24 Port 10/100 Layer 2 Managed Switch with 4 Gigabit Combo Ports Model: 065-7729 Active Management Guide
065-7729 E112008-R01/ST F1.1.3.
About This Guide

Purpose
This guide gives specific information on how to operate and use the management functions of the switch.

Audience
The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
Contents

Chapter 1: Introduction: Key Features; Description of Software Features; System Defaults.

Chapter 2: Initial Configuration: Connecting to the Switch; Configuration Options; Required Connections; Remote Connections; Basic Configuration; Console Connection; Setting Passwords; Setting an IP Address; Manual Configuration; Dynamic Configuration; Enabling SNMP Management Access; Community Strings (for SNMP version 1 and 2c clients); Trap Receivers; Configuring Access for SNMP Version 3 Clients; Managing S

Managing Firmware; Downloading System Software from a Server; Saving or Restoring Configuration Settings; Downloading Configuration Settings from a Server; Console Port Settings; Telnet Settings; Configuring Event Logging; System Log Configuration; Remote Log Configuration; Displaying Log Messages; Sending Simple Mail Transfer Protocol Alerts; Resetting the System; Setting the System Clock; Setting the Time Manually; Configuring SNTP; Configuring NTP; Setting the Time Zone; Simple Network Management Protocol; Enabling SNMP A

Authorization Summary; Configuring HTTPS; Replacing the Default Secure-site Certificate; Configuring the Secure Shell; Generating the Host Key Pair; Importing User Public Keys; Configuring the SSH Server; Configuring 802.1X Port Authentication; Displaying 802.1X Global Settings; Configuring 802.1X Global Settings; Configuring Port Settings for 802.1X; Displaying 802.

Creating Trunk Groups; Statically Configuring a Trunk; Enabling LACP on Selected Ports; Configuring Parameters for LACP Group Members; Displaying LACP Port Counters; Displaying LACP Settings and Status for the Local Side; Displaying LACP Settings and Status for the Remote Side; Setting Broadcast Storm Thresholds; Configuring Port Mirroring; Configuring Rate Limits; Rate Limit Configuration; Showing Port Statistics; Address Table Settings; Setting Static Addresses; Displaying the Address Table; Changing the Aging Time; Span

Displaying Private VLAN Interface Information; Configuring Private VLAN Interfaces; Protocol VLANs; Configuring Protocol VLAN Groups; Configuring the Protocol VLAN System; Link Layer Discovery Protocol; Setting LLDP Timing Attributes; Configuring LLDP Interface Attributes; Displaying LLDP Local Device Information; Displaying LLDP Remote Port Information; Displaying LLDP Remote Information Details; Displaying Device Statistics; Displaying Detailed Device Statistics; Class of Service Configuration; Layer 2 Queue Settings; S

Configuring IGMP Filtering and Throttling for Interfaces; Multicast VLAN Registration; Configuring Global MVR Settings; Displaying MVR Interface Status; Displaying Port Members of Multicast Groups; Configuring MVR Interface Status; Assigning Static Multicast Groups to Interfaces; Configuring MVR Receiver VLAN and Group Addresses; Displaying MVR Receiver Groups; Configuring Static MVR Receiver Group Members; Switch Clustering; Configuring General Settings for Clusters; Configuring Cluster Members; Displaying Information

Command reference (excerpt):

reload; show reload; prompt; end; exit; quit. System Management Commands. Device Designation Commands: hostname. Banner Information Commands: banner configure; banner configure company; banner configure dc-power-info; banner configure department; banner configure equipment-info; banner configure equipment-location; banner configure ip-lan; banner configure lp-number; banner configure manager-info; banner configure mux; banner configure note; show banner. System Status Commands: show startup-config; show running-config; show system

silent-time; databits; parity; speed; stopbits; disconnect; show line. Event Logging Commands: logging on; logging history; logging host; logging facility; logging trap; clear log; show logging; show log. SMTP Alert Commands: logging sendmail host; logging sendmail level; logging sendmail source-email; logging sendmail destination-email; logging sendmail; show logging sendmail. Time Commands: sntp client; sntp server; sntp poll; show sntp; ntp client; ntp server; ntp poll; ntp authenticate; ntp authentication-key; show ntp; clock timezone-p

cluster commander; cluster ip-pool; cluster member; rcommand; show cluster; show cluster members; show cluster candidates. UPnP Commands: upnp device; upnp device ttl; upnp device advertise duration; show upnp. SNMP Commands: snmp-server; show snmp; snmp-server community; snmp-server contact; snmp-server location; snmp-server host; snmp-server enable traps; snmp-server engine-id; show snmp engine-id; snmp-server view; show snmp view; snmp-server group; show snmp group; snmp-server user; show snmp user. Authentication Commands: User Acc

TACACS+ Client: tacacs-server host; tacacs-server port; tacacs-server key; tacacs-server retransmit; tacacs-server timeout; show tacacs-server. AAA Commands: aaa group server; server; aaa accounting dot1x; aaa accounting exec; aaa accounting commands; aaa accounting update; accounting dot1x; accounting exec; accounting commands; aaa authorization exec; authorization exec; show accounting. Web Server Commands: ip http port; ip http server; ip http secure-server; ip http secure-port. Telnet Server Commands: ip telnet server. Secure She

dot1x port-control; dot1x operation-mode; dot1x re-authenticate; dot1x re-authentication; dot1x timeout quiet-period; dot1x timeout re-authperiod; dot1x timeout tx-period; dot1x intrusion-action; show dot1x. Management IP Filter Commands: management; show management. General Security Measures. Port Security Commands: port security. Network Access (MAC Address Authentication): network-access mode; network-access max-mac-count; network-access dynamic-vlan; network-access guest-vlan; mac-authentication reauth-time; mac-authenticat

ip dhcp snooping information policy; ip dhcp snooping database flash; clear ip dhcp snooping database flash; show ip dhcp snooping; show ip dhcp snooping binding. IP Source Guard Commands: ip source-guard; ip source-guard binding; show ip source-guard; show ip source-guard binding. Access Control List Commands. IP ACLs: access-list ip; permit, deny (Standard ACL); permit, deny (Extended ACL); show ip access-list; ip access-group; show ip access-group. MAC ACLs: access-list mac; permit, deny (MAC ACL); show mac access-list; mac a

lacp; lacp system-priority; lacp admin-key (Ethernet Interface); lacp admin-key (Port Channel); lacp port-priority; show lacp. Mirror Port Commands: port monitor; show port monitor. Rate Limit Commands: rate-limit. Address Table Commands: mac-address-table static; clear mac-address-table dynamic; show mac-address-table; mac-address-table aging-time; show mac-address-table aging-time. Spanning Tree Commands: spanning-tree; spanning-tree mode; spanning-tree forward-time; spanning-tree hello-time; spanning-tree max-age; spanning-tre

show spanning-tree; show spanning-tree mst configuration. VLAN Commands. GVRP and Bridge Extension Commands: bridge-ext gvrp; show bridge-ext; switchport gvrp; show gvrp configuration; garp timer; show garp timer. Editing VLAN Groups: vlan database; vlan. Configuring VLAN Interfaces: interface vlan; switchport mode; switchport acceptable-frame-types; switchport ingress-filtering; switchport native vlan; switchport allowed vlan; switchport forbidden vlan. Displaying VLAN Information: show vlan. Configuring IEEE 802.

protocol-vlan protocol-group (Configuring VLANs); show protocol-vlan protocol-group; show protocol-vlan protocol-group-vid. Configuring Voice VLANs: voice vlan; voice vlan aging; voice vlan mac-address; switchport voice vlan; switchport voice vlan rule; switchport voice vlan security; switchport voice vlan priority; show voice vlan. LLDP Commands: lldp; lldp holdtime-multiplier; lldp medFastStartCount; lldp notification-interval; lldp refresh-interval; lldp reinit-delay; lldp tx-delay; lldp admin-status; lldp notification; lldp

show lldp info remote-device; show lldp info statistics. Class of Service Commands. Priority Commands (Layer 2): queue mode; switchport priority default; queue cos-map; show queue mode; show queue bandwidth; show queue cos-map. Priority Commands (Layer 3 and 4): map ip dscp (Global Configuration); map ip dscp (Interface Configuration); show map ip dscp. Quality of Service Commands: class-map; match; rename; description; policy-map; class; set; police; service-policy; show class-map; show policy-map; show policy-map interface. Multica

Static Multicast Routing Commands: ip igmp snooping vlan mrouter; show ip igmp snooping mrouter. IGMP Filtering and Throttling Commands: ip igmp filter (Global Configuration); ip igmp profile; permit, deny; range; ip igmp filter (Interface Configuration); ip igmp max-groups; ip igmp max-groups action; show ip igmp filter; show ip igmp profile; show ip igmp throttle interface. Multicast VLAN Registration Commands: mvr (Global Configuration); mvr (Interface Configuration); show mvr. IP Interface Commands: ip address; ip default-
Chapter 1: Introduction

This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
Table 1-1 Key Features (continued)
Virtual LANs – Up to 255 using IEEE 802.
filtering for SNMP/web/Telnet management access, and MAC address filtering for port access. Access Control Lists – ACLs provide packet filtering for IP frames (based on address, protocol, or TCP/UDP port number or TCP control code) or any frames (based on MAC address or Ethernet type). ACLs can be used to improve performance by blocking unnecessary network traffic or to implement security controls by restricting access to specific network resources or protocols.
and have been verified for accuracy with the cyclic redundancy check (CRC). This prevents bad frames from entering the network and wasting bandwidth. To avoid dropping frames on congested ports, this switch provides 1 Mbits for frame buffering. This buffer can queue packets awaiting transmission on congested networks. Spanning Tree Algorithm – This switch supports these spanning tree protocols: Spanning Tree Protocol (STP, IEEE 802.
Traffic Prioritization – This switch prioritizes each packet based on the required level of service, using four priority queues with strict priority or Weighted Round Robin Queuing. They use IEEE 802.1p and 802.1Q tags to prioritize incoming traffic based on input from the end-station application. These functions can be used to provide independent priorities for delay-sensitive data and best-effort data.
Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1ab standard, and can include details such as device identification, capabilities and configuration settings. Media Endpoint Discovery (LLDP-MED) is an extension of LLDP intended for managing endpoint devices such as Voice over IP phones and network switches. The LLDP-MED TLVs advertise information such as network policy, power, inventory, and device location details.
Table 1-2 System Defaults (continued)
Authentication: Privileged Exec Level – Username “admin”, Password “admin”; Normal Exec Level – Username “guest”, Password “guest”; Enable Privileged Exec from Normal Exec Level – Password “super”; RADIUS Authentication – Disabled; TACACS Authentication – Disabled. Web Management; SNMP; Port Configuration; Port Trunking; Congestion Control; 802.

Table 1-2 System Defaults (continued)
Address Table: Aging Time – 300 seconds. Spanning Tree Algorithm: Status – Enabled, RSTP (Defaults: All values based on IEEE 802.

Table 1-2 System Defaults (continued)
IP Source Guard: Status – Disabled (all ports). Switch Clustering: Status – Enabled; Commander – Disabled.
Chapter 2: Initial Configuration

Connecting to the Switch

Configuration Options
This switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON (Groups 1, 2, 3, 9) and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).

Note: The IP address for this switch is obtained via DHCP by default. To change this address, see “Setting an IP Address” on page 2-4.
• Configure Class of Service (CoS) priority queuing
• Configure up to 8 static or LACP trunks
• Enable port mirroring
• Set broadcast storm control on any port
• Display system information and statistics

Required Connections
The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch. A null-modem console cable is provided with the switch. Attach a VT100-compatible terminal, or a PC running a terminal emulation program, to the switch.
Remote Connections
Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. The IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address” on page 2-4.

Note: This switch supports four concurrent Telnet/SSH sessions.
Setting Passwords

Note: If this is your first time logging into the CLI program, you should define new passwords for both default user names using the “username” command, record them and put them in a safe place.

Passwords can consist of up to 8 alphanumeric characters and are case sensitive. To prevent unauthorized access to the switch, set the passwords as follows:

1. Open the console interface with the default user name and password “admin” to access the Privileged Exec level.
2.
Note: The IP address for this switch is obtained via DHCP by default.

Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:
• IP address for the switch
• Default gateway for the network
• Network mask for this network

To assign an IP address to the switch, complete the following steps:

1. From the Privileged Exec level global configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>.
2. At the interface-configuration mode prompt, use one of the following commands:
   • To obtain IP settings via DHCP, type “ip address dhcp” and press <Enter>.
   • To obtain IP settings via BOOTP, type “ip address bootp” and press <Enter>.
3. Type “end” to return to the Privileged Exec mode. Press <Enter>.
4. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>.
5.
The default strings are:
• public – with read-only access. Authorized management stations are only able to retrieve MIB objects.
• private – with read-write access. Authorized management stations are able to both retrieve and modify MIB objects.

To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings. To configure a community string, complete the following steps:

1.
Configuring Access for SNMP Version 3 Clients
To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of MIB that the client can read or write, assign the view to a group, and then assign the user to a group. The following example creates one view called “mib-2” that includes the entire MIB-2 tree branch, and then another view that includes the IEEE 802.1d bridge MIB.
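The two preceding sections, “Setting Passwords” and “Community Strings”, tell you to replace the factory defaults (“admin”/“admin”, “guest”/“guest”, the “super” enable password, and the “public”/“private” community strings) before the switch is reachable over the network. The script below is an added example, not part of this guide or the switch firmware: it reads a saved configuration file (for instance the startup file copied to a TFTP server) and flags any of those defaults that are still present, along with clear-text (type 0) passwords and the plain-text Telnet and HTTP servers. The configuration text is constructed by hand to mimic the “snmp-server community”, “username … password {0|7}”, “enable password level … {0|7}”, “ip http server” and “ip telnet server” lines of this switch family; the exact wording on your unit is an assumption to check against your own “show running-config” output, and the type-7 strings are placeholders, not real hashes.

```python
# Added example (not from the Signamax guide or switch firmware): audit a saved
# switch configuration for the management-access defaults the guide says to change.
# Line patterns are assumptions modelled on this switch family's running-config
# syntax; compare them with your own 'show running-config' output.
import re

DEFAULT_COMMUNITIES = {"public", "private"}              # guide: default RO / RW strings
DEFAULT_ACCOUNTS = {"admin": "admin", "guest": "guest"}  # guide: default user logins
DEFAULT_ENABLE_PASSWORD = "super"                        # guide: default enable password

# Constructed sample config with the defaults still in place. PLACEHOLDER7x
# strings stand in for the type-7 (encrypted) values a real unit would print.
WEAK_CONFIG = """\
hostname Switch-1
!
snmp-server community public ro
snmp-server community private rw
snmp-server community netops-ro ro
!
username admin access-level 15
username admin password 0 admin
username guest access-level 0
username guest password 0 guest
username netadmin access-level 15
username netadmin password 0 N3tAdm1n-pass
enable password level 15 0 super
!
ip http server
ip http secure-server
ip telnet server
!
"""

# Constructed sample config after the defaults have been replaced.
HARDENED_CONFIG = """\
hostname Switch-1
!
snmp-server community netops-ro ro
!
username admin access-level 15
username admin password 7 PLACEHOLDER7B
username guest access-level 0
username guest password 7 PLACEHOLDER7C
enable password level 15 7 PLACEHOLDER7D
!
ip http secure-server
!
"""

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (ro|rw)$")
USER_PW_RE = re.compile(r"^username (\S+) password ([07]) (\S+)$")
ENABLE_PW_RE = re.compile(r"^enable password level (\d+) ([07]) (\S+)$")


def audit_config(text):
    """Return a list of (finding, detail) tuples; empty when nothing is flagged."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            if m.group(1) in DEFAULT_COMMUNITIES:
                findings.append(("default-community", f"{m.group(1)} ({m.group(2)})"))
            continue
        m = USER_PW_RE.match(line)
        if m:
            user, enc, pw = m.groups()
            # Type 0 means the password is stored in clear text in this file, so
            # a default password can only be recognised in a type-0 entry.
            if enc == "0" and DEFAULT_ACCOUNTS.get(user) == pw:
                findings.append(("default-password", user))
            elif enc == "0":
                findings.append(("cleartext-password", user))
            continue
        m = ENABLE_PW_RE.match(line)
        if m:
            if m.group(2) == "0" and m.group(3) == DEFAULT_ENABLE_PASSWORD:
                findings.append(("default-enable-password", f"level {m.group(1)}"))
            continue
        if line == "ip http server":
            findings.append(("http-enabled", "use ip http secure-server instead"))
        elif line == "ip telnet server":
            findings.append(("telnet-enabled", "prefer SSH"))
    return findings


def is_clean(text):
    """True when the audit raises no findings."""
    return not audit_config(text)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg))
```

Run the file as-is to see the findings for both constructed samples, or call audit_config() on the text of a configuration you downloaded from the switch. Because a real running-config stores passwords as type 7, the default-password check only fires on clear-text entries; the community-string, enable-password, HTTP and Telnet checks work on either form.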
Due to the size limit of the flash memory, the switch supports only one operation code file. However, you can have as many diagnostic code files and configuration files as available flash memory space allows. Transferring a new operation code file to the switch will overwrite the existing file. In the system flash memory, one file of each type must be set as the start-up file.
Chapter 3: Configuring the Switch

Using the Web Interface
This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, Netscape 6.2 or above, or Mozilla Firefox 2.0.0.0 or above).
Navigating the Web Browser Interface
To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.”

Home Page
When your web browser connects with the switch’s web agent, the home page is displayed as shown below. The home page displays the Main Menu on the left side of the screen and System Information on the right side.
Configuration Options
Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.

Table 3-1 Configuration Options
Revert – Cancels specified values and restores current values prior to pressing Apply.
Apply – Sets specified values to the system.
Help – Links directly to webhelp.

Notes: 1.
Main Menu
Using the onboard web agent, you can define system parameters, manage and control the switch and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Table 3-2 Main Menu (continued)
SNMPv3 (page 3-44): Engine ID – Sets the SNMP v3 engine ID on this switch (3-44); Remote Engine ID – Sets the SNMP v3 engine ID for a remote device (3-45); Users – Configures SNMP v3 users on this switch (3-46); Remote Users – Configures SNMP v3 users from a remote device (3-48); Groups – Configures SNMP v3 groups (3-50); Views – Configures SNMP v3 views (3-54). Security (3-55): User Accounts – Assigns a new password for the current user (3-56); Authentication Settings – Co

Table 3-2 Main Menu (continued)
Port Security – Configures per port security, including status, response for security breach, and maximum allowed MAC addresses. 802.1X (3-88): Information – Displays global configuration settings for 802.

Table 3-2 Main Menu (continued)
Port Broadcast Control – Sets the broadcast storm threshold for each port (3-144); Trunk Broadcast Control – Sets the broadcast storm threshold for each trunk (3-144); Mirror Port Configuration – Sets the source and target ports for mirroring (3-146). Rate Limit (3-147): Input Port Configuration – Sets the input rate limit for each port (3-147); Input Trunk Configuration – Sets the input rate limit for each trunk (3-147); Output Port Configuration – Sets the outp

Table 3-2 Main Menu (continued)
Current Table – Shows the current port members of each VLAN and whether or not the port is tagged or untagged (3-182); Static List – Used to create or remove VLAN groups (3-184); Static Table – Modifies the settings for an existing VLAN (3-186); Static Membership by Port – Configures membership type for interfaces, including tagged, untagged or forbidden (3-188); Port Configuration – Specifies default PVID and VLAN attributes (3-189); Trunk Configuration – Specif

Table 3-2 Main Menu (continued)
Remote Port Information – Displays LLDP information about a remote device connected to a port on this switch (3-215); Remote Trunk Information – Displays LLDP information about a remote device connected to a trunk on this switch (3-215); Remote Information Details – Displays detailed LLDP information about a remote device connected to this switch (3-216); Device Statistics – Displays LLDP statistics for all connected remote devices (3-218); Device Statistics

Table 3-2 Main Menu (continued)
Static Multicast Router Port Configuration – Assigns ports that are attached to a neighboring multicast router (3-249); IP Multicast Registration Table – Displays all multicast groups active on this switch, including multicast IP addresses and VLAN ID (3-250); IGMP Member Port Table – Indicates multicast addresses associated with the selected VLAN (3-251); IGMP Filter Profile Configuration – Configures IGMP Filter Profiles (3-253); IGMP Filter/Throttling Port
Table 3-2 Main Menu (continued)
Port Configuration – Enables IP source guard and selects filter type per port (3-123); Static Configuration – Adds a static address to the source-guard binding table (3-125); Dynamic Information – Displays the source-guard binding table for a selected interface (3-126). Cluster (3-268): Configuration – Globally enables clustering for the switch (3-268); Member Configuration – Adds switch Members to the cluster (3-270); Member Information – Displays cluster Memb
Basic Configuration
This section describes the basic functions required to set up management access to the switch, display or upgrade operating software, or reset the system.

Displaying System Information
You can easily identify the system by displaying the device name, location and contact information.

Field Attributes
• System Name – Name assigned to the switch system.
• Object ID – MIB II object ID for switch’s network management subsystem.
• Location – Specifies the system location.
Web – Click System, System Information. Specify the system name, location, and contact information for the system administrator, then click Apply. (This page also includes a Telnet button that allows access to the Command Line Interface via Telnet.) Figure 3-3 System Information CLI – Specify the hostname, location and contact information.
Displaying Switch Hardware/Software Versions
Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system.

Field Attributes
Main Board
• Serial Number – The serial number of the switch.
• Number of Ports – Number of built-in RJ-45 ports.
• Hardware Version – Hardware version of the main board.
• Internal Power Status – Displays the status of the internal power supply.
CLI – Use the following command to display version information.

Console#show version
Serial Number:           A733006612
Hardware Version:        R01
EPLD Version:            0.07
Number of Ports:         28
Main Power Status:       Up
Redundant Power Status:  Not present
Agent (Master)
Unit ID:                 1
Loader Version:          1.0.0.1
Boot ROM Version:        1.0.0.8
Operation Code Version:  1.1.3.
Web – Click System, Bridge Extension Configuration. Figure 3-5 Bridge Extension Configuration CLI – Enter the following command.
Command Attributes
• Management VLAN – ID of the configured VLAN (1-4094). By default, all ports on the switch are members of VLAN 1. However, the management station can be attached to a port belonging to any VLAN, as long as that VLAN has been assigned an IP address.
• IP Address Mode – Specifies whether IP functionality is enabled via manual configuration (Static), Dynamic Host Configuration Protocol (DHCP), or Boot Protocol (BOOTP).
CLI – Specify the management interface, IP address and default gateway.

Console#config
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.254 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 0.0.0.0
Console(config)#

Using DHCP/BOOTP
If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services.

Web – Click System, IP Configuration.

CLI – Specify the management interface, set the IP address mode to DHCP or BOOTP, and then enter the “ip dhcp restart” command.

Console#config
Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#end
Console#ip dhcp restart
Console#show ip interface
IP address and netmask: 192.168.1.254 255.255.255.0 on VLAN 1,
and address mode: DHCP
Console#

Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time.
Command Attributes
Jumbo Packet Status – Check the box to enable jumbo frames.

Web – Click System, Jumbo Frames.

Figure 3-8 Jumbo Frames Configuration

CLI – Enter the following command.

Console(config)#jumbo frame
Console(config)#

Managing Firmware
You can upload/download firmware to or from a TFTP server. Just specify the method of file transfer, along with the file type and file names as required.
Downloading System Software from a Server
When downloading runtime code, the new operation code file will overwrite the existing file. Versions of the code prior to 1.1.0.10 require the operation code file being transferred to have the same destination file name as the existing code file for the transfer to succeed.

Web – Click System, File Management, Copy Operation.
CLI – To download new firmware from a TFTP server, enter the IP address of the TFTP server, select “opcode” as the file type, then enter the source and destination file names. When the file has finished downloading, restart the switch for the new code to take effect. To start the new firmware, enter the “reload” command or reboot the system.

Console#copy tftp file
TFTP server ip address: 192.168.1.23
Choose file type:
 1. config: 2. opcode: <1-2>:
Source file name: runtime.
Downloading Configuration Settings from a Server
You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be copied to the TFTP server, but cannot be used as the destination on the switch.

Web – Click System, File Management, Copy Operation.
CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch.

Console#copy tftp startup-config
TFTP server ip address: 192.168.1.19
Source configuration file name: config-1
Startup configuration file name [] : startup
\Write to FLASH Programming.
-Write to FLASH finish.
Success.
• Speed – Sets the terminal line’s baud rate for transmit (to terminal) and receive (from terminal). Set the speed to match the baud rate of the device connected to the serial port. (Range: 9600, 19200, or 38400 baud; Default: 9600 baud)
• Stop Bits – Sets the number of the stop bits transmitted per byte. (Range: 1-2; Default: 1 stop bit)
• Password1 – Specifies a password for the line connection. When a connection is started on a line with password protection, the system prompts for the password.
CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level.
• Login2 – Enables password checking at login. You can select authentication by a single global password as configured for the Password parameter, or by passwords set up for specific user-name accounts. (Default: Local)

Web – Click System, Line, Telnet. Specify the connection parameters for Telnet access, then click Apply.

Figure 3-14 Enabling Telnet

CLI – Enter Line Configuration mode for a virtual terminal, then specify the connection parameters as required.
Configuring Event Logging
The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory and logging to a remote System Log (syslog) server, and it displays a list of recent event messages.

System Log Configuration
The system allows you to enable or disable event logging, and specify which levels are logged to RAM or flash memory.
Web – Click System, Log, System Logs. Specify System Log Status, set the level of event messages to be logged to RAM and flash memory, then click Apply.

Figure 3-15 System Logs

CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory. Use the show logging command to display the current settings.
Web – Click System, Log, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove.

Figure 3-16 Remote Logs

CLI – Enter the syslog server host IP address, choose the facility type and set the logging trap.

Console(config)#logging host 192.168.1.
Displaying Log Messages
The Logs page allows you to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.
Web – Click System, Log, Logs.
Figure 3-17 Displaying Logs
CLI – This example shows the event messages stored in RAM.
Console#show log ram
[1] 00:00:27 2001-01-01
"VLAN 1 link-up notification.
• Email Destination Address List – Specifies the email recipients of alert messages. You can specify up to five recipients. Use the New Email Destination Address text field and the Add/Remove buttons to configure the list.
• Email Destination Address – This command specifies SMTP servers that may receive alert messages.
Web – Click System, Log, SMTP. To add an IP address to the Server IP List, type the new IP address in the Server IP Address box, and then click Add.
CLI – Enter the host IP address, followed by the mail severity level, source and destination email addresses, and enter the sendmail command to complete the action. Use the show logging command to display SMTP information.
Console(config)#logging sendmail host 192.168.1.4
Console(config)#logging sendmail level 3
Console(config)#logging sendmail source-email big-wheels@matel.com
Console(config)#logging sendmail destination-email chris@matel.
Web – Click System, Reset. Enter the amount of time the switch should wait before rebooting. Click the Reset button to reboot the switch or click the Cancel button to cancel a configured reset. If prompted, confirm that you want to reset the switch or cancel a configured reset.
Figure 3-19 Resetting the System
CLI – Use the reload command to restart the switch. When prompted, confirm that you want to reset the switch.
Console#reload in hour 5 minute 0
The switch will be rebooted at Jan 1 05:46:36 2001.
Setting the Time Manually
You can set the system time on the switch manually without using SNTP.
CLI – This example sets the system clock time and then displays the current time and date.
Console#calendar set 17 46 00 october 18 2008
Console#show calendar
17:46:11 October 18 2008
Console#
Configuring SNTP
You can configure the switch to send time synchronization requests to time servers.
Command Attributes
• SNTP Client – Configures the switch to operate as an SNTP client.
CLI – This example configures the switch to operate as an SNTP unicast client and then displays the current time and settings.
Console(config)#sntp server 10.1.0.19 137.82.140.80 128.250.36.2
Console(config)#sntp poll 60
Console(config)#sntp client
Console(config)#exit
Console#show sntp
Current time: Jan 6 14:56:05 2004
Poll interval: 60
Current mode: unicast
SNTP status : Enabled
SNTP server 10.1.0.19 137.82.140.80 128.250.36.2
Current server: 128.250.36.
Web – Select SNTP, Configuration. Modify any of the required NTP parameters, and click Apply.
Figure 3-21 NTP Client Configuration
CLI – This example configures the switch to operate as an NTP client and then displays the current settings.
Console(config)#ntp authentication-key 19 md5 thisiskey19
Console(config)#ntp authentication-key 30 md5 ntpkey30
Console(config)#ntp server 192.168.3.20
Console(config)#ntp server 192.168.3.21
Console(config)#ntp server 192.168.4.
Setting the Time Zone
SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
Command Attributes
• Current Time – Displays the current time.
• Name – Assigns a name to the time zone.
of the information controlled by the agent. SNMP defines both the format of the MIB specifications and the protocol used to access this information over the network. The switch includes an onboard agent that supports SNMP versions 1, 2c, and 3. This agent continuously monitors the status of the switch hardware, as well as the traffic passing through its ports. A network management station can access this information using software such as HP OpenView.
Enabling SNMP Agent Status
Enables SNMPv3 service for all management clients (i.e., versions 1, 2c, 3).
Command Attributes
SNMP Agent Status – Check the box to enable or disable the SNMP Agent.
Web – Click SNMP, Agent Status.
Figure 3-23 Enabling SNMP Agent Status
CLI – The following example enables SNMP on the switch.
Web – Click SNMP, Configuration. Add new community strings as required, select the access rights from the Access Mode drop-down list, then click Add.
Figure 3-24 Configuring SNMP Community Strings
CLI – The following example adds the string “spiderman” with read/write access.
Console(config)#snmp-server community spiderman rw
Console(config)#
Specifying Trap Managers and Trap Types
Traps indicating status changes are issued by the switch to specified trap managers.
To send an inform to an SNMPv2c host, complete these steps:
1. Enable the SNMP agent (page 3-40).
2. Enable trap informs as described in the following pages.
3. Create a view with the required notification messages (page 3-54).
4. Create a group that includes the required notify view (page 3-50).
To send an inform to an SNMPv3 host, complete these steps:
1. Enable the SNMP agent (page 3-40).
2. Enable trap informs as described in the following pages.
3.
• Enable Authentication Traps – Issues a notification message to specified IP trap managers whenever an invalid community string is submitted during the SNMP access authentication process. (Default: Enabled)
• Enable Link-up and Link-down Traps – Issues a notification message whenever a port link is established or broken. (Default: Enabled)
Web – Click SNMP, Configuration.
Configuring SNMPv3 Management Access
To configure SNMPv3 management access to the switch, follow these steps:
1. If you want to change the default engine ID, it must be changed before configuring other parameters.
2. Specify read and write access views for the switch MIB tree.
3. Configure SNMP user groups with the required security model (i.e., SNMP v1, v2c or v3) and security level (i.e., authentication and privacy).
4.
Specifying a Remote Engine ID
To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides. The remote engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host. SNMP passwords are localized using the engine ID of the authoritative agent. For informs, the authoritative SNMP agent is the remote agent.
Configuring SNMPv3 Users
Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view.
Command Attributes
• User Name – The name of the user connecting to the SNMP agent. (Range: 1-32 characters)
• Group Name – The name of the SNMP group to which the user is assigned. (Range: 1-32 characters)
• Security Model – The user security model; SNMP v1, v2c or v3.
Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete. To change the assigned group of a user, click Change Group in the Actions column of the users table and select the new group.
Configuring Remote SNMPv3 Users
Each SNMPv3 user is defined by a unique name. Users must be configured with a specific security level and assigned to a group. The SNMPv3 group restricts users to a specific read, write, and notify view. To send inform messages to an SNMPv3 user on a remote device, you must first specify the engine identifier for the SNMP agent on the remote device where the user resides.
Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
Figure 3-29 Configuring Remote SNMPv3 Users
CLI – Use the snmp-server user command to configure a new user name and assign it to a group.
Console(config)#snmp-server user mark group r&d remote 192.168.1.
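The remote engine ID sections above (Specifying a Remote Engine ID, Configuring Remote SNMPv3 Users) rest on RFC 3414 key localization: the password is hashed into Ku and then bound to the authoritative engine as Kul = H(Ku || engineID || Ku), so a user localized under the wrong engine ID cannot authenticate an inform. The following is an added example (not code from the manual or the vendor); the function names and the second engine ID are this example's own assumptions, while the "maplesyrup" password and 12-byte engine ID are the published RFC 3414 Appendix A test vector.

```python
"""Added example, not from the Signamax manual: RFC 3414 password-to-key and
key localization, the mechanism behind the statement that SNMPv3 passwords are
localized using the engine ID of the authoritative agent.  The password and
engine IDs below are constructed test values (the "maplesyrup" pair is the
RFC 3414 Appendix A test vector); the function names are this example's own."""
import hashlib

ONE_MEGABYTE = 1_048_576  # RFC 3414 A.2: hash exactly 1,048,576 bytes of password


def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """Ku = H(password repeated to 1 MB).  Not yet tied to any engine."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key actually used on the wire."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id: bytes, algo: str = "md5") -> bytes:
    """Convenience wrapper: password -> Ku -> Kul for one engine ID."""
    return localize_key(password_to_key(password.encode(), algo), engine_id, algo)


def inform_keys_agree(password: str, sender_engine_id: bytes,
                      receiver_engine_id: bytes, algo: str = "md5") -> bool:
    """Models the inform case described on the page: the receiving (remote)
    agent is authoritative, so the sender must localize under the receiver's
    engine ID.  Returns True only when both sides derive the same Kul."""
    return (localized_key(password, sender_engine_id, algo)
            == localized_key(password, receiver_engine_id, algo))


# Constructed engine IDs: the RFC 3414 test value and a second, different one.
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
OTHER_ENGINE_ID = bytes.fromhex("000000000000000000000003")

if __name__ == "__main__":
    print("Ku  (md5):", password_to_key(b"maplesyrup").hex())
    print("Kul (md5):", localized_key("maplesyrup", RFC_ENGINE_ID).hex())
    # Same password, but the sender localized under its own engine ID instead
    # of the remote one: the authentication digests will not verify.
    print("remote ID used :", inform_keys_agree("maplesyrup", RFC_ENGINE_ID, RFC_ENGINE_ID))
    print("local ID used  :", inform_keys_agree("maplesyrup", OTHER_ENGINE_ID, RFC_ENGINE_ID))
```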
Table 3-5 Supported Notification Messages
Object Label / Object ID / Description
newRoot / 1.3.6.1.2.1.17.0.1 / The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its election.
topologyChange / 1.3.6.1.2.1.17.0.
Table 3-5 Supported Notification Messages (Continued)
Object Label / Object ID / Description
risingAlarm / 1.3.6.1.2.1.16.0.1 / The SNMP trap that is generated when an alarm entry crosses its rising threshold and generates an event that is configured for sending SNMP traps.
fallingAlarm / 1.3.6.1.2.1.16.0.2 / The SNMP trap that is generated when an alarm entry crosses its falling threshold and generates an event that is configured for sending SNMP traps.
swPowerStatusChangeTrap / 1.3.6.1.4.1.259.6.10.94.1.101.
Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read and write views. Click Add to save the new group and return to the Groups list. To delete a group, check the box next to the group name, then click Delete.
Setting SNMPv3 Views
SNMPv3 views are used to restrict user access to specified portions of the MIB tree. The predefined view “defaultview” includes access to the entire MIB tree.
Command Attributes
• View Name – The name of the SNMP view. (Range: 1-64 characters)
• View OID Subtrees – Shows the currently configured object identifiers of branches within the MIB tree that define the SNMP view.
• Edit OID Subtrees – Allows you to configure the object identifiers of branches within the MIB tree.
CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries.
Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
Console(config)#exit
Console#show snmp view
View Name: ifEntry.a
Subtree OID: 1.3.6.1.2.1.2.2.1.1.*
View Type: included
Storage Type: nonvolatile
Row Status: active
View Name: readaccess
Subtree OID: 1.3.6.1.
Configuring User Accounts
The guest only has read access for most configuration parameters. However, the administrator has write access for all parameters governing the onboard agent. You should therefore assign a new administrator password as soon as possible, and store it in a safe place. The default guest name is “guest” with the password “guest.” The default administrator name is “admin” with the password “admin.
Web – Click Security, User Accounts. To configure a new user account, specify a user name, select the user’s access level, then enter a password and confirm it. Click Add to save the new user account and add it to the Account List. To change the password for a specific user, enter the user name and new password, confirm the password by entering it again, then click Apply.
Figure 3-32 Access Levels
CLI – Assign a user name to access-level 15 (i.e., administrator), then specify the password.
Configuring Local/Remote Logon Authentication
Use the Authentication Settings menu to restrict management access based on specified user names and passwords. You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols.
Command Attributes
• Authentication – Select the authentication, or authentication sequence required:
- Local – User authentication is performed only locally by the switch.
- RADIUS – User authentication is performed using a RADIUS server only.
- TACACS – User authentication is performed using a TACACS+ server only.
- [authentication sequence] – User authentication is performed by up to three authentication methods in the indicated sequence.
• TACACS Settings
- Global – Provides globally applicable TACACS+ settings.
- Server Index – Specifies the index number of the server to be configured. The switch currently supports only one TACACS+ server.
- Server IP Address – Address of the TACACS+ server.
- Server Port Number – Network (TCP) port of the TACACS+ server used for authentication messages. (Range: 1-65535; Default: 49)
- Number of Server Transmits – Number of times the switch tries to authenticate logon access via the authentication server.
Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply.
Figure 3-33 Authentication Settings
CLI – Specify all the required parameters to enable logon authentication.
Console(config)#authentication login radius
Console(config)#radius-server auth-port 181
Console(config)#radius-server acct-port 183
Console(config)#radius-server retransmit 5
Console(config)#radius-server timeout 10
Console(config)#radius-server 1 host 192.168.1.
Console#configure
Console(config)#authentication login tacacs
Console(config)#tacacs-server 1 host 10.20.30.
- Secret Text String – Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string. (Maximum length: 48 characters)
- Confirm Secret Text String – Re-type the string entered in the previous field to ensure no errors were made. The switch will not change the encryption key if these two fields do not match.
- Change – Clicking this button adds or modifies the selected encryption key.
Web – Click Security, Encryption Key.
The switch supports the following AAA features:
• Accounting for IEEE 802.1X authenticated users that access the network through the switch.
• Accounting for users that access management interfaces on the switch through the console and Telnet.
• Accounting for commands that users enter at specific CLI privilege levels.
• Authorization of users that access management interfaces on the switch through the console and Telnet.
To configure AAA on the switch, you need to follow this general process:
1.
Web – Click Security, AAA, Radius Group Settings. Enter the RADIUS group name, followed by the number of the server, then click Add.
Figure 3-35 AAA Radius Group Settings
CLI – Specify the group name for a list of RADIUS servers, and then specify the index number of a RADIUS server to add it to the group.
CLI – Specify the group name for a list of TACACS+ servers, and then specify the index number of a TACACS+ server to add it to the group.
Console(config)#aaa group server tacacs+ tps-tacacs+
Console(config-sg-tacacs+)#server 1
Console(config-sg-tacacs+)#
Configuring AAA Accounting
AAA accounting is a feature that enables the accounting of requested services for billing or security purposes.
Command Attributes
• Method Name – Specifies an accounting method for service requests.
Web – Click Security, AAA, Accounting, Settings. To configure a new accounting method, specify a method name and a group name, then click Add.
Figure 3-37 AAA Accounting Settings
CLI – Specify the accounting method required, followed by the chosen parameters.
Console(config)#aaa accounting dot1x tps start-stop group radius
Console(config)#
AAA Accounting Update
This feature sets the interval at which accounting updates are sent to accounting servers.
Command Attributes
Periodic Update - Specifies the interval at which the local accounting service updates information to the accounting server. (Range: 1-2147483647 minutes; Default: Disabled)
Web – Click Security, AAA, Accounting, Periodic Update. Enter the required update interval and click Apply.
AAA Accounting 802.1X Port Settings
This feature applies the specified accounting method to an interface.
Command Attributes
• Port/Trunk - Specifies a port or trunk number.
• Method Name - Specifies a user-defined method name to apply to the interface. This method must be defined in the AAA Accounting Settings menu (page 3-65). (Range: 1-255 characters)
Web – Click Security, AAA, Accounting, 802.1X Port Settings. Enter the required accounting method and click Apply.
Figure 3-39 AAA Accounting 802.
AAA Accounting Exec Command Privileges
This feature specifies a method name to apply to commands entered at specific CLI privilege levels.
Command Attributes
• Commands Privilege Level - The CLI privilege levels (0-15).
• Console/Telnet - Specifies a user-defined method name to apply to commands entered at the specified CLI privilege level.
Web – Click Security, AAA, Accounting, Command Privileges. Enter a defined method name for console and Telnet privilege levels. Click Apply.
AAA Accounting Exec Settings
This feature specifies a method name to apply to console and Telnet connections.
Command Attributes
Method Name - Specifies a user-defined method name to apply to console and Telnet connections.
Web – Click Security, AAA, Accounting, Exec Settings. Enter a defined method name for console and Telnet connections, and click Apply.
Figure 3-41 AAA Accounting Exec Settings
CLI – Specify the accounting method to use for Console and Telnet interfaces.
Web – Click Security, AAA, Summary.
Figure 3-42 AAA Accounting Summary
CLI – Use the following command to display the currently applied accounting methods and registered users.
Console#show accounting statistics
Total entries: 3
Acconting type : dot1x
Username : testpc
Interface : eth 1/1
Time elapsed since connected: 00:24:44
Acconting type : exec
Username : admin
Interface : vty 0
Time elapsed since connected: 00:25:09
Console#
Authorization Settings
AAA authorization is a feature that verifies a user has access to specific services.
Command Attributes
• Method Name – Specifies an authorization method for service requests.
Authorization EXEC Settings
This feature specifies an authorization method name to apply to console and Telnet connections.
Command Attributes
Method Name - Specifies a user-defined method name to apply to console and Telnet connections.
Web – Click Security, AAA, Authorization, Exec Settings. Enter a defined method name for console and Telnet connections, and click Apply.
Figure 3-44 AAA Authorization Exec Settings
CLI – Specify the authorization method to use for Console and Telnet interfaces.
Authorization Summary
The Authorization Summary displays the configured authorization methods and the interfaces to which they are applied.
Command Attributes
• Accounting Type - Displays the accounting service.
• Method List - Displays the user-defined or default authorization method.
• Group List - Displays the authorization server group.
• Interface - Displays the console or Telnet interface to which the authorization method applies.
Configuring HTTPS
You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.
Command Usage
• Both the HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure both services to use the same UDP port. (HTTP can only be configured through the CLI using the ip http secure-server command described on page 4-122.
Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply.
Figure 3-46 HTTPS Settings
CLI – This example enables the HTTP secure server and modifies the port number.
Console(config)#ip http secure-server
Console(config)#ip http secure-port 443
Console(config)#
Replacing the Default Secure-site Certificate
When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch.
• Private Password – Password stored in the private key file. This password is used to verify authorization for certificate use, and is verified when downloading the certificate to the switch.
Web – Click Security, HTTPS Settings. Fill in the TFTP server, certificate and private file name details, then click Copy Certificate.
Figure 3-47 HTTPS Settings
CLI – This example copies the certificate file from the designated TFTP server.
Notes:
1. You need to install an SSH client on the management station to access the switch for management via the SSH protocol.
2. The switch supports both SSH Version 1.5 and 2.0 clients.
Command Usage
The SSH server on this switch supports both password and public key authentication.
5. Enable SSH Service – On the SSH Settings page, enable the SSH server on the switch.
6. Authentication – One of the following authentication methods is employed:
Password Authentication (for SSH v1.5 or V2 Clients)
a. The client sends its password to the server.
b. The switch compares the client's password to those stored in memory.
c. If a match is found, the connection is allowed.
Generating the Host Key Pair
A host public/private key pair is used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client’s public key to the switch as described in the preceding section (Command Usage).
Field Attributes
• Public-Key of Host-Key – The public key for the host.
- RSA (Version 1): The first field indicates the size of the host key (e.g.
Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate.
Figure 3-48 SSH Host-Key Settings
CLI – This example generates a host-key pair using both the RSA and DSA algorithms, stores the keys to flash memory, and then displays the host’s public keys.
Importing User Public Keys
A user’s Public Key must be uploaded to the switch in order for the user to be able to log in using the public key authentication mechanism. If the user’s public key does not exist on the switch, SSH will revert to the interactive password authentication mechanism to complete authentication.
Field Attributes
• Public-Key of user – The RSA and DSA public keys for the selected user.
- RSA: The first field indicates the size of the host key (e.g.
Web – Click Security, SSH, SSH User Public-Key Settings. Select the user name and the public-key type from the respective drop-down boxes, input the TFTP server IP address and the public key source file name, and then click Copy Public Key.
Figure 3-49 SSH User Public-Key Settings
CLI – This example imports an SSHv2 DSA public key for the user admin and then displays admin’s imported public keys. Note that public key authentication through SSH is only supported for users configured locally on the switch.
Console#copy tftp public-key
TFTP server IP address: 192.168.1.254
Choose public key type:
1. RSA:
2. DSA:
<1-2>: 2
Source file name: admin-ssh2-dsa-pub.key
Username: admin
TFTP Download Success.
Write to FLASH Programming.
Success.
• SSH Authentication Retries – Specifies the number of authentication attempts that a client is allowed before authentication fails and the client has to restart the authentication process. (Range: 1-5 times; Default: 3)
• SSH Server-Key Size – Specifies the SSH server key size. (Range: 512-896 bits; Default: 768)
- The server key is a private key that is never shared outside the switch.
- The host key is shared with the SSH client, and is fixed at 1024 bits.
Web – Click Security, SSH, Settings.
Configuring 802.1X Port Authentication
Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data. The IEEE 802.
• Each client that needs to be authenticated must have dot1X client software installed and properly configured.
• The RADIUS server and 802.1X client support EAP. (The switch only supports EAPOL in order to pass the EAP packets from the server to the client.)
• The RADIUS server and client also have to support the same EAP authentication type – MD5, PEAP, TLS, or TTLS. (Some clients have native support in the operating system; otherwise the dot1x client must support the required authentication method.
Configuring 802.1X Global Settings
The 802.1X protocol provides port-based client authentication. The 802.1X protocol must be enabled globally for the switch system before port settings are active.
Command Attributes
802.1X System Authentication Control – Sets the global setting for 802.1X. (Default: Disabled)
Web – Select Security, 802.1X, Configuration. Enable 802.1X globally for the switch, and click Apply.
Figure 3-52 802.1X Global Configuration
CLI – This example enables 802.
• Re-authentication – Sets the client to be re-authenticated after the interval specified by the Re-authentication Period. Re-authentication can be used to detect if a new device is plugged into a switch port. (Default: Disabled)
• Max-Request – Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session.
Web – Click Security, 802.1X, Port Configuration. Modify the parameters required, and click Apply.
Figure 3-53 802.1X Port Configuration
CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 4-141.
Displaying 802.1X Statistics
This switch can display statistics for dot1x protocol exchanges for any port.
Table 3-7 802.1X Statistics
Parameter / Description
Rx EAPOL Start / The number of EAPOL Start frames that have been received by this Authenticator.
Rx EAPOL Logoff / The number of EAPOL Logoff frames that have been received by this Authenticator.
Rx EAPOL Invalid / The number of EAPOL frames that have been received by this Authenticator in which the frame type is not recognized.
Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics.
Figure 3-54 Displaying 802.1X Port Statistics
CLI – This example displays the 802.1X statistics for port 4.
• IP addresses can be configured for SNMP, web and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges.
• When entering addresses for the same group (i.e., SNMP, web or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges.
• You cannot delete an individual address from a specified range.
CLI – This example allows SNMP access for a specific client.
Console(config)#management snmp-client 10.1.2.3
Console(config)#end
Console#show management all-client
Management IP Filter
HTTP-Client:
Start IP address End IP address
-----------------------------------------------
SNMP-Client:
Start IP address End IP address
-----------------------------------------------
1. 10.1.2.3 10.1.2.
• DHCP Snooping – Filters IP traffic on unsecure ports for which the source address cannot be identified via DHCP snooping nor static source bindings. (See “DHCP Snooping” on page 3-116.)
• IP Source Guard – Filters untrusted DHCP messages on unsecure ports by building and maintaining a DHCP snooping binding table. (See “IP Source Guard” on page 3-123.
• Security Status – Enables or disables port security on the port. (Default: Disabled)
• Max MAC Count – The maximum number of MAC addresses that can be learned on a port. (Range: 0 - 1024, where 0 means disabled)
• Trunk – Trunk number if port is a member (page 3-133 and 3-135).
Web – Click Security, Port Security.
Configuring Web Authentication
Web authentication is configured on a per-port basis; however, there are four configurable parameters that apply globally to all ports on the switch.
Command Attributes
• System Authentication Control – Enables Web Authentication for the switch. (Default: Disabled)
• Session Timeout – Configures how long an authenticated session stays active before it must be re-authenticated.
Configuring Web Authentication for Ports
Web authentication is configured on a per-port basis. The following parameters are associated with each port.
Command Attributes
• Port – Indicates the port being configured.
• Status – Configures the web authentication status for the port.
• Authenticated Host Counts – Indicates how many authenticated hosts are connected to the port.
Web – Click Security, Web Authentication, Port Configuration.
Displaying Web Authentication Port Information
This switch can display web authentication information for all ports and connected hosts.
Command Attributes
• Interface – Indicates the Ethernet port to query.
• IP Address – Indicates the IP address of each connected host.
• Status – Indicates the authorization status of each connected host.
• Remaining Session Time (seconds) – Indicates the remaining time until the current authorization session for the host expires.
Web – Click Security, Web Authentication, Re-authentication.
Figure 3-60 Web Authentication Port Re-authentication
CLI – This example forces the re-authentication of all hosts connected to port 1/5.
Console#web-auth re-authenticate interface ethernet 1/5
Console#
Network Access (MAC Address Authentication)
Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations.
• Authenticated MAC addresses are stored as dynamic entries in the switch secure MAC address table and are removed when the aging time expires. The maximum number of secure MAC addresses supported for the switch system is 1024.
• Configured static MAC addresses are added to the secure address table when seen on a switch port. Static addresses are treated as authenticated without sending a request to a RADIUS server.
CLI – This example sets and displays the reauthentication time.
Note: MAC authentication cannot be configured on trunk ports. Ports configured as trunk members are indicated on the Network Access Port Configuration page in the “Trunk” column.
Web – Click Security, Network Access, Port Configuration.
Figure 3-62 Network Access Port Configuration
CLI – This example configures MAC authentication for port 1.
Displaying Secure MAC Address Information
Authenticated MAC addresses are stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected entries removed from the table.
Command Attributes
• Network Access MAC Address Count – The number of MAC addresses currently in the secure MAC address table.
• Query By – Specifies parameters to use in the MAC address query.
- Port – Specifies a port interface.
- MAC Address – Specifies a single MAC address.
CLI – This example displays all entries currently in the secure MAC address table.
Console#show network-access mac-address-table
---- ----------------- --------------- ---------
Port MAC-Address       RADIUS-Server   Attribute
---- ----------------- --------------- ---------
1/1  00-00-01-02-03-04 172.155.120.17  Static
1/1  00-00-01-02-03-05 172.155.120.17  Dynamic
1/1  00-00-01-02-03-06 172.155.120.17  Static
1/3  00-00-01-02-03-07 172.155.120.
Setting the ACL Name and Type
Use the ACL Configuration page to designate the name and type of an ACL.
Command Attributes
• Name – Name of the ACL. (Maximum length: 15 characters)
• Type – There are three filtering modes:
- Standard – IP ACL mode that filters packets based on the source IP address.
- Extended – IP ACL mode that filters packets based on source or destination IP address, as well as protocol type and protocol port number.
• Subnet Mask – A subnet mask containing four integers from 0 to 255, each separated by a period. The mask uses 1 bits to indicate “match” and 0 bits to indicate “ignore.” The mask is bitwise ANDed with the specified source IP address, and compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.
Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address.
- DSCP – DSCP priority level. (Range: 0-63)
• Protocol – Specifies the protocol type to match as TCP, UDP or Others, where Others indicates a specific protocol number (0-255). (Options: TCP, UDP, Others; Default: TCP)
• Source/Destination Port – Source/destination port number for the specified protocol type. (Range: 0-65535)
• Source/Destination Port Bitmask – Decimal number representing the port bits to match.
Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Set any other required criteria, such as service type, protocol type, or TCP control code. Then click Add.
Configuring a MAC ACL
Command Attributes
• Action – An ACL can contain any combination of permit or deny rules.
• Source/Destination Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bitmask fields. (Options: Any, Host, MAC; Default: Any)
• Source/Destination MAC Address – Source or destination MAC address.
• Source/Destination Bitmask – Hexadecimal mask for source or destination MAC address.
Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range. Set any other required criteria, such as VID, Ethernet type, or packet format. Then click Add.
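The IP and MAC ACL matching rules described in the preceding sections, modelled in Python as an added example (not the switch's firmware). It assumes rules are checked in order with the first match winning, that the MAC hexadecimal bitmask follows the same 1 = match / 0 = ignore convention as the IP subnet mask, and reports "no-match" when no rule applies, since the page does not state the default action; the sample ACLs are constructed.

```python
"""IP and MAC ACL matching as described above (added model, not the switch
firmware). Assumptions: rules are checked in order and the first match wins;
"no-match" is returned when no rule applies, so the caller supplies the
default action, which this page does not state."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Callable, List, Optional

TCP, UDP = 6, 17


def ip_to_int(addr: str) -> int:
    return int(IPv4Address(addr))


def mac_to_int(mac: str) -> int:
    # The manual writes MAC addresses and bitmasks as 11-22-33-44-55-66.
    return int(mac.replace("-", "").replace(":", ""), 16)


def masked_match(value: int, rule_value: int, mask: int) -> bool:
    """Mask convention from the manual: 1 bits mean 'match', 0 bits mean
    'ignore'. The mask is ANDed with both the rule value and the packet
    value before the two are compared."""
    return (value & mask) == (rule_value & mask)


def addr_ok(pkt_addr: str, rule_addr: Optional[str], mask: str,
            to_int: Callable[[str], int]) -> bool:
    """A rule address of None is 'Any'; a Host uses the all-ones mask."""
    return rule_addr is None or masked_match(
        to_int(pkt_addr), to_int(rule_addr), to_int(mask))


@dataclass
class IpRule:
    """One rule of a Standard (source only) or Extended IP ACL."""
    action: str                        # "permit" or "deny"
    src: Optional[str] = None
    src_mask: str = "255.255.255.255"
    dst: Optional[str] = None          # Extended mode only
    dst_mask: str = "255.255.255.255"
    protocol: Optional[int] = None     # TCP, UDP, or another 0-255 number
    dst_port: Optional[int] = None
    dst_port_bitmask: int = 0xFFFF     # decimal bitmask over the port bits

    def matches(self, pkt: dict) -> bool:
        return (addr_ok(pkt["src"], self.src, self.src_mask, ip_to_int)
                and addr_ok(pkt["dst"], self.dst, self.dst_mask, ip_to_int)
                and (self.protocol is None
                     or pkt.get("protocol") == self.protocol)
                and (self.dst_port is None
                     or masked_match(pkt.get("dst_port", 0),
                                     self.dst_port, self.dst_port_bitmask)))


@dataclass
class MacRule:
    """One rule of a MAC ACL. Assumes the hexadecimal bitmask uses the same
    1 = match / 0 = ignore convention as the IP subnet mask."""
    action: str
    src: Optional[str] = None
    src_bitmask: str = "FF-FF-FF-FF-FF-FF"
    dst: Optional[str] = None
    dst_bitmask: str = "FF-FF-FF-FF-FF-FF"
    vid: Optional[int] = None

    def matches(self, frame: dict) -> bool:
        return (addr_ok(frame["src"], self.src, self.src_bitmask, mac_to_int)
                and addr_ok(frame["dst"], self.dst, self.dst_bitmask, mac_to_int)
                and (self.vid is None or frame.get("vid") == self.vid))


def evaluate(acl: List, pkt: dict) -> str:
    """Walk the ACL in order and return the first matching rule's action."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "no-match"


# Constructed sample ACLs (not from the manual).
# Extended IP ACL: deny Telnet from 192.168.0.0/24, then permit the rest of
# that range toward one server.
IP_ACL = [
    IpRule("deny", src="192.168.0.0", src_mask="255.255.255.0",
           protocol=TCP, dst_port=23),
    IpRule("permit", src="192.168.0.0", src_mask="255.255.255.0",
           dst="10.1.1.5"),
]
# MAC ACL: deny one host, then permit the rest of its vendor prefix on VLAN 1.
MAC_ACL = [
    MacRule("deny", src="11-22-33-44-55-66"),
    MacRule("permit", src="11-22-33-00-00-00",
            src_bitmask="FF-FF-FF-00-00-00", vid=1),
]
```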
Binding a Port to an Access Control List
After configuring the Access Control Lists (ACL), you can bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP access list to any port.
Command Usage
• Each ACL can have up to 32 rules.
• This switch supports ACLs for ingress filtering only.
Command Attributes
• Port – Fixed port or SFP module. (Range: 1-28)
• IP – Specifies the IP ACL to bind to a port.
• MAC – Specifies the MAC ACL to bind to a port.
DHCP Snooping
The addresses assigned to DHCP clients on unsecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP Source Guard). DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port.
- If a DHCP packet from a server is received on a trusted port, it will be forwarded to both trusted and untrusted ports in the same VLAN.
- If DHCP snooping is globally disabled, all dynamic bindings are removed from the binding table.
- Additional considerations when the switch itself is a DHCP client – The port(s) through which the switch submits a client request to the DHCP server must be configured as trusted.
Configuring VLANs for DHCP Snooping
Use the DHCP Snooping VLAN Configuration page to enable or disable DHCP snooping on specific VLANs.
Command Usage
• When DHCP snooping is enabled globally on the switch, and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN.
• When DHCP snooping is globally disabled, DHCP snooping can still be configured for specific VLANs, but the changes will not take effect until DHCP snooping is globally re-enabled.
Command Usage
• DHCP Snooping (see page 3-117) must be enabled for Option 82 information to be inserted into request packets.
• When Option 82 is enabled, the requesting client (or an intermediate relay agent that has used the information fields to describe itself) can be identified in the DHCP request packets forwarded by the switch and in reply packets sent back from the DHCP server.
CLI – This example enables DHCP Snooping Information Option, and sets the policy as replace.
Web – Click DHCP Snooping, Information Option Configuration.
Figure 3-72 DHCP Snooping Port Configuration
CLI – This example shows how to enable the DHCP Snooping Trust Status for ports.
Displaying DHCP Snooping Binding Information
Binding table entries can be displayed on the Binding Information page.
Command Attributes
• Store DHCP snooping binding entries to flash – Writes all dynamically learned snooping entries to flash memory. This function can be used to store the currently learned dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset.
IP Source Guard
IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping” on page 3-116). IP source guard can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighbor to access the network. This section describes commands used to configure IP Source Guard.
Command Attributes
• Filter Type – Configures the switch to filter inbound traffic based on source IP address, or on source IP address and corresponding MAC address. (Default: None)
- None – Disables IP source guard filtering on the port.
- SIP – Enables traffic filtering based on IP addresses stored in the binding table.
- SIP-MAC – Enables traffic filtering based on IP addresses and corresponding MAC addresses stored in the binding table.
Web – Click IP Source Guard, Port Configuration.
Configuring Static Binding for IP Source Guard
Use the IP Source Guard Static Configuration page to bind a static address to a port. Table entries include a MAC address, IP address, lease time, entry type (Static, Dynamic), VLAN identifier, and port identifier. All static entries are configured with an infinite lease time, which is indicated with a value of zero in the table.
Command Usage
• Static addresses entered in the source guard binding table are automatically configured with an infinite lease time.
Web – Click IP Source Guard, Static Configuration. Select the VLAN and port to which the entry will be bound, enter the MAC address and associated IP address, then click Add.
Figure 3-75 Static IP Source Guard Binding Configuration
CLI – This example configures a static source-guard binding on port 5.
Console(config)#ip source-guard binding 11-22-33-44-55-66 vlan 1 192.168.0.
Web – Click IP Source Guard, Dynamic Information.
Figure 3-76 Dynamic IP Source Guard Binding Information
CLI – This example displays the static source-guard binding configured on port 5.
Console#show ip source-guard binding
MacAddress        IpAddress       Lease(sec) Type                 VLAN Interface
----------------- --------------- ---------- -------------------- ---- ---------
11-22-33-44-55-66 192.168.0.99    0          Static               1    Eth 1/5
Console#
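An added Python model of the SIP and SIP-MAC filter types over a binding table shaped like the show ip source-guard binding output above (example code, not the switch firmware). The static entry is the one shown on this page; the dynamic entry, the aging behaviour, and the assumption that a binding applies only to the port and VLAN it was learned on are constructed for illustration.

```python
"""IP Source Guard filtering modelled on the description above (added
example, not the switch firmware). Assumption: a binding applies only to
the port and VLAN it was learned on, as the VLAN and Interface columns of
the binding table suggest."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Binding:
    """One row of the source-guard binding table."""
    mac: str
    ip: str
    lease_sec: int    # 0 = infinite lease, used for all static entries
    kind: str         # "Static" or "Dynamic"
    vlan: int
    interface: str    # e.g. "Eth 1/5"


def norm_mac(mac: str) -> str:
    return mac.replace(":", "-").upper()


class SourceGuard:
    def __init__(self, bindings: List[Binding]):
        self.bindings = list(bindings)
        # Per-port filter type: None (disabled), "SIP", or "SIP-MAC".
        self.filter_type: Dict[str, Optional[str]] = {}

    def set_filter(self, interface: str, mode: Optional[str]) -> None:
        if mode not in (None, "SIP", "SIP-MAC"):
            raise ValueError(f"unknown filter type {mode!r}")
        self.filter_type[interface] = mode

    def age(self, elapsed_sec: int) -> None:
        """Expire dynamic bindings whose lease has run out. Static entries
        carry lease 0 (infinite) and are never removed here."""
        kept = []
        for b in self.bindings:
            if b.lease_sec == 0:
                kept.append(b)
            elif b.lease_sec > elapsed_sec:
                b.lease_sec -= elapsed_sec
                kept.append(b)
        self.bindings = kept

    def permit(self, interface: str, vlan: int,
               src_ip: str, src_mac: str) -> bool:
        """Decide whether an inbound IP packet is forwarded. SIP checks only
        the source IP against the table; SIP-MAC also requires the source
        MAC to be the one bound to that IP."""
        mode = self.filter_type.get(interface)
        if mode is None:
            return True
        for b in self.bindings:
            if (b.interface, b.vlan, b.ip) != (interface, vlan, src_ip):
                continue
            if mode == "SIP" or norm_mac(b.mac) == norm_mac(src_mac):
                return True
        return False


def build_guard() -> SourceGuard:
    """Constructed table: the static entry shown on this page plus a
    constructed dynamic entry of the kind DHCP snooping would learn."""
    guard = SourceGuard([
        Binding("11-22-33-44-55-66", "192.168.0.99", 0, "Static", 1, "Eth 1/5"),
        Binding("00-11-22-AA-BB-CC", "192.168.0.50", 3600, "Dynamic", 1, "Eth 1/7"),
    ])
    guard.set_filter("Eth 1/5", "SIP-MAC")
    guard.set_filter("Eth 1/7", "SIP")
    return guard


if __name__ == "__main__":
    g = build_guard()
    print(g.permit("Eth 1/5", 1, "192.168.0.99", "11-22-33-44-55-66"))  # True
    print(g.permit("Eth 1/5", 1, "192.168.0.50", "11-22-33-44-55-66"))  # False
```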
Port Configuration
Displaying Connection Status
You can use the Port Information or Trunk Information pages to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation.
Field Attributes (Web)
• Name – Interface label.
• Type – Indicates the port type. (100BASE-TX, 1000BASE-T, or SFP)
• Admin Status – Shows if the interface is enabled or disabled.
• Oper Status – Indicates if the link is Up or Down.
Field Attributes (CLI)
Basic Information:
• Port type – Indicates the port type. (100BASE-TX, 1000BASE-T, or SFP)
• MAC address – The physical layer address for this port. (To access this item on the web, see “Setting the Switch’s IP Address” on page 3-16.)
Configuration:
• Name – Interface label.
• Port Admin – Shows if the interface is enabled or disabled (i.e., up or down).
• Speed-duplex – Shows the current speed and duplex mode.
Current Status:
• Link Status – Indicates if the link is up or down.
• Port Operation Status – Provides detailed information on port state. (Displayed only when the link is up.)
• Operation Speed-duplex – Shows the current speed and duplex mode.
• Flow Control Type – Indicates the type of flow control currently in use. (IEEE 802.3x, Back-Pressure or none)
CLI – This example shows the connection status for Port 5.
Command Attributes
• Name – Allows you to label an interface. (Range: 1-64 characters)
• Admin – Allows you to manually disable an interface. You can disable an interface due to abnormal behavior (e.g., excessive collisions), and then reenable it after the problem has been resolved. You may also disable an interface for security reasons.
• Speed/Duplex – Allows you to manually set the port speed and duplex mode. (i.e.
Web – Click Port, Port Configuration or Trunk Configuration. Modify the required interface settings, and click Apply.
Figure 3-78 Port/Trunk Configuration
CLI – Select the interface, and then enter the required settings.
Console(config)#interface ethernet 1/13
Console(config-if)#description RD SW#13
Console(config-if)#shutdown
.
Console(config-if)#no shutdown
Console(config-if)#no negotiation
Console(config-if)#speed-duplex 100half
Console(config-if)#flowcontrol
.
standby mode. Should one link in the trunk fail, one of the standby ports will automatically be activated to replace it.
Command Usage
Besides balancing the load across each port in the trunk, the other ports provide redundancy by taking over the load if a port in the trunk fails. However, before making any physical connections between devices, use the web interface or CLI to specify the trunk on the devices at both ends.
Web – Click Port, Trunk Membership. Enter a trunk ID of 1-8 in the Trunk field, select any of the switch ports from the scroll-down port list, and click Add. After you have completed adding ports to the member list, click Apply.
Figure 3-79 Configuring Static Trunks
CLI – This example creates trunk 2 with ports 1 and 2. Just connect these ports to two static trunk ports on another switch to form a trunk.
Enabling LACP on Selected Ports
[Figure: LACP trunk showing active links and a dynamically enabled backup link]
Command Usage
• To avoid creating a loop in the network, be sure you enable LACP before connecting the ports, and also disconnect the ports before disabling LACP.
• If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically.
• A trunk formed with another switch using LACP will automatically be assigned the next available trunk ID.
CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk.
Console(config)#interface ethernet 1/1
Console(config-if)#lacp
Console(config-if)#exit
. . .
Command Attributes
Set Port Actor – This menu sets the local side of an aggregate link; i.e., the ports on this switch.
• Port – Port number. (Range: 1-28)
• System Priority – LACP system priority is used to determine link aggregation group (LAG) membership, and to identify this device to other switches during LAG negotiations. (Range: 0-65535; Default: 32768)
- Ports must be configured with the same system priority to join the same LAG.
Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply.
Figure 3-81 LACP Port Configuration
CLI – The following example configures LACP parameters for ports 1-4. Ports 1-4 are used as active members of the LAG.
Console(config)#interface ethernet 1/1
Console(config-if)#lacp actor system-priority 3
Console(config-if)#lacp actor admin-key 120
Console(config-if)#lacp actor port-priority 128
Console(config-if)#exit
. . .
Displaying LACP Port Counters
You can display statistics for LACP protocol messages.
Table 3-8 LACP Port Counters
• LACPDUs Sent – Number of valid LACPDUs transmitted from this channel group.
• LACPDUs Received – Number of valid LACPDUs received on this channel group.
• Marker Sent – Number of valid Marker PDUs transmitted from this channel group.
• Marker Received – Number of valid Marker PDUs received by this channel group.
CLI – The following example displays LACP counters.
Console#show lacp counters
Port channel : 1
------------------------------------------------------------------------
Eth 1/ 1
------------------------------------------------------------------------
 LACPDUs Sent: 91
 LACPDUs Receive: 43
 Marker Sent: 0
 Marker Receive: 0
 LACPDUs Unknown Pkts: 0
 LACPDUs Illegal Pkts: 0
. . .
Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information.
Figure 3-83 LACP - Port Internal Information
CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1.
Displaying LACP Settings and Status for the Remote Side
You can display configuration settings and the operational state for the remote side of a link aggregation.
Table 3-10 LACP Neighbor Configuration Information
• Partner Admin System ID – LAG partner’s system ID assigned by the user.
• Partner Oper System ID – LAG partner’s system ID assigned by the LACP protocol.
• Partner Admin Port Number – Current administrative value of the port number for the protocol Partner.
CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1.
Web – Click Port, Port/Trunk Broadcast Control. Set the threshold and mark the Enabled field for the required interface, then click Apply.
Figure 3-85 Port Broadcast Control
CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 500 kilobits per second for port 2.
Configuring Port Mirroring
You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
[Figure: source port(s) mirrored to a single target port]
Command Usage
• Monitor port speed should match or exceed source port speed, otherwise traffic may be dropped from the monitor port.
• All mirror sessions must share the same destination port.
CLI – Use the interface command to select the monitor port, then use the port monitor command to specify the source port and traffic type.
Console(config)#interface ethernet 1/10
Console(config-if)#port monitor ethernet 1/13 tx
Console(config-if)#
Configuring Rate Limits
This function allows the network manager to control the maximum rate for traffic received on a port or transmitted from a port.
Web – Click Port, Rate Limit, Input/Output Port/Trunk Configuration. Set the Input Rate Limit Status or Output Rate Limit Status, then set the rate limit for the individual interfaces, and click Apply.
Figure 3-87 Input Rate Limit Port Configuration
CLI – This example sets the rate limit level for input traffic passing through port 3.
Table 3-11 Port Statistics
Interface Statistics
• Received Octets – The total number of octets received on the interface, including framing characters.
• Received Unicast Packets – The number of subnetwork-unicast packets delivered to a higher-layer protocol.
• Received Multicast Packets – The number of packets, delivered by this sub-layer to a higher (sub-)layer, which were addressed to a multicast address at this sub-layer.
• Excessive Collisions – A count of frames for which transmission on a particular interface fails due to excessive collisions. This counter does not increment when the interface is operating in full-duplex mode.
• Single Collision Frames – The number of successfully transmitted frames for which transmission is inhibited by exactly one collision.
• Fragments – The total number of frames received that were less than 64 octets in length (excluding framing bits, but including FCS octets) and had either an FCS or alignment error.
• 64 Bytes Frames – The total number of frames (including bad packets) received and transmitted that were 64 octets in length (excluding framing bits but including FCS octets).
Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen.
Figure 3-88 Port Statistics
CLI – This example shows statistics for port 13.
• MAC Address – Physical address of a device mapped to this interface.
• VLAN – ID of configured VLAN (1-4094).
Web – Click Address Table, Static Addresses. Specify the interface, the MAC address and VLAN, then click Add Static Address.
Figure 3-89 Configuring a Static Address Table
CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.
Web – Click Address Table, Dynamic Addresses. Specify the search type (i.e., mark the Interface, MAC Address, or VLAN checkbox), select the method of sorting the displayed addresses, and then click Query.
Figure 3-90 Configuring a Dynamic Address Table
CLI – This example also displays the address table entries for port 1.
Changing the Aging Time
You can set the aging time for entries in the dynamic address table.
Command Attributes
• Aging Status – Enables/disables the function. (Default: Enabled)
• Aging Time – The time after which a learned entry is discarded. (Range: 10-630 seconds; Default: 300 seconds)
Web – Click Address Table, Address Aging. Specify the new aging time, and click Apply.
Figure 3-91 Setting the Address Aging Time
CLI – This example sets the aging time to 300 seconds.
Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops.
[Figure: spanning tree topology showing the Designated Root, Designated Bridges, Designated Ports and Root Ports]
Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down.
An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest – see “Configuring Multiple Spanning Trees” on page 3-171). An MST Region may contain multiple MSTP Instances. An Internal Spanning Tree (IST) is used to connect all the MSTP switches within an MST region.
because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to a discarding state; otherwise, temporary data loops might result.
• Designated Root – The priority and MAC address of the device in the Spanning Tree that this switch has accepted as the root device.
- Root Port – The number of the port on this switch that is closest to the root.
• Transmission limit – The minimum interval between the transmission of consecutive RSTP/MSTP BPDUs.
• Path Cost Method – The path cost is used to determine the best path between devices. The path cost method is used to determine the range of values that can be assigned to each interface.
Note: The current root port and current root cost display as zero when this device is not connected to the network.
Configuring Global Settings
Global settings apply to the entire switch.
Command Usage
• Spanning Tree Protocol – Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network.
- STP: Spanning Tree Protocol (IEEE 802.1D); i.e., when this option is selected, the switch will use RSTP set to STP forced compatibility mode.
- RSTP: Rapid Spanning Tree (IEEE 802.1w); RSTP is the default.
- MSTP: Multiple Spanning Tree (IEEE 802.1s).
• Priority – Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority becomes the STA root device.
- Maximum: 30
Configuration Settings for RSTP
The following attributes apply to both RSTP and MSTP:
• Path Cost Method – The path cost is used to determine the best path between devices. The path cost method is used to determine the range of values that can be assigned to each interface.
- Long: Specifies 32-bit based values that range from 1-200,000,000. (This is the default.)
- Short: Specifies 16-bit based values that range from 1-65535.
Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply.
Figure 3-93 Configuring Spanning Tree
CLI – This example enables Spanning Tree Protocol, sets the mode to MST, and then configures the STA and MSTP parameters.
• Oper Path Cost – This parameter is used by the STA to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.)
• Oper Link Type – The operational point-to-point status of the LAN segment attached to this interface.
• External Admin Path Cost – The path cost for the IST. This parameter is used by the STA to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.)
• Internal Admin Path Cost – The path cost for the MST. See the preceding item.
• Priority – Defines the priority used for this port in the Spanning Tree Algorithm.
CLI – This example shows the STA attributes for port 5.
Console#show spanning-tree ethernet 1/5
Eth 1/ 5 information
--------------------------------------------------------------
 Admin Status: Enabled
 Role: Designate
 State: Forwarding
 External Admin Path Cost: 0
 Internal Admin Path Cost: 0
 External Oper Path Cost: 100000
 Internal Oper Path Cost: 100000
 Priority: 128
 Designated Cost: 5000
 Designated Port: 128.1
 Designated Root: 32768.0.0013F7D37E60
 Designated Bridge: 32768.0.
The following interface attributes can be configured:
• Spanning Tree – Enables/disables STA on this interface. (Default: Enabled)
• Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree. This makes a port with higher priority less likely to be blocked if the Spanning Tree Protocol is detecting network loops.
Table 3-14 Default STA Path Costs
Port Type         Link Type    IEEE 802.1w-2001
Ethernet          Half Duplex  2,000,000
                  Full Duplex  1,000,000
                  Trunk          500,000
Fast Ethernet     Half Duplex    200,000
                  Full Duplex    100,000
                  Trunk           50,000
Gigabit Ethernet  Full Duplex     10,000
                  Trunk            5,000
• Admin Link Type – The link type attached to this interface.
- Point-to-Point – A connection to exactly one other bridge.
- Shared – A connection to two or more bridges.
Web – Click Spanning Tree, STA, Port Configuration or Trunk Configuration. Modify the required attributes, then click Apply.
Figure 3-95 Configuring Spanning Tree per Port
CLI – This example sets STA attributes for port 7.
Note: All VLANs are automatically added to the IST (Instance 0). To ensure that the MSTI maintains connectivity across the network, you must configure a related set of bridges with the same MSTI settings.
Command Attributes
• MST Instance – Instance identifier of this spanning tree. (Default: 0)
• Priority – The priority of a spanning tree instance.
CLI – This example sets the priority for MSTI 1, and adds VLAN 1 to this MSTI. It then displays the STA settings for instance 1, followed by settings for each port.
Displaying Interface Settings for MSTP
The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance. The same information can be displayed through the command line interface (see page 4-234).
Command Attributes
• MST Instance ID – Instance identifier to configure.
CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are global settings that apply to the IST; the settings for other instances only apply to the local spanning tree.
Console#show spanning-tree mst 0
Spanning Tree Information
--------------------------------------------------------------
 Spanning Tree Mode: MSTP
 Spanning Tree Enabled/Disabled: Enabled
 Instance: 0
 VLANs Configuration: 1-4094
 Priority: 32768
 Bridge Hello Time (sec.
Configuring Interface Settings for MSTP
You can configure the STA interface settings for an MST Instance using the MSTP Port Configuration and MSTP Trunk Configuration pages, or through the command line interface (see page 4-216).
Field Attributes
The following attributes are read-only and cannot be changed:
• STA State – Displays current state of this port within the Spanning Tree. (See “Displaying Interface Settings” on page 3-165 for additional information.
Web – Click Spanning Tree, MSTP, Port Configuration or Trunk Configuration. Enter the priority and path cost for an interface, and click Apply.
Figure 3-98 Displaying MSTP Interface Settings
CLI – This example sets the MSTP attributes for port 4.
Console(config)#interface ethernet 1/4
Console(config-if)#spanning-tree mst port-priority 0
Console(config-if)#spanning-tree mst cost 50
Console(config-if)
VLAN Configuration
IEEE 802.
inherently provide a high level of network security since traffic must pass through a configured Layer 3 link to reach a different VLAN. This switch supports the following VLAN features:
• Up to 255 VLANs based on the IEEE 802.
Port Overlapping – Port overlapping can be used to allow access to commonly shared network resources among different VLAN groups, such as file servers or printers. Note that if you implement VLANs which do not overlap, but still need to communicate, you can connect them by enabling routing on this switch.
Untagged VLANs – Untagged (or static) VLANs are typically used to reduce broadcast traffic and to increase security.
Note: If you have host devices that do not support GVRP, you should configure static or untagged VLANs for the switch ports connected to these devices (as described in “Adding Static Members to VLANs (VLAN Index)” on page 3-186). But you can still enable GVRP on these edge switches, as well as on the core switches in the network.
Enabling or Disabling GVRP (Global Setting)
GARP VLAN Registration Protocol (GVRP) defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. VLANs are dynamically configured based on join messages issued by host devices and propagated throughout the network. GVRP must be enabled to permit automatic VLAN registration, and to support VLANs which extend beyond the local switch. (Default: Disabled)
Web – Click VLAN, 802.1Q VLAN, GVRP Status.
CLI – Enter the following command.
Console#show bridge-ext
 Max Support VLAN Numbers: 256
 Max Support VLAN ID: 4094
 Extended Multicast Filtering Services: No
 Static Entry Individual Port: Yes
 VLAN Learning: IVL
 Configurable PVID Tagging: Yes
 Local VLAN Capable: No
 Traffic Classes: Enabled
 Global GVRP Status: Disabled
 GMRP: Disabled
Console#
Displaying Current VLANs
The VLAN Current Table shows the current port members of each VLAN and whether or not the port supports VLAN tagging.
Web – Click VLAN, 802.1Q VLAN, Current Table. Select any ID from the scroll-down list.
Figure 3-101 Displaying Current VLANs
Command Attributes (CLI)
• VLAN – ID of configured VLAN (1-4094, no leading zeroes).
• Type – Shows how this VLAN was added to the switch.
- Dynamic: Automatically learned via GVRP.
- Static: Added as a static entry.
• Name – Name of the VLAN (1 to 32 characters).
• Status – Shows if this VLAN is enabled or disabled.
- Active: VLAN is operational.
- Suspend: VLAN is suspended; i.e.
CLI – Current VLAN information can be displayed with the following command.
Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add.
Figure 3-102 Configuring a VLAN Static List
CLI – This example creates a new VLAN.
Adding Static Members to VLANs (VLAN Index)
Use the VLAN Static Table to configure port members for the selected VLAN index. Assign ports as tagged if they are connected to 802.1Q VLAN compliant devices, or untagged if they are not connected to any VLAN-aware devices. Or configure a port as forbidden to prevent the switch from automatically adding it to a VLAN via the GVRP protocol.
Notes:
1. You can also use the VLAN Static Membership by Port page to configure VLAN groups based on the port index (page 3-188).
Web – Click VLAN, 802.1Q VLAN, Static Table. Select a VLAN ID from the scroll-down list. Modify the VLAN name and status if required. Select the membership type by marking the appropriate radio button in the list of ports or trunks. Click Apply.
Figure 3-103 Configuring a VLAN Static Table
CLI – The following example adds tagged and untagged ports to VLAN 2.
Adding Static Members to VLANs (Port Index)
Use the VLAN Static Membership by Port menu to assign VLAN groups to the selected interface as a tagged member.
Command Attributes
• Interface – Port or trunk identifier.
• Member – VLANs for which the selected interface is a tagged member.
• Non-Member – VLANs for which the selected interface is not a tagged member.
Web – Open VLAN, 802.1Q VLAN, Static Membership by Port. Select an interface from the scroll-down box (Port or Trunk).
Configuring VLAN Behavior for Interfaces
You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers.
Command Usage
• GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
• GARP Leave Timer – The interval a port waits before leaving a VLAN group. This time should be set to more than twice the join time. This ensures that after a Leave or LeaveAll message has been issued, the applicants can rejoin before the port actually leaves the group. (Range: 60-3000 centiseconds; Default: 60)
• GARP LeaveAll Timer – The interval between sending out a LeaveAll query message for VLAN group participants and the port leaving the group.
CLI – This example sets port 3 to accept only tagged frames, assigns PVID 3 as the native VLAN ID, enables GVRP, sets the GARP timers, and then sets the switchport mode to hybrid.
When a packet enters the trunk port on the service provider’s egress switch, the outer tag is again stripped for packet processing. However, the SPVLAN tag is not added when it is sent out the tunnel access port on the edge switch into the customer’s network. The packet is sent as a normal IEEE 802.1Q-tagged frame, preserving the original VLAN numbers used in the customer’s network.
Layer 2 Flow for Packets Coming into a Tunnel Uplink Port
An uplink port receives one of the following packets:
• Untagged
• One tag (CVLAN or SPVLAN)
• Double tag (CVLAN + SPVLAN)
The ingress process does source and destination lookups. If both lookups are successful, the ingress process writes the packet to memory. Then the egress process transmits the packet. Packets entering a QinQ uplink port are processed in the following manner:
1. If incoming packets are untagged, the PVID VLAN native tag is added.
• The native VLAN (VLAN 1) is not normally added to transmitted frames. Avoid using VLAN 1 as an SPVLAN tag for customer traffic to reduce the risk of misconfiguration. Use VLAN 1 as a management VLAN rather than a data VLAN in the service provider network.
• There are some inherent incompatibilities between Layer 2 and Layer 3 switching:
- Tunnel ports do not support IP Access Control Lists.
ethertype field, as they would be with a standard 802.1Q trunk. Frames arriving on the port containing any other ethertype are looked upon as untagged frames, and assigned to the native VLAN of that port. • All ports on the switch will be set to the same ethertype. Command Attributes • 802.1Q Tunnel Status – Sets the switch to QinQ mode, and allows the QinQ tunnel port to be configured. The default is for the switch to function in normal mode. • 802.
Tunneling on the Switch” on page 3-194). • Set the mode to 802.1Q Tunnel (access) or 802.1Q Tunnel Uplink. Command Attributes Mode – Set the VLAN membership mode of the port. • None – The port operates in its normal VLAN mode. (This is the default.) • 802.1Q Tunnel – Configures IEEE 802.1Q tunneling (QinQ) for a client access port to segregate and preserve customer VLAN IDs for traffic crossing the service provider network. • 802.1Q Tunnel Uplink – Configures IEEE 802.
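The tag handling described above (SPVLAN pushed at the tunnel access port, stripped again at the provider egress, and the uplink rule that only the switch-wide tunnel ethertype counts as a tag) as an added example; this is illustration code, not the guide's or the switch's own, and the tunnel TPID 0x9100, the VLAN numbers and the MAC addresses are constructed assumptions.

```python
import struct

ETH_8021Q = 0x8100  # standard IEEE 802.1Q TPID used inside the customer network
ETH_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload, vid=None, tpid=ETH_8021Q, pcp=0):
    """Constructed Ethernet frame; when vid is given, one 802.1Q tag is inserted."""
    frame = dst + src
    if vid is not None:
        frame += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    return frame + struct.pack("!H", ethertype) + payload


def push_outer_tag(frame, vid, tpid, pcp=0):
    """Tunnel access port ingress: add the SPVLAN tag in front of any customer tag."""
    tag = struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    return frame[:12] + tag + frame[12:]


def pop_outer_tag(frame):
    """Provider egress: strip the outer tag, leaving the customer's 802.1Q frame intact."""
    return frame[:12] + frame[16:]


def classify_uplink_ingress(frame, tunnel_tpid, pvid):
    """Classify a frame arriving on a QinQ uplink port.

    Returns (kind, outer_vid, inner_vid). Only a frame whose first ethertype equals
    the switch-wide tunnel TPID counts as tagged; any other ethertype is treated as
    untagged and assigned to the port's native VLAN (PVID), as the text states.
    """
    if len(frame) < 14:
        raise ValueError("runt frame")
    first_type = struct.unpack("!H", frame[12:14])[0]
    if first_type != tunnel_tpid:
        return "untagged", pvid, None
    outer_vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    inner_type = struct.unpack("!H", frame[16:18])[0]
    if inner_type == ETH_8021Q:
        inner_vid = struct.unpack("!H", frame[18:20])[0] & 0x0FFF
        return "double", outer_vid, inner_vid
    return "single", outer_vid, None


def tunnel_round_trip(customer_frame, spvlan, tunnel_tpid, uplink_pvid):
    """Customer edge -> provider uplink -> far edge. Returns the classification seen
    at the uplink and the frame finally handed back to the customer network."""
    in_provider = push_outer_tag(customer_frame, spvlan, tunnel_tpid)
    kind = classify_uplink_ingress(in_provider, tunnel_tpid, uplink_pvid)
    delivered = pop_outer_tag(in_provider)
    return kind, delivered


# Constructed sample: customer frame tagged with CVLAN 100, carried in SPVLAN 10.
DST = bytes.fromhex("00aabbccdd01")
SRC = bytes.fromhex("00aabbccdd02")
CUSTOMER_FRAME = build_frame(DST, SRC, ETH_IPV4, b"\x45" + b"\x00" * 19, vid=100)
TUNNEL_TPID = 0x9100  # assumed provider ethertype, configured switch-wide

if __name__ == "__main__":
    kind, out = tunnel_round_trip(CUSTOMER_FRAME, 10, TUNNEL_TPID, uplink_pvid=1)
    print(kind, out == CUSTOMER_FRAME)  # ('double', 10, 100) True
```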
Traffic Segmentation If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual client sessions. Traffic belonging to each client is isolated to the allocated downlink ports.
Configuring Traffic Segmentation Sessions Use the Traffic Segmentation Session Configuration page to create a client session, and assign the downlink and uplink ports to service the traffic associated with each session. Command Attributes • Session ID – Traffic segmentation session. (Range: 1-15) • Direction – Uplink or downlink interface. • Interface – Port or trunk used for assigned traffic segmentation session.
Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN. This switch supports private VLANs with primary/secondary associated groups. A primary VLAN contains promiscuous ports that can communicate with all other ports in the private VLAN group, while a secondary (or community) VLAN contains community ports that can only communicate with other hosts within the secondary VLAN and with any of the promiscuous ports in the associated primary VLAN.
Web – Click VLAN, Private VLAN, Information. Select the desired port from the VLAN ID drop-down menu.
Figure 3-110 Private VLAN Information
CLI – This example shows the switch configured with primary VLAN 5 and secondary VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and are associated with VLAN 6. This means that traffic for ports 4 and 5 can only pass through port 3.
Web – Click VLAN, Private VLAN, Configuration. Enter the VLAN ID number, select Primary or Community type, then click Add. To remove a private VLAN from the switch, highlight an entry in the Current list box and then click Remove. Note that all member ports must be removed from the VLAN before it can be deleted.
Figure 3-111 Private VLAN Configuration
CLI – This example configures VLAN 5 as a primary VLAN, and VLAN 6 as a community VLAN.
CLI – This example associates community VLANs 6 and 7 with primary VLAN 5.
Console(config)#vlan database
Console(config-vlan)#private-vlan 5 association 6
Console(config-vlan)#private-vlan 5 association 7
Console(config-vlan)#
Displaying Private VLAN Interface Information
Use the Private VLAN Port Information and Private VLAN Trunk Information menus to display the interfaces associated with private VLANs.
Command Attributes
• Port/Trunk – The switch interface.
CLI – This example shows the switch configured with primary VLAN 5 and community VLAN 6. Port 3 has been configured as a promiscuous port and mapped to VLAN 5, while ports 4 and 5 have been configured as host ports and associated with VLAN 6. This means that traffic for port 4 and 5 can only pass through port 3.
Web – Click VLAN, Private VLAN, Port Configuration or Trunk Configuration. Set the PVLAN Port Type for each port that will join a private VLAN. Assign promiscuous ports to a primary VLAN. Assign host ports to a community VLAN. After all the ports have been configured, click Apply.
Figure 3-114 Private VLAN Port Configuration
CLI – This example shows the switch configured with primary VLAN 5 and secondary VLAN 6.
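The isolation rules of the private VLAN section (promiscuous ports reach the whole group, host ports reach only their own community and the associated primary VLAN's promiscuous ports) modelled as a forwarding check, as an added example rather than the switch's own logic; the guide's VLAN 5/6 and port 3/4/5 layout is reused, and community VLAN 7 on port 6 is an assumption added to show isolation between communities.

```python
from dataclasses import dataclass, field


@dataclass
class PrivateVlan:
    """Port-role model of the primary/community private VLAN scheme described above."""
    promiscuous: dict = field(default_factory=dict)   # port -> primary VLAN
    host: dict = field(default_factory=dict)          # port -> community VLAN
    association: dict = field(default_factory=dict)   # community VLAN -> primary VLAN

    def add_primary(self, vid, ports):
        for port in ports:
            self.promiscuous[port] = vid

    def add_community(self, vid, primary, ports):
        self.association[vid] = primary
        for port in ports:
            self.host[port] = vid

    def can_forward(self, src, dst):
        """May a frame that entered on port src be forwarded out port dst?"""
        if src == dst:
            return False
        if src in self.promiscuous:
            primary = self.promiscuous[src]
            # A promiscuous port reaches every other port of its group: the other
            # promiscuous ports of the primary VLAN and the hosts of each community
            # associated with it.
            if dst in self.promiscuous:
                return self.promiscuous[dst] == primary
            return self.association.get(self.host.get(dst)) == primary
        if src in self.host:
            community = self.host[src]
            # A host port reaches hosts of its own community and the promiscuous
            # ports of the associated primary VLAN, and nothing else.
            if dst in self.host:
                return self.host[dst] == community
            return self.promiscuous.get(dst) == self.association.get(community)
        return False  # src is not a member of any private VLAN

    def reachable_from(self, src):
        """Sorted list of ports that src can send to; handy for verifying a design."""
        members = set(self.promiscuous) | set(self.host)
        return sorted(dst for dst in members if self.can_forward(src, dst))


def example_from_guide():
    """Primary VLAN 5 with promiscuous port 3 and community VLAN 6 with host ports 4
    and 5, as in the guide's CLI example, plus an assumed community VLAN 7 on port 6."""
    pv = PrivateVlan()
    pv.add_primary(5, [3])
    pv.add_community(6, primary=5, ports=[4, 5])
    pv.add_community(7, primary=5, ports=[6])
    return pv


if __name__ == "__main__":
    pv = example_from_guide()
    for port in (3, 4, 6):
        print(port, "->", pv.reachable_from(port))
```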
Protocol VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
Web – Click VLAN, Protocol VLAN, Configuration.
Figure 3-115 Protocol VLAN Configuration
CLI – This example shows the switch configured with Protocol Group 2 which matches RFC 1042 IP traffic.
Console(config)#protocol-vlan protocol-group 2 add frame-type rfc-1042 protocol-type ip
Console(config)#
Configuring the Protocol VLAN System
Use the Protocol VLAN System Configuration menu to map a Protocol VLAN Group to a VLAN.
Web – Click VLAN, Protocol VLAN, System Configuration.
Figure 3-116 Protocol VLAN System Configuration
CLI – This example shows the switch configured with Protocol Group 2 mapped to VLAN 2.
Console(config)#protocol-vlan protocol-group 2 vlan 2
Console(config)#
Link Layer Discovery Protocol
Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain.
Setting LLDP Timing Attributes Use the LLDP Configuration screen to set attributes for general functions such as globally enabling LLDP on the switch, setting the message ageout time, and setting the frequency for broadcasting general advertisements or reports about changes in the LLDP MIB. Command Attributes • LLDP – Enables LLDP globally on the switch. (Default: Enabled) • Transmission Interval – Configures the periodic transmit interval for LLDP advertisements.
• MED Fast Start Count – Configures the amount of LLDP MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. (Range: 1-10 packets; Default: 4 packets) The MED Fast Start Count parameter is part of the timer which ensures that the LLDP-MED Fast Start mechanism is active for the port. LLDP-MED Fast Start is critical to the timely startup of LLDP, and therefore integral to the rapid availability of Emergency Call Service. Web – Click LLDP, Configuration.
Configuring LLDP Interface Attributes Use the LLDP Port/Trunk Configuration to specify the message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and the type of information advertised. Command Attributes • Admin Status – Enables LLDP message transmit and receive modes for LLDP Protocol Data Units.
protocol VLAN TLV that indicates the VLAN identifier (VID) associated with the management address reported by this TLV. - System Name – The system name is taken from the sysName object in RFC 3418, which contains the system’s administratively assigned name. To configure the system name, see “Displaying System Information” on page 3-12. - System Capabilities – The system capabilities identifies the primary function(s) of the system and whether or not these primary functions are enabled.
Web – Click LLDP, Port/Trunk Configuration. Set the LLDP transmit/receive mode, specify whether or not to send SNMP trap messages, select the information to advertise in LLDP messages, select the information to advertise in MED-TLV messages and specify whether or not to send MED notifications. Then click Apply.
Displaying LLDP Local Device Information Use the LLDP Local Device Information screen to display information about the switch, such as its MAC address, chassis ID, management IP address, and port information. Field Attributes Global Settings • Chassis Type – Identifies the chassis containing the IEEE 802 LAN entity associated with the transmitting LLDP agent.
• System Capabilities Enabled – The primary function(s) of the system which are currently enabled. Refer to the preceding table. • Management Address – The management address protocol packet includes the IPv4 address of the switch. If no management address is available, the address should be the MAC address for the CPU or for the port sending this advertisement. Interface Settings The attributes listed below apply to both port and trunk interface types.
CLI – This example displays LLDP information for the local switch.
Console#show lldp info local-device
LLDP Local System Information
 Chassis Type                : MAC Address
 Chassis ID                  : 00-01-02-03-04-05
 System Name                 :
 System Description          : 24 port 10/100 Managed Layer 2 Switch with 4 x Gigabit Combo ports
 System Capabilities Support : Bridge
 System Capabilities Enable  : Bridge
 Management Address          : 192.168.0.
Web – Click LLDP, Remote Port/Trunk Information.
Figure 3-120 LLDP Remote Port Information
CLI – This example displays LLDP information for remote devices attached to this switch which are advertising information through LLDP.
Table 3-17 Port ID Subtype (Continued)
ID Basis          Reference
Interface name    ifName (IETF RFC 2863)
Agent circuit ID  agent circuit ID (IETF RFC 3046)
Locally assigned  locally assigned
• Port Description – A string that indicates the port’s description. If RFC 2863 is implemented, the ifDescr object should be used for this field.
• Port ID – A string that contains the specific identifier for the port from which this LLDPDU was transmitted.
CLI – This example displays LLDP information for an LLDP-enabled remote device attached to a specific port on this switch.
Web – Click LLDP, Device Statistics.
Figure 3-122 LLDP Device Statistics
CLI – This example displays LLDP statistics received from all LLDP-enabled remote devices connected directly to this switch.
switch#show lldp info statistics
LLDP Device Statistics
 Neighbor Entries List Last Updated
 New Neighbor Entries Count
 Neighbor Entries Deleted Count
 Neighbor Entries Dropped Count
 Neighbor Entries Ageout Count
 Interface
 ---------
 Eth 1/1
 Eth 1/2
 Eth 1/3
 Eth 1/4
 Eth 1/5
 . . .
Displaying Detailed Device Statistics Use the LLDP Device Statistics Details screen to display detailed statistics for LLDP-capable devices attached to specific interfaces on the switch. Field Attributes • Frames Discarded – Number of frames discarded because they did not conform to the general validation rules as well as any specific usage rules defined for the particular TLV. • Frames Invalid – A count of all LLDPDUs received with one or more detectable errors.
CLI – This example displays detailed LLDP statistics for an LLDP-enabled remote device attached to a specific port on this switch.
Command Attributes
• Default Priority (see footnote 17) – The priority that is assigned to untagged frames received on the specified interface. (Range: 0-7; Default: 0)
• Number of Egress Traffic Classes – The number of queue buffers provided for each port.
Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply.
Figure 3-124 Port Priority Configuration
17. CLI displays this information as “Priority for untagged traffic.
CLI – This example assigns a default priority of 5 to port 3.
Mapping CoS Values to Egress Queues This switch processes Class of Service (CoS) priority tagged traffic by using four egress queues for each port, with service schedules based on strict or Weighted Round Robin (WRR). Up to eight separate traffic priorities are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown in the following table.
Web – Click Priority, Traffic Classes. The current mapping of CoS values to output queues is displayed. Assign priorities to the traffic classes (i.e., output queues), then click Apply.
Figure 3-125 Traffic Classes
CLI – The following example shows how to change the CoS assignments.
Selecting the Queue Mode You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue. Command Usage • Strict priority requires all traffic in a higher priority queue to be processed before lower priority queues are serviced.
Note: This switch does not allow the queue service weights to be set. The weights are fixed as 1, 2, 4, 8, for queues 0 through 3 respectively. Command Attributes • WRR Setting Table19 – Displays a list of weights for each traffic class (i.e., queue). • Weight Value – Set a new weight for the selected traffic class. (Range: 1-15) Web – Click Priority, Queue Scheduling.
Enabling IP DSCP Priority The switch allows you to enable or disable the IP DSCP priority. Command Attributes • IP DSCP Priority Status – The following options are: - Disabled – Disables the priority service. (Default Setting: Disabled) - IP DSCP – Maps layer 3/4 priorities using Differentiated Services Code Point Mapping. Web – Click Priority, IP DSCP Priority Status. Select IP DSCP from the drop down menu, then click Apply.
Mapping DSCP Priority The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors. The DSCP retains backward compatibility with the three precedence bits so that non-DSCP compliant devices will not conflict with the DSCP mapping. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding. The DSCP default values are defined in the following table. Note that all the DSCP values that are not specified are mapped to CoS value 0.
CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings.
Console(config)#map ip dscp
Console(config)#interface ethernet 1/1
Console(config-if)#map ip dscp 1 cos 0
Console(config-if)#end
Console#show map ip dscp ethernet 1/1
DSCP mapping status: disabled
 Port      DSCP  COS
 --------- ----  ---
 Eth 1/ 1     0    0
 Eth 1/ 1     1    0
 Eth 1/ 1     2    0
 Eth 1/ 1     3    0
 . . .
2. You should create a Class Map before creating a Policy Map. Otherwise, you will not be able to select a Class Map from the Policy Rule Settings screen (see page 3-236). Configuring Quality of Service Parameters To create a service policy for a specific category or ingress traffic, follow these steps: 1. Use the “Class Map” to designate a class name for a specific category of traffic. 2.
• Add Class – Opens the “Class Configuration” page. Enter a class name and description on this page, and click Add to open the “Match Class Settings” page. Enter the criteria used to classify ingress traffic on this page. • Remove Class – Removes the selected class. Class Configuration • Class Name – Name of the class map. (Range: 1-16 characters) • Type – Only one match command is permitted per class map, so the match-any field refers to the criteria specified by the lone match command.
Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class.
Figure 3-130 Configuring Class Maps
CLI – This example creates a class map called “rd_class,” and sets it to match packets marked for DSCP service value 3.
Console(config)#class-map rd_class match-any
Console(config-cmap)#match ip dscp 3
Console(config-cmap)#
Creating QoS Policies This function creates a policy map that can be attached to multiple interfaces. Command Usage • To configure a Policy Map, follow these steps: - Create a Class Map as described on page 3-231. - Open the Policy Map page, and click Add Policy. - When the Policy Configuration page opens, fill in the “Policy Name” field, and click Add. - When the Policy Rule Settings page opens, select a class name from the scroll-down list (Class Name field).
• Back – Returns to the previous page without making any changes. Policy Rule Settings - Class Settings • Class Name – Name of class map. • Action – Shows the service provided to ingress traffic by setting a CoS, DSCP, or IP Precedence value in a matching packet (as specified in Match Class Settings on page 3-231). • Meter – The maximum throughput and burst rate. - Rate (kbps) – Rate in kilobits per second. - Burst (byte) – Burst in bytes.
Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map click Add Policy. To configure the policy rule settings click Edit Classes.
Figure 3-131 Configuring Policy Maps
CLI – This example creates a policy map called “rd-policy,” sets the average bandwidth to 1 Mbps, the burst rate to 1522 bps, and the response to reduce the DSCP value for violating packets to 0.
CLI - This example applies a service policy to an ingress interface.
Console(config)#interface ethernet 1/5
Console(config-if)#service-policy input rd_policy#3
Console(config-if)#
VoIP Traffic Configuration
When IP telephony is deployed in an enterprise network, it is recommended to isolate the Voice over IP (VoIP) network traffic from other data traffic. Traffic isolation can provide higher voice quality by preventing excessive packet delays, packet loss, and jitter.
Web – Click QoS, VoIP Traffic Setting, Configuration. Enable Auto Detection, specify the Voice VLAN ID, then set the Voice VLAN Aging Time. Click Apply.
Figure 3-133 Configuring VoIP Traffic
CLI – This example enables VoIP traffic detection and specifies the Voice VLAN ID as 1234, then sets the VLAN aging time to 3000 seconds.
form the first three octets of a device MAC address. MAC address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device. • 802.1ab – Uses LLDP to discover VoIP devices attached to the port. LLDP checks that the “telephone bit” in the system capability TLV is turned on. See “Link Layer Discovery Protocol” on page 3-207 for more information on LLDP. • Priority – Defines a CoS priority for port traffic on the Voice VLAN.
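An added example (not the switch's code) tying together the LLDP material above: it decodes an LLDPDU TLV by TLV, resolves the Port ID subtype names of Table 3-17, rejects frames that would be counted as discarded or invalid (mandatory Chassis ID, Port ID and TTL TLVs missing or a truncated TLV), and applies the 802.1ab voice-detection rule by testing the telephone bit of the System Capabilities TLV. The sample LLDPDU, its MAC address and names are constructed; testing the capabilities "enabled" word rather than the "supported" word is an assumption the guide does not settle.

```python
import struct

# TLV types from IEEE 802.1AB
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESCR, TLV_SYS_NAME, TLV_SYS_DESCR, TLV_SYS_CAP = 4, 5, 6, 7

# Port ID subtypes (the "ID Basis" column of Table 3-17)
PORT_ID_SUBTYPE = {1: "interface alias", 2: "port component", 3: "MAC address",
                   4: "network address", 5: "interface name",
                   6: "agent circuit ID", 7: "locally assigned"}

# System capability bits (IEEE 802.1AB); bit 6 is the "telephone" capability
CAP_BRIDGE, CAP_TELEPHONE = 0x04, 0x20


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length in one 16-bit header, then the value."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(data):
    """Decode an LLDPDU into a dict; raise ValueError for frames a receiver would
    count under Frames Discarded / Frames Invalid (truncated TLV, mandatory TLVs
    missing or out of order)."""
    tlvs, off = [], 0
    while off + 2 <= len(data):
        hdr = struct.unpack("!H", data[off:off + 2])[0]
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = data[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        off += 2 + length
        if tlv_type == TLV_END:
            break
        tlvs.append((tlv_type, value))
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise ValueError("mandatory TLVs missing or out of order")
    info = {}
    for tlv_type, value in tlvs:
        if tlv_type == TLV_CHASSIS_ID:
            info["chassis_id"] = (value[0], value[1:])
        elif tlv_type == TLV_PORT_ID:
            info["port_id"] = (PORT_ID_SUBTYPE.get(value[0], "reserved"), value[1:])
        elif tlv_type == TLV_TTL:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == TLV_PORT_DESCR:
            info["port_description"] = value.decode("utf-8", "replace")
        elif tlv_type == TLV_SYS_NAME:
            info["system_name"] = value.decode("utf-8", "replace")
        elif tlv_type == TLV_SYS_CAP:
            info["cap_supported"], info["cap_enabled"] = struct.unpack("!HH", value)
    return info


def is_voip_device(info):
    """Voice VLAN auto-detection rule from the text: the telephone bit is on."""
    return bool(info.get("cap_enabled", 0) & CAP_TELEPHONE)


# Constructed LLDPDU as an IP phone might send it (MAC address and names are made up).
SAMPLE_LLDPDU = (
    tlv(TLV_CHASSIS_ID, b"\x04" + bytes.fromhex("0011223344aa"))  # subtype 4: MAC address
    + tlv(TLV_PORT_ID, b"\x05" + b"port1")                         # subtype 5: interface name
    + tlv(TLV_TTL, struct.pack("!H", 120))
    + tlv(TLV_SYS_NAME, b"example-phone")
    + tlv(TLV_SYS_CAP, struct.pack("!HH", CAP_BRIDGE | CAP_TELEPHONE, CAP_TELEPHONE))
    + tlv(TLV_END, b"")
)

if __name__ == "__main__":
    neighbor = parse_lldpdu(SAMPLE_LLDPDU)
    print(neighbor["system_name"], neighbor["port_id"], "voip:", is_voip_device(neighbor))
```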
CLI – This example configures VoIP traffic settings for port 2 and displays the current Voice VLAN status.
Web – Click QoS, VoIP Traffic Setting, OUI Configuration. Enter a MAC address that specifies the OUI for VoIP devices in the network. Select a mask from the pull-down list to define a MAC address range. Enter a description for the devices, then click Add.
Multicast Filtering Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/router.
Layer 2 IGMP (Snooping and Query) IGMP Snooping and Query – If multicast routing is not supported on other switches in your network, you can use IGMP Snooping and Query (page 3-245) to monitor IGMP service requests passing between multicast clients and servers, and dynamically configure the switch ports which need to forward multicast traffic. When using IGMPv3 snooping, service requests from IGMP Version 1, 2 or 3 hosts are all forwarded to the upstream router as IGMPv3 reports.
Configuring IGMP Snooping and Query Parameters You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic. This prevents the switch from broadcasting the traffic to all ports and possibly disrupting network performance.
• IGMP Version — Sets the protocol version for compatibility with other devices on the network. (Range: 1-3; Default: 2) Notes: 1. All systems on the subnet must support the same version. 2. Some attributes are only enabled for IGMPv2 and/or v3, including Act as IGMP Querier, IGMP Report Delay and IGMP Query Timeout. Web – Click IGMP Snooping, IGMP Configuration. Adjust the IGMP settings as required, and then click Apply. (The default settings are shown below.
Enabling IGMP Immediate Leave The switch can be configured to immediately delete a member port of a multicast service if a leave packet is received at that port and the immediate-leave function is enabled for the parent VLAN. This allows the switch to remove a port from the multicast forwarding table without first having to send an IGMP group-specific query to that interface.
CLI – This example enables IGMP immediate leave for VLAN 1 and then displays the current IGMP snooping status.
CLI – This example shows that Port 11 has been statically configured as a port attached to a multicast router.
Console#show ip igmp snooping mrouter vlan 1
 VLAN M'cast Router Port  Type
 ---- ------------------  ------
    1 Eth 1/11            Static
Console#
Specifying Static Interfaces for a Multicast Router
Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier.
Displaying Port Members of Multicast Services You can display the port members associated with a specified VLAN and multicast service. Command Attributes • VLAN ID – Selects the VLAN for which to display port members. (Range: 1-4094) • Multicast IP Address – The IP address for a specific multicast service. • Multicast Group Port List – Shows the interfaces that have already been assigned to the selected VLAN to propagate a specific multicast service.
Assigning Ports to Multicast Services Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages as described in “Configuring IGMP Snooping and Query Parameters” on page 3-133. For certain applications that require tighter control, you may need to statically configure a multicast service on the switch. First add all the ports attached to participating hosts to a common VLAN, and then assign the multicast service to that VLAN group.
CLI – This example assigns a multicast address to VLAN 1, and then displays all the known multicast services supported on VLAN 1.
Console(config)#ip igmp snooping vlan 1 static 224.1.1.12 ethernet 1/12
Console(config)#exit
Console#show mac-address-table multicast vlan 1
 VLAN M'cast IP addr.  Member ports  Type
 ---- ---------------  ------------  ------
    1 224.1.1.12       Eth1/12       USER
    1 224.1.2.
Web – Click IGMP Snooping, IGMP Filter Configuration. Create a profile group by entering a number in the text box and clicking Add. Enable the IGMP filter status, then click Apply.
Figure 3-142 Enabling IGMP Filtering and Throttling
CLI – This example enables IGMP filtering and creates a profile number. It then displays the current status and the existing profile numbers.
• Access Mode – Sets the access mode of the profile; either permit or deny. (Default: Deny) • New Multicast Address Range List – Specifies multicast groups to include in the profile. Specify a multicast group range by entering a start and end IP address. Specify a single multicast group by entering the same IP address for the start and end of the range. Click the Add button to add a range to the current list. • Current Multicast Address Range List – Lists multicast groups currently included in the profile.
Configuring IGMP Filtering and Throttling for Interfaces Once you have configured IGMP profiles, you can assign them to interfaces on the switch. Also you can set the IGMP throttling number to limit the number of multicast groups an interface can join at the same time. Command Usage • Only one profile can be assigned to an interface. • An IGMP profile or throttling setting can also be applied to a trunk interface.
Web – Click IGMP Snooping, IGMP Filter/Throttling Port Configuration or IGMP Filter/Throttling Trunk Configuration. Select a profile to assign to an interface, then set the throttling number and action. Click Apply.
Figure 3-144 IGMP Filter and Throttling Port Configuration
CLI – This example assigns IGMP profile number 19 to port 1, and then sets the throttling number and action. The current IGMP filtering and throttling settings for the interface are then displayed.
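The profile and throttling behaviour of the preceding two sections as an added model (illustration code, not the switch's implementation): a profile with an access mode and multicast ranges decides whether a join is allowed, and a per-interface throttling number caps the groups joined at once. Profile number 19 on port 1 comes from the guide's example; the deny range, the limit of 2, the rule that groups outside the list get the opposite of the access mode, and the action names "deny" and "replace" are assumptions.

```python
import ipaddress


class IgmpProfile:
    """An IGMP filter profile: an access mode plus a list of multicast group ranges."""

    def __init__(self, number, access_mode="deny"):
        if access_mode not in ("permit", "deny"):
            raise ValueError("access mode must be permit or deny")
        self.number, self.access_mode, self.ranges = number, access_mode, []

    def add_range(self, start, end):
        """Add a start/end range; a single group is added with start == end."""
        lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if not (lo.is_multicast and hi.is_multicast and lo <= hi):
            raise ValueError("range must be ascending multicast addresses")
        self.ranges.append((lo, hi))

    def permits(self, group):
        """Groups inside the ranges get the profile's access mode; everything else
        gets the opposite treatment (assumed semantics)."""
        addr = ipaddress.IPv4Address(group)
        in_list = any(lo <= addr <= hi for lo, hi in self.ranges)
        return in_list if self.access_mode == "permit" else not in_list


class InterfaceIgmpFilter:
    """One profile per interface plus a throttling limit on concurrent groups."""

    def __init__(self, profile=None, max_groups=None, action="deny"):
        if action not in ("deny", "replace"):  # action names are assumptions
            raise ValueError("unknown throttling action")
        self.profile, self.max_groups, self.action = profile, max_groups, action
        self.groups = []  # joined groups, oldest first

    def join(self, group):
        """Process an IGMP report for `group`; returns (accepted, reason)."""
        if self.profile is not None and not self.profile.permits(group):
            return False, f"filtered by profile {self.profile.number}"
        if group in self.groups:
            return True, "already joined"
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return False, "throttled: group limit reached"
            evicted = self.groups.pop(0)  # replace: drop the oldest group
            self.groups.append(group)
            return True, f"throttled: replaced {evicted}"
        self.groups.append(group)
        return True, "joined"

    def leave(self, group):
        if group in self.groups:
            self.groups.remove(group)


def port1_example():
    """Profile 19 assigned to port 1 as in the guide; range and limit are assumed."""
    profile = IgmpProfile(19, "deny")
    profile.add_range("239.1.1.1", "239.1.1.10")
    return InterfaceIgmpFilter(profile, max_groups=2, action="deny")


if __name__ == "__main__":
    port1 = port1_example()
    for group in ("239.1.1.5", "239.2.0.1", "239.2.0.2", "239.2.0.3"):
        print(group, port1.join(group))
```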
Multicast VLAN Registration Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all attached subscribers. This protocol can significantly reduce the processing overhead required to dynamically monitor and establish the distribution tree for a normal multicast VLAN.
Configuring Global MVR Settings The global settings for Multicast VLAN Registration (MVR) include enabling or disabling MVR for the switch, selecting the VLAN that will serve as the sole channel for common multicast streams supported by the service provider, and assigning the multicast group address for each of these services to the MVR VLAN. Command Usage IGMP snooping and MVR share a maximum number of 255 groups.
Web – Click MVR, Configuration. Enable MVR globally on the switch, select the MVR VLAN, add the multicast groups that will stream traffic to attached hosts, and then click Apply.
Figure 3-145 MVR Global Configuration
CLI – This example first enables IGMP snooping, enables MVR globally, and then configures a range of MVR group addresses.
Console(config)#ip igmp snooping
Console(config)#mvr
Console(config)#mvr group 228.1.23.
Web – Click MVR, Port or Trunk Information.
Figure 3-146 MVR Port Information
CLI – This example shows information about interfaces attached to the MVR VLAN.
Console#show mvr interface
 Port     Type      Status        Immediate Leave
 -------  --------  ------------  ---------------
 eth1/1   SOURCE    ACTIVE/UP     Disable
 eth1/2   RECEIVER  ACTIVE/UP     Disable
Console#
Displaying Port Members of Multicast Groups
You can display the multicast groups assigned to the MVR VLAN either through IGMP snooping or static configuration.
Web – Click MVR, Group IP Information.
Figure 3-147 MVR Group IP Information
CLI – This example shows information about the interfaces associated with multicast groups assigned to the MVR VLAN.
Console#show mvr
 MVR Group IP
 ---------------
 225.0.0.1
 225.0.0.2
 225.0.0.3
 225.0.0.4
 225.0.0.5
 225.0.0.6
 225.0.0.7
 225.0.0.8
 225.0.0.9
 225.0.0.
Configuring MVR Interface Status Each interface that participates in the MVR VLAN must be configured as an MVR source port or receiver port. If only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function. Command Usage • A port which is not configured as an MVR receiver or source port can use IGMP snooping to join or leave multicast groups using the standard rules for multicast filtering.
• Immediate Leave – Configures the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. (This option only applies to an interface configured as an MVR receiver.)
• Trunk21 – Shows if port is a trunk member.
Web – Click MVR, Port or Trunk Configuration.
Figure 3-148 MVR Port Configuration
CLI – This example configures an MVR source port and receiver port, and then enables immediate leave on the receiver port.
Command Attributes • Interface – Indicates a port or trunk. • Member – Shows the IP addresses for MVR multicast groups which have been statically assigned to the selected interface. • Non-Member – Shows the IP addresses for all MVR multicast groups which have not been statically assigned to the selected interface. Web – Click MVR, Group Member Configuration. Select a port or trunk from the “Interface” field, and click Query to display the assigned multicast groups.
Configuring MVR Receiver VLAN and Group Addresses Multicast traffic forwarded to subscribers is normally stripped of frame tags to prevent hosts from discovering the identity of the MVR VLAN. An MVR Receiver VLAN and the multicast services supported by this VLAN can be configured to hide the MVR VLAN, while allowing multicast traffic with frame tags to be forwarded to subscribers.
Displaying MVR Receiver Groups Interfaces assigned to the MVR receiver groups can be displayed using the Receiver Group IP Information page. Field Attributes • Group IP Address – Multicast groups assigned to the MVR Receiver VLAN. • Group Port List – Interfaces with subscribers for multicast services provided through the MVR Receiver VLAN. Web – Click MVR, Receiver Group IP Information.
Configuring Static MVR Receiver Group Members You can statically assign a multicast receiver group to the selected interface using the Receiver Group Member Configuration page. Field Attributes • Interface – Indicates a port or trunk. • Group Address List – Multicast receiver groups assigned to the selected interface.
Switch Clustering Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network. Command Usage • A switch cluster has a “Commander” unit that is used to manage all other “Member” switches in the cluster.
• Cluster IP Pool – An “internal” IP address pool that is used to assign IP addresses to Member switches in the cluster. Internal cluster IP addresses are in the form 10.x.x.member-ID. Only the base IP address of the pool needs to be set since Member IDs can only be between 1 and 36. Note that you cannot change the cluster IP pool when the switch is currently in Commander mode. Commander mode must first be disabled. (Default: 10.254.254.
Configuring Cluster Members Use the Member Configuration page to add Candidate switches to the cluster as Members. Command Attributes • Member ID – Specify a Member ID number for the selected Candidate switch. (Range: 1-36) • MAC Address – Select a discovered switch MAC address from the Candidate Table, or enter a specific MAC address of a known switch. Web – Click Cluster, Member Configuration.
Displaying Information on Cluster Members
Use the Cluster Member Information page to display information on current cluster Member switches.
Command Attributes
• Member ID – The ID number of the Member switch. (Range: 1-36)
• Role – Indicates the current status of the switch in the cluster.
• IP Address – The internal cluster IP address assigned to the Member switch.
• MAC Address – The MAC address of the Member switch.
• Description – The system description string of the Member switch.
Displaying Information on Cluster Candidates Use the Cluster Candidate Information page to display information about discovered switches in the network that are already cluster Members or are available to become cluster Members. Command Attributes • Role – Indicates the current status of Candidate switches in the network. • MAC Address – The MAC address of the Candidate switch. • Description – The system description string of the Candidate switch. Web – Click Cluster, Candidate Information.
Once a control point has discovered a device its next step is to learn more about the device and its capabilities by retrieving the device's description from the URL provided by the device in the discovery message. After a control point has retrieved a description of the device, it can send actions to the device’s service. To do this, a control point sends a suitable control message to the control URL for the service (provided in the device description).
Web – Click UPNP, Configuration and enter the desired variables.

Figure 3-158 UPnP Configuration

CLI – This example enables UPnP, sets the device advertise duration to 200 seconds, the device TTL to 6, and displays information about basic UPnP configuration.
Chapter 4: Command Line Interface

This chapter describes how to use the Command Line Interface (CLI).

Using the Command Line Interface

Accessing the CLI
When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt. Using the switch's command-line interface (CLI) is very similar to entering commands on a UNIX system.
Telnet Connection Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network portion and host portion. For example, the IP address assigned to this switch, 10.1.0.1, with subnet mask 255.255.255.0, consists of a network portion (10.1.0) and a host portion (1).
Entering Commands

This section describes how to enter CLI commands.

Keywords and Arguments
A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.

You can enter commands as follows:
• To enter a simple command, enter the command keyword.
Showing Commands
If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line or VLAN Database). You can also display a list of valid keywords for a specific command.
  version      System hardware and software versions
  vlan         Virtual LAN settings
  voice        Shows the voice VLAN information
  web-auth     Shows web authentication configuration
Console#show

The command “show interfaces ?” will display the following information:

Console#show interfaces ?
  counters     Interface counters information
  status       Interface status information
  switchport   Interface switchport information
Console#show interfaces

Partial Keyword Lookup
If you terminate a partial keyword with a question mark, alternatives th
Understanding Command Modes
The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters. Configuration commands, on the other hand, modify interface parameters or enable certain switching functions. These classes are further divided into different modes. Available commands depend on the selected mode.
Username: guest
Password: [guest login password]

CLI session with the 24 port 10/100 Managed Layer 2 Switch with 4 x Gigabit Combo ports is opened.
To end the CLI session, enter [Exit].

Console>enable
Password: [privileged level password]
Console#

Configuration Commands
Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted.
To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode.
Command Line Processing
Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?” character to display a list of possible matches.
Command Groups
The system commands can be broken down into the functional groups shown below.
Table 4-4 Command Groups (Continued)
Command Group        Description                                                                                                              Page
Multicast Filtering  Configures IGMP multicast filtering, query parameters, specifies ports attached to a multicast router, and enables multicast VLAN registration   4-313
IP Interface         Configures IP address for the switch                                                                                     4-338

The access mode shown in the following tables is indicated by these abbreviations:
ACL (Access Control List Configuration)
CM (Class Map Configuration)
GC (Global Configuration)
IC (Interface Configuration)
LC
enable
This command activates Privileged Exec mode. In privileged mode, additional commands are available, and certain commands display additional information. See “Understanding Command Modes” on page 4-6.

Syntax
enable [level]
level - Privilege level to log into the device. The device has two predefined privilege levels: 0: Normal Exec, 15: Privileged Exec. Enter level 15 to access Privileged Exec mode.
Command Usage
The “>” character is appended to the end of the prompt to indicate that the system is in normal access mode.

Example
Console#disable
Console>

Related Commands
enable (4-12)

configure
This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch.
Example
In this example, the show history command lists the contents of the command history buffer:

Console#show history
Execution command history:
 2 config
 1 show history

Configuration command history:
 4 interface vlan 1
 3 exit
 2 interface vlan 1
 1 end
Console#

The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the configuration modes.
Command Usage
This command resets the entire system. The switch will wait the designated amount of time before resetting. If a delayed reset has already been scheduled, then the newly configured reset will overwrite the original delay configuration. The configured delay time cannot exceed 24 days (576 hours, or 34560 minutes). If no time is specified, then the switch will reboot immediately.
Command Mode
Global Configuration

Example
Console(config)#prompt RD2
RD2(config)#

end
This command returns to Privileged Exec mode.

Default Setting
None

Command Mode
Global Configuration, Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration.
quit
This command exits the configuration program.

Default Setting
None

Command Mode
Normal Exec, Privileged Exec

Command Usage
The quit and exit commands can both exit the configuration program.
Table 4-6 System Management Commands (Continued)
Command Group   Function                                      Page
Web Server      Enables management access via a web browser   4-121
Telnet Server   Enables management access via Telnet          4-124
Secure Shell    Provides secure replacement for Telnet        4-125

Device Designation Commands

Table 4-7 Device Designation Commands
Command              Function                                       Mode   Page
prompt               Customizes the prompt used in PE and NE mode   GC     4-15
hostname             Specifies the host name for the switch         GC     4-18
snmp-server contact  Sets th
Banner Information Commands

These commands are used to configure and manage administrative information about the switch, its exact data center location, details of the electrical and network circuits that supply the switch, as well as contact information for the network administrator and system manager. This information is only available via the CLI and is automatically displayed before login as soon as a console or telnet connection has been established.
Command Usage
The administrator can batch-input all details for the switch with one command. When the administrator finishes typing the company name and presses the enter key, the script prompts for the next piece of information, and so on, until all information has been entered. Pressing enter without inputting information at any prompt during the script’s operation will leave the field empty. Spaces can be used during script mode because pressing the enter key signifies the end of data input.
banner configure company
This command is used to configure company information displayed in the banner. Use the no form to restore the default setting.

Syntax
banner configure company name
no banner configure company
name - The name of the company. (Maximum length: 32 characters)

Default Setting
None

Command Mode
Global Configuration

Command Usage
Input strings cannot contain spaces. The banner configure company command interprets spaces as data input boundaries.
Command Usage
Input strings cannot contain spaces. The banner configure dc-power-info command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.

Example
Console(config)#banner configure dc-power-info floor 3 row 15 rack 24 electrical-circuit 48v-id_3.15.24.
banner configure equipment-info
This command is used to configure the equipment information displayed in the banner. Use the no form to restore the default setting.

Syntax
banner configure equipment-info manufacturer-id mfr-id floor floor-id row row-id rack rack-id shelf-rack sr-id manufacturer mfr-name
no banner configure equipment-info [floor | manufacturer | manufacturer-id | rack | row | shelf-rack]
• mfr-id - The name of the device model number.
• floor-id - The floor number.
Default Setting
None

Command Mode
Global Configuration

Command Usage
Input strings cannot contain spaces. The banner configure equipment-location command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
banner configure lp-number
This command is used to configure the LP number information displayed in the banner. Use the no form to restore the default setting.

Syntax
banner configure lp-number lp-num
no banner configure lp-number
lp-num - The LP number. (Maximum length: 32 characters)

Default Setting
None

Command Mode
Global Configuration

Command Usage
Input strings cannot contain spaces. The banner configure lp-number command interprets spaces as data input boundaries.
Command Mode
Global Configuration

Command Usage
Maximum string length for each command attribute is 32 characters. The banner configure manager-info command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
banner configure note
This command is used to configure the note displayed in the banner. Use the no form to restore the default setting.

Syntax
banner configure note note-info
no banner configure note
note-info - Miscellaneous information that does not fit the other banner categories, or any other information of importance to users of the switch CLI. (Maximum length: 150 characters)

Default Setting
None

Command Mode
Global Configuration

Command Usage
Input strings cannot contain spaces.
Example
Console#show banner
SIGNAMAX_LLC.
WARNING - MONITORED ACTIONS AND ACCESSES
R&D
Albert_Einstein - 123-555-1212
Lamar - 123-555-1219

Station's information:
710_Network_Path,_Indianapolis
SIGNAMAX_LLC. - 2852SIGNAMAX-PoE
Floor / Row / Rack / Sub-Rack
3 / 10 / 15 / 12

DC power supply:
Power Source A: Floor / Row / Rack / Electrical circuit
3 / 15 / 24 / 48v-id_3.15.24.2

Number of LP: 12
Position MUX: telco-8734212kx_PVC-1/23
IP LAN: 192.168.1.1/255.255.255.
Command Usage
• Use this command in conjunction with the show running-config command to compare the information in running memory to the information stored in non-volatile memory.
• This command displays settings for key command modes. Each mode group is separated by “!” symbols, and includes the configuration mode command, and corresponding commands. This command displays the following information:
  - Switch’s MAC address
  - SNTP and NTP server settings
  - 802.
Example
Console#show startup-config
building startup-config, please wait...
!00
!01_00-16-b6-f0-6f-fd_00
!
phymap 00-16-b6-f0-6f-fd
!
sntp server 0.0.0.0 0.0.0.0 0.0.0.
show running-config
This command displays the configuration information currently in use.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
• Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.
• This command displays settings for key command modes. Each mode group is separated by “!” symbols, and includes the configuration mode command, and corresponding commands.
Example
Console#show startup-config
building startup-config, please wait...
!00
!01_00-16-b6-f0-6f-fd_00
!
phymap 00-16-b6-f0-6f-fd
!
sntp server 0.0.0.0 0.0.0.0 0.0.0.
show system
This command displays system information.

Command Mode
Normal Exec, Privileged Exec

Command Usage
• For a description of the items shown by this command, refer to “Displaying System Information” on page 3-12.
• The POST results should all display “PASS.” If any POST test indicates “FAIL,” contact your distributor for assistance.

Example
Console#show system
System Description: 24 port 10/100 Managed Layer 2 Switch with 4 x Gigabit Combo ports
System OID String: 1.3.6.1.4.1.259.6.10.
Example
Console#show users
Username accounts:
  Username  Privilege  Public-Key
  --------  ---------  ----------
  admin     15         None
  guest     0          None
  steve     15         RSA

Online users:
  Line         Username  Idle time (h:m:s)  Remote IP addr.
  -----------  --------  -----------------  ---------------
  0 console    admin     0:14:14            *
  1 VTY 0      admin     0:00:00            192.168.1.19
  2 SSH 1      steve     0:00:06            192.168.1.19

Web online users:
  Line         Remote IP addr  Username  Idle time (h:m:s).
  -----------  --------------  --------  ------------------
  1 HTTP       192.168.1.
Frame Size Commands

This section describes commands used to configure the Ethernet frame size on the switch.

Table 4-10 Frame Size Commands
Command       Function                           Mode   Page
jumbo frame   Enables support for jumbo frames   GC     4-35

jumbo frame
This command enables support for jumbo frames. Use the no form to disable it.
File Management Commands

Managing Firmware
Firmware can be uploaded and downloaded to or from a TFTP server. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous version.
• startup-config - The configuration used for system initialization.
• tftp - Keyword that allows you to copy to/from a TFTP server.
• https-certificate - Copies an HTTPS certificate from a TFTP server to the switch.
• public-key - Keyword that allows you to copy an SSH key from a TFTP server. (“Secure Shell Commands” on page 4-125)

Default Setting
None

Command Mode
Privileged Exec

Command Usage
• The system prompts for data required to complete the copy command.
The following example shows how to upload the configuration settings to a file on the TFTP server:

Console#copy file tftp
Choose file type:
 1. config: 2. opcode: <1-2>: 1
Source file name: startup
TFTP server ip address: 10.1.0.99
Destination file name: startup.01
TFTP completed.
Success.
Console#

The following example shows how to copy the running configuration to a startup file.

Console#copy running-config file
destination file name: startup
Write to FLASH Programming.
\Write to FLASH finish.
Success.
This example shows how to copy a public-key used by SSH from a TFTP server. Note that public key authentication via SSH is only supported for users configured locally on the switch:

Console#copy tftp public-key
TFTP server IP address: 192.168.1.19
Choose public key type:
 1. RSA: 2. DSA: <1-2>: 1
Source file name: steve.pub
Username: steve
TFTP Download
Success.
Write to FLASH Programming.
Success.
Console#

delete
This command deletes a file or image.
dir
This command displays a list of files in flash memory.

Syntax
dir {{boot-rom: | config: | opcode:} [:filename]}
The type of file or image to display includes:
• boot-rom - Boot ROM (or diagnostic) image file.
• config - Switch configuration file.
• opcode - Run-time operation code image file.
• filename - Name of the configuration file or code image.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
• If you enter the command dir without any parameters, the system displays all files.
whichboot
This command displays which files were booted when the system powered up.

Command Mode
Privileged Exec

Example
This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.

Console#whichboot
File name                         File type        Startup  Size (byte)
--------------------------------  ---------------  -------  -----------
Unit1:
  065-7729_diag_V1.0.0.8.bix      Boot-Rom Image   Y
  065-7729_runtime_V1.1.3.4.
Related Commands
dir (4-40)
whichboot (4-41)

Line Commands

You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
Default Setting
There is no default line.

Command Mode
Global Configuration

Command Usage
Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users. However, the serial communication parameters (e.g., databits) do not affect Telnet connections.
  - no login selects no authentication. When using this method, the management interface starts in Normal Exec (NE) mode.
• This command controls login authentication via the switch itself. To configure user names and passwords for remote authentication servers, you must use the RADIUS or TACACS software installed on those servers.

Example
Console(config-line)#login local
Console(config-line)#

Related Commands
username (4-99)
password (4-44)

password
This command specifies the password for a line.
Related Commands
login (4-43)
password-thresh (4-46)

timeout login response
This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default.

Syntax
timeout login response [seconds]
no timeout login response
seconds - Integer that specifies the timeout interval.
exec-timeout
This command sets the interval that the system waits until user input is detected. Use the no form to restore the default.

Syntax
exec-timeout [seconds]
no exec-timeout
seconds - Integer that specifies the number of seconds. (Range: 0-65535 seconds; 0: no timeout)

Default Setting
CLI: No timeout
Telnet: 10 minutes

Command Mode
Line Configuration

Command Usage
• If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated.
Command Mode
Line Configuration

Command Usage
• When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time before allowing the next logon attempt. (Use the silent-time command to set this interval.) When this threshold is reached for Telnet, the Telnet logon interface shuts down.
• This command applies to both the local console and Telnet connections.
databits
This command sets the number of data bits per character that are interpreted and generated by the console port. Use the no form to restore the default value.

Syntax
databits {7 | 8}
no databits
• 7 - Seven data bits per character.
• 8 - Eight data bits per character.

Default Setting
8 data bits per character

Command Mode
Line Configuration

Command Usage
The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity.
Command Usage
Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting.

Example
To specify no parity, enter this command:
Console(config-line)#parity none
Console(config-line)#

speed
This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting.

Syntax
speed bps
no speed
bps - Baud rate in bits per second.
Default Setting
1 stop bit

Command Mode
Line Configuration

Example
To specify 2 stop bits, enter this command:
Console(config-line)#stopbits 2
Console(config-line)#

disconnect
This command terminates an SSH, Telnet, or console connection.

Syntax
disconnect session-id
session-id – The session identifier for an SSH, Telnet or console connection. (Range: 0-4)

Command Mode
Privileged Exec

Command Usage
Specifying session identifier “0” will disconnect the console connection.
Command Mode
Normal Exec, Privileged Exec

Example
To show all lines, enter this command:

Console#show line
Console configuration:
 Password threshold: 3 times
 Interactive timeout: Disabled
 Login timeout: Disabled
 Silent time: Disabled
 Baudrate: 9600
 Databits: 8
 Parity: none
 Stopbits: 1
VTY configuration:
 Password threshold: 3 times
 Interactive timeout: 600 sec
 Login timeout: 300 sec
console#

Event Logging Commands

This section describes commands used to configure event logging on the switch.
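The show line output above is the quickest way to see whether a console or Telnet line can be left open indefinitely (the exec-timeout default for the console is no timeout). The following added example, not part of the Signamax guide, parses that output and flags lines with no interactive timeout, no login timeout or no silent time; the maximum-timeout thresholds are the example's own assumptions.

```python
import re

# Constructed sample: the "show line" output as printed in this chapter.
SHOW_LINE_OUTPUT = """\
Console#show line
Console configuration:
 Password threshold: 3 times
 Interactive timeout: Disabled
 Login timeout: Disabled
 Silent time: Disabled
 Baudrate: 9600
 Databits: 8
 Parity: none
 Stopbits: 1
VTY configuration:
 Password threshold: 3 times
 Interactive timeout: 600 sec
 Login timeout: 300 sec
console#
"""


def parse_show_line(text):
    """Return {"Console": {...}, "VTY": {...}} mapping each setting name to its value."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        heading = re.match(r"^(\w+) configuration:$", line)
        if heading:
            current = heading.group(1)
            sections[current] = {}
            continue
        if current is None or ":" not in line:
            continue  # prompt lines and anything before the first section
        key, _, value = line.partition(":")
        sections[current][key.strip()] = value.strip()
    return sections


def seconds(value):
    """'600 sec' -> 600; 'Disabled' (or any non-numeric value) -> None."""
    m = re.match(r"^(\d+)\s*sec$", value)
    return int(m.group(1)) if m else None


def audit_lines(sections, max_exec_timeout=600, max_login_timeout=300):
    """Flag line settings that leave a session or a half-finished login open without limit.
    The two thresholds are this example's assumptions, not values from the manual."""
    findings = []
    for name, cfg in sections.items():
        exec_t = seconds(cfg.get("Interactive timeout", "Disabled"))
        if exec_t is None:
            findings.append(f"{name}: exec-timeout disabled, idle sessions are never closed")
        elif exec_t > max_exec_timeout:
            findings.append(f"{name}: exec-timeout {exec_t}s exceeds {max_exec_timeout}s")
        login_t = seconds(cfg.get("Login timeout", "Disabled"))
        if login_t is None:
            findings.append(f"{name}: login timeout disabled, an unfinished login holds the line")
        elif login_t > max_login_timeout:
            findings.append(f"{name}: login timeout {login_t}s exceeds {max_login_timeout}s")
        # Silent time is only listed for lines that support it (the console here).
        if cfg.get("Silent time") == "Disabled":
            findings.append(f"{name}: silent-time disabled, no quiet period after the password threshold")
    return findings


if __name__ == "__main__":
    for finding in audit_lines(parse_show_line(SHOW_LINE_OUTPUT)):
        print(finding)
```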
logging on
This command controls logging of error messages, sending debug or error messages to switch memory. The no form disables the logging process.

Syntax
[no] logging on

Default Setting
None

Command Mode
Global Configuration

Command Usage
The logging process controls error messages saved to switch memory or sent to remote syslog servers. You can use the logging history command to control the type of error messages that are stored in memory.
• level - One of the levels listed below. Messages sent include the selected level down to level 0. (Range: 0-7)

Table 4-15 Logging Levels
Level   Severity Name   Description
7       debugging       Debugging messages
6       informational   Informational messages only
5       notifications   Normal but significant condition, such as cold start
4       warnings        Warning conditions (e.g., return false, unexpected return)
3       errors          Error conditions (e.g., invalid input, default used)
2       critical        Critical conditions (e.g.
Command Usage
• Use this command more than once to build up a list of host IP addresses.
• The maximum number of host IP addresses allowed is five.

Example
Console(config)#logging host 10.1.0.3
Console(config)#

logging facility
This command sets the facility type for remote logging of syslog messages. Use the no form to return the type to the default.

Syntax
[no] logging facility type
type - A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service.
Default Setting
• Enabled
• Level 7 - 0

Command Mode
Global Configuration

Command Usage
• Using this command with a specified level enables remote logging and sets the minimum severity level to be saved.
• Using this command without a specified level also enables remote logging, but restores the minimum severity level to the default.

Example
Console(config)#logging trap 4
Console(config)#

clear log
This command clears messages from the log buffer.
show logging
This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server.

Syntax
show logging {flash | ram | sendmail | trap}
• flash - Displays settings for storing event messages in flash memory (i.e., permanent memory).
• ram - Displays settings for storing event messages in temporary RAM (i.e., memory flushed on power reset).
• sendmail - Displays settings for the SMTP event handler (page 4-61).
The following example displays settings for the trap function.

Console#show logging trap
Syslog logging: Enable
REMOTELOG status: disable
REMOTELOG facility type: local use 7
REMOTELOG level type: Debugging messages
REMOTELOG server IP address: 1.2.3.4
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.0
REMOTELOG server IP address: 0.0.0.
Command Usage
This command shows the system and event messages stored in memory, including the time stamp, message level (page 4-52), program module, function, and event number.

Example
The following example shows sample messages stored in RAM.

Console#show log ram
[5] 00:01:06 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1, and
[4] 00:01:00 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1, and
[3] 00:00:54 2001-01-01 "STA root change notification.
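The level semantics used by logging trap and logging sendmail level (the selected level down to level 0) decide which of these stored entries ever reach a syslog server or an e-mail recipient. This added example, not part of the Signamax guide, parses show log ram entries in the layout shown above and applies that threshold; the two non-STA entries in the sample are constructed, and the parser ignores whatever follows the function field, which the manual's example cuts off.

```python
import re
from collections import Counter

# Severity names from Table 4-15 of this chapter. The excerpt stops at level 2,
# so levels 1 and 0 are reported by number only.
LEVEL_NAMES = {7: "debugging", 6: "informational", 5: "notifications",
               4: "warnings", 3: "errors", 2: "critical"}

# Constructed sample in the layout of "show log ram": the three STA entries from
# the manual plus two constructed entries at other levels.
SHOW_LOG_RAM = '''\
Console#show log ram
[5] 00:01:06 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1, and
[4] 00:01:00 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1, and
[3] 00:00:54 2001-01-01 "STA root change notification." level: 6, module: 6, function: 1, and
[2] 00:00:40 2001-01-01 "Constructed: invalid input, default used." level: 3, module: 9, function: 2, and
[1] 00:00:10 2001-01-01 "Constructed: debug trace." level: 7, module: 1, function: 4, and
Console#
'''

# Index, time stamp, quoted message, level, module and function; the trailing
# text after the function field is not captured.
ENTRY_RE = re.compile(
    r'^\[(?P<idx>\d+)\]\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<date>\d{4}-\d\d-\d\d)\s+'
    r'"(?P<msg>.*?)"\s+level:\s*(?P<level>\d),\s*module:\s*(?P<module>\d+),'
    r'\s*function:\s*(?P<function>\d+)'
)


def parse_show_log(text):
    """Return one dict per log entry, newest first as the switch prints them."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # prompt lines and anything not shaped like an entry
        d = m.groupdict()
        for key in ("idx", "level", "module", "function"):
            d[key] = int(d[key])
        d["severity"] = LEVEL_NAMES.get(d["level"], str(d["level"]))
        entries.append(d)
    return entries


def forwarded_at(entries, level):
    """Entries a syslog server (logging trap N) or SMTP recipient (logging sendmail
    level N) would receive: the selected level and everything more severe, down to 0."""
    if not 0 <= level <= 7:
        raise ValueError("level must be 0-7")
    return [e for e in entries if e["level"] <= level]


def count_by_severity(entries):
    """Histogram of severity names, useful for spotting a flood of one message type."""
    return Counter(e["severity"] for e in entries)


if __name__ == "__main__":
    entries = parse_show_log(SHOW_LOG_RAM)
    print(count_by_severity(entries))
    for e in forwarded_at(entries, 4):  # the manual's "logging trap 4" example
        print(e["idx"], e["severity"], e["msg"])
```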
logging sendmail host
This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server.

Syntax
[no] logging sendmail host ip_address
ip_address - IP address of an SMTP server that will be sent alert messages for event handling.

Default Setting
None

Command Mode
Global Configuration

Command Usage
• You can specify up to three SMTP servers for event handling. However, you must enter a separate command to specify each server.
Command Usage
The specified level indicates an event threshold. All events at this level or higher will be sent to the configured email recipients. (For example, using Level 7 will report all events from level 7 to level 0.)

Example
This example will send email alerts for system errors from level 4 through 0.
Console(config)#logging sendmail level 4
Console(config)#

logging sendmail source-email
This command sets the email address used for the “From” field in alert messages.
Command Mode
Global Configuration

Command Usage
You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient.

Example
Console(config)#logging sendmail destination-email ted@this-company.com
Console(config)#

logging sendmail
This command enables SMTP event handling. Use the no form to disable this function.
Time Commands

The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
• The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan. 1, 2001).
• This command enables client time requests to time servers specified via the sntp servers command. It issues time synchronization requests based on the interval set via the sntp poll command.
Command Mode
Global Configuration

Command Usage
This command specifies time servers from which the switch will poll for time updates when set to SNTP client mode. The client will poll the time servers in the order specified until a response is received. It issues time synchronization requests based on the interval set via the sntp poll command.

Example
Console(config)#sntp server 10.1.0.
show sntp
This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated.

Command Mode
Normal Exec, Privileged Exec

Command Usage
This command displays the current time, the poll interval used for sending time synchronization requests, and the current SNTP mode (i.e., unicast).

Example
Console#show sntp
Current time: Dec 23 05:13:28 2002
Poll interval: 16
Current mode: unicast
SNTP status : Enabled
SNTP server 137.
Example
Console(config)#ntp client
Console(config)#

Related Commands
sntp client (4-62)
ntp poll (4-67)
ntp server (4-66)

ntp server
This command sets the IP addresses of the servers to which NTP time requests are issued. Use the no form of the command to clear a specific time server or all servers from the current list.

Syntax
ntp server ip-address [version number] [key key-number]
no ntp server [ip-address]
• ip-address - IP address of an NTP time server.
Example
Console(config)#ntp server 192.168.3.20
Console(config)#ntp server 192.168.3.21
Console(config)#ntp server 192.168.4.22 version 2
Console(config)#ntp server 192.168.5.23 version 3 key 19
Console(config)#

Related Commands
ntp client (4-65)
ntp poll (4-67)
show ntp (4-69)

ntp poll
This command sets the interval between sending time requests when the switch is set to NTP client mode. Use the no form to restore to the default.
Command Mode
Global Configuration

Command Usage
You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers. The authentication keys and their associated key number must be centrally managed and manually distributed to NTP servers and clients. The key numbers and key values must match on both the server and client.
• Use the no form of this command without an argument to clear all authentication keys in the list.

Example
Console(config)#ntp authentication-key 45 md5 thisiskey45
Console(config)#

Related Commands
ntp authenticate (4-67)

show ntp
This command displays the current time and configuration settings for the NTP client, and indicates whether or not the local time has been properly updated.
clock timezone-predefined
This command uses predefined time zone configurations to set the time zone for the switch’s internal clock. Use the no form to restore the default.

Syntax
clock timezone-predefined offset-city
no clock timezone-predefined
• offset - Select the offset from GMT. (Range: GMT-0100 - GMT-1200; GMT-Greenwich-Mean-Time; GMT+0100 - GMT+1400)
• city - Select the city associated with the chosen GMT offset.
Default Setting
None

Command Mode
Global Configuration

Command Usage
This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
• e-year - The year summer-time will end.
• e-hour - The hour summer-time will end. (Range: 0-23 hours)
• e-minute - The minute summer-time will end. (Range: 0-59 minutes)
• offset - Summer-time offset from the regular time zone, in minutes. (Range: 0-99 minutes)

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
• In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less.
Command Mode
Global Configuration

Command Usage
• In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn.
• This command sets the summer-time time relative to the configured time zone.
• b-month - The month when summer-time will begin. (Options: january | february | march | april | may | june | july | august | september | october | november | december)
• b-hour - The hour when summer-time will begin. (Range: 0-23 hours)
• b-minute - The minute when summer-time will begin. (Range: 0-59 minutes)
• e-week - The week of the month when summer-time will end. (Range: 1-5)
• e-day - The day of the week summer-time will end.
calendar set
This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server.

Syntax
calendar set hour min sec {day month year | month day year}
• hour - Hour in 24-hour format. (Range: 0-23)
• min - Minute. (Range: 0-59)
• sec - Second. (Range: 0-59)
• day - Day of month.
Switch Cluster Commands Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
Command Usage • To create a switch cluster, first be sure that clustering is enabled on the switch (the default is enabled), then set the switch as a Cluster Commander. Set a Cluster IP Pool that does not conflict with any other IP subnets in the network. Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander. • Switch clusters are limited to the same Ethernet broadcast domain.
cluster ip-pool This command sets the cluster IP address pool. Use the no form to reset to the default address. Syntax cluster ip-pool ip-address no cluster ip-pool ip-address - The base IP address for IP addresses assigned to cluster Members. The IP address must start with 10.x.x.x. Default Setting 10.254.254.1 Command Mode Global Configuration Command Usage • An “internal” IP address pool is used to assign IP addresses to Member switches in the cluster. Internal cluster IP addresses are in the form 10.x.x.
Command Usage • The maximum number of cluster Members is 36. • The maximum number of switch Candidates is 100. Example Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5 Console(config)# rcommand This command provides access to a cluster Member CLI for configuration. Syntax rcommand id member-id member-id - The ID number of the Member switch. (Range: 1-36) Command Mode Privileged Exec Command Usage • This command only operates through a Telnet connection to the Commander switch.
show cluster members This command shows the current switch cluster members. Command Mode Privileged Exec Example Console#show cluster members Cluster Members: ID: 1 Role: Active member IP Address: 10.254.254.2 MAC Address: 00-12-cf-23-49-c0 Description: 24 port 10/100 Managed Layer 2 Switch wit Console# show cluster candidates This command shows the discovered Candidate switches in the network.
Table 4-1 UPnP Commands
Command Function Mode Page
upnp device Enables/disables UPnP on the network GC 4-81
upnp device ttl Sets the time-to-live (TTL) value. GC 4-81
upnp device advertise duration Sets the advertisement duration of the device GC 4-82
show upnp Displays UPnP status and parameters PE 4-82
upnp device This command enables UPnP on the device. Use the no form to disable UPnP.
Default Setting 4 Command Mode Global Configuration Command Usage UPnP devices and control points must be within the local network, that is within the TTL value for multicast messages. Example In the following example, the TTL is set to 6. Console(config)#upnp device ttl 6 Console(config)# upnp device advertise duration This command sets the duration for which a device will advertise its presence on the local network.
Example Console#show upnp
UPnP global settings:
Status: Enabled
Advertise duration: 200
TTL: 20
Console#
SNMP Commands Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
snmp-server This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form to disable the server. Syntax [no] snmp-server Default Setting Enabled Command Mode Global Configuration Example Console(config)#snmp-server Console(config)# show snmp This command can be used to check the status of SNMP communications.
0 Get-request PDUs 0 Get-next PDUs 0 Set-request PDUs 0 SNMP packets output 0 Too big errors 0 No such name errors 0 Bad values errors 0 General errors 0 Response PDUs 0 Trap PDUs SNMP logging: disabled Console# snmp-server community This command defines the SNMP v1 and v2c community access string. Use the no form to remove the specified community string.
snmp-server contact This command sets the system contact string. Use the no form to remove the system contact information. Syntax snmp-server contact string no snmp-server contact string - String that describes the system contact information. (Maximum length: 255 characters) Default Setting None Command Mode Global Configuration Example Console(config)#snmp-server contact Paul Console(config)# Related Commands snmp-server location (4-86) snmp-server location This command sets the system location string.
snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. Syntax snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]} no snmp-server host host-addr • host-addr - Internet address of the host (the targeted recipient).
• The snmp-server host command is used in conjunction with the snmp-server enable traps command. Use the snmp-server enable traps command to enable the sending of traps or informs and to specify which SNMP notifications are sent globally. For a host to receive notifications, at least one snmp-server enable traps command and the snmp-server host command for that host must be enabled. • Some notification types cannot be controlled with the snmp-server enable traps command.
Example Console(config)#snmp-server host 10.1.19.23 batman Console(config)# Related Commands snmp-server enable traps (4-89) snmp-server enable traps This command enables this device to send Simple Network Management Protocol traps or informs (i.e., SNMP notifications). Use the no form to disable SNMP notifications. Syntax [no] snmp-server enable traps [authentication | link-up-down] • authentication - Keyword to issue authentication failure notifications.
snmp-server engine-id This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default. Syntax snmp-server engine-id {local | remote {ip-address}} engineid-string no snmp-server engine-id {local | remote {ip-address}}
• local - Specifies the SNMP engine on this switch.
• remote - Specifies an SNMP engine on a remote device.
• ip-address - The Internet address of the remote device.
• engineid-string - String identifying the engine ID.
Related Commands snmp-server host (4-87) show snmp engine-id This command shows the SNMP engine ID. Command Mode Privileged Exec Example This example shows the default engine ID. Console#show snmp engine-id
Local SNMP engineID: 8000002a8000000000e8666672
Local SNMP engineBoots: 1
Remote SNMP engineID 80000000030004e2b316c54321 IP address 192.168.1.19
Console#
Table 4-23 show snmp engine-id - display description Field Description Local SNMP engineID String identifying the engine ID.
Command Usage • Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tree. • The predefined view “defaultview” includes access to the entire MIB tree. Examples This view includes MIB-2. Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included Console(config)# This view includes the MIB-2 interfaces table, ifDescr. The wild card is used to select all the index values in this table. Console(config)#snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.*.
Table 4-24 show snmp view - display description
Field Description
View Name Name of an SNMP view.
Subtree OID A branch in the MIB tree.
View Type Indicates if the view is included or excluded.
Storage Type The storage type for this entry.
Row Status The row status of this entry.
snmp-server group This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group.
• Note that the authentication, link-up and link-down messages are legacy traps and must therefore be enabled in conjunction with the snmp-server enable traps command (page 4-89). Example Console(config)#snmp-server group r&d v3 auth write daily Console(config)# show snmp group Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access.
Group Name: private
Security Model: v2c
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active
Console#
Table 4-25 show snmp group - display description
Field Description
groupname Name of an SNMP group.
security model The SNMP version.
readview The associated read view.
writeview The associated write view.
notifyview The associated notify view.
storage-type The storage type for this entry.
Row Status The row status of this entry.
Default Setting None Command Mode Global Configuration Command Usage • The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command. • Before you configure a remote user, use the snmp-server engine-id command (page 4-90) to specify the engine ID for the remote device where the user resides.
show snmp user This command shows information on SNMP users.
Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or RADIUS authentication methods. You can also enable port-based authentication for network client access using IEEE 802.1X.
username This command adds named users, requires authentication at login, specifies or changes a user's password (or specifies that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name. Syntax username name {access-level level | nopassword | password {0 | 7} password} no username name • name - The name of the user. (Maximum length: 8 characters, case sensitive. Maximum users: 16) • access-level level - Specifies the user level.
Example This example shows how to set the access level and password for a user. Console(config)#username bob access-level 15 Console(config)#username bob password 0 smith Console(config)# enable password After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. This command controls access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.
Authentication Sequence Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence.
Example Console(config)#authentication login radius Console(config)# Related Commands username - for setting the local user names and passwords (4-99) authentication enable This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 4-12). Use the no form to restore the default. Syntax authentication enable {[local] [radius] [tacacs]} no authentication enable • local - Use local password only.
Related Commands enable password - sets the password for changing command modes (4-100) RADIUS Client Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that requires management access to a switch.
Default Setting • auth-port - 1812 • acct-port - 1813 • timeout - 5 seconds • retransmit - 2 Command Mode Global Configuration Example Console(config)#radius-server 1 host 192.168.1.20 auth-port 181 timeout 10 retransmit 5 key green Console(config)# radius-server auth-port This command sets the RADIUS server network port for authentication messages. Use the no form to restore the default.
Command Mode Global Configuration Example Console(config)#radius-server acct-port 181 Console(config)# radius-server key This command sets the RADIUS encryption key. Use the no form to restore the default. Syntax radius-server key key_string no radius-server key key_string - Encryption key used to authenticate logon access for client. Do not use blank spaces in the string.
radius-server timeout This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default. Syntax radius-server timeout number_of_seconds no radius-server timeout number_of_seconds - Number of seconds the switch waits for a reply before resending a request.
Example Console#show radius-server
Remote RADIUS Server Configuration:
Global Settings:
Communication Key with RADIUS Server:
Auth-Port: 1812
Acct-port: 1813
Retransmit Times: 2
Request Timeout: 5
Server 1:
Communication Key with RADIUS Server:
Auth-Port: 1812
Acct-port: 1813
Retransmit Times: 2
Request Timeout: 5
Radius server group:
Group Name Member Index
-------------------- ------------
radius 1
Console#
TACACS+ Client Terminal Access Controller Access Control System (TACACS+) is a logon authenticatio
tacacs-server host This command specifies a TACACS+ server. Use the no form to restore the default. Syntax [no] tacacs-server index host {host_ip_address} [port port_number] [timeout timeout] [retransmit retransmit] [key key] • index - Specifies the index number of the server. (Range: 1) • host_ip_address - IP address of the server. • port_number - The TACACS+ server TCP port used for authentication messages.
Example Console(config)#tacacs-server port 181 Console(config)# tacacs-server key This command sets the TACACS+ encryption key. Use the no form to restore the default. Syntax tacacs-server key key_string no tacacs-server key key_string - Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string.
tacacs-server timeout This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default. Syntax tacacs-server timeout number_of_seconds no tacacs-server timeout number_of_seconds - Number of seconds the switch waits for a reply before resending a request. (Range: 1-540) Default Setting 5 seconds Command Mode Global Configuration Example Console(config)#tacacs-server timeout 10 Console(config)#
show tacacs-server This command displays the current settings for the TACACS+ server. Default Setting None Command Mode Privileged Exec Example Console#show tacacs-server Remote TACACS+ server configuration: Global Settings: Communication Key with TACACS+ Server: Server Port Number: 49 Retransmit Times : 2 Request Times : 5 Server 1: Server IP address: 192.168.1.
AAA Commands The Authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network.
Table 4-1 AAA Commands
Command Function Mode Page
aaa group server Groups security servers into defined lists GC 4-112
server Configures the IP address of a server in a group list SG 4-113
aaa accounting dot1x Enables accounting of 802.
Example Console(config)#aaa group server radius tps Console(config-sg-radius)# server This command adds a security server to an AAA server group. Use the no form to remove the associated server from the group. Syntax [no] server {index | ip-address} • index - Specifies a server index and the sequence to use for the group. (Range: RADIUS 1-5, TACACS+ 1) • ip-address - Specifies the host IP address of a server.
aaa accounting dot1x This command enables the accounting of requested 802.1X services for network access. Use the no form to disable the accounting service. Syntax aaa accounting dot1x {default | method-name} start-stop group {radius | tacacs+ |server-group} no aaa accounting dot1x {default | method-name} • default - Specifies the default accounting method for service requests. • method-name - Specifies an accounting method for service requests.
aaa accounting exec This command enables the accounting of requested Exec services for network access. Use the no form to disable the accounting service. Syntax aaa accounting exec {default | method-name} start-stop group {radius | tacacs+ |server-group} no aaa accounting exec {default | method-name} • default - Specifies the default accounting method for service requests. • method-name - Specifies an accounting method for service requests.
aaa accounting commands This command enables the accounting of Exec mode commands. Use the no form to disable the accounting service. Syntax aaa accounting commands level {default | method-name} start-stop group {tacacs+ |server-group} no aaa accounting commands level {default | method-name} • level - The privilege level for executing commands. (Range: 0-15) • default - Specifies the default accounting method for service requests. • method-name - Specifies an accounting method for service requests.
aaa accounting update This command enables the sending of periodic updates to the accounting server. Use the no form to disable accounting updates. Syntax aaa accounting update [periodic interval] no aaa accounting update interval - Sends an interim accounting record to the server at this interval.
Example Console(config)#interface ethernet 1/2 Console(config-if)#accounting dot1x tps Console(config-if)# accounting exec This command applies an accounting method to local console or Telnet connections. Use the no form to disable accounting on the line. Syntax accounting exec {default | list-name} no accounting exec • default - Specifies the default method list created with the aaa accounting exec command (page 4-115). • list-name - Specifies a method list created with the aaa accounting exec command.
Command Mode Line Configuration Example Console(config)#line console Console(config-line)#accounting commands 15 default Console(config-line)# aaa authorization exec This command enables the authorization for Exec access. Use the no form to disable the authorization service. Syntax aaa authorization exec {default | method-name} group {tacacs+ | server-group} no aaa authorization exec {default | method-name} • default - Specifies the default authorization method for Exec access.
authorization exec This command applies an authorization method to local console or Telnet connections. Use the no form to disable authorization on the line. Syntax authorization exec {default | list-name} no authorization exec • default - Specifies the default method list created with the aaa authorization exec command (page 4-119). • list-name - Specifies a method list created with the aaa authorization exec command.
Default Setting None Command Mode Privileged Exec Example Console#show accounting
Accounting type: dot1x
Method list: default
Group list: radius
Interface:
Method list: tps
Group list: radius
Interface: eth 1/2
Accounting type: Exec
Method list: default
Group list: radius
Interface: vty
Console#
Web Server Commands This section describes commands used to configure web browser management access to the switch.
Command Mode Global Configuration Example Console(config)#ip http port 769 Console(config)# Related Commands ip http server (4-122) ip http server This command allows this device to be monitored or configured from a browser. Use the no form to disable this function.
Command Usage • Both HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure the HTTP and HTTPS servers to use the same UDP port. • If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number] • When you start HTTPS, the connection is established in this way: - The client authenticates the server using the server’s digital certificate.
Default Setting 443 Command Mode Global Configuration Command Usage • You cannot configure the HTTP and HTTPS servers to use the same port.
Example Console(config)#ip telnet server Console(config)#ip telnet server port 123 Console(config)# Secure Shell Commands This section describes the commands used to configure the SSH server. However, note that you also need to install an SSH client on the management station when using this protocol to configure the switch. Note: The switch supports both SSH Version 1.5 and 2.0.
To use the SSH server, complete these steps: 1. Generate a Host Key Pair – Use the ip ssh crypto host-key generate command to create a host public/private key pair. 2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch. Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it.
Public Key Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can access it. The following exchanges take place during this process: Authenticating SSH v1.5 Clients a. The client sends its RSA public key to the switch. b. The switch compares the client's public key to those stored in memory. c.
• The SSH server uses DSA or RSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption. • You must generate the host key before enabling the SSH server.
ip ssh authentication-retries This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting. Syntax ip ssh authentication-retries count no ip ssh authentication-retries count – The number of authentication attempts permitted after which the interface is reset.
delete public-key This command deletes the specified user’s public key. Syntax delete public-key username [dsa | rsa] • username – Name of an SSH user. (Range: 1-8 characters) • dsa – DSA public key type. • rsa – RSA public key type. Default Setting Deletes both the DSA and RSA key. Command Mode Privileged Exec Example Console#delete public-key admin dsa Console# ip ssh crypto host-key generate This command generates the host key pair (i.e., public and private).
Related Commands ip ssh crypto zeroize (4-131) ip ssh save host-key (4-131) ip ssh crypto zeroize This command clears the host key from memory (i.e. RAM). Syntax ip ssh crypto zeroize [dsa | rsa] • dsa – DSA key type. • rsa – RSA key type. Default Setting Clears both the DSA and RSA key. Command Mode Privileged Exec Command Usage • This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory.
Example Console#ip ssh save host-key dsa Console# Related Commands ip ssh crypto host-key generate (4-130) show ip ssh This command displays the connection settings used when authenticating client access to the SSH server. Command Mode Privileged Exec Example Console#show ip ssh
SSH Enabled - version 1.99
Negotiation timeout: 120 secs; Authentication retries: 3
Server key size: 768 bits
Console#
show ssh This command displays the current SSH server connections. Command Mode Privileged Exec Example Console#show ssh
Connection Version State Username Encryption
0 2.0 Session-Started admin ctos aes128-cbc-hmac-md5 stoc aes128-cbc-hmac-md5
Console#
Table 4-37 show ssh - display description Field Description Session The session number. (Range: 0-3) Version The Secure Shell version number. State The authentication negotiation state.
show public-key This command shows the public key for the specified user or for the host. Syntax show public-key [user [username]| host] username – Name of an SSH user. (Range: 1-8 characters) Default Setting Shows all public keys. Command Mode Privileged Exec Command Usage • If no parameters are entered, all keys are displayed. If the user keyword is entered, but no user name is specified, then the public keys for all users are displayed.
802.1X Port Authentication The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol). Table 4-38 802.1X Port Authentication Command Mode Page dot1x system-auth-control Enables dot1x globally on the switch.
dot1x default This command sets all configurable dot1x global and port settings to their default values. Command Mode Global Configuration Example Console(config)#dot1x default Console(config)# dot1x max-req This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default.
Default force-authorized Command Mode Interface Configuration Example Console(config)#interface eth 1/2 Console(config-if)#dot1x port-control auto Console(config-if)# dot1x operation-mode This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
dot1x re-authenticate This command forces re-authentication on all ports or a specific interface. Syntax dot1x re-authenticate [interface]
• interface
  • ethernet unit/port
    - unit - Stack unit. (Range: 1)
    - port - Port number. (Range: 1-28)
Command Mode Privileged Exec Command Usage The re-authentication process verifies the connected client’s user ID and password on the RADIUS server.
Example Console(config)#interface eth 1/2 Console(config-if)#dot1x re-authentication Console(config-if)# Related Commands dot1x timeout re-authperiod (4-139) dot1x timeout quiet-period This command sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. Use the no form to reset the default. Syntax dot1x timeout quiet-period seconds no dot1x timeout quiet-period seconds - The number of seconds.
Example Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout re-authperiod 300 Console(config-if)# dot1x timeout tx-period This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value. Syntax dot1x timeout tx-period seconds no dot1x timeout tx-period seconds - The number of seconds.
Example Console(config)#interface eth 1/2 Console(config-if)#dot1x intrusion-action guest-vlan Console(config-if)# show dot1x This command shows general port authentication related settings on the switch or a specific interface. Syntax show dot1x [statistics] [interface interface] • statistics - Displays dot1x status for each port. • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
- max-req – Maximum number of times a port will retransmit an EAP request/identity packet to the client before it times out the authentication session (page 4-136).
- Status – Authorization status (authorized or not).
- Operation Mode – Shows if single or multiple hosts (clients) can connect to an 802.1X-authorized port.
- Max Count – The maximum number of hosts allowed to access this port (page 4-137).
- Port-control
- Supplicant
- Current Identifier
- Intrusion action
Example Console#show dot1x
Global 802.1X Parameters
system-auth-control: enable
802.1X Port Summary
Port Name Status Operation Mode Mode Authorized
1/1 disabled Single-Host ForceAuthorized n/a
1/2 enabled Single-Host auto yes
. . .
1/28 disabled Single-Host ForceAuthorized n/a
802.1X Port Details
802.1X is disabled on port 1/1
802.
Management IP Filter Commands This section describes commands used to configure IP management access to the switch.
Table 4-39 IP Filter Commands
Command Function Mode Page
management Configures IP addresses that are allowed management access GC 4-144
show management Displays the switch to be monitored or configured from a browser PE 4-145
management This command specifies the client IP addresses that are allowed management access to the switch through various protocols.
Example This example restricts management access to the indicated addresses. Console(config)#management all-client 192.168.1.19 Console(config)#management all-client 192.168.1.25 192.168.1.30 Console(config)# show management This command displays the client IP addresses that are allowed management access to the switch through various protocols. Syntax show management {all-client | http-client | snmp-client | telnet-client}
• all-client - Adds IP address(es) to the SNMP, web and Telnet groups.
General Security Measures This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes. In addition to these methods, several other options of providing client security are described in this section.
Port Security Commands These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network. The port will drop any incoming frames with a source MAC address that is unknown or has been previously learned from another port.
Command Usage • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted. • Use the port security command to enable security on a port.
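The following Python model is added here and is not the switch's own code. It replays constructed frames against the learning rules described above: a secured port learns source addresses up to its configured maximum, then forwards only addresses already in its table and drops addresses that are unknown or already bound to another port. Port numbers, MAC addresses, the maximum count and the handling of static entries on unsecured ports are assumptions.

```python
# Added model of the port-security learning and forwarding rules described
# above; it is not the switch's own code. Ports, addresses and the maximum
# counts used below are constructed values.


class PortSecurityTable:
    def __init__(self):
        self.static = {}    # mac -> port, configured by the administrator
        self.dynamic = {}   # mac -> port, learned from received frames
        self.secured = {}   # port -> max MAC count, for ports with port security

    def enable(self, port: str, max_mac: int) -> None:
        """Equivalent of enabling port security on an interface with a max count."""
        self.secured[port] = max_mac

    def owner(self, mac: str):
        """Port an address is bound to; static entries take precedence."""
        return self.static.get(mac, self.dynamic.get(mac))

    def addresses_on(self, port: str) -> list:
        merged = dict(self.dynamic)
        merged.update(self.static)
        return sorted(m for m, p in merged.items() if p == port)

    def ingress(self, port: str, src_mac: str) -> str:
        """Decision for one received frame: 'forward', 'learn' or 'drop'."""
        mac = src_mac.upper()
        known_on = self.owner(mac)
        if known_on == port:
            return "forward"          # source already bound to this port
        if port not in self.secured:
            if mac in self.static:
                return "drop"         # assumption: static entries pin the address
            self.dynamic[mac] = port  # unsecured port: normal learning, moves allowed
            return "learn"
        if known_on is not None:
            return "drop"             # previously learned from another port
        if len(self.addresses_on(port)) >= self.secured[port]:
            return "drop"             # maximum reached: unknown source is not learned
        self.dynamic[mac] = port
        return "learn"


def replay(table: PortSecurityTable, frames) -> list:
    """Apply a sequence of (port, src_mac) frames and return the decisions."""
    return [(port, mac, table.ingress(port, mac)) for port, mac in frames]


if __name__ == "__main__":
    t = PortSecurityTable()
    t.enable("1/5", max_mac=2)
    frames = [
        ("1/5", "00-12-34-56-78-9A"),  # learned (1 of 2)
        ("1/5", "00-12-34-56-78-9B"),  # learned (2 of 2)
        ("1/5", "00-12-34-56-78-9C"),  # dropped: limit reached
        ("1/5", "00-12-34-56-78-9A"),  # forwarded: known on this port
        ("1/6", "00-12-34-56-78-9A"),  # unsecured port learns it, address moves
        ("1/5", "00-12-34-56-78-9A"),  # dropped: now bound to port 1/6
    ]
    for port, mac, decision in replay(t, frames):
        print(f"port {port} src {mac}: {decision}")
```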
Network Access (MAC Address Authentication) Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server. While authentication for a MAC address is in progress, all traffic is blocked until authentication is completed.
Command Usage • When enabled on a port, the authentication process sends a Password Authentication Protocol (PAP) request to a configured RADIUS server. The username and password are both equal to the MAC address being authenticated. • On the RADIUS server, PAP usernames and passwords must be configured in the MAC address format XX-XX-XX-XX-XX-XX (all in upper case). • Authenticated MAC addresses are stored as dynamic entries in the switch secure MAC address table and are removed when the aging time expires.
Command Usage The maximum number of MAC addresses per port is 2048, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failed. Example Console(config-if)#network-access max-mac-count 5 Console(config-if)# network-access dynamic-vlan Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment.
Example The following example enables dynamic VLAN assignment on port 1. Console(config)#interface ethernet 1/1 Console(config-if)#network-access dynamic-vlan Console(config-if)# network-access guest-vlan Use this command to assign all traffic on a port to a guest VLAN when network access (MAC authentication) or 802.1x authentication is rejected. Use the no form of this command to disable guest VLAN assignment.
Default Setting 1800 Command Mode Global Configuration Command Usage • The reauthentication time is a global setting and applies to all ports. • When the reauthentication time expires for a secure MAC address it is reauthenticated with the RADIUS server. During the reauthentication process traffic through the port remains unaffected.
Default Setting 1024 Command Mode Interface Config Example Console(config-if)#mac-authentication max-mac-count 32 Console(config-if)#
clear network-access This command clears entries from the secure MAC address table. Syntax clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface]
• static - Specifies static address entries.
• dynamic - Specifies dynamic address entries.
• mac-address - Specifies a MAC address entry.
Default Setting Displays the settings for all interfaces.
Command Usage When using a bit mask to filter displayed MAC addresses, a 1 means “care” and a 0 means “don't care”. For example, a MAC of 00-00-01-02-03-04 and mask FF-FF-FF-00-00-00 would result in all MACs in the range 00-00-01-00-00-00 to 00-00-01-FF-FF-FF to be displayed. All other MACs would be filtered out.
Table 4-43 Web Authentication (Continued)
Command | Function | Mode | Page
show web-auth | Displays global web authentication parameters | PE | 4-160
show web-auth interface | Displays interface-specific web authentication parameters and statistics | PE | 4-161
show web-auth summary | Displays a summary of web authentication port parameters and statistics | PE | 4-159
web-auth login-attempts This command defines the limit for failed web authentication login attempts.
Example Console(config)#web-auth quiet-period 120 Console(config)# web-auth session-timeout This command defines the amount of time a web-authentication session remains valid. When the session-timeout has been reached, the host is logged off and must re-authenticate itself the next time data is transmitted. Use the no form to restore the default. Syntax web-auth session-timeout timeout no web-auth session-timeout timeout - The amount of time that an authenticated session remains valid.
web-auth This command enables web authentication for a port. Use the no form to restore the default. Syntax [no] web-auth Default Setting Disabled Command Mode Interface Configuration Command Usage Both web-auth system-auth-control for the switch and web-auth for a port must be enabled for the web authentication feature to be active.
web-auth re-authenticate (IP) This command ends the web authentication session associated with the designated IP address and forces the user to re-authenticate. Syntax web-auth re-authenticate interface interface ip • interface - Specifies a port interface. • ethernet unit/port - unit - This is unit 1. - port - Port number. (Range: 1-28) • ip - IPv4 formatted IP address Default Setting None Command Mode Privileged Exec Example Console#web-auth re-authenticate interface ethernet 1/2 192.168.1.
show web-auth interface This command displays interface-specific web authentication parameters and statistics. Syntax show web-auth interface interface • interface - Specifies a port interface. • ethernet unit/port - unit - This is unit 1. - port - Port number. (Range: 1-28) Default Setting None Command Mode Privileged Exec Command Usage The session timeout displayed by this command is expressed in seconds.
show web-auth summary This command displays a summary of web authentication port parameters and statistics. Command Mode Privileged Exec Example
Console#show web-auth summary
Global Web-Auth Parameters
System Auth Control
Port Status
--------
1/ 1 Disabled
1/ 2 Enabled
1/ 3 Disabled
1/ 4 Disabled
1/ 5 Disabled
. . .
ip dhcp snooping This command enables DHCP snooping globally. Use the no form to restore the default setting. Syntax [no] ip dhcp snooping Default Setting Disabled Command Mode Global Configuration Command Usage • Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is used to filter DHCP messages received on an unsecure interface from outside the network or firewall.
mac-address command, page 4-166). However, if MAC address verification is enabled, then the packet will only be forwarded if the client’s hardware address stored in the DHCP packet is the same as the source MAC address in the Ethernet header. * If the DHCP packet is not a recognizable type, it is dropped. - If a DHCP packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN.
Command Usage • When DHCP snooping is enabled globally using the ip dhcp snooping command (page 4-163), and enabled on a VLAN with this command, DHCP packet filtering will be performed on any untrusted ports within the VLAN as specified by the ip dhcp snooping trust command (page 4-165). • When DHCP snooping is globally disabled, it can still be configured for specific VLANs, but the changes will not take effect until DHCP snooping is globally re-enabled.
• When an untrusted port is changed to a trusted port, all the dynamic DHCP snooping bindings associated with this port are removed. • Additional considerations when the switch itself is a DHCP client – The port(s) through which it submits a client request to the DHCP server must be configured as trusted. Example This example sets port 5 to untrusted.
ip dhcp snooping information option This command enables the DHCP Option 82 information relay for the switch. Use the no form to disable this function. Syntax [no] ip dhcp snooping information option Default Setting Disabled Command Mode Global Configuration Command Usage • DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server.
ip dhcp snooping information policy This command sets the DHCP snooping information option policy for DHCP client packets that include Option 82 information. Syntax ip dhcp snooping information policy {drop | keep | replace} • drop - Drops the client’s request packet instead of relaying it. • keep - Retains the Option 82 information in the client request, and forwards the packets to trusted ports.
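The filtering steps described for untrusted ports (MAC address verification of chaddr against the Ethernet source, dropping of unrecognizable packets, forwarding of client packets only to trusted ports in the same VLAN) together with the Option 82 policy keywords, as an added Python example that is not the switch's code. Packet layout follows RFC 2131/2132 and the frames are constructed inline; dropping server messages that arrive on untrusted ports is standard DHCP snooping behaviour assumed here, and the contents inserted by "replace" are an assumed format, not the switch's.

```python
"""Added example (not the switch's code): DHCP snooping decisions over
constructed frames. Offsets: chaddr at byte 28, magic cookie at 236."""
import struct

MAGIC = b"\x63\x82\x53\x63"
DHCP_MSG = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
            5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
CLIENT_MSGS = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}


def build_dhcp(op, chaddr, msgtype, extra_opts=b""):
    """Constructed BOOTP/DHCP payload: 236-byte fixed header, cookie, options."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, 0,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, msgtype]) + extra_opts + b"\xff"


def parse_options(payload):
    """Option code -> value, or None if this is not a recognizable DHCP packet."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:
            return opts
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(payload):
            return None
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return None  # no END option: treat as unrecognizable


def snoop(payload, src_mac, in_port, vlan, trusted, port_vlans,
          mac_verify=True, policy="keep"):
    """trusted: set of trusted port names; port_vlans: port -> access VLAN.
    Returns a dict with action, reason, egress ports and (possibly rewritten) options."""
    def result(action, reason, egress=(), options=None):
        return {"action": action, "reason": reason, "egress": list(egress), "options": options}

    opts = parse_options(payload)
    if opts is None or len(opts.get(53, b"")) != 1 or opts[53][0] not in DHCP_MSG:
        return result("drop", "unrecognized DHCP packet")
    kind = DHCP_MSG[opts[53][0]]
    same_vlan = [p for p, v in port_vlans.items() if p != in_port and v == vlan]
    if in_port in trusted:
        return result("forward", "trusted port: not filtered", same_vlan, opts)
    if kind not in CLIENT_MSGS:
        # Assumed standard snooping behaviour: a server reply on an untrusted port is rogue.
        return result("drop", f"server message {kind} on untrusted port")
    hlen = payload[2]
    if mac_verify and payload[28:28 + hlen] != src_mac:
        return result("drop", "chaddr does not match Ethernet source MAC")
    if 82 in opts:
        if policy == "drop":
            return result("drop", "client packet already carries Option 82")
        if policy == "replace":  # assumed: sub-option 1 (circuit-id) = ingress port name
            opts[82] = bytes([1, len(in_port)]) + in_port.encode()
    egress = [p for p in same_vlan if p in trusted]
    return result("forward", f"client {kind} passed", egress, opts)
```

The MAC-verification step is what defeats a client that forges chaddr to exhaust the server's pool while keeping its real source MAC, which port security alone would not catch.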
clear ip dhcp snooping database flash This command removes all dynamically learned snooping entries from flash memory. Command Mode Privileged Exec Example Console#clear ip dhcp snooping database flash Console# show ip dhcp snooping This command shows the DHCP snooping configuration settings.
IP Source Guard Commands IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or static and dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping Commands” on page 4-162). IP source guard can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighbor to access the network. This section describes commands used to configure IP Source Guard.
check these same parameters, plus the source MAC address.
• Use the no ip source-guard command to disable this function on the selected port.
• When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table.
• Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding or Dynamic-DHCP-Binding), VLAN identifier, and port identifier.
ip source-guard binding This command adds a static address to the source-guard binding table. Use the no form to remove a static entry. Syntax ip source-guard binding mac-address vlan vlan-id ip-address interface ethernet unit/port no ip source-guard binding mac-address vlan vlan-id
• mac-address - A valid unicast MAC address.
• vlan-id - ID of a configured VLAN (Range: 1-4094)
• ip-address - A valid unicast IP address, including classful types A, B or C.
• unit - Stack unit.
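The binding-table check described above (filter on source IP, or on source IP plus source MAC, against static entries and DHCP snooping leases), as an added Python example that is not the switch's code. Entry fields follow the manual's table; the unicast checks implement the "valid unicast MAC" and "classful A, B or C" constraints of ip source-guard binding; the dynamic entries are constructed rather than learned from real DHCP traffic, and the class and method names are illustrative.

```python
"""Added example (not the switch's code): IP Source Guard filtering over a
binding table of static entries and constructed DHCP-snooping leases."""
import ipaddress


def norm_mac(mac: str) -> str:
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC {mac!r}")
    return digits


def check_unicast_mac(mac: str) -> str:
    d = norm_mac(mac)
    if int(d[:2], 16) & 1:  # I/G bit set: multicast or broadcast, not allowed
        raise ValueError(f"not a unicast MAC: {mac}")
    return d


def check_unicast_ip(ip: str) -> str:
    a = ipaddress.IPv4Address(ip)
    if not 1 <= int(a) >> 24 <= 223:  # classful A, B or C; rejects 0.x and class D/E
        raise ValueError(f"not a class A/B/C unicast IP: {ip}")
    return str(a)


class SourceGuard:
    STATIC, DYNAMIC = "Static-IP-SG-Binding", "Dynamic-DHCP-Binding"

    def __init__(self):
        self.bindings = []  # (mac, ip, vlan, port, kind, expires)
        self.mode = {}      # port -> "sip" | "sip-mac"; absent means disabled

    def enable(self, port, mode):
        if mode not in ("sip", "sip-mac"):
            raise ValueError(mode)
        self.mode[port] = mode

    def disable(self, port):
        self.mode.pop(port, None)

    def add_static(self, mac, vlan, ip, port):
        self.bindings.append((check_unicast_mac(mac), check_unicast_ip(ip),
                              vlan, port, self.STATIC, None))

    def add_dhcp(self, mac, vlan, ip, port, lease, now):
        """Constructed stand-in for an entry learned by DHCP snooping."""
        self.bindings.append((norm_mac(mac), str(ipaddress.IPv4Address(ip)),
                              vlan, port, self.DYNAMIC, now + lease))

    def remove_static(self, mac, vlan):
        m = norm_mac(mac)
        self.bindings = [b for b in self.bindings
                         if not (b[0] == m and b[2] == vlan and b[4] == self.STATIC)]

    def check(self, port, vlan, src_mac, src_ip, now=0.0) -> bool:
        """True if the packet may be forwarded under the port's filter type."""
        mode = self.mode.get(port)
        if mode is None:
            return True  # source guard disabled on this port
        for mac, ip, v, p, kind, expires in self.bindings:
            if p != port or v != vlan or ip != src_ip:
                continue
            if expires is not None and expires <= now:
                continue  # lease expired: dynamic entry no longer valid
            if mode == "sip-mac" and mac != norm_mac(src_mac):
                continue
            return True
        return False
```

The sip-mac mode is the one that stops a host reusing a neighbour's leased IP while keeping its own MAC; sip alone only ties the IP to the port and VLAN.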
Related Commands ip source-guard (4-170) ip dhcp snooping (4-163) ip dhcp snooping vlan (4-164) show ip source-guard This command shows whether source guard is enabled or disabled on each interface. Command Mode Privileged Exec Example
Console#show ip source-guard
Interface Filter-type
------------------
Eth 1/1 DISABLED
Eth 1/2 DISABLED
Eth 1/3 DISABLED
Eth 1/4 DISABLED
Eth 1/5 SIP
Eth 1/6 DISABLED
. . .
show ip source-guard binding This command shows the source guard binding table.
Access Control List Commands Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, or Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules and then bind the list to a specific port. This section describes the Access Control List commands.
access-list ip This command adds an IP access list and enters configuration mode for standard or extended IP ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ip {standard | extended} acl_name • standard – Specifies an ACL that filters packets based on the source IP address. • extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria. • acl_name – Name of the ACL.
permit, deny (Standard ACL) This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | source bitmask | host source}
• any – Any source IP address.
• source – Source IP address.
• bitmask – Dotted-decimal mask in which 1 bits select the address bits that must match (e.g., 255.255.240.0).
• host – Keyword followed by a specific IP address.
permit, deny (Extended ACL) This command adds a rule to an Extended IP ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
Command Usage • All new rules are appended to the end of the list. • Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match” and 0 bits to indicate “ignore.” The bitmask is bitwise ANDed with the specified source IP address, and then compared with the address for each IP packet entering the port(s) to which this ACL has been assigned. • You can specify both Precedence and ToS in the same rule.
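The bitmask semantics above (1 = match, 0 = ignore, applied identically to the rule address and to each packet) and the MAC-table display mask described earlier under show network-access mac-address-table (1 = care, 0 = don't care), as one added Python example that is not the switch's code: mask_match is the shared primitive, parse_rule reads the standard-ACL forms shown in this section, evaluate walks the rules in the order they were added, and filter_macs applies the display mask. The implicit result when no rule matches is a parameter labelled as an assumption, since the manual does not state it.

```python
"""Added example (not the switch's code): care-mask matching for the IP ACL
bitmask and the MAC-table display mask, plus in-order standard-ACL evaluation."""
import ipaddress


def mask_match(value, pattern, mask):
    """True when every bit set in mask agrees between value and pattern."""
    return (value & mask) == (pattern & mask)


def ip_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def mac_int(text):
    return int(text.replace("-", "").replace(":", ""), 16)


def parse_rule(text):
    """Accepts the standard-ACL forms of this section: 'permit any',
    'deny host A.B.C.D', 'permit A.B.C.D MASK'. Returns (action, pattern, mask)."""
    parts = text.split()
    action = parts[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {text!r}")
    if parts[1] == "any":
        return action, 0, 0
    if parts[1] == "host":
        return action, ip_int(parts[2]), 0xFFFFFFFF
    return action, ip_int(parts[1]), ip_int(parts[2])


def evaluate(rules, src_ip, default="deny"):
    """First matching rule wins; rules are tried in the order they were added
    (the switch appends new rules to the end). `default` applies when nothing
    matches and is an assumption of this example, not a documented behaviour."""
    src = ip_int(src_ip)
    for action, pattern, mask in rules:
        if mask_match(src, pattern, mask):
            return action
    return default


def filter_macs(table, pattern, mask):
    """The 'address mac-address mask' display filter: keep entries whose
    'care' bits equal the pattern's."""
    p, m = mac_int(pattern), mac_int(mask)
    return [mac for mac in table if mask_match(mac_int(mac), p, m)]
```

Because the bitmask is a care-mask rather than a Cisco-style wildcard, a non-contiguous mask is legal: a rule of 10.0.0.1 with bitmask 0.0.0.255 matches every host whose last octet is 1 on any network, which is rarely what the author intended when copying a wildcard ACL from another vendor.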
Related Commands access-list ip (4-175) show ip access-list This command displays the rules for configured IP ACLs. Syntax show ip access-list {standard | extended} [acl_name] • standard – Specifies a standard IP ACL. • extended – Specifies an extended IP ACL. • acl_name – Name of the ACL. (Maximum length: 16 characters, no spaces) Command Mode Privileged Exec Example Console#show ip access-list standard IP standard access-list david: permit host 10.1.1.21 permit 168.92.0.0 255.255.255.
• If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one. Example Console(config)#int eth 1/25 Console(config-if)#ip access-group david in Console(config-if)# Related Commands show ip access-list (4-179) show ip access-group This command shows the ports assigned to IP ACLs.
access-list mac This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove the specified ACL. Syntax [no] access-list mac acl_name acl_name – Name of the ACL. (Maximum length: 16 characters) Default Setting None Command Mode Global Configuration Command Usage • When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list.
permit, deny (MAC ACL) This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [cos cos cos-bitmask] [vid vid vid-bitmask] [ethertype protocol [protocol-bitmask]] Note: The default is for Ethernet II packets.
• vid-bitmask – VLAN bitmask. (Range: 1-4095) • protocol – A specific Ethernet protocol number. (Range: 0-ffff hex.) • protocol-bitmask – Protocol bitmask. (Range: 0-ffff hex.) Default Setting None Command Mode MAC ACL Command Usage • New rules are added to the end of the list. • The ethertype option can only be used to filter Ethernet II formatted packets. • A detailed listing of Ethernet protocol types can be found in RFC 1060.
Related Commands permit, deny 4-182 mac access-group (4-184) mac access-group This command binds a port to a MAC ACL. Use the no form to remove the port. Syntax mac access-group acl_name in • acl_name – Name of the ACL. (Maximum length: 16 characters) • in – Indicates that this list applies to ingress packets. Default Setting None Command Mode Interface Configuration (Ethernet) Command Usage • A port can only be bound to one ACL.
ACL Information Table 4-49 ACL Information Command Function Mode Page show access-list Show all ACLs and associated rules PE 4-185 show access-group Shows the ACLs assigned to each port PE 4-185 show access-list This command shows all ACLs and associated rules, as well as all the user-defined masks. Command Mode Privileged Exec Example Console#show access-list IP standard access-list david: permit host 10.1.1.21 permit 168.92.16.0 255.255.240.0 IP extended access-list bob: permit 10.7.1.1 255.
Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN.
Default Setting None Command Mode Global Configuration Example To specify port 24, enter the following command: Console(config)#interface ethernet 1/24 Console(config-if)# description This command adds a description to an interface. Use the no form to remove the description. Syntax description string no description string - Comment or a description to help you remember what is attached to this interface.
speed-duplex This command configures the speed and duplex mode of a given interface when autonegotiation is disabled. Use the no form to restore the default.
Related Commands negotiation (4-189) capabilities (4-190) negotiation This command enables autonegotiation for a given interface. Use the no form to disable autonegotiation. Syntax [no] negotiation Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command.
capabilities This command advertises the port capabilities of a given interface during autonegotiation. Use the no form with parameters to remove an advertised capability, or the no form without parameters to restore the default values.
Related Commands negotiation (4-189) speed-duplex (4-188) flowcontrol (4-191) flowcontrol This command enables flow control. Use the no form to disable flow control. Syntax [no] flowcontrol Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • Flow control can eliminate frame loss by “blocking” traffic from end stations or segments connected directly to the switch when its buffers fill.
media-type This command forces the port type selected for combination ports 25-28. Use the no form to restore the default mode. Syntax media-type mode no media-type mode • copper-forced - Always uses the built-in RJ-45 port. • sfp-forced - Always uses the SFP port (even if module not installed). • sfp-preferred-auto - Uses SFP port if both combination types are functioning and the SFP port has a valid link.
Example The following example disables port 5. Console(config)#interface ethernet 1/5 Console(config-if)#shutdown Console(config-if)# switchport broadcast packet-rate This command configures broadcast storm control. Use the no form to restore the default setting. Syntax switchport broadcast packet-rate rate no switchport broadcast • broadcast - Specifies storm control for broadcast traffic. • rate - Threshold level as a rate; i.e., kilobits per second.
clear counters This command clears statistics on an interface. Syntax clear counters interface interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28) • port-channel channel-id (Range: 1-8) Default Setting None Command Mode Privileged Exec Command Usage Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session.
Default Setting Shows the status for all interfaces. Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Displaying Connection Status” on page 3-128.
show interfaces counters This command displays interface statistics. Syntax show interfaces counters [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28) • port-channel channel-id (Range: 1-8) Default Setting Shows the counters for all interfaces. Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed.
Example Console#show interfaces counters ethernet 1/7 Ethernet 1/7 Iftable stats: Octets input: 30658, Octets output: 196550 Unicast input: 6, Unicast output: 5 Discard input: 0, Discard output: 0 Error input: 0, Error output: 0 Unknown protos input: 0, QLen output: 0 Extended iftable stats: Multi-cast input: 0, Multi-cast output: 3064 Broadcast input: 262, Broadcast output: 1 Ether-like stats: Alignment errors: 0, FCS errors: 0 Single Collision frames: 0, Multiple collision frames: 0 SQE Test errors: 0, De
Command Usage If no interface is specified, information on all interfaces is displayed. Example This example shows the configuration setting for port 24.
Table 4-51 show interfaces switchport - display description (Continued) Field Description Private VLAN host-association Shows the secondary (or community) VLAN with which this port is associated (4-261). Private VLAN mapping Shows the primary VLAN mapping for a promiscuous port (4-262). 802.1Q-tunnel Status Shows if 802.1Q tunnel is enabled on this interface (page 4-251). 802.1Q-tunnel Mode Shows the tunnel mode as Normal, 802.1Q Tunnel or 802.1Q Tunnel Uplink (page 4-252). 802.
Guidelines for Creating Trunks General Guidelines – • Finish configuring port trunks before you connect the corresponding network cables between switches to avoid creating a loop. • A trunk can have up to eight ports. • The ports at both ends of a connection must be configured as trunk ports. • All ports in a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings.
Command Usage • When configuring static trunks, the switches must comply with the Cisco EtherChannel standard. • Use no channel-group to remove a port group from a trunk. • Use no interfaces port-channel to remove a trunk from the switch. Example The following example creates trunk 1 and then adds port 11: Console(config)#interface port-channel 1 Console(config-if)#exit Console(config)#interface ethernet 1/11 Console(config-if)#channel-group 1 Console(config-if)# lacp This command enables 802.
Example The following shows LACP enabled on ports 11-13. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk 1 has been established.
Command Mode Interface Configuration (Ethernet) Command Usage • Ports must be configured with the same system priority to join the same LAG. • System priority is combined with the switch's MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems. • Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.
lacp port-priority This command configures LACP port priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority • actor - The local side of an aggregate link. • partner - The remote side of an aggregate link. • priority - LACP port priority is used to select a backup link.
show lacp This command displays LACP information. Syntax show lacp [port-channel] {counters | internal | neighbors | sysid}
• port-channel - Local identifier for a link aggregation group. (Range: 1-8)
• counters - Statistics for LACP protocol messages.
• internal - Configuration settings and operational state for local side.
• neighbors - Configuration settings and operational state for remote side.
• sysid - Summary of system priority and MAC address for all channel groups.
Console#show lacp 1 internal Port Channel : 1 ------------------------------------------------------------------------Oper Key : 4 Admin Key : 0 Eth 1/1 ------------------------------------------------------------------------LACPDUs Internal: 30 sec LACP System Priority: 32768 LACP Port Priority: 32768 Admin Key: 3 Oper Key: 3 Admin State: defaulted, aggregation, long timeout, active Oper State: distributing, collecting, synchronization, aggregation, long timeout, active . . .
Console#show lacp 1 neighbors Port channel 1 neighbors ------------------------------------------------------------------------Eth 1/11 ------------------------------------------------------------------------Partner Admin System ID: 32768, 00-00-00-00-00-00 Partner Oper System ID: 32768, 00-16-B6-F0-71-3C Partner Admin Port Number: 11 Partner Oper Port Number: 11 Port Admin Priority: 32768 Port Oper Priority: 32768 Admin Key: 0 Oper Key: 3 Admin State: defaulted, distributing, collecting, synchronization, l
Table 4-56 Field show lacp sysid - display description Description Channel group A link aggregation group configured on this switch. System Priority* LACP system priority for this channel group. System MAC Address* System MAC address. * The LACP system priority and system MAC address are concatenated to form the LAG system ID. Mirror Port Commands This section describes how to mirror traffic from a source port to a target port.
• The mirror port and monitor port speeds should match, otherwise traffic may be dropped from the monitor port. • You can create multiple mirror sessions, but all sessions must share the same destination port. However, you should avoid sending too much traffic to the destination port from multiple source ports.
Rate Limit Commands This function allows the network manager to control the maximum rate for traffic received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into the network. Packets that exceed the acceptable amount of traffic are dropped. Rate limiting can be applied to individual ports or trunks. When an interface is configured with this feature, the traffic rate will be monitored by the hardware to verify conformity.
Address Table Commands These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
Command Usage The static address for a host device can be assigned to a specific port within a specific VLAN. Use this command to add static addresses to the MAC Address Table. Static addresses have the following characteristics: • Static addresses will not be removed from the address table when a given interface link is down. • Static addresses are bound to the assigned interface and will not be moved.
show mac-address-table This command shows classes of entries in the bridge-forwarding database. Syntax show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}]
• mac-address - MAC address.
• mask - Bits to match in the address.
• interface
• ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
mac-address-table aging-time This command sets the aging time for entries in the address table. Use the no form to restore the default aging time. Syntax mac-address-table aging-time seconds no mac-address-table aging-time seconds - Aging time. (Range: 10-30000 seconds; 0 to disable aging) Default Setting 300 seconds Command Mode Global Configuration Command Usage The aging time is used to age out dynamically learned forwarding information.
Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
Table 4-60 Spanning Tree Commands (Continued) Command Function Mode Page spanning-tree mst cost Configures the path cost of an instance in the MST IC 4-232 spanning-tree mst port-priority Configures the priority of an instance in the MST IC 4-233 spanning-tree protocol-migration Re-checks the appropriate BPDU format PE 4-234 show spanning-tree PE Shows spanning tree configuration for the common spanning tree (i.e.
spanning-tree mode This command selects the spanning tree mode for this switch. Use the no form to restore the default. Syntax spanning-tree mode {stp | rstp | mstp} no spanning-tree mode • stp - Spanning Tree Protocol (IEEE 802.1D) • rstp - Rapid Spanning Tree Protocol (IEEE 802.1w) • mstp - Multiple Spanning Tree (IEEE 802.1s) Default Setting rstp Command Mode Global Configuration Command Usage • Spanning Tree Protocol Uses RSTP for the internal state machine, but sends only 802.1D BPDUs.
- Be careful when switching between spanning tree modes. Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic. Example The following example configures the switch to use Rapid Spanning Tree: Console(config)#spanning-tree mode rstp Console(config)# spanning-tree forward-time This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default.
Default Setting 2 seconds Command Mode Global Configuration Command Usage This command sets the time interval (in seconds) at which the root device transmits a configuration message. Example Console(config)#spanning-tree hello-time 5 Console(config)# Related Commands spanning-tree forward-time (4-219) spanning-tree max-age (4-220) spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.
Related Commands spanning-tree forward-time (4-219) spanning-tree hello-time (4-219) spanning-tree priority This command configures the spanning tree priority globally for this switch. Use the no form to restore the default. Syntax spanning-tree priority priority no spanning-tree priority priority - Priority of the bridge.
Command Mode Global Configuration Command Usage The spanning-tree system-bpdu-flooding command has no effect if BPDU flooding is disabled on a port (see the spanning-tree port-bpdu-flooding command, page 4-231). Example Console(config)#spanning-tree system-bpdu-flooding Console(config)# spanning-tree pathcost method This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.
spanning-tree transmission-limit This command limits how many RSTP/MSTP BPDUs a port may transmit before it pauses transmission for one second (the 802.1w Transmit Hold Count). Use the no form to restore the default. Syntax spanning-tree transmission-limit count no spanning-tree transmission-limit count - Maximum number of BPDUs transmitted before pausing; this is a count of BPDUs, not a number of seconds. (Range: 1-10) Default Setting 3 Command Mode Global Configuration Command Usage This command limits the maximum transmission rate for BPDUs.
mst vlan This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs. Syntax [no] mst instance_id vlan vlan-range • instance_id - Instance identifier of the spanning tree. (Range: 0-4094) • vlan-range - Range of VLANs. (Range: 1-4094) Default Setting none Command Mode MST Configuration Command Usage • Use this command to group VLANs into spanning tree instances.
Default Setting 32768 Command Mode MST Configuration Command Usage • MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
revision This command configures the revision number for this multiple spanning tree configuration of this switch. Use the no form to restore the default. Syntax revision number number - Revision number of the spanning tree. (Range: 0-65535) Default Setting 0 Command Mode MST Configuration Command Usage The MST region name (page 4-225) and revision number are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region.
number of bridges that will propagate a BPDU. Each bridge decrements the hop count by one before passing on the BPDU. When the hop count reaches zero, the message is dropped. Example Console(config-mstp)#max-hops 30 Console(config-mstp)# spanning-tree spanning-disabled This command disables the spanning tree algorithm for the specified interface. Use the no form to reenable the spanning tree algorithm for the specified interface.
Table 4-62 Recommended STA Path Cost
Port Type | Link Type | IEEE 802.1D-1998 | IEEE 802.1w-2001
Ethernet | Half Duplex | 100 | 2,000,000
Ethernet | Full Duplex | 95 | 1,999,999
Ethernet | Trunk | 90 | 1,000,000
Fast Ethernet | Half Duplex | 19 | 200,000
Fast Ethernet | Full Duplex | 18 | 100,000
Fast Ethernet | Trunk | 15 | 50,000
Gigabit Ethernet | Full Duplex | 4 | 10,000
Gigabit Ethernet | Trunk | 3 | 5,000
Default Setting By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below.
spanning-tree port-priority This command configures the priority for the specified interface. Use the no form to restore the default. Syntax spanning-tree port-priority priority no spanning-tree port-priority priority - The priority for a port. (Range: 0-240, in steps of 16) Default Setting 128 Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • This command defines the priority for the use of a port in the Spanning Tree Algorithm.
forwarding loops, they can pass directly through to the spanning tree forwarding state. Specifying Edge Ports provides quicker convergence for devices such as workstations or servers, retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to initiate reconfiguration when the interface changes state, and also overcomes other STA-related timeout problems.
Example Console(config)#interface ethernet 1/5 Console(config-if)#bridge-group 1 portfast Console(config-if)# Related Commands spanning-tree edge-port (4-229) spanning-tree port-bpdu-flooding This command floods BPDUs to other ports when spanning tree is disabled globally or disabled on a specific port. Use the no form to restore the default setting.
Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • Specify a point-to-point link if the interface can only be connected to exactly one other bridge, or a shared link if it can be connected to two or more bridges. • When automatic detection is selected, the switch derives the link type from the duplex mode. A full-duplex interface is considered a point-to-point link, while a half-duplex interface is assumed to be on a shared link.
Command Usage • Each spanning-tree instance is associated with a unique set of VLAN IDs. • This command is used by the multiple spanning-tree algorithm to determine the best path between devices. Therefore, lower values should be assigned to interfaces attached to faster media, and higher values assigned to interfaces with slower media. • Use the no spanning-tree mst cost command to specify auto-configuration mode. • Path cost takes precedence over interface priority.
Related Commands spanning-tree mst cost (4-232) spanning-tree protocol-migration This command re-checks the appropriate BPDU format to send on the selected interface. Syntax spanning-tree protocol-migration interface interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
Command Mode Privileged Exec Command Usage • Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree. • Use the show spanning-tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree (CST).
--------------------------------------------------------------
Eth 1/ 1 information
--------------------------------------------------------------
Admin status: enable
Role: root
State: forwarding
External admin path cost: 10000
Internal admin cost: 10000
External oper path cost: 10000
Internal oper path cost: 10000
Priority: 128
Designated cost: 200000
Designated port: 128.24
Designated root: 32768.0.0000ABCD0000
Designated bridge: 32768.0.
VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
bridge-ext gvrp This command enables GVRP globally for the switch. Use the no form to disable it. Syntax [no] bridge-ext gvrp Default Setting Disabled Command Mode Global Configuration Command Usage GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. This function should be enabled to permit automatic VLAN registration, and to support VLANs which extend beyond the local switch.
switchport gvrp
This command enables GVRP for a port. Use the no form to disable it.
Syntax [no] switchport gvrp
Default Setting Disabled
Command Mode Interface Configuration (Ethernet, Port Channel)
Example

Console(config)#interface ethernet 1/6
Console(config-if)#switchport gvrp
Console(config-if)#

show gvrp configuration
This command shows if GVRP is enabled.
Syntax show gvrp configuration [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
garp timer This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. Syntax garp timer {join | leave | leaveall} timer_value no garp timer {join | leave | leaveall} • {join | leave | leaveall} - Which timer to set. • timer_value - Value of timer.
show garp timer This command shows the GARP timers for the selected interface. Syntax show garp timer [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-28) • port-channel channel-id (Range: 1-8) Default Setting Shows all GARP timers.
Command Mode Global Configuration Command Usage • Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command. • Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN. The results of these commands are written to the running-configuration file, and you can display this file by entering the show running-config command.
• no vlan vlan-id state returns the VLAN to the default state (i.e., active). • You can configure up to 255 VLANs on the switch. Note: The switch allows 255 user-manageable VLANs. One extra, unmanageable VLAN (VLAN ID 4093) is maintained for switch clustering. Example The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default.
Command Mode Global Configuration
Example
The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN:

Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.254 255.255.255.0
Console(config-if)#

Related Commands shutdown (4-192)

switchport mode
This command configures the VLAN membership mode for a port. Use the no form to restore the default.
Related Commands switchport acceptable-frame-types (4-245) switchport acceptable-frame-types This command configures the acceptable frame types for a port. Use the no form to restore the default. Syntax switchport acceptable-frame-types {all | tagged} no switchport acceptable-frame-types • all - The port accepts all frames, tagged or untagged. • tagged - The port only receives tagged frames.
Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • Ingress filtering only affects tagged frames. • With ingress filtering enabled, a port will discard received frames tagged for VLANs of which it is not a member. • Ingress filtering does not affect VLAN-independent BPDU frames, such as GVRP or STA. However, it does affect VLAN-dependent BPDU frames, such as GMRP.
switchport allowed vlan This command configures VLAN groups on the selected interface. Use the no form to restore the default. Syntax switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list} no switchport allowed vlan • add vlan-list - List of VLAN identifiers to add. • remove vlan-list - List of VLAN identifiers to remove. • vlan-list - Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs. Do not enter leading zeros.
switchport forbidden vlan This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs. Syntax switchport forbidden vlan {add vlan-list | remove vlan-list} no switchport forbidden vlan • add vlan-list - List of VLAN identifiers to add. • remove vlan-list - List of VLAN identifiers to remove. • vlan-list - Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs. Do not enter leading zeros. (Range: 1-4094).
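An added example, not from the manual: it expands a vlan-list exactly as the syntax above defines it (comma-separated, no spaces, hyphen ranges, no leading zeros, 1-4094) and models the effect of switchport allowed vlan together with the ingress-filtering and acceptable-frame-types rules described above. SwitchPort and its method names are hypothetical, not the switch's own API.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

VLAN_MIN, VLAN_MAX = 1, 4094
# One vlan-list item: a single ID or a "lo-hi" range, decimal, no leading zeros.
_ITEM = re.compile(r"^([1-9][0-9]*)(?:-([1-9][0-9]*))?$")


def parse_vlan_list(text: str) -> set[int]:
    """Expand a vlan-list written as the syntax above requires: IDs separated by
    commas with no spaces, a hyphen for a range, no leading zeros, 1-4094."""
    if not text or " " in text:
        raise ValueError("vlan-list must be non-empty and contain no spaces")
    vlans: set[int] = set()
    for item in text.split(","):
        m = _ITEM.match(item)
        if not m:
            raise ValueError(f"bad vlan-list item {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not VLAN_MIN <= lo <= hi <= VLAN_MAX:
            raise ValueError(f"vlan-list item {item!r} is outside {VLAN_MIN}-{VLAN_MAX}")
        vlans.update(range(lo, hi + 1))
    return vlans


def is_valid_vlan_list(text: str) -> bool:
    try:
        parse_vlan_list(text)
        return True
    except ValueError:
        return False


@dataclass
class SwitchPort:
    """Hypothetical model of one interface's VLAN settings (constructed for this
    example; not the switch's own data structures)."""
    name: str
    native_vlan: int = 1                       # switchport native vlan
    tagged: set[int] = field(default_factory=set)
    untagged: set[int] = field(default_factory=lambda: {1})
    ingress_filtering: bool = False            # ingress filtering, as described above
    acceptable_frame_types: str = "all"        # switchport acceptable-frame-types {all | tagged}

    def members(self) -> set[int]:
        return self.tagged | self.untagged

    def allowed_vlan_add(self, vlan_list: str, mode: str = "tagged") -> None:
        """switchport allowed vlan add vlan-list [tagged | untagged]"""
        ids = parse_vlan_list(vlan_list)
        if mode == "untagged":
            self.tagged -= ids
            self.untagged |= ids
        else:
            self.untagged -= ids
            self.tagged |= ids

    def allowed_vlan_remove(self, vlan_list: str) -> None:
        """switchport allowed vlan remove vlan-list"""
        ids = parse_vlan_list(vlan_list)
        self.tagged -= ids
        self.untagged -= ids

    def ingress_decision(self, vid: int | None) -> tuple[bool, str]:
        """Accept or drop a received frame; vid=None means an untagged frame."""
        if vid is None:
            if self.acceptable_frame_types == "tagged":
                return False, "untagged frame dropped: acceptable-frame-types tagged"
            return True, f"untagged frame classified to native VLAN {self.native_vlan}"
        # Ingress filtering only affects tagged frames: drop if the port is not a member.
        if self.ingress_filtering and vid not in self.members():
            return False, f"tagged frame for VLAN {vid} dropped by ingress filtering"
        return True, f"tagged frame accepted for VLAN {vid}"
```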
Displaying VLAN Information

Table 4-68 Show VLAN Commands

Command                      Function                                                              Mode    Page
show vlan                    Shows VLAN information                                                NE, PE  4-249
show interfaces status vlan  Displays status for the specified VLAN interface                      NE, PE  4-194
show interfaces switchport   Displays the administrative and operational status of an interface    NE, PE  4-197

show vlan
This command shows VLAN information.
Example
The following example shows how to display information for VLAN 1:

Console#show vlan id 1
Default VLAN ID : 1
VLAN ID: 1
Type: Static
Name: DefaultVlan
Status: Active
Ports/Port Channels: Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S) Eth1/ 6(S) Eth1/ 7(S)
                     Eth1/ 8(S) Eth1/ 9(S) Eth1/10(S) Eth1/11(S) Eth1/12(S) Eth1/13(S) Eth1/14(S)
                     Eth1/15(S) Eth1/16(S) Eth1/17(S) Eth1/18(S) Eth1/19(S) Eth1/20(S) Eth1/21(S)
                     Eth1/22(S) Eth1/23(S) Eth1/24(S) Eth1/25(S) Eth1/26(S) Eth1/27(S) Eth1/28(S)
Console#
5. … 802.1Q tagged frames. The standard ethertype value is 0x8100. (See switchport dot1q-tunnel tpid, page 4-253.)
6. Configure the QinQ tunnel access port to join the SPVLAN as an untagged member (switchport allowed vlan, page 4-247).
7. Configure the SPVLAN ID as the native VID on the QinQ tunnel access port (switchport native vlan, page 4-246).
8. Configure the QinQ tunnel uplink port to dot1Q-tunnel uplink mode (switchport dot1q-tunnel mode, page 4-252).
switchport dot1q-tunnel mode This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface. Syntax switchport dot1q-tunnel mode {access | uplink} no switchport dot1q-tunnel mode • access – Sets the port as an 802.1Q tunnel access port. • uplink – Sets the port as an 802.1Q tunnel uplink port.
switchport dot1q-tunnel tpid This command sets the Tag Protocol Identifier (TPID) value of a tunnel port. Use the no form to restore the default setting. Syntax switchport dot1q-tunnel tpid tpid no switchport dot1q-tunnel tpid tpid – Sets the ethertype value for 802.1Q encapsulation. This identifier is used to select a nonstandard 2-byte ethertype to identify 802.1Q tagged frames. The standard ethertype value is 0x8100.
Example

Console(config)#dot1q-tunnel system-tunnel-control
Console(config)#interface ethernet 1/1
Console(config-if)#switchport dot1q-tunnel mode access
Console(config-if)#interface ethernet 1/2
Console(config-if)#switchport dot1q-tunnel mode uplink
Console(config-if)#end
Console#show dot1q-tunnel
Current double-tagged The dot1q-tunnel mode The dot1q-tunnel mode The dot1q-tunnel mode . . .
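An added example, not part of the manual: it constructs and parses the double-tagged frames that the dot1q-tunnel access/uplink configuration above produces, and shows why the TPID configured with switchport dot1q-tunnel tpid must agree on both ends. The function names and the 0x88A8 nonstandard TPID used as a sample value are assumptions.

```python
import struct

STD_TPID = 0x8100   # standard 802.1Q ethertype; the manual's default TPID


def mac_bytes(text: str) -> bytes:
    """'01-23-45-67-89-AB' (or colon form) -> 6 raw bytes."""
    parts = text.replace(":", "-").split("-")
    if len(parts) != 6:
        raise ValueError(f"bad MAC {text!r}")
    return bytes(int(p, 16) for p in parts)


def vlan_tag(vid: int, pcp: int = 0, tpid: int = STD_TPID) -> bytes:
    """4-byte tag: 2-byte TPID followed by the TCI (PCP:3 bits, DEI:1, VID:12)."""
    if not 1 <= vid <= 4094 or not 0 <= pcp <= 7:
        raise ValueError("vid must be 1-4094 and pcp 0-7")
    return struct.pack("!HH", tpid, (pcp << 13) | vid)


def customer_frame(dst: str, src: str, cvid: int, ethertype: int, payload: bytes) -> bytes:
    """A single-tagged customer frame as it arrives at the tunnel access port."""
    return mac_bytes(dst) + mac_bytes(src) + vlan_tag(cvid) + struct.pack("!H", ethertype) + payload


def tunnel_access_ingress(frame: bytes, spvlan: int, tpid: int = STD_TPID) -> bytes:
    """Model of a dot1q-tunnel access port: push an outer service-provider tag
    (the SPVLAN, which is the port's native VID) in front of whatever the
    customer sent; the customer tag is carried through untouched."""
    return frame[:12] + vlan_tag(spvlan, tpid=tpid) + frame[12:]


def tunnel_access_egress(frame: bytes, tunnel_tpid: int = STD_TPID) -> bytes:
    """Model of the far-end access port popping the outer tag again. Raises if
    the outer tag is missing or carries a TPID other than the configured one."""
    (et,) = struct.unpack_from("!H", frame, 12)
    if et != tunnel_tpid:
        raise ValueError(f"outer TPID 0x{et:04x} does not match configured 0x{tunnel_tpid:04x}")
    return frame[:12] + frame[16:]


def parse_frame(frame: bytes, tunnel_tpid: int = STD_TPID) -> dict:
    """Walk the tag stack. A tag is recognised only if its TPID is 0x8100 or the
    configured tunnel TPID, which is exactly what the tpid setting controls."""
    off = 12
    tags = []
    while off + 4 <= len(frame):
        (et,) = struct.unpack_from("!H", frame, off)
        if et not in (STD_TPID, tunnel_tpid):
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append({"tpid": et, "pcp": tci >> 13, "vid": tci & 0x0FFF})
        off += 4
    (ethertype,) = struct.unpack_from("!H", frame, off)
    return {
        "dst": frame[:6].hex("-"),
        "src": frame[6:12].hex("-"),
        "tags": tags,
        "ethertype": ethertype,
        "payload": frame[off + 2:],
    }
```

With a nonstandard TPID configured only on the sending side, parse_frame on the default side sees no outer tag at all and reports ethertype 0x88A8, which is the symptom of a TPID mismatch.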
Default Setting Disabled Command Mode Global Configuration Command Usage • When traffic segmentation is enabled, the forwarding state for the uplink and downlink ports assigned to different client sessions is shown below.
pvlan uplink/downlink This command configures uplink/downlink ports for traffic-segmentation client sessions. Use the no form to restore a port to normal operating mode. Syntax [no] pvlan [session session-id] {uplink interface-list [downlink interface-list] | downlink interface-list} • session-id – Traffic segmentation session. (Range: 1-15) • interface-list – One or more uplink or downlink interfaces. • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
Command Mode Global Configuration
Command Usage
• Use this command to create a new traffic-segmentation client session.
• Using the no form of this command will remove any assigned uplink or downlink ports, restoring these interfaces to normal operating mode.
Example

Console(config)#pvlan session 1
Console(config)#

pvlan up-to-up
This command specifies whether or not traffic can be forwarded between uplink ports assigned to different client sessions. Use the no form to restore the default.
Example

Console#show pvlan
Private VLAN Status : Enabled
Uplink-to-Uplink Mode : Blocking
Session   Uplink Ports                    Downlink Ports
--------- ------------------------------  -----------------------------------------
1         Ethernet 1/28                   Ethernet 1/9 Ethernet 1/10 Ethernet 1/11
Console#

Configuring Private VLANs
Private VLANs provide port-based security and isolation between ports within the assigned VLAN. This switch supports two types of private VLANs: primary/secondary associated groups, and stand-alone isolated VLANs.
Table 4-72 Private VLAN Commands (Continued)

Command                   Function                          Mode    Page
Display Private VLAN Information
show vlan private-vlan    Shows private VLAN information    NE, PE  4-263

To configure primary/secondary associated groups, follow these steps:
1. Use the private-vlan command to designate one or more community VLANs and the primary VLAN that will channel traffic outside of the community groups.
2. Use the private-vlan association command to map the community VLAN(s) to the primary VLAN.
3.
using community VLANs, they must be mapped to an associated “primary” VLAN that contains promiscuous ports. • Port membership for private VLANs is static. Once a port has been assigned to a private VLAN, it cannot be dynamically moved to another VLAN via GVRP. • Private VLAN ports cannot be set to trunked mode. (See “switchport mode” on page 4-244.
switchport mode private-vlan Use this command to set the private VLAN mode for an interface. Use the no form to restore the default setting. Syntax switchport mode private-vlan {host | promiscuous} no switchport mode private-vlan • host – This port type can subsequently be assigned to a community VLAN. • promiscuous – This port type can communicate with all other promiscuous ports in the same primary VLAN, as well as with all the ports in the associated secondary VLANs.
Default Setting None Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage All ports assigned to a secondary (i.e., community) VLAN can pass traffic between group members, but must communicate with resources outside of the group via promiscuous ports in the associated primary VLAN.
show vlan private-vlan Use this command to show the private VLAN configuration settings on this switch. Syntax show vlan private-vlan [community | primary] • community – Displays all community VLANs, along with their associated primary VLAN and assigned host interfaces. • primary – Displays all primary VLANs, along with any assigned promiscuous interfaces.
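An added example, not the switch's code: a model of the primary/community forwarding rules that the private VLAN commands above describe (host ports talk only within their community VLAN and to promiscuous ports of the associated primary VLAN; promiscuous ports talk to each other within a primary VLAN and to all associated secondary VLANs). It lets a planned configuration be checked for which port pairs may exchange traffic. Class and method names are hypothetical, the argument order of the association call is assumed, and stand-alone isolated VLANs are not modelled.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class PvlanPort:
    name: str
    mode: str    # "host" or "promiscuous" (switchport mode private-vlan)
    vlan: int    # community VLAN for host ports, primary VLAN for promiscuous ports


class PrivateVlanTable:
    """Hypothetical model of primary/community private VLAN forwarding."""

    def __init__(self) -> None:
        self.primary: set[int] = set()
        self.community_to_primary: dict[int, int | None] = {}
        self.ports: dict[str, PvlanPort] = {}

    def private_vlan(self, vid: int, kind: str) -> None:
        """Declare a VLAN as primary or community (the private-vlan command)."""
        if kind == "primary":
            self.primary.add(vid)
        elif kind == "community":
            self.community_to_primary.setdefault(vid, None)
        else:
            raise ValueError(f"unknown private VLAN type {kind!r}")

    def association(self, primary: int, community: int) -> None:
        """Map a community VLAN to its primary VLAN (private-vlan association)."""
        if primary not in self.primary or community not in self.community_to_primary:
            raise ValueError("both VLANs must be declared before association")
        self.community_to_primary[community] = primary

    def add_port(self, name: str, mode: str, vlan: int) -> None:
        """Assign a port: host ports join a community VLAN, promiscuous ports a primary."""
        if mode == "host" and vlan not in self.community_to_primary:
            raise ValueError(f"VLAN {vlan} is not a community VLAN")
        if mode == "promiscuous" and vlan not in self.primary:
            raise ValueError(f"VLAN {vlan} is not a primary VLAN")
        if mode not in ("host", "promiscuous"):
            raise ValueError(f"unknown port mode {mode!r}")
        self.ports[name] = PvlanPort(name, mode, vlan)

    def can_forward(self, src: str, dst: str) -> bool:
        """Whether a frame entering src may be delivered out of dst."""
        a, b = self.ports[src], self.ports[dst]
        if src == dst:
            return False
        if a.mode == "promiscuous" and b.mode == "promiscuous":
            return a.vlan == b.vlan                      # same primary VLAN
        if a.mode == "host" and b.mode == "host":
            return a.vlan == b.vlan                      # same community group only
        host, prom = (a, b) if a.mode == "host" else (b, a)
        # Host traffic leaves the community only through the associated primary.
        return self.community_to_primary.get(host.vlan) == prom.vlan

    def matrix(self) -> dict[str, dict[str, bool]]:
        """Full forwarding matrix, useful for reviewing isolation before deployment."""
        names = sorted(self.ports)
        return {s: {d: self.can_forward(s, d) for d in names if d != s} for s in names}
```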
To configure protocol-based VLANs, follow these steps:
1. First configure VLAN groups for the protocols you want to use (page 4-242). Although not mandatory, we suggest configuring a separate VLAN for each major protocol running on your network. Do not add port members at this time.
2. Create a protocol group for each of the protocols you want to assign to a VLAN using the protocol-vlan protocol-group add command.
3.
protocol-vlan protocol-group (Configuring VLANs) This command globally maps a protocol group to a VLAN. Use the no form to remove the protocol mapping. Syntax protocol-vlan protocol-group group-id vlan vlan-id no protocol-vlan protocol-group group-id vlan • group-id - Group identifier of this protocol group. (Range: 1-2147483647) • vlan-id - VLAN to which matching protocol traffic is forwarded. (Range: 1-4094) Default Setting No protocol groups are mapped to any VLANs.
Default Setting All protocol groups are displayed.
Command Mode Privileged Exec
Example
This shows protocol group 2 configured for IP over RFC 1042:

Console#show protocol-vlan protocol-group
ProtocolGroup ID   Frame Type     Protocol Type
------------------ ------------- ---------------
2                  RFC 1042      08 00
Console#

show protocol-vlan protocol-group-vid
This command shows the mapping from protocol groups to VLANs.
Configuring Voice VLANs The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic. VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices. When VoIP traffic is detected on a configured port, the switch automatically assigns the port to the Voice VLAN. Alternatively, switch ports can be manually configured.
• VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices. When VoIP traffic is detected on a configured port, the switch automatically assigns the port as a tagged member of the Voice VLAN. • Only one Voice VLAN is supported and it must already be created on the switch before it can be specified as the Voice VLAN.
voice vlan mac-address This command specifies MAC address ranges to add to the OUI Telephony list. Use the no form to remove an entry from the list. Syntax voice vlan mac-address mac-address mask mask-address [description description] no voice vlan mac-address mac-address mask mask-address • mac-address - Defines a MAC address OUI that identifies VoIP devices in the network. (For example, 01-23-45-00-00-00) • mask-address - Identifies a range of MAC addresses.
switchport voice vlan This command specifies the Voice VLAN mode for ports. Use the no form to disable the Voice VLAN feature on the port. Syntax switchport voice vlan {manual | auto} no switchport voice vlan • manual - The Voice VLAN feature is enabled on the port, but the port must be manually added to the Voice VLAN. • auto - The port will be added as a tagged member to the Voice VLAN when VoIP traffic is detected on the port.
Command Mode Interface Configuration Command Usage • When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list (see the voice vlan mac-address command on page 4-269). MAC address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device. • LLDP checks that the “telephone bit” in the system capability TLV is turned on. See “Spanning Tree Commands” on page 4-216 for more information on LLDP.
switchport voice vlan priority This command specifies a CoS priority for VoIP traffic on a port. Use the no form to restore the default priority on a port. Syntax switchport voice vlan priority priority-value no switchport voice vlan priority • priority-value - The CoS priority value. (Range: 0-6) Default Setting 6 Command Mode Interface Configuration Command Usage Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN.
Example

Console#show voice vlan status
Global Voice VLAN Status
Voice VLAN Status : Enabled
Voice VLAN ID : 1234
Voice VLAN aging time : 1440 minutes

Voice VLAN Port Summary
Port      Mode      Security
--------  --------  --------
Eth 1/ 1  Auto      Enabled
Eth 1/ 2  Disabled  Disabled
Eth 1/ 3  Manual    Enabled
Eth 1/ 4  Auto      Enabled
Eth 1/ 5  Disabled  Disabled
Eth 1/ 6  Disabled  Disabled
Eth 1/ 7  Disabled  Disabled
Eth 1/ 8  Disabled  Disabled
Eth 1/ 9  Disabled  Disabled
Eth 1/10  Disabled  Disabled
Rule      Priority
--------- --------
OUI       6
Table 4-75 LLDP Commands

Command                     Function                                                                          Mode  Page
lldp                        Enables LLDP globally on the switch                                               GC    4-275
lldp holdtime-multiplier    Configures the time-to-live (TTL) value sent in LLDP advertisements               GC    4-276
medFastStartCount           Configures how many medFastStart packets are transmitted                          GC    4-276
lldp notification-interval  Configures the allowed interval for sending SNMP notifications about LLDP changes GC    4-277
lldp refresh-interval       Configures the periodic transmit interval for LLDP advertisements                 G
Table 4-75 LLDP Commands (Continued)

Command                  Function                                                                                              Mode  Page
lldp dot3-tlv max-frame  Configures an LLDP-enabled port to advertise its maximum frame size                                   IC    4-287
lldp dot3-tlv poe        Configures an LLDP-enabled port to advertise its Power-over-Ethernet capabilities                     IC    4-288
lldp medtlv extpoe       Configures an LLDP-MED-enabled port to advertise its extended Power over Ethernet configuration and usage information  IC  4-288
lldp medtlv inventory    Configures an LLDP-MED-enabled port to advertise it
lldp holdtime-multiplier This command configures the time-to-live (TTL) value sent in LLDP advertisements. Use the no form to restore the default setting.
Command Usage
The MEDFastStartCount parameter is part of the timer which ensures that the LLDP-MED Fast Start mechanism is active for the port. LLDP-MED Fast Start is critical to the timely startup of LLDP, and therefore integral to the rapid availability of Emergency Call Service.
Example

Console(config)#lldp medfaststartcount 6
Console(config)#

lldp notification-interval
This command configures the allowed interval for sending SNMP notifications about LLDP MIB changes.
lldp refresh-interval This command configures the periodic transmit interval for LLDP advertisements. Use the no form to restore the default setting. Syntax lldp refresh-interval seconds no lldp refresh-interval seconds - Specifies the periodic interval at which LLDP advertisements are sent.
Example

Console(config)#lldp reinit-delay 10
Console(config)#

lldp tx-delay
This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables. Use the no form to restore the default setting.
Syntax lldp tx-delay seconds no lldp tx-delay seconds - Specifies the transmit delay.
Default Setting tx-rx
Command Mode Interface Configuration (Ethernet, Port Channel)
Example

Console(config)#interface ethernet 1/1
Console(config-if)#lldp admin-status rx-only
Console(config-if)#

lldp notification
This command enables the transmission of SNMP trap notifications about LLDP changes. Use the no form to disable LLDP notifications.
lldp mednotification This command enables the transmission of SNMP trap notifications about LLDP-MED changes. Use the no form to disable LLDP-MED notifications. Syntax [no] lldp mednotification Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • This option sends out SNMP trap notifications to designated target stations at the interval specified by the lldp notification-interval command (page 4-277).
Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • The management address protocol packet includes the IPv4 address of the switch. If no management address is available, the address should be the MAC address for the CPU or for the port sending this advertisement.
Example

Console(config)#interface ethernet 1/1
Console(config-if)#lldp basic-tlv port-description
Console(config-if)#

lldp basic-tlv system-capabilities
This command configures an LLDP-enabled port to advertise its system capabilities. Use the no form to disable this feature.
Example

Console(config)#interface ethernet 1/1
Console(config-if)#lldp basic-tlv system-description
Console(config-if)#

lldp basic-tlv system-name
This command configures an LLDP-enabled port to advertise the system name. Use the no form to disable this feature.
Command Usage
This option advertises the protocols that are accessible through this interface.
Example

Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot1-tlv proto-ident
Console(config-if)#

lldp dot1-tlv proto-vid
This command configures an LLDP-enabled port to advertise port related VLAN information. Use the no form to disable this feature.
Command Usage
The port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see “switchport native vlan” on page 4-246).
Example

Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot1-tlv pvid
Console(config-if)#

lldp dot1-tlv vlan-name
This command configures an LLDP-enabled port to advertise its VLAN name. Use the no form to disable this feature.
Command Usage
This option advertises link aggregation capabilities, aggregation status of the link, and the 802.3 aggregated port identifier if this interface is currently a link aggregation member.
Example

Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot3-tlv link-agg
Console(config-if)#

lldp dot3-tlv mac-phy
This command configures an LLDP-enabled port to advertise its MAC and physical layer capabilities. Use the no form to disable this feature.
Command Usage
Refer to “Frame Size Commands” on page 4-35 for information on configuring the maximum frame size for this switch.
Example

Console(config)#interface ethernet 1/1
Console(config-if)#lldp dot3-tlv max-frame
Console(config-if)#

lldp dot3-tlv poe
This command configures an LLDP-enabled port to advertise its Power-over-Ethernet (PoE) capabilities. Use the no form to disable this feature.
Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises extended Power-over-Ethernet capability details, such as power availability from the switch, and power state of the switch, including whether the switch is operating from primary or backup power (the Endpoint Device could use this information to decide to enter power conservation mode).
Command Mode Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises location identification details.
Example

Console(config)#interface ethernet 1/1
Console(config-if)#lldp medtlv location
Console(config-if)#

lldp medtlv med-cap
This command configures an LLDP-MED-enabled port to advertise its Media Endpoint Device capabilities. Use the no form to disable this feature.
Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port. Improper network policy configurations frequently result in voice quality degradation or complete service disruption.
Example

Console#show lldp config
LLDP Global Configuation
LLDP Enable                : Yes
LLDP Transmit interval     : 30
LLDP Hold Time Multiplier  : 4
LLDP Delay Interval        : 2
LLDP Reinit Delay          : 2
LLDP Notification Interval : 5
LLDP MED fast start counts : 4

LLDP Port Configuration
Interface |AdminStatus  NotificationEnabled
--------- + -----------  -------------------
Eth 1/1   | Tx-Rx        True
Eth 1/2   | Tx-Rx        True
Eth 1/3   | Tx-Rx        True
Eth 1/4   | Tx-Rx        True
Eth 1/5   | Tx-Rx        True
. . .
show lldp info local-device This command shows LLDP global and interface-specific configuration settings for this device. Syntax show lldp info local-device [detail interface] • detail - Shows detailed information. • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
show lldp info remote-device This command shows LLDP global and interface-specific configuration settings for remote devices attached to an LLDP-enabled port. Syntax show lldp info remote-device [detail interface] • detail - Shows detailed information. • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
show lldp info statistics This command shows statistics based on traffic received through all attached LLDP-enabled interfaces. Syntax show lldp info statistics [detail interface] • detail - Shows detailed information. • interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
Default Setting Weighted Round Robin Command Mode Global Configuration Command Usage • Strict priority requires all traffic in a higher priority queue to be processed before lower priority queues are serviced. • WRR uses a relative weight for each queue which determines the number of packets the switch transmits every time it services a queue before moving on to the next queue.
• This switch provides eight priority queues for each port. It is configured to use Weighted Round Robin, which can be viewed with the show queue bandwidth command. Inbound frames that do not have VLAN tags are tagged with the input port’s default ingress user priority, and then placed in the appropriate priority queue at the output port. The default priority for all ingress ports is zero. Therefore, any inbound frames that do not have priority tags will be placed in queue 0 of the output port.
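An added example, not from the manual: a simulation of strict priority versus Weighted Round Robin using the default weights 1, 2, 4, 8 that show queue bandwidth lists for queues 0 to 3, showing how strict mode starves the low-priority queue that untagged frames land in by default. The order in which queues are visited within one WRR round is an assumption.

```python
from collections import deque

# Default weights listed by show queue bandwidth on this page: queue 0..3 -> 1, 2, 4, 8.
DEFAULT_WRR_WEIGHTS = (1, 2, 4, 8)


def schedule(queues, mode="wrr", weights=DEFAULT_WRR_WEIGHTS):
    """Return the order in which queued frames leave the port.

    queues: list of frame-label lists, index = priority queue (0 is lowest).
    mode:   "strict" (higher queue always first) or "wrr" (weighted rounds).
    """
    pending = [deque(q) for q in queues]
    out = []
    while any(pending):
        if mode == "strict":
            # The highest non-empty queue is always served before any lower one.
            q = max(i for i, p in enumerate(pending) if p)
            out.append(pending[q].popleft())
        elif mode == "wrr":
            # One round: queue i may transmit up to weights[i] frames, visited
            # from the highest queue down (visiting order is an assumption).
            for i in range(len(pending) - 1, -1, -1):
                for _ in range(weights[i]):
                    if not pending[i]:
                        break
                    out.append(pending[i].popleft())
        else:
            raise ValueError(f"unknown scheduling mode {mode!r}")
    return out


def first_service_index(order, label_prefix):
    """Position at which a frame from the given queue is first transmitted."""
    for n, label in enumerate(order):
        if label.startswith(label_prefix):
            return n
    return None
```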
Command Usage • CoS values assigned at the ingress port are also used at the egress port. • This command sets the CoS priority for all interfaces.
Example

Console#show queue bandwidth
Queue ID  Weight
--------  ------
0         1
1         2
2         4
3         8
Console#

show queue cos-map
This command shows the class of service priority map.
Syntax show queue cos-map [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
Priority Commands (Layer 3 and 4)
This section describes commands used to configure Layer 3 and Layer 4 traffic priority on the switch.

Table 4-79 Priority Commands (Layer 3 and 4)

Command           Function                                   Mode  Page
map ip dscp       Enables IP DSCP class of service mapping   GC    4-301
map ip dscp       Maps IP DSCP value to a class of service   IC    4-301
show map ip dscp  Shows the IP DSCP map                      PE    4-302

map ip dscp (Global Configuration)
This command enables IP DSCP mapping (i.e.
Default Setting
The DSCP default values are defined in the following table. Note that all the DSCP values that are not specified are mapped to CoS value 0.

Table 4-80 IP DSCP to CoS Values

IP DSCP Value            CoS Value
0                        0
8                        1
10, 12, 14, 16           2
18, 20, 22, 24           3
26, 28, 30, 32, 34, 36   4
38, 40, 42               5
48                       6
46, 56                   7

Command Mode Interface Configuration (Ethernet, Port Channel)
Command Usage
• The precedence for priority mapping is IP DSCP and default switchport priority.
Default Setting None
Command Mode Privileged Exec
Example

Console#show map ip dscp ethernet 1/1
DSCP mapping status: disabled
Port      DSCP  COS
--------  ----  ---
Eth 1/ 1  0     0
Eth 1/ 1  1     0
Eth 1/ 1  2     0
Eth 1/ 1  3     0
. . .
Table 4-81 Quality of Service Commands (Continued)

Command          Function                                                                                         Mode  Page
police           Defines an enforcer for classified traffic                                                       PM-C
service-policy   Applies a policy map defined by the policy-map command to the input of a particular interface    IC    4-310
show class-map   Displays the QoS class maps which define matching criteria used for classifying traffic          PE    4-311
show policy-map  Displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for ba
Command Mode Global Configuration Command Usage • First enter this command to designate a class map and enter the Class Map configuration mode. Then use the match command (page 4-305) to specify the criteria for ingress traffic that will be classified under this class map. • Up to 16 match commands are permitted per class map.
• Only one match command can be entered per class map.
Command Mode Class Map Configuration Policy Map Configuration Example Console(config)#class-map rd_class#1 Console(config-cmap)#description matches packets marked for DSCP service value 3 Console(config-cmap)# policy-map This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map and return to Global configuration mode. Syntax [no] policy-map policy-map-name policy-map-name - Name of the policy map.
class This command defines a traffic classification upon which a policy can act, and enters Policy Map Class configuration mode. Use the no form to delete a class map and return to Policy Map configuration mode. Syntax [no] class class-map-name class-map-name - Name of the class map. (Range: 1-16 characters) Default Setting None Command Mode Policy Map Configuration Command Usage • Use the policy-map command to specify a policy map and enter Policy Map configuration mode.
set This command services IP traffic by setting a CoS or DSCP value in a matching packet (as specified by the match command on page 4-305). Use the no form to remove the traffic classification. Syntax [no] set {cos new-cos | ip dscp new-dscp} • new-cos - New Class of Service (CoS) value. (Range: 0-7) • new-dscp - New Differentiated Service Code Point (DSCP) value.
Command Usage • You can configure up to 64 policers (i.e., meters or class maps) for each of the following access list types: MAC ACL, IP ACL (including Standard ACL and Extended ACL). • Policing is based on a token bucket, where bucket depth (i.e., the maximum burst before the bucket overflows) is specified by the burst-byte field, and the average rate at which tokens are removed from the bucket is specified by the rate-bps option.
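An added example, not from the manual: a token-bucket policer with the two parameters described above (burst-byte as bucket depth in bytes, rate-bps as the average token rate in bits per second), run over a constructed packet trace so the boundary between conforming and exceeding traffic is visible. The class is a hypothetical model, not the switch's implementation, and how exceeding packets are treated is left to the caller.

```python
from dataclasses import dataclass, field


@dataclass
class TokenBucketPolicer:
    """Single-rate token bucket: tokens are bytes, time is seconds (float)."""
    rate_bps: int                                   # rate-bps: average rate, bits/s
    burst_bytes: int                                # burst-byte: bucket depth, bytes
    tokens: float = field(init=False)
    last_time: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        if self.rate_bps <= 0 or self.burst_bytes <= 0:
            raise ValueError("rate-bps and burst-byte must be positive")
        self.tokens = float(self.burst_bytes)       # bucket starts full

    def _refill(self, now: float) -> None:
        """Add rate-bps/8 bytes per elapsed second, never above the bucket depth."""
        if now < self.last_time:
            raise ValueError("packet timestamps must not go backwards")
        self.tokens = min(self.burst_bytes,
                          self.tokens + (now - self.last_time) * self.rate_bps / 8)
        self.last_time = now

    def police(self, now: float, size_bytes: int) -> str:
        """'conform' if the packet fits in the bucket (tokens are consumed),
        otherwise 'exceed' (no tokens are consumed)."""
        self._refill(now)
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "conform"
        return "exceed"


def police_trace(rate_bps: int, burst_bytes: int, packets) -> list:
    """Run a trace of (time_s, size_bytes) tuples through one policer."""
    policer = TokenBucketPolicer(rate_bps, burst_bytes)
    return [policer.police(t, size) for t, size in packets]
```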
Example
This example applies a service policy to an ingress interface.

Console(config)#interface ethernet 1/1
Console(config-if)#service-policy input rd_policy
Console(config-if)#

show class-map
This command displays the QoS class maps which define matching criteria used for classifying traffic.
Syntax show class-map [class-map-name] class-map-name - Name of the class map. (Range: 1-16 characters)
Default Setting Displays all class maps.
Example

Console#show policy-map
Policy Map rd_policy
class rd_class
set ip dscp 3
Console#show policy-map rd_policy class rd_class
Policy Map rd_policy
class rd_class
set ip dscp 3
Console#

show policy-map interface
This command displays the service policy assigned to the specified interface.
Syntax show policy-map interface interface input interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
ip igmp snooping This command enables IGMP snooping on this switch. Use the no form to disable it. Syntax [no] ip igmp snooping Default Setting Enabled Command Mode Global Configuration Example The following example enables IGMP snooping. Console(config)#ip igmp snooping Console(config)# ip igmp snooping vlan static This command adds a port to a multicast group. Use the no form to remove the port.
ip igmp snooping version This command configures the IGMP snooping version. Use the no form to restore the default. Syntax ip igmp snooping version {1 | 2 | 3} no ip igmp snooping version • 1 - IGMP Version 1 • 2 - IGMP Version 2 • 3 - IGMP Version 3 Default Setting IGMP Version 2 Command Mode Global Configuration Command Usage • All systems on the subnet must support the same version.
Command Usage • The IGMP snooping leave-proxy feature suppresses all unnecessary IGMP leave messages so that the non-querier switch forwards an IGMP leave packet only when the last dynamic member port leaves a multicast group. • The leave-proxy feature does not function when a switch is set as the querier.
show ip igmp snooping This command shows the IGMP snooping configuration. Default Setting None Command Mode Privileged Exec Command Usage See “Configuring IGMP Snooping and Query Parameters” on page 3-245 for a description of the displayed items.
Example
The following shows the multicast entries learned through IGMP snooping for VLAN 1:
Console#show mac-address-table multicast vlan 1 igmp-snooping
 VLAN M'cast IP addr.  Member ports  Type
 ---- ---------------  ------------  ------
    1 224.1.2.3        Eth1/11       IGMP
Console#
IGMP Query Commands (Layer 2)
This section describes commands used to configure Layer 2 IGMP query on the switch.
Example Console(config)#ip igmp snooping querier Console(config)# ip igmp snooping query-count This command configures the query count. Use the no form to restore the default. Syntax ip igmp snooping query-count count no ip igmp snooping query-count count - The maximum number of queries issued for which there has been no response before the switch takes action to drop a client from the multicast group.
ip igmp snooping query-interval This command configures the query interval. Use the no form to restore the default. Syntax ip igmp snooping query-interval seconds no ip igmp snooping query-interval seconds - The frequency at which the switch sends IGMP host-query messages.
Example The following shows how to configure the maximum response time to 20 seconds: Console(config)#ip igmp snooping query-max-response-time 20 Console(config)# Related Commands ip igmp snooping version (4-315) ip igmp snooping router-port-expire-time This command configures the query timeout. Use the no form to restore the default.
Static Multicast Routing Commands
This section describes commands used to configure static multicast routing on the switch.
Table 4-85 Static Multicast Routing Commands
Command                        Function                      Mode  Page
ip igmp snooping vlan mrouter  Adds a multicast router port  GC    4-322
show ip igmp snooping mrouter  Shows multicast router ports  PE    4-323
ip igmp snooping vlan mrouter
This command statically configures a multicast router port. Use the no form to remove the configuration.
show ip igmp snooping mrouter This command displays information on statically configured and dynamically learned multicast router ports. Syntax show ip igmp snooping mrouter [vlan vlan-id] vlan-id - VLAN ID (Range: 1-4094) Default Setting Displays multicast router ports for all configured VLANs. Command Mode Privileged Exec Command Usage Multicast router port types displayed include Static.
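The Layer 2 snooping behaviour this chapter describes (learn which ports reported interest in a group, add static members and multicast router ports, forward a group's traffic only to those ports, flood once the shared 255-group table is full) as an added model in Python. This is illustrative code, not the switch firmware; the port names, VLAN and group addresses are constructed, and the exact flooding behaviour for groups absent from the table is an assumption taken from the manual's note on excess streams.

```python
"""Layer 2 IGMP snooping forwarding model. Added example, not firmware code;
ports, VLANs and groups below are constructed for illustration."""
import ipaddress
from collections import defaultdict

MAX_GROUPS = 255  # IGMP snooping and MVR share this limit on this switch


class IgmpSnoopingSwitch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.members = defaultdict(dict)   # (vlan, group) -> {port: "IGMP" | "USER"}
        self.mrouter = defaultdict(dict)   # vlan -> {port: "Static" | "Dynamic"}

    @staticmethod
    def _key(vlan, group):
        g = ipaddress.IPv4Address(group)
        if not g.is_multicast:
            raise ValueError(f"{group} is not a multicast group address")
        return (vlan, str(g))

    def report(self, vlan, group, port):
        """Host on `port` sent an IGMP membership report for `group` (dynamic entry)."""
        key = self._key(vlan, group)
        if key not in self.members and len(self.members) >= MAX_GROUPS:
            return False        # table full: this stream will be flooded instead
        self.members[key][port] = "IGMP"
        return True

    def static_member(self, vlan, group, port):
        """Like `ip igmp snooping vlan <id> static <group> <port>`."""
        self.members[self._key(vlan, group)][port] = "USER"

    def leave(self, vlan, group, port):
        """IGMP leave or membership timeout: only dynamic entries are removed."""
        key = self._key(vlan, group)
        if self.members.get(key, {}).get(port) == "IGMP":
            del self.members[key][port]
            if not self.members[key]:
                del self.members[key]

    def add_mrouter(self, vlan, port, kind="Static"):
        """Like `ip igmp snooping vlan <id> mrouter <port>`."""
        self.mrouter[vlan][port] = kind

    def query_seen(self, vlan, port):
        """An IGMP query arriving on a port marks it as a dynamic router port."""
        self.mrouter[vlan].setdefault(port, "Dynamic")

    def egress_ports(self, vlan, group, ingress):
        """Ports a frame for `group` received on `ingress` is forwarded to."""
        key = self._key(vlan, group)
        if key in self.members:
            out = set(self.members[key]) | set(self.mrouter.get(vlan, {}))
        else:
            out = set(self.ports)   # assumption: unknown group floods the VLAN
        out.discard(ingress)
        return sorted(out)

    def show_multicast(self, vlan):
        """Rows like `show mac-address-table multicast vlan <id> igmp-snooping`."""
        return [(v, g, p, t) for (v, g), ports in self.members.items()
                if v == vlan for p, t in ports.items()]


if __name__ == "__main__":
    sw = IgmpSnoopingSwitch([f"Eth1/{i}" for i in range(1, 25)])
    sw.report(1, "224.1.2.3", "Eth1/11")      # host on Eth1/11 joins
    sw.add_mrouter(1, "Eth1/24")               # uplink to the multicast router
    print(sw.egress_ports(1, "224.1.2.3", "Eth1/24"))   # only the member port
    print(sw.show_multicast(1))
```

A practitioner checking a real switch compares the output of show mac-address-table multicast and show ip igmp snooping mrouter against this expectation: a group's traffic should appear only on member ports and router ports, and a flood to every port in the VLAN indicates either an unlearned group or an overflowed table.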
Table 4-86 IGMP Filtering and Throttling Commands (Continued)
Command                          Function                                          Mode  Page
ip igmp max-groups action        Sets the IGMP throttling action for an interface  IC    4-327
show ip igmp filter              Displays the IGMP filtering status                PE    4-328
show ip igmp profile             Displays IGMP profiles and settings               PE    4-329
show ip igmp throttle interface  Displays the IGMP throttling setting for interfaces  PE  4-329
ip igmp filter (Global Configuration)
This command globally enables IGMP filtering and throttl
Default Setting Disabled Command Mode Global Configuration Command Usage A profile defines the multicast groups that a subscriber is permitted or denied to join. The same profile can be applied to many interfaces, but only one profile can be assigned to one interface. Each profile has only one access mode; either permit or deny. Example Console(config)#ip igmp profile 19 Console(config-igmp-profile)# permit, deny This command sets the access mode for an IGMP filter profile.
range This command specifies multicast group addresses for a profile. Use the no form to delete addresses from a profile. Syntax [no] range low-ip-address [high-ip-address] • low-ip-address - A valid IP address of a multicast group or start of a group range. • high-ip-address - A valid IP address for the end of a multicast group range.
Example Console(config)#interface ethernet 1/1 Console(config-if)#ip igmp filter 19 Console(config-if)# ip igmp max-groups This command sets the IGMP throttling number for an interface on the switch. Use the no form to restore the default setting. Syntax ip igmp max-groups number no ip igmp max-groups number - The maximum number of multicast groups an interface can join at the same time.
Default Setting Deny
Command Mode Interface Configuration
Command Usage When the maximum number of groups is reached on a port, the switch can take one of two actions: “deny” or “replace.” If the action is set to deny, any new IGMP join reports are dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
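The filtering and throttling rules from the ip igmp profile, permit/deny, range, ip igmp filter and ip igmp max-groups commands above, combined in one added model (illustrative code, not the switch firmware). Profile numbers, port names, group addresses and the range limits are constructed; treating an unset max-groups as unlimited is an assumption.

```python
"""IGMP filter-profile and throttling model for one switch port.
Added example, not firmware code; identifiers below are constructed."""
import ipaddress
import random


class IgmpProfile:
    """One `ip igmp profile <n>` with its access mode and `range` entries."""

    def __init__(self, number, mode):
        if mode not in ("permit", "deny"):
            raise ValueError("profile access mode must be 'permit' or 'deny'")
        self.number = number
        self.mode = mode          # a profile has exactly one access mode
        self.ranges = []

    def add_range(self, low, high=None):
        # `range low [high]`: both ends must be valid multicast group addresses.
        lo = ipaddress.IPv4Address(low)
        hi = ipaddress.IPv4Address(high) if high else lo
        if not (lo.is_multicast and hi.is_multicast) or hi < lo:
            raise ValueError(f"not a valid multicast group range: {low}-{high}")
        self.ranges.append((lo, hi))

    def matches(self, group):
        g = ipaddress.IPv4Address(group)
        return any(lo <= g <= hi for lo, hi in self.ranges)

    def allows(self, group):
        # permit: only the listed groups may be joined; deny: everything but them.
        hit = self.matches(group)
        return hit if self.mode == "permit" else not hit


class IgmpPort:
    """A port with `ip igmp filter <profile>` and `ip igmp max-groups <n> [action ...]`."""

    def __init__(self, name, profile=None, max_groups=None, action="deny", rng=None):
        if action not in ("deny", "replace"):
            raise ValueError("throttling action must be 'deny' or 'replace'")
        self.name = name
        self.profile = profile
        self.max_groups = max_groups      # assumption: None means no throttling
        self.action = action
        self.groups = []
        self._rng = rng or random.Random(0)

    def join(self, group):
        """Process an IGMP join report; returns (outcome, detail)."""
        if self.profile is not None and not self.profile.allows(group):
            return ("dropped-filter", self.profile.number)
        if group in self.groups:
            return ("joined", group)
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return ("dropped-max", self.max_groups)
            victim = self._rng.choice(self.groups)   # replace: evict a random group
            self.groups.remove(victim)
            self.groups.append(group)
            return ("replaced", victim)
        self.groups.append(group)
        return ("joined", group)

    def leave(self, group):
        if group in self.groups:
            self.groups.remove(group)


if __name__ == "__main__":
    prof = IgmpProfile(19, "deny")
    prof.add_range("239.1.1.1")
    prof.add_range("239.2.3.1", "239.2.3.100")   # constructed upper bound
    port = IgmpPort("Eth1/1", profile=prof, max_groups=2)
    for g in ("224.1.2.3", "224.1.2.4", "224.1.2.5", "239.1.1.1"):
        print(g, port.join(g))
```

Note the order of checks: the filter profile is consulted before the group count, so a denied group never consumes one of the port's max-groups slots, and with action replace a flood of joins from an untrusted host can evict legitimate groups, which is why deny is the safer default on subscriber ports.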
show ip igmp profile
This command displays IGMP filtering profiles created on the switch.
Syntax show ip igmp profile [profile-number]
profile-number - An existing IGMP filter profile number. (Range: 1-4294967295)
Default Setting None
Command Mode Privileged Exec
Example
Console#show ip igmp profile
IGMP Profile 19
IGMP Profile 50
Console#show ip igmp profile 19
IGMP Profile 19
Deny
range 239.1.1.1 239.1.1.1
range 239.2.3.1 239.2.3.
Example
Console#show ip igmp throttle interface ethernet 1/1
Eth 1/1 Information
 Status                   : TRUE
 Action                   : Deny
 Max Multicast Groups     : 32
 Current Multicast Groups : 0
Console#
Multicast VLAN Registration Commands
This section describes commands used to configure Multicast VLAN Registration (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all subscribers.
mvr (Global Configuration) This command enables Multicast VLAN Registration (MVR) globally on the switch, statically configures MVR multicast group IP address(es) using the group keyword, specifies the MVR VLAN identifier using the vlan keyword, or permits the use of tagged multicast traffic using the receiver-group and receiver-vlan attributes.
command (page 4-246), but MVR receiver ports should not be statically configured as members of this VLAN.
• IGMP snooping must be enabled to allow a subscriber to dynamically join or leave an MVR group (see ip igmp snooping on page 4-314). Note that only IGMP version 2 or 3 hosts can issue multicast join or leave messages.
• IGMP snooping and MVR share a maximum of 255 groups. Any multicast streams received in excess of this limit are flooded to all ports in the associated VLAN.
mvr (Interface Configuration) This command configures an interface as an MVR receiver or source port using the type keyword, enables immediate leave capability using the immediate keyword, configures an interface as a static member of the MVR VLAN using the group keyword, or as a static member of the MVR Receiver VLAN using the static-receiver-group keyword. Use the no form to restore the default settings, or to remove a static address.
• One or more interfaces may be configured as MVR source ports. A source port is able to both receive and send data for multicast groups which it has joined through IGMP snooping or which have been statically assigned using the group keyword. • The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x. • Immediate leave applies only to receiver ports.
show mvr This command shows information about the global MVR configuration settings when entered without any keywords, the interfaces attached to the MVR VLAN using the interface keyword, the multicast groups assigned to the MVR VLAN using the members keyword, or the interfaces assigned to MVR receiver groups using the receiver-group members keyword. Syntax show mvr [interface [interface] | members [ip-address] | receiver-group members] • interface • ethernet unit/port - unit - Stack unit.
Table 4-88 show mvr - display description
Field                     Description
MVR Status                Shows if MVR is globally enabled on the switch.
MVR Running Status        Indicates whether or not all necessary conditions in the MVR environment are satisfied.
MVR Multicast VLAN        Shows the VLAN used to transport all MVR multicast traffic.
MVR Max Multicast Groups  Shows the maximum number of multicast groups which can be assigned to the MVR VLAN.
The following shows information about the interfaces associated with multicast groups assigned to the MVR VLAN:
Console#show mvr members
 MVR Group IP     Status
 ---------------- --------
 225.0.0.1        ACTIVE
 225.0.0.2        INACTIVE
 225.0.0.3        INACTIVE
 225.0.0.4        INACTIVE
 225.0.0.5        INACTIVE
 225.0.0.6        INACTIVE
 225.0.0.7        INACTIVE
 225.0.0.8        INACTIVE
 225.0.0.9        INACTIVE
 225.0.0.
IP Interface Commands
An IP address may be used for management access to the switch over your network. The IP address for this switch is obtained via DHCP by default. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server when it is powered on. You may also need to establish a default gateway between this device and management stations or other devices that exist on another network segment.
• If you select the bootp or dhcp option, IP is enabled but will not function until a BOOTP or DHCP reply has been received. Requests will be broadcast periodically by this device in an effort to learn its IP address. (BOOTP and DHCP values can include the IP address, default gateway, and subnet mask). • You can start broadcasting BOOTP or DHCP requests by entering an ip dhcp restart command, or by rebooting the switch. Note: Only one VLAN interface can be assigned an IP address (the default is VLAN 1).
Example
The following example defines a default gateway for this device:
Console(config)#ip default-gateway 10.1.1.254
Console(config)#
Related Commands show ip redirects (4-341)
ip dhcp restart
This command submits a BOOTP or DHCP client request.
Default Setting None
Command Mode Privileged Exec
Command Usage
• This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address command.
Example
Console#show ip interface
IP Address and Netmask: 192.168.1.54 255.255.255.0 on VLAN 1,
Address Mode: User Specified.
Console#
Related Commands show ip redirects (4-341)
show ip redirects
This command shows the default gateway configured for this device.
Default Setting None
Command Mode Privileged Exec
Example
Console#show ip redirects
IP default gateway 10.1.0.
- Normal response - The normal response occurs in one to ten seconds, depending on network traffic.
- Destination does not respond - If the host does not respond, a “timeout” appears in ten seconds.
- Destination unreachable - The gateway for this destination indicates that the destination is unreachable.
- Network or host unreachable - The gateway found no corresponding entry in the route table.
• Press <Esc> to stop pinging.
Example
Console#ping 10.1.0.9
Type ESC to abort.
PING to 10.1.0.
Appendix A: Software Specifications
Software Features
Management Authentication: Local, RADIUS, TACACS+, Port Authentication (802.1X), MAC Authentication, Web Authentication, HTTPS, SSH
General Security Measures: Access Control Lists (IP, MAC - 100 rules), Port Authentication (802.
Class of Service Supports 4 levels of priority Strict or Weighted Round Robin queueing CoS configured by port or VLAN tag Layer 3/4 priority mapping: IP DSCP Multicast Filtering IGMP Snooping (Layer 2) Multicast VLAN Registration Quality of Service DiffServ supports class maps, policy maps, and service policies Additional Features BOOTP client Link Layer Discovery Protocol SNTP (Simple Network Time Protocol) SNMP (Simple Network Management Protocol) RMON (Remote Monitoring, groups 1,2,3,9) SMTP Email Alerts
IEEE 802.1v Protocol-based VLANs IEEE 802.1w Rapid Spanning Tree Protocol IEEE 802.1X Port Authentication IEEE 802.3-2005 Ethernet, Fast Ethernet, Gigabit Ethernet Link Aggregation Control Protocol (LACP) Full-duplex flow control (ISO/IEC 8802-3) IEEE 802.
RADIUS Authentication Client MIB (RFC 2618) RMON MIB (RFC 2819) RMON II Probe Configuration Group (RFC 2021, partial implementation) SNMPv2 IP MIB (RFC 2011) SNMP Community MIB (RFC 3584) SNMP Framework MIB (RFC 3411) SNMP-MPD MIB (RFC 3412) SNMP Target MIB, SNMP Notification MIB (RFC 3413) SNMP User-Based SM MIB (RFC 3414) SNMP View Based ACM MIB (RFC 3415) TACACS+ Authentication Client MIB TCP MIB (RFC 2012) Trap (RFC 1215) UDP MIB (RFC 2013)
Appendix B: Troubleshooting
Problems Accessing the Management Interface
Table B-1 Troubleshooting Chart
Symptom: Cannot connect using Telnet, web browser, or SNMP software.
Action:
• Be sure the switch is powered up.
• Check network cabling between the management station and the switch.
• Check that you have a valid network connection to the switch and that the port you are using has not been disabled.
Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: 1. Enable logging. 2. Set the error messages reported to include all categories. 3. Designate the SNMP host that is to receive the error messages. 4. Repeat the sequence of commands or other actions that lead up to the error. 5.
Glossary
Access Control List (ACL) ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.
Boot Protocol (BOOTP) BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the device's system files, and the name of the boot file.
Extensible Authentication Protocol over LAN (EAPOL) EAPOL is a client authentication protocol used by this switch to verify the network access rights for any device that is plugged into the switch. A user name and password are requested by the switch, and then passed to an authentication server (e.g., RADIUS) for verification. EAPOL is implemented as part of the IEEE 802.1X Port Authentication standard.
IEEE 802.1X Port Authentication controls access to the switch ports by requiring users to first enter a user ID and password for authentication.
IEEE 802.3ac Defines frame extensions for VLAN tagging.
IEEE 802.3af (PoE) An IEEE standard for providing Power over Ethernet (PoE) capabilities. When Ethernet is passed over copper cable, two twisted pairs are used for data transfer, and two twisted pairs are unused. With PoE, power can either be passed over the two data pairs or over the two spare pairs.
Link Aggregation See Port Trunk. Link Aggregation Control Protocol (LACP) Allows ports to automatically negotiate a trunked link with LACP-configured ports on another device. Link Layer Discovery Protocol (LLDP) LLDP is used to discover basic information about neighboring devices in the local broadcast domain by using periodic broadcasts to advertise information such as device identification, capabilities and configuration settings.
Network Time Protocol (NTP) NTP provides the mechanisms to synchronize time across the network. The time servers operate in a hierarchical master-slave configuration in order to synchronize local clocks within the subnet and to national time standards via wire or radio.
Out-of-Band Management Management of the network from a station not attached to the network.
Port Authentication See IEEE 802.1X.
Remote Authentication Dial-in User Service (RADIUS) RADIUS is a logon authentication protocol that uses software running on a central server to control access to RADIUS-compliant devices on the network. Remote Monitoring (RMON) RMON provides comprehensive network monitoring capabilities. It eliminates the polling required in standard SNMP, and can set alarms on a variety of traffic conditions, including specific error types.
Transmission Control Protocol/Internet Protocol (TCP/IP) Protocol suite that includes TCP as the primary transport protocol, and IP as the network layer protocol. Trivial File Transfer Protocol (TFTP) A TCP/IP protocol commonly used for software downloads. User Datagram Protocol (UDP) UDP provides a datagram mode for packet-switched communications. It uses IP as the underlying transport mechanism to provide access to IP-like services.
Index Numerics 802.1Q tunnel 3-191, 4-250 configuration, guidelines 3-194, 4-250 configuration, limitations 3-193 description 3-191 ethernet type 3-195, 4-253 interface configuration 3-194, 3-195, 4-252–4-253 mode selection 3-196, 4-252 status, configuring 3-194, 4-251 TPID 3-195, 4-253 uplink 3-196, 4-252 802.1X, port authentication 3-88, 4-135 802.1X, port authentication accounting 3-70, 4-117 A AAA 802.
DSCP 3-229, 4-301 layer 3/4 priorities 3-227, 4-301 queue mapping 3-224, 4-298 queue mode 3-226, 4-296 traffic class weights 3-226 D default gateway, configuration 3-17, 4-339 default priority, ingress port 3-221, 4-297 default settings, system 1-6 DHCP 3-18, 4-338 client 3-17, 4-338 dynamic configuration 2-5 snooping 3-116, 4-162 DHCP snooping enabling 3-117, 4-163 global configuration 3-117, 4-163 information option, enabling 3-119, 4-167 policy selection 3-119, 4-168 specifying trusted interfaces 3-120,
filtering/throttling 3-252, 4-323 filtering/throttling, configuring profile 4-325, 4-326 filtering/throttling, creating profile 4-324 filtering/throttling, enabling 3-252, 4-324 filtering/throttling, interface settings 3-255, 4-326–4-327 groups, displaying 3-250, 4-317 immediate leave, status 3-247, 4-316 Layer 2 3-244, 4-313 query 3-244, 4-318 query, Layer 2 3-245, 4-318 snooping 3-244, 4-314 snooping & query, parameters 3-245 snooping, configuring 3-245, 4-313 IGMP snooping immediate leave 3-247, 4-316 le
TLV, inventory 3-211, 4-289 TLV, location 3-211, 4-289 TLV, network policy 3-211, 4-290 TLV, PoE 3-211, 4-288 TLV, port capabilities 3-211, 4-290 logging syslog traps 3-29, 4-54 to syslog servers 3-29, 4-53 log-in, web interface 3-2 logon authentication 3-55, 4-98 encryption key, configuring secret text string 3-63, 4-105, 4-109 RADIUS client 3-58, 4-103 RADIUS encryption key, configuring secret text string 3-63, 4-105 RADIUS server 3-58, 4-103 TACACS+ client 3-58, 4-107 TACACS+ encryption key, configuring
STA 3-167, 4-229 port security, configuring 3-98, 4-147 port, statistics 3-148, 4-196 ports autonegotiation 3-131, 4-189 broadcast storm threshold 3-144, 4-193 capabilities 3-131, 4-190 duplex mode 3-131, 4-188 flow control 3-131, 4-191 forced selection on combo ports 3-131, 4-192 speed 3-131, 4-188 ports, configuring 3-128, 4-186 ports, mirroring 3-146, 4-209 primary VLAN 3-199, 4-259 priority, default port ingress 3-221, 4-297 private key 3-79, 4-125 private VLANs, configuring 3-199, 3-200, 4-259 private
Spanning Tree Protocol See STA specifications, software A-1 SSH 3-79, 4-125 server, configuring 3-86, 4-127 SSH, configuring 3-79, 4-125 SSL, replacing certificate 3-78 STA 3-156, 4-216 BPDU flooding 3-162, 3-170 edge port 3-167, 3-170, 4-229 global settings, configuring 3-161, 4-217–4-231 global settings, displaying 3-158, 4-234 interface settings 4-227–4-233 interface settings, configuring 3-168, 4-227–?? interface settings, displaying 3-165, 4-234 link type 3-167, 3-170, 4-231 path cost 3-159, 3-167, 4-2
interface configuration 3-189, 4-245–4-248 private 3-199, 4-258 protocol 3-205, 4-263, 4-264, 4-265 protocol, binding to interfaces 3-206, 4-265 protocol, configuring groups 3-205, 4-264 voice 3-238, 4-267 voice VLAN 3-238, 4-267 voice VLANs 3-238, 4-267 detecting VoIP devices 3-238, 4-267 enabling for ports 3-239, 4-270, 4-270–4-272 identifying client devices 3-241, 4-269 VoIP traffic 3-238, 4-267 ports, configuring 3-239, 4-270–4-272 telephony OUI, configuring 3-241 voice VLAN, configuring 3-238 enabling