileged Exec EXAMPLE Console show ip interface Vlan 1 is Administrative Up Link Up Address is 00 E0 0C 00 00 FD via 00 E0 0C...

Страница 921: ...If the timer goes off before a response is returned the trace function prints a series of asterisks and the Request Timed Out message A long sequence of these messages terminating only when the maximu...

Страница 922: ...ination is unreachable Network or host unreachable The gateway found no corresponding entry in the route table When pinging a host name be sure the DNS server has been enabled see page 902 If necessar...

Страница 923: ...onfiguration COMMAND USAGE When a ARP entry expires it is deleted from the cache and an ARP request packet is sent to re establish the MAC address The aging time determines how long dynamic entries re...

Страница 924: ...mal Exec Privileged Exec COMMAND USAGE This command displays information about the ARP cache The first line shows the cache timeout It also shows each cache entry including the IP address MAC address...

Страница 925: ...e of the maximum transmission unit MTU for IPv6 packets sent on an interface IC show ipv6 default gateway Displays the current IPv6 default gateway NE PE show ipv6 interface Displays the usability and...

Страница 926: ...dress to indicate the appropriate number of zeros required to fill the undefined fields The same link local address may be used by different interfaces nodes in different zones RFC 4007 Therefore when...

Страница 927: ...te the appropriate number of zeros required to fill the undefined fields To connect to a larger network with multiple subnets you must configure a global unicast address This address can be manually c...

Страница 928: ...64 form of the interface identifier i e the switch s MAC address Use the no form to remove the address generated by this command SYNTAX no ipv6 address autoconfig DEFAULT SETTING No IPv6 addresses are...

Страница 929: ...l is 1000 milliseconds Console RELATED COMMANDS ipv6 address 927 show ipv6 interface 935 ipv6 address eui 64 This command configures an IPv6 address for an interface using an EUI 64 interface ID in th...

Страница 930: ...address The EUI 64 specification is designed for devices that use an extended 8 byte MAC address For devices that still use a 6 byte MAC address also known as EUI 48 format it must be converted into...

Страница 931: ...a specific address to remove it from the interface SYNTAX ipv6 address ipv6 address link local no ipv6 address ipv6 address link local ipv6 address The IPv6 address assigned to the interface DEFAULT...

Страница 932: ...00 72 FF02 1 FF00 FD FF02 1 IPv6 link MTU is 1500 bytes ND DAD is enabled number of DAD attempts 3 ND retransmit interval is 1000 milliseconds Console RELATED COMMANDS ipv6 enable 932 show ipv6 interf...

Страница 933: ...le show ipv6 interface Vlan 1 is up IPv6 is enable Link local address FE80 2E0 CFF FE00 FD 64 Global unicast address es 2001 DB8 2222 7273 72 96 subnet is 2001 DB8 2222 7273 96 Joined group address es...

Страница 934: ...enabled on an interface before the MTU can be set EXAMPLE The following example sets the MTU for VLAN 1 to 1280 bytes Console config interface vlan 1 Console config if ipv6 mtu 1280 Console config if...

Страница 935: ...work portion of the address COMMAND MODE Normal Exec Privileged Exec EXAMPLE This example displays all the IPv6 addresses configured for the switch Console show ipv6 interface Vlan 1 is up IPv6 is ena...

Страница 936: ...interface local multicast address is only used for loopback transmission of multicast traffic Link local multicast addresses cover the same types as used by link local unicast addresses including all...

Страница 937: ...ecived total received header errors too big errors no routes address errors unknown protocols truncated packets discards delivers reassembly request datarams reassembled succeeded reassembled failed I...

Страница 938: ...show ipv6 traffic display description Field Description IPv6 Statistics IPv6 recived total received The total number of input datagrams received by the interface including those received in error hea...

Страница 939: ...of discarded IPv6 fragments since some algorithms notably the algorithm in RFC 815 can lose track of the number of fragments by combining them as they are received This counter is incremented at the i...

Страница 940: ...CMPv6 Group Membership Query messages received by the interface group membership response messages The number of ICMPv6 Group Membership Response messages received by the interface group membership re...

Страница 941: ...er of Redirect messages sent For a host this object will always be zero since hosts do not send redirects group membership response messages The number of ICMPv6 Group Membership Response messages sen...

Страница 942: ...bytes COMMAND MODE Privileged Exec COMMAND USAGE Use the ping6 command to see if another site on the network can be reached or to evaluate delays over the path The same link local address may be used...

Страница 943: ...eady exists on the network before it is assigned to an interface Duplicate address detection is stopped on any interface that has been suspended see the vlan command While an interface is suspended al...

Страница 944: ...address FE80 200 E8FF FE90 0 64 TENTATIVE Global unicast address es 2009 DB9 2229 79 subnet is 2009 DB9 2229 0 64 TENTATIVE Joined group address es FF01 1 16 FF02 1 16 FF02 1 FF00 79 104 FF02 1 FF90 0...

Страница 945: ...4 Global unicast address es 2009 DB9 2229 79 subnet is 2009 DB9 2229 0 64 Joined group address es FF01 1 16 FF02 1 16 FF02 1 FF00 79 104 FF02 1 FF90 0 104 MTU is 1500 bytes ND DAD is enabled number of...

Страница 946: ...ic entries in the IPv6 neighbor cache Console clear ipv6 neighbors Console show ipv6 neighbors This command displays information in the IPv6 neighbor discovery cache SYNTAX show ipv6 neighbors vlan vl...

Страница 947: ...e neighbor was functioning While in REACH state the device takes no special action when sending packets STALE More than the ReachableTime interval has elapsed since the last positive confirmation was...

Страница 948: ...CHAPTER 41 IP Interface Commands IPv6 Interface 948...

Страница 949: ...949 SECTION IV APPENDICES This section provides additional information and includes these items Software Specifications on page 951 Troubleshooting on page 955 License Information on page 957...

Страница 950: ...SECTION IV Appendices 950...

Страница 951: ...uplex 1000 Mbps at full duplex 1000BASE SX LX LH 1000 Mbps at full duplex SFP FLOW CONTROL Full Duplex IEEE 802 3 2005 Half Duplex Back pressure STORM CONTROL Broadcast multicast or unicast traffic th...

Страница 952: ...policy maps and service policies MULTICAST FILTERING IGMP Snooping Layer 2 Multicast VLAN Registration ADDITIONAL FEATURES BOOTP Client DHCP Client DNS Client Proxy LLDP Link Layer Discover Protocol...

Страница 953: ...5 Ethernet Fast Ethernet Gigabit Ethernet Link Aggregation Control Protocol LACP Full duplex flow control ISO IEC 8802 3 IEEE 802 3ac VLAN tagging DHCP Client RFC 2131 HTTPS ICMP RFC 792 IGMP RFC 1112...

Страница 954: ...B II RFC 1213 P Bridge MIB RFC 2674P Port Access Entity MIB IEEE 802 1X Port Access Entity Equipment MIB Power Ethernet MIB RFC 3621 Private MIB Q Bridge MIB RFC 2674Q Quality of Service MIB RADIUS Au...

Страница 955: ...Telnet SSH sessions permitted Try connecting again at a later time Cannot connect using Secure Shell If you cannot connect using SSH you may have exceeded the maximum number of concurrent Telnet SSH...

Страница 956: ...sages reported to include all categories 3 Enable SNMP 4 Enable SNMP traps 5 Designate the SNMP host that is to receive the error messages 6 Repeat the sequence of commands or other actions that lead...

Страница 957: ...of free software and charge for this service if you wish that you receive source code or can get it if you want it that you can change the software or use pieces of it in new free programs and that yo...

Страница 958: ...notices stating that you changed the files and the date of any change b You must cause any work that you distribute or publish that in whole or in part contains or is derived from the Program or any p...

Страница 959: ...red to accept this License since you have not signed it However nothing else grants you permission to modify or distribute the Program or its derivative works These actions are prohibited by law if yo...

Страница 960: ...bution conditions are different write to the author to ask for permission For software which is copyrighted by the Free Software Foundation write to the Free Software Foundation we sometimes make exce...

Страница 961: ...y prioritizing packets based on the required level of service and then placing them in the appropriate output queue Data is transmitted from the queues using weighted round robin service to enforce pr...

Страница 962: ...and password is requested by the switch and then passed to an authentication server e g RADIUS for verification EAPOL is implemented as part of the IEEE 802 1X Port Authentication standard EUI Extend...

Страница 963: ...Ns to communicate across switched networks IEEE 802 1P An IEEE standard for providing quality of service QoS in Ethernet networks The standard uses packet tags that define up to eight traffic classes...

Страница 964: ...outing protocols in an simple tree that uses IGMP Proxy IGMP SNOOPING Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify...

Страница 965: ...llows IGMP enabled devices to determine where to send multicast source and group membership messages MULTICAST SWITCHING A process whereby the switch filters incoming multicast frames for services for...

Страница 966: ...ervice to selected traffic flows using features such as data prioritization queuing congestion avoidance and traffic shaping These features effectively provide preferential treatment to specific flows...

Страница 967: ...ion protocol that uses software running on a central server to control access to TACACS compliant devices on the network TCP IP Transmission Control Protocol Internet Protocol Protocol suite that incl...

Страница 968: ...of their physical location or connection point in the network A VLAN serves as a logical workgroup with no physical barriers and allows users to share information and resources as though located on t...

Страница 969: ...configure lp number 500 banner configure manager info 501 banner configure mux 501 banner configure note 502 boot system 511 bridge ext gvrp 782 C calendar set 544 capabilities 701 channel group 718 c...

Страница 970: ...870 ip igmp snooping 850 ip igmp snooping proxy reporting 851 ip igmp snooping querier 852 ip igmp snooping router alert option check 852 ip igmp snooping router port expire time 853 ip igmp snooping...

Страница 971: ...st 537 logging sendmail level 538 logging sendmail source email 539 logging trap 533 login 522 M mac access group 693 mac address table aging time 753 mac address table static 754 mac authentication i...

Страница 972: ...s map 846 show cluster 552 show cluster candidates 553 show cluster members 552 show dns 907 show dns cache 908 show dot1q tunnel 799 show dot1x 630 show garp timer 785 show gvrp configuration 786 sho...

Страница 973: ...lent time 526 snmp server 556 snmp server community 557 snmp server contact 557 snmp server enable port traps atc broadcast alarm clear 747 snmp server enable port traps atc broadcast alarm fire 748 s...

Страница 974: ...oice vlan priority 813 switchport voice vlan rule 813 switchport voice vlan security 814 T tacacs server 592 tacacs server host 593 tacacs server key 593 tacacs server port 594 test cable diagnostics...

Страница 975: ...690 time range 298 545 address table 185 753 aging time 188 753 aging time displaying 188 756 aging time setting 188 753 administrative users displaying 507 ARP ACL 310 675 ARP configuration 923 ARP i...

Страница 976: ...tion 833 classifying QoS traffic 236 834 color aware srTCM 244 839 color aware trTCM 245 841 color blind srTCM 244 839 color blind trTCM 245 841 committed burst size 244 246 837 839 841 committed info...

Страница 977: ...oping query parameters 444 snooping configuring 444 849 snooping immediate leave 453 859 IGMP services displaying 457 IGMP snooping configuring 451 849 enabling per interface 451 453 850 forwarding en...

Страница 978: ...74 logon authentication 273 583 encryption keys 262 590 593 RADIUS client 261 588 RADIUS server 261 588 sequence 259 586 587 settings 260 587 TACACS client 260 592 TACACS server 260 592 logon authenti...

Страница 979: ...cs 709 unknown unicast storm threshold 219 707 power savings configuring 148 power savings configuring 714 power savings enabling per port 148 714 priority default port ingress 221 820 private key 289...

Страница 980: ...540 542 specifying servers 105 542 software displaying version 90 508 downloading 94 512 version displaying 90 508 Spanning Tree Protocol See STA specifications software 951 srTCM police meter 244 83...

Страница 981: ...aying port members 795 displaying port members by interface 164 displaying port members by interface range 165 displaying port members by VLAN index 163 dynamic assignment 281 645 egress mode 161 792...

Страница 982: ...INDEX 982...

Страница 983: ......

Страница 984: ...ES3510MA E032010 ST R01 149100000046A...

Результаты поиска

Содержание ES3510MA

Отзывы:

Похожие инструкции для ES3510MA

Бренды по названию

Популярные бренды

Edge-Core ES3510MA, Руководство по управлению

Результаты поиска

Содержание ES3510MA

Отзывы:

Похожие инструкции для ES3510MA

Бренды по названию

Популярные бренды